diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.1.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.1.ts index a7975178..996a195d 100644 --- a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.1.ts +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.1.ts 
@@ -1,60 +1,65 @@ export default { id: 'aws-nist-800-53-rev4-11.1', - title: 'ECS task definitions should limit memory usage for containers', + title: 'AWS NIST 11.1 ECS task definitions should limit memory usage for containers', - description: `'Limiting memory usage for your ECS tasks allows you to avoid running out of memory because ECS stops placing tasks on the instance, and Docker kills any containers that try to go over the hard limit. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable.'`, + description: `Limiting memory usage for your ECS tasks allows you to avoid running out of memory because ECS stops placing tasks on the instance, and Docker kills any containers that try to go over the hard limit. Having no limit on memory usage can lead to issues where one container can easily make the whole system unstable and as a result unusable. + + Memory limits must be set through the *memory* property for each *ContainerDefinition* within the task definition. For more information about the *memory* property, see [ContainerDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html) in the ECS API Reference.`, audit: '', rationale: '', - remediation: `**AWS Console** - - - Navigate to ECS. + remediation: `**Console Remediation Steps** + + - Navigate to [ECS](https://console.aws.amazon.com/ecs/). - Select the Region that contains your task definition. - In the left pane, select Task Definitions. - Check the task definition and click Create new revision. - On the Create new revision of task definition page, make changes. For example, to change the existing container definitions (such as the container image, memory limits, or port mappings), select the container, make the changes, and then choose Update. - Select Create. 
- - If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see Updating a service. - - **AWS CLI** + - If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html). + + **CLI Remediation Steps** + - Create new task definition revision: - > aws ecs register-task-definition
- > --family \
- > [--task-role-arn \]
- > [--execution-role-arn \]
- > [--network-mode \]
- > --container-definitions \
- > [--volumes \]
- > [--placement-constraints \]
- > [--requires-compatibilities \]
- > [--cpu \]
- > [--memory \]
- > [--tags \]
- > [--pid-mode \]
- > [--ipc-mode \]
- > [--proxy-configuration \]
- > [--inference-accelerators \]
- > [--cli-input-json | --cli-input-yaml]
- > [--generate-cli-skeleton \]
- -- Update the service to use the new task definition: - > aws ecs update-service
- > [--cluster \]
- > --service \
- > [--desired-count \]
- > [--task-definition \]
- > [--capacity-provider-strategy \]
- > [--deployment-configuration \]
- > [--network-configuration \]
- > [--placement-constraints \]
- > [--placement-strategy \]
- > [--platform-version \]
- > [--force-new-deployment | --no-force-new-deployment]
- > [--health-check-grace-period-seconds \]
- > [--cli-input-json | --cli-input-yaml]
- > [--generate-cli-skeleton \]
`, + + aws ecs register-task-definition + --family + [--task-role-arn ] + [--execution-role-arn ] + [--network-mode ] + --container-definitions + [--volumes ] + [--placement-constraints ] + [--requires-compatibilities ] + [--cpu ] + [--memory ] + [--tags ] + [--pid-mode ] + [--ipc-mode ] + [--proxy-configuration ] + [--inference-accelerators ] + [--cli-input-json | --cli-input-yaml] + [--generate-cli-skeleton ] + + - Update the service to use the new task definition: + + aws ecs update-service + [--cluster ] + --service + [--desired-count ] + [--task-definition ] + [--capacity-provider-strategy ] + [--deployment-configuration ] + [--network-configuration ] + [--placement-constraints ] + [--placement-strategy ] + [--platform-version ] + [--force-new-deployment | --no-force-new-deployment] + [--health-check-grace-period-seconds ] + [--cli-input-json | --cli-input-yaml] + [--generate-cli-skeleton ]`, references: [ 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html', @@ -76,6 +81,6 @@ export default { severity: 'medium', conditions: { path: '@.memory', - in: ["0", "256", "512"] + in: ['0', '256', '512'], }, } \ No newline at end of file diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.2.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.2.ts index 8b1bf325..ac59b49a 100644 --- a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.2.ts +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-11.2.ts 
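Review bot: The added description paragraph says the limit must be set via the `memory` property of each `ContainerDefinition`, but the rule's condition in this same file reads the task-level `@.memory` of `queryawsEcsTaskDefinition`, so the text and the check disagree about which field is enforced. A per-container hard limit and a task-level size are different controls, so either the description should say the task-level *memory* property of the task definition, or the condition should inspect the container definitions. The CLI steps reproduce the `register-task-definition` synopsis with `[--memory ]` marked optional and never show the value being set; a short example such as `aws ecs register-task-definition --cli-input-json file://task-def.json` followed by one sentence saying which JSON key carries the MiB value would make the remediation actionable.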
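Review bot: `in: ['0', '256', '512']` is an allow-list of three literal strings, so a task definition with `memory` of `'1024'`, `'2048'` or any other legitimate size fails the rule while a value of `'0'` passes, which is the opposite of what the title asks for. The test file only exercises `'512'`, `'256'` and `null`, so neither the false positive nor the `'0'` case is covered. Using operators already present in this rule set, something like `and: [{ path: '@.memory', isEmpty: false }, { path: '@.memory', notEqual: '0' }]` would check that a limit exists rather than pin it to two sizes; whether the engine's `isEmpty` treats `null` and an absent key the same way should be confirmed with a fixture for each.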
@@ -1,60 +1,65 @@ export default { id: 'aws-nist-800-53-rev4-11.2', - title: 'ECS task definitions should set CPU limit for containers', + title: 'AWS NIST 11.2 ECS task definitions should set CPU limit for containers', - description: `'Unless specified, containers get access to all the CPU and memory capacity available on that host. Specifying CPU for ECS task definitions ensures that high priority containers are able to claim the CPU runtime they require.'`, + description: `Unless specified, containers get access to all the CPU and memory capacity available on that host. Specifying CPU for ECS task definitions ensures that high priority containers are able to claim the CPU runtime they require. + + A CPU limit must be set through the *cpu* property in the task definition. For more information about the *cpu* property, see [TaskDefinition](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_TaskDefinition.html) in the ECS API Reference.`, audit: '', rationale: '', - remediation: `**AWS Console** - - - Navigate to ECS. + remediation: `**Console Remediation Steps** + + - Navigate to [ECS](https://console.aws.amazon.com/ecs/). - Select the Region that contains your task definition. - In the left pane, select Task Definitions. - Check the task definition and click Create new revision. - On the Create new revision of task definition page, make changes. For example, to change the existing container definitions (such as the container image, memory limits, or port mappings), select the container, make the changes, and then choose Update. - Select Create. - - If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. For more information, see Updating a service. - - **AWS CLI** + - If your task definition is used in a service, update your service with the updated task definition and deactivate the previous task definition. 
For more information, see [Updating a service](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html). + + **CLI Remediation Steps** + - Create new task definition revision: - > aws ecs register-task-definition
- > --family \
- > [--task-role-arn \]
- > [--execution-role-arn \]
- > [--network-mode \]
- > --container-definitions \
- > [--volumes \]
- > [--placement-constraints \]
- > [--requires-compatibilities \]
- > [--cpu \]
- > [--memory \]
- > [--tags \]
- > [--pid-mode \]
- > [--ipc-mode \]
- > [--proxy-configuration \]
- > [--inference-accelerators \]
- > [--cli-input-json | --cli-input-yaml]
- > [--generate-cli-skeleton \] - + + aws ecs register-task-definition + --family + [--task-role-arn ] + [--execution-role-arn ] + [--network-mode ] + --container-definitions + [--volumes ] + [--placement-constraints ] + [--requires-compatibilities ] + [--cpu ] + [--memory ] + [--tags ] + [--pid-mode ] + [--ipc-mode ] + [--proxy-configuration ] + [--inference-accelerators ] + [--cli-input-json | --cli-input-yaml] + [--generate-cli-skeleton ] + - Update the service to use the new task definition: - > aws ecs update-service - > [--cluster \] - > --service \ - > [--desired-count \] - > [--task-definition \] - > [--capacity-provider-strategy \] - > [--deployment-configuration \] - > [--network-configuration \] - > [--placement-constraints \] - > [--placement-strategy \] - > [--platform-version \] - > [--force-new-deployment | --no-force-new-deployment] - > [--health-check-grace-period-seconds \] - > [--cli-input-json | --cli-input-yaml] - > [--generate-cli-skeleton \]`, + + aws ecs update-service + [--cluster ] + --service + [--desired-count ] + [--task-definition ] + [--capacity-provider-strategy ] + [--deployment-configuration ] + [--network-configuration ] + [--placement-constraints ] + [--placement-strategy ] + [--platform-version ] + [--force-new-deployment | --no-force-new-deployment] + [--health-check-grace-period-seconds ] + [--cli-input-json | --cli-input-yaml] + [--generate-cli-skeleton ]`, references: [ 'https://docs.aws.amazon.com/AmazonECS/latest/developerguide/update-service.html', @@ -75,6 +80,6 @@ export default { severity: 'medium', conditions: { path: '@.cpu', - in: ["0", "256", "512"] + in: ['0', '256', '512'], }, } \ No newline at end of file diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.1.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.1.ts index eee08823..aec5e1b4 100644 --- a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.1.ts +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.1.ts 
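Review bot: The `cpu` check has the same shape problem as the memory rule: `in: ['0', '256', '512']` fails any task definition whose `cpu` is `'1024'` or larger and passes `'0'`, yet the description on this page says a value must be *specified* for containers to be constrained. A `'0'` value expresses no CPU constraint in practice, so it is effectively the unspecified case the rule exists to catch and should be excluded rather than allow-listed. Replace the allow-list with a presence check built from operators this rule set already uses, e.g. `and: [{ path: '@.cpu', isEmpty: false }, { path: '@.cpu', notEqual: '0' }]`, and add a `'1024'` fixture expecting PASS so the regression is visible.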
@@ -1,6 +1,6 @@ export default { id: 'aws-nist-800-53-rev4-12.1', - title: 'CloudFront distributions should have geo-restrictions specified', + title: 'AWS NIST 12.1 CloudFront distributions should have geo-restrictions specified', description: `CloudFront distributions should enable geo-restriction when an organization needs to prevent users in specific geographic locations from accessing content. For example, @@ -39,17 +39,23 @@ export default { accountId __typename geoRestriction { - restrictionType + restrictionType + locations } } }`, resource: 'queryawsCloudfront[*]', severity: 'medium', conditions: { - path: '@.geoRestriction', - array_all: { - path: '[*].restrictionType', - notIn: 'none' + and: [ + { + path: '@.geoRestriction.restrictionType', + in: ['whitelist', 'blacklist'] }, + { + path: '@.geoRestriction.locations', + isEmpty: false + }, + ], }, } \ No newline at end of file diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.2.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.2.ts index 11d9dc4c..e8637ca0 100644 --- a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.2.ts +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-12.2.ts @@ -1,6 +1,6 @@ export default { id: 'aws-nist-800-53-rev4-12.2', - title: 'EC2 instances should not have a public IP association (IPv4)', + title: 'AWS NIST 12.2 EC2 instances should not have a public IP association (IPv4)', description: `EC2 instances are reachable over the internet even if you have protections such as NACLs or security groups if a public IP address is associated with an instance. To minimize the risk @@ -50,7 +50,7 @@ Disable the public IP addressing feature arn accountId __typename - subnet { + subnets { autoAssignPublicIpv4Address } } 
@@ -58,10 +58,12 @@ Disable the public IP addressing feature resource: 'queryawsEc2[*]', severity: 'medium', conditions: { - path: '@.subnet', - array_all: { - path: '[*].autoAssignPublicIpv4Address', - notEqual: 'Yes' + not: { + path: '@.subnets', + array_any: { + path: '[*].autoAssignPublicIpv4Address', + equal: 'Yes', + }, }, }, } \ No newline at end of file diff --git a/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-11.x.test.ts b/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-11.x.test.ts index fa7f25d9..77154d8a 100644 --- a/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-11.x.test.ts +++ b/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-11.x.test.ts 
@@ -4,57 +4,14 @@ import cuid from 'cuid' import Aws_NIST_800_53_111 from '../rules/aws-nist-800-53-rev4-11.1' import Aws_NIST_800_53_112 from '../rules/aws-nist-800-53-rev4-11.2' -export interface Logging { - enabled: boolean -} - -export interface DataResource { - type: string -} - -export interface EventSelector { - readWriteType?: string - includeManagementEvents?: boolean - dataResources?: DataResource[] -} - -export interface Cloudtrail { - isMultiRegionTrail?: string - eventSelectors?: EventSelector[] - includeGlobalServiceEvents?: string -} - -export interface QueryawsCloudfront { +export interface QueryawsEcsTaskDefinition { id: string - logging: Logging + memory?: string | null + cpu?: string | null } -export interface QueryawsAccount { - id: string - cloudtrail: Cloudtrail[] -} - -export interface QueryawsCloudtrail { - id: string - eventSelectors?: EventSelector[] -} - -export interface QueryawsAlb { - id: string - accessLogsEnabled: string -} - -export interface QueryawsElb { - id: string - accessLogs: string -} - -export interface NIS6xQueryResponse { - queryawsCloudfront?: QueryawsCloudfront[] - queryawsAccount?: QueryawsAccount[] - queryawsCloudtrail?: QueryawsCloudtrail[] - queryawsAlb?: QueryawsAlb[] - queryawsElb?: QueryawsElb[] +export interface NIST11xQueryResponse { + queryawsEcsTaskDefinition?: QueryawsEcsTaskDefinition[] } describe('AWS NIST 800-53: Rev. 4', () => { @@ -66,14 +23,15 @@ describe('AWS NIST 800-53: Rev. 4', () => { }) }) - //11.X - describe(' AWS 11.1 ECS task definitions should limit memory usage for containers', () => { - const getTestRuleFixture = (memory: string|null|undefined): any => { + describe('AWS NIST 11.1 ECS task definitions should limit memory usage for containers', () => { + const getTestRuleFixture = ( + memory: string | null + ): NIST11xQueryResponse => { return { queryawsEcsTaskDefinition: [ { id: cuid(), - memory + memory, }, ], } 
@@ -81,7 +39,7 @@ describe('AWS NIST 800-53: Rev. 4', () => { // Act const testRule = async ( - data: any, + data: NIST11xQueryResponse, expectedResult: Result ): Promise => { // Act @@ -94,34 +52,29 @@ describe('AWS NIST 800-53: Rev. 4', () => { expect(processedRule.result).toBe(expectedResult) } - test('Container memory is within the acceptable limit', async () => { - const data: any = getTestRuleFixture('512') + test('No Security Issue when Container memory is within the acceptable limit (512)', async () => { + const data: NIST11xQueryResponse = getTestRuleFixture('512') await testRule(data, Result.PASS) }) - test('Container memory is within the acceptable limit', async () => { - const data: any = getTestRuleFixture('256') + test('No Security Issue when Container memory is within the acceptable limit (256)', async () => { + const data: NIST11xQueryResponse = getTestRuleFixture('256') await testRule(data, Result.PASS) }) - test('Container memory cannot be null or undefined', async () => { - const data: any = getTestRuleFixture(null) - await testRule(data, Result.FAIL) - }) - - test('Container memory cannot be null or undefined', async () => { - const data: any = getTestRuleFixture(undefined) + test('Security Issue when Container memory is not set', async () => { + const data: NIST11xQueryResponse = getTestRuleFixture(null) await testRule(data, Result.FAIL) }) }) - describe(' AWS 11.2 ECS task definitions should set CPU limit for containers', () => { - const getTestRuleFixture = (cpu: string|null|undefined): any => { + describe('AWS NIST 11.2 ECS task definitions should set CPU limit for containers', () => { + const getTestRuleFixture = (cpu: string | null): NIST11xQueryResponse => { return { queryawsEcsTaskDefinition: [ { id: cuid(), - cpu + cpu, }, ], } @@ -129,7 +82,7 @@ describe('AWS NIST 800-53: Rev. 4', () => { // Act const testRule = async ( - data: any, + data: NIST11xQueryResponse, expectedResult: Result ): Promise => { // Act 
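Review bot: Dropping the `undefined` fixture leaves only `null` tested, yet the `QueryawsEcsTaskDefinition` interface in the hunk above declares `memory?: string | null`, so a task definition with the property absent altogether is a valid input whose outcome is no longer asserted. The suite also has no fixture with a value outside `['0', '256', '512']`: `getTestRuleFixture('1024')` expecting `Result.PASS` would surface that the current allow-list fails legitimate larger limits, and `getTestRuleFixture('0')` expecting `Result.FAIL` would pin the unlimited case. Widening the fixture signature back is a one-token change in the preceding hunk: `const getTestRuleFixture = (memory: string | null | undefined): NIST11xQueryResponse =>`. The enclosing `describe` block for 11.1 starts outside this hunk.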
@@ -142,25 +95,19 @@ describe('AWS NIST 800-53: Rev. 4', () => { expect(processedRule.result).toBe(expectedResult) } - test('CPU limit is within the acceptable limit', async () => { - const data: any = getTestRuleFixture('512') + test('No Security Issue when CPU limit is within the acceptable limit (512)', async () => { + const data: NIST11xQueryResponse = getTestRuleFixture('512') await testRule(data, Result.PASS) }) - test('CPU limit is within the acceptable limit', async () => { - const data: any = getTestRuleFixture('256') + test('No Security Issue when CPU limit is within the acceptable limit (256)', async () => { + const data: NIST11xQueryResponse = getTestRuleFixture('256') await testRule(data, Result.PASS) }) - test('CPU limit cannot be null or undefined', async () => { - const data: any = getTestRuleFixture(null) - await testRule(data, Result.FAIL) - }) - - test('CPU limit cannot be null or undefined', async () => { - const data: any = getTestRuleFixture(undefined) + test('Security Issue when CPU limit is not set', async () => { + const data: NIST11xQueryResponse = getTestRuleFixture(null) await testRule(data, Result.FAIL) }) }) - }) diff --git a/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-12.x.test.ts b/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-12.x.test.ts index 01ae5010..3046c8a8 100644 --- a/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-12.x.test.ts +++ b/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-12.x.test.ts 
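Review bot: As with the memory tests, the `undefined` case for `cpu` was removed and nothing asserts what the rule does for a CPU value the allow-list does not contain, such as `'1024'` or `'4096'`, which are ordinary task sizes. A fixture `getTestRuleFixture('1024')` expecting `Result.PASS` is the single most useful test to add here because it documents whether the rule means "a limit exists" or "a limit of exactly 256 or 512". A `getTestRuleFixture('0')` expecting `Result.FAIL` would likewise pin down the no-reservation case. The `describe` block for 11.2 begins in the hunk above.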
@@ -4,58 +4,27 @@ import cuid from 'cuid' import Aws_NIST_800_53_121 from '../rules/aws-nist-800-53-rev4-12.1' import Aws_NIST_800_53_122 from '../rules/aws-nist-800-53-rev4-12.2' - -export interface Logging { - enabled: boolean -} - -export interface DataResource { - type: string -} - -export interface EventSelector { - readWriteType?: string - includeManagementEvents?: boolean - dataResources?: DataResource[] -} - -export interface Cloudtrail { - isMultiRegionTrail?: string - eventSelectors?: EventSelector[] - includeGlobalServiceEvents?: string +export interface GeoRestriction { + restrictionType: string + locations: string[] } -export interface QueryawsCloudfront { - id: string - logging: Logging -} - -export interface QueryawsAccount { - id: string - cloudtrail: Cloudtrail[] -} - -export interface QueryawsCloudtrail { - id: string - eventSelectors?: EventSelector[] +export interface Subnet { + autoAssignPublicIpv4Address: string } - -export interface QueryawsAlb { +export interface QueryawsEc2 { id: string - accessLogsEnabled: string + subnets: Subnet[] } -export interface QueryawsElb { +export interface QueryawsCloudfront { id: string - accessLogs: string + geoRestriction: GeoRestriction } -export interface NIS6xQueryResponse { +export interface NIST12xQueryResponse { queryawsCloudfront?: QueryawsCloudfront[] - queryawsAccount?: QueryawsAccount[] - queryawsCloudtrail?: QueryawsCloudtrail[] - queryawsAlb?: QueryawsAlb[] - queryawsElb?: QueryawsElb[] + queryawsEc2?: QueryawsEc2[] } describe('AWS NIST 800-53: Rev. 4', () => { 
@@ -67,18 +36,19 @@ describe('AWS NIST 800-53: Rev. 4', () => { }) }) - //12.X - describe(' AWS 12.1 CloudFront distributions should have geo-restrictions specified', () => { - const getTestRuleFixture = (restrictionType: string): any => { + describe('AWS NIST 12.1 CloudFront distributions should have geo-restrictions specified', () => { + const getTestRuleFixture = ( + restrictionType: string, + locations: string[] + ): NIST12xQueryResponse => { return { queryawsCloudfront: [ { id: cuid(), - geoRestriction: [ - { - restrictionType - }, - ], + geoRestriction: { + restrictionType, + locations + }, }, ], } @@ -86,7 +56,7 @@ describe('AWS NIST 800-53: Rev. 4', () => { // Act const testRule = async ( - data: any, + data: NIST12xQueryResponse, expectedResult: Result ): Promise => { // Act 
@@ -99,25 +69,29 @@ describe('AWS NIST 800-53: Rev. 4', () => { expect(processedRule.result).toBe(expectedResult) } - test('Georestrictions allowed. Content is available', async () => { - const data: any = getTestRuleFixture('whitelist') + test('No Security Issue when there is an inbound rule with a restrictionType equal to whitelist and locations specified', async () => { + const data: NIST12xQueryResponse = getTestRuleFixture('whitelist', ['CA','US']) await testRule(data, Result.PASS) }) - test('Georestrictions not set. Content is not available', async () => { - const data: any = getTestRuleFixture('none') - await testRule(data, Result.FAIL) + test('No Security Issue when there is an inbound rule with a restrictionType equal to whitelist and locations specified', async () => { + const data: NIST12xQueryResponse = getTestRuleFixture('blacklist', ['CA','US']) + await testRule(data, Result.PASS) }) + test('Security Issue when there is an inbound rule without geoRestriction specified', async () => { + const data: NIST12xQueryResponse = getTestRuleFixture('none', []) + await testRule(data, Result.FAIL) + }) }) - describe(' AWS 12.2 EC2 instances should not have a public IP association (IPv4)', () => { - const getTestRuleFixture = (autoAssignPublicIpv4Address: string): any => { + describe('AWS NIST 12.2 EC2 instances should not have a public IP association (IPv4)', () => { + const getTestRuleFixture = (autoAssignPublicIpv4Address: string): NIST12xQueryResponse => { return { queryawsEc2: [ { id: cuid(), - subnet: [ + subnets: [ { autoAssignPublicIpv4Address, }, @@ -129,7 +103,7 @@ describe('AWS NIST 800-53: Rev. 4', () => { // Act const testRule = async ( - data: any, + data: NIST12xQueryResponse, expectedResult: Result ): Promise => { // Act 
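Review bot: The two PASS tests carry the identical name `No Security Issue when there is an inbound rule with a restrictionType equal to whitelist and locations specified` although the second one passes `'blacklist'`, and "inbound rule" is security-group vocabulary that does not apply to a CloudFront distribution; rename them to e.g. `No Security Issue when geoRestriction is a whitelist with locations` / `No Security Issue when geoRestriction is a blacklist with locations` and the FAIL case to `Security Issue when restrictionType is none`. The rule's new `locations isEmpty: false` clause has no dedicated fixture: add `getTestRuleFixture('whitelist', [])` expecting `Result.FAIL`, otherwise that clause can be removed without any test noticing.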
@@ -142,16 +116,14 @@ describe('AWS NIST 800-53: Rev. 4', () => { expect(processedRule.result).toBe(expectedResult) } - test('Subnet is Default and auto assign attribute is true', async () => { - const data: any = getTestRuleFixture('Yes') - await testRule(data, Result.FAIL) - }) - - test('Subnet is nonDefault and auto assign attribute cannot be false', async () => { - const data: any = getTestRuleFixture('No') + test('No Security Issue when EC2 instances not have a public IP association (IPv4)', async () => { + const data: NIST12xQueryResponse = getTestRuleFixture('No') await testRule(data, Result.PASS) }) + test('Security Issue when EC2 instances have a public IP association (IPv4)', async () => { + const data: NIST12xQueryResponse = getTestRuleFixture('Yes') + await testRule(data, Result.FAIL) + }) }) - })
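Review bot: Both fixtures contain exactly one subnet, so the rewritten `not`/`array_any` condition is never exercised on the case it was rewritten for, an instance attached to several subnets where only one has `autoAssignPublicIpv4Address: 'Yes'`. Letting `getTestRuleFixture` accept an array of values and adding `subnets: [{ autoAssignPublicIpv4Address: 'No' }, { autoAssignPublicIpv4Address: 'Yes' }]` expecting `Result.FAIL` would pin that. An empty `subnets: []` fixture is also worth adding so the suite records whether an instance with no subnet data is treated as compliant, since with the current condition shape it likely passes by default. The 12.2 `describe` block begins outside this hunk.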