Merge branch 'alpha' into feature/CG-1099

src/aws/cis-1.2.0/CHANGELOG.md

@@ -1,3 +1,29 @@
+# @cloudgraph/policy-pack-aws-cis-1.2.0 [0.11.0](https://github.com/cloudgraphdev/cloudgraph-policy-packs/compare/@cloudgraph/[email protected]...@cloudgraph/[email protected]) (2022-05-02)
+
+
+### Bug Fixes
+
+* rename vpc flowLogs connection to FlowLog ([c31e985](https://github.com/cloudgraphdev/cloudgraph-policy-packs/commit/c31e985b4a2623fb01f8a29a4c5897becb2e4905))
+* Updated policy field for S3 schema ([dc3d6c8](https://github.com/cloudgraphdev/cloudgraph-policy-packs/commit/dc3d6c8b4b7e22ba58c1394d0b64e866ab3de519))
+
+
+### Features
+
+* Included 6.x rules for aws nist 800-53 ([b51f652](https://github.com/cloudgraphdev/cloudgraph-policy-packs/commit/b51f6522e7721928ea8dc30d009ac5530f6e86eb))
+
+# @cloudgraph/policy-pack-aws-cis-1.2.0 [0.11.0-beta.1](https://github.com/cloudgraphdev/cloudgraph-policy-packs/compare/@cloudgraph/[email protected]...@cloudgraph/[email protected]) (2022-05-02)
+
+
+### Bug Fixes
+
+* rename vpc flowLogs connection to FlowLog ([c31e985](https://github.com/cloudgraphdev/cloudgraph-policy-packs/commit/c31e985b4a2623fb01f8a29a4c5897becb2e4905))
+* Updated policy field for S3 schema ([dc3d6c8](https://github.com/cloudgraphdev/cloudgraph-policy-packs/commit/dc3d6c8b4b7e22ba58c1394d0b64e866ab3de519))
+
+
+### Features
+
+* Included 6.x rules for aws nist 800-53 ([b51f652](https://github.com/cloudgraphdev/cloudgraph-policy-packs/commit/b51f6522e7721928ea8dc30d009ac5530f6e86eb))
+
 # @cloudgraph/policy-pack-aws-cis-1.2.0 [0.11.0-alpha.1](https://github.com/cloudgraphdev/cloudgraph-policy-packs/compare/@cloudgraph/[email protected]...@cloudgraph/[email protected]) (2022-04-27)
 
 

src/aws/cis-1.2.0/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cloudgraph/policy-pack-aws-cis-1.2.0",
   "description": "Policy pack implementing CIS Amazon Web Services Foundations 1.2.0 Benchmark",
-  "version": "0.11.0-alpha.1",
+  "version": "0.11.0",
   "author": "AutoCloud",
   "license": "MPL-2.0",
   "main": "dist/index.js",
@@ -57,7 +57,7 @@
     "build": "yarn prepack",
     "clean": "rm -rf dist",
     "lint": "eslint",
-    "prepack": "yarn clean && tsc -b",
+    "prepack": "rm -rf dist && tsc -b",
     "publish": "yarn npm publish",
     "test": "NODE_ENV=test jest"
   }

src/aws/cis-1.4.0/.npmignore

@@ -0,0 +1,8 @@
+rules/
+tests/
+*.bak
+.*
+jest.config.js
+tsconfig.json
+**/*.ts
+!dist/index.d.ts

src/aws/cis-1.4.0/.releaserc.yml

@@ -0,0 +1,35 @@
+---
+branches:
+  - name: main
+  - name: beta
+    prerelease: true
+  - name: alpha
+    prerelease: true
+plugins:
+  - "@semantic-release/commit-analyzer"
+  - "@semantic-release/release-notes-generator"
+  - - "@semantic-release/changelog"
+    - changelogFile: CHANGELOG.md
+  - - "@semantic-release/git"
+    - assets:
+      - CHANGELOG.md
+      - package.json
+  - - "@semantic-release/npm"
+    - npmPublish: false
+  - "@semantic-release/gitlab"
+verifyConditions:
+  - "@semantic-release/changelog"
+  - "@semantic-release/gitlab"
+prepare:
+  - "@semantic-release/changelog"
+  - "@semantic-release/npm"
+  - - "@semantic-release/git"
+    - message: "chore(publish): ${nextRelease.version} \n\n${nextRelease.notes}"
+publish:
+  - "@semantic-release/gitlab"
+release:
+   noCi: true
+success: false
+fail: false
+repositoryUrl: https://gitlab.com/auto-cloud/cloudgraph/policy-packs.git
+tagFormat: "${version}"

src/aws/cis-1.4.0/README.md

@@ -0,0 +1,68 @@
+# CIS Amazon Web Services Foundations 1.4.0
+
+Policy Pack based on the [AWS Foundations 1.4.0](https://docs.aws.amazon.com/audit-manager/latest/userguide/CIS-1-4.html) benchmark provided by the [Center for Internet Security (CIS)](https://www.cisecurity.org/benchmark/amazon_web_services/)
+
+## First Steps
+
+1. Install [Cloud Graph CLI](https://docs.cloudgraph.dev/quick-start).
+2. Set up the [AWS Provider](https://www.npmjs.com/package/@cloudgraph/cg-provider-aws) for CG with the `cg init aws` command.
+3. Add Policy Pack for CIS Amazon Web Services Foundations benchmark using `cg policy add aws-cis-1.4.0` command.
+4. Execute the ruleset using the scan command `cg scan aws`.
+5. Query the findings using the different options:
+
+   5a. Querying findings by provider:
+
+   ```graphql
+   query {
+     queryawsFindings {
+       CISFindings {
+         id
+         resourceId
+         result
+       }
+     }
+   }
+   ```
+
+   5b. Querying findings by specific benchmark:
+
+   ```graphql
+   query {
+     queryawsCISFindings {
+       id
+       resourceId
+       result
+     }
+   }
+   ```
+
+   5c. Querying findings by resource:
+
+   ```graphql
+   query {
+     queryawsIamUser {
+       id
+       arn
+       accountId
+       CISFindings {
+         id
+         resourceId
+         result
+       }
+     }
+   }
+   ```
+
+| Rule          | Description                                                                                                                 |
+| ------------  | --------------------------------------------------------------------------------------------------------------------------- |
+| AWS CIS 3.1   | Ensure CloudTrail is enabled in all regions                                                                                 |
+| AWS CIS 3.2   | Ensure CloudTrail log file validation is enabled                                                                            |
+| AWS CIS 3.3   | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible                                               |
+| AWS CIS 3.4   | Ensure CloudTrail trails are integrated with CloudWatch Logs                                                                |
+| AWS CIS 3.5   | Ensure AWS Config is enabled in all regions                                                                                 |
+| AWS CIS 3.6   | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket                                                      |
+| AWS CIS 3.7   | Ensure CloudTrail logs are encrypted at rest using KMS CMKs                                                                 |
+| AWS CIS 3.8   | Ensure rotation for customer created CMKs is enabled                                                                        |
+| AWS CIS 3.9   | Ensure VPC flow logging is enabled in all VPCs                                                                              |
+| AWS CIS 3.10  | Ensure that Object-level logging for write events is enabled for S3 bucket                                                  |
+| AWS CIS 3.11  | Ensure that Object-level logging for read events is enabled for S3 bucket                                                   |

src/aws/cis-1.4.0/index.ts

@@ -0,0 +1,8 @@
+import PolicyPacksRules from './rules'
+
+export default {
+  provider: 'aws',
+  entity: 'CIS',
+  rules: PolicyPacksRules,
+  extraFields: ['arn', 'accountId'],
+}

src/aws/cis-1.4.0/jest.config.js

@@ -0,0 +1,7 @@
+/** @type {import('@ts-jest/dist/types').InitialOptionsTsJest} */
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  testMatch: ['<rootDir>/tests/**/*.test.ts'],
+  testPathIgnorePatterns: ['<rootDir>/lib/', '<rootDir>/node_modules/'],
+}

src/aws/cis-1.4.0/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@cloudgraph/policy-pack-aws-cis-1.4.0",
+  "description": "Policy pack implementing CIS Amazon Web Services Foundations 1.4.0 Benchmark",
+  "version": "0.0.1",
+  "author": "AutoCloud",
+  "license": "MPL-2.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/cloudgraphdev/cloudgraph-policy-packs.git",
+    "directory": "src/aws/cis-1.4.0"
+  },
+  "bugs": {
+    "url": "https://github.com/cloudgraphdev/cloudgraph-policy-packs/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "directories": {
+    "test": "tests"
+  },
+  "devDependencies": {
+    "@autocloud/eslint-config": "^0.1.0",
+    "@cloudgraph/sdk": "^0.18.1",
+    "@types/jest": "^27.0.3",
+    "@types/node": "^15.12.4",
+    "@types/pino": "^6.3.11",
+    "@typescript-eslint/eslint-plugin": "^4.28.5",
+    "@typescript-eslint/parser": "^4.28.5",
+    "cpx": "^1.5.0",
+    "cuid": "^2.1.8",
+    "eslint": "^7.25.0",
+    "eslint-config-airbnb-base": "14.2.1",
+    "eslint-config-prettier": "^6.11.0",
+    "eslint-plugin-import": "^2.22.1",
+    "eslint-plugin-prettier": "^3.4.0",
+    "jest": "^27.0.6",
+    "prettier": "^2.4.1",
+    "shx": "^0.3.3",
+    "ts-jest": "^27.0.4",
+    "tslib": "^1",
+    "typescript": "^4.3.5"
+  },
+  "engines": {
+    "node": ">=14.0.0"
+  },
+  "homepage": "https://www.cloudgraph.dev/",
+  "keywords": [
+    "cloudgraph"
+  ],
+  "prettier": {
+    "semi": false,
+    "singleQuote": true
+  },
+  "scripts": {
+    "build": "yarn prepublish",
+    "lint": "eslint",
+    "prepack": "rm -rf dist && tsc -b",
+    "prepublish": "rm -rf dist && tsc",
+    "publish": "yarn npm publish",
+    "test": "NODE_ENV=test jest"
+  }
+}

src/aws/cis-1.4.0/rules/aws-cis-1.4.0-3.1.ts

@@ -0,0 +1,118 @@
+// AWS CIS 1.2.0 Rule equivalent 2.1
+export default {
+  id: 'aws-cis-1.4.0-3.1',
+  title: 'AWS CIS 3.1 Ensure CloudTrail is enabled in all regions',
+  description: `AWS CloudTrail is a web service that records AWS API calls for your account and delivers
+  log files to you. The recorded information includes the identity of the API caller, the time of
+  the API call, the source IP address of the API caller, the request parameters, and the
+  response elements returned by the AWS service. CloudTrail provides a history of AWS API
+  calls for an account, including API calls made via the Management Console, SDKs, command
+  line tools, and higher-level AWS services (such as CloudFormation).`,
+  audit: `Perform the following to determine if CloudTrail is enabled for all regions:
+  Via the management Console
+
+  1. Sign in to the AWS Management Console and open the CloudTrail console at https://console.aws.amazon.com/cloudtrail
+  2. Click on *Trails* on the left navigation pane
+
+  - You will be presented with a list of trails across all regions
+
+  3. Ensure at least one Trail has *All* specified in the *Region* column
+  4. Click on a trail via the link in the *Name* column
+  5. Ensure *Logging* is set to *ON*
+  6. Ensure *Apply trail to all regions* is set to *Yes*
+  7. In section *Management Events* ensure *Read/Write Events* set to *ALL*
+
+  Via CLI
+
+    aws cloudtrail describe-trails
+
+  Ensure *IsMultiRegionTrail* is set to *true*
+
+    aws cloudtrail get-trail-status --name <trailname shown in describe-trails>
+
+  Ensure *IsLogging* is set to *true*
+
+    aws cloudtrail get-event-selectors --trail-name <trailname shown in describe-trails>
+
+  Ensure there is at least one Event Selector for a Trail with *IncludeManagementEvents* set to *true* and *ReadWriteType* set to *All*`,
+  rationale: `The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing. Additionally,
+
+  - ensuring that a multi-regions trail exists will ensure that unexpected activity occurring in otherwise unused regions is detected
+  - ensuring that a multi-regions trail exists will ensure that Global Service Logging is enabled for a trail by default to capture recording of events generated on AWS global services
+  - for a multi-regions trail, ensuring that management events configured for all type of Read/Writes ensures recording of management operations that are performed on all resources in an AWS account`,
+  remediation: `Perform the following to enable global (Multi-region) CloudTrail logging:
+  Via the management Console
+
+  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/cloudtrail
+  2. Click on *Trails* on the left navigation pane
+  3. Click *Get Started Now*, if presented
+
+
+  - Click *Add new trail*
+  - Enter a trail name in the *Trail* name box
+  - Set the *Apply trail to all regions* option to Yes
+  - Specify an S3 bucket name in the *S3 bucket* box
+  - Click *Create*
+
+  4. If 1 or more trails already exist, select the target trail to enable for global logging
+  5. Click the edit icon (pencil) next to *Apply trail to all regions* , Click *Yes* and Click *Save*.
+  6. Click the edit icon (pencil) next to *Management Events* click All for setting Read/Write Events and Click *Save*.
+
+  Via CLI
+
+    aws cloudtrail create-trail --name <trail_name> --bucket-name <s3_bucket_for_cloudtrail> --is-multi-region-trail
+    aws cloudtrail update-trail --name <trail_name> --is-multi-region-trail
+
+  Note: Creating CloudTrail via CLI without providing any overriding options configures *Management Events* to set *All* type of *Read/Writes* by default.`,
+  references: [
+    'CCE-78913-1',
+    'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-concepts.html#cloudtrail-concepts-management-events',
+    'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html?icmpid=docs_cloudtrail_console#logging-management-events',
+    'https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html#cloud-trail-supported-services-data-events',
+  ],
+  gql: `{
+    queryawsAccount { 
+      id
+      __typename
+      cloudtrail {
+        isMultiRegionTrail
+        status {
+          isLogging
+        }
+        eventSelectors {
+          readWriteType
+          includeManagementEvents
+        }
+      }
+    }
+  }`,
+  resource: 'queryawsAccount[*]',
+  severity: 'medium',
+  conditions: {
+    path: '@.cloudtrail',
+    array_any: {
+      and: [
+        {
+          path: '[*].isMultiRegionTrail',
+          equal: 'Yes',
+        },
+        {
+          path: '[*].status.isLogging',
+          equal: true,
+        },
+        {
+          path: '[*].eventSelectors',
+          array_any: {
+            and: [
+              { path: '[*].readWriteType', equal: 'All' },
+              {
+                path: '[*].includeManagementEvents',
+                equal: true,
+              },
+            ],
+          },
+        },
+      ],
+    },
+  },
+}