-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'alpha' into feature/CG-1099
- Loading branch information
Showing
24 changed files
with
2,951 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
// AWS CIS 1.2.0 Rule equivalent 1.2 | ||
export default { | ||
id: 'aws-cis-1.4.0-1.10', | ||
title: 'AWS CIS 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password', | ||
|
||
description: 'Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.', | ||
|
||
audit: `Perform the following to determine if a MFA device is enabled for all IAM users having a console password: | ||
**From Console:** | ||
1. Open the IAM console at https://console.aws.amazon.com/iam/. | ||
2. In the left pane, select *Users* | ||
3. If the *MFA* or *Password age* columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click *Close*. | ||
4. Ensure that for each user where the *Password age* column shows a password age, the MFA column shows *Virtual*, *U2F Security Key*, or *Hardware*. | ||
**From Command Line:** | ||
1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status: | ||
aws iam generate-credential-report | ||
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8 | ||
2. The output of this command will produce a table similar to the following: | ||
user,password_enabled,mfa_active | ||
elise,false,false | ||
brandon,true,true | ||
rakesh,false,false | ||
helene,false,false | ||
paras,true,true | ||
anitha,false,false | ||
3. For any column having *password_enabled* set to *true*, ensure *mfa_active* is also set to *true*.`, | ||
|
||
rationale: 'Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.', | ||
|
||
remediation: `Perform the following to enable MFA: | ||
**From Console:** | ||
1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/' | ||
2. In the left pane, select *Users*. | ||
3. In the *User Name* list, choose the name of the intended MFA user. | ||
4. Choose the *Security Credentials* tab, and then choose *Manage MFA Device*. | ||
5. In the *Manage MFA Device wizard*, choose *Virtual MFA* device, and then choose *Continue*. | ||
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes. | ||
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device). | ||
7. Determine whether the MFA app supports QR codes, and then do one of the following: | ||
- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code. | ||
- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application. | ||
When you are finished, the virtual MFA device starts generating one-time passwords. | ||
8. In the *Manage MFA Device wizard*, in the *MFA Code 1 box*, type the *one-time password* that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second *one-time password* into the *MFA Code 2 box*. | ||
9. Click *Assign MFA*.`, | ||
|
||
references: [ | ||
'https://tools.ietf.org/html/rfc6238', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html', | ||
'CCE-78901-6', | ||
'https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users', | ||
], | ||
gql: `{ | ||
queryawsIamUser { | ||
id | ||
arn | ||
accountId | ||
__typename | ||
passwordEnabled | ||
mfaActive | ||
} | ||
}`, | ||
resource: 'queryawsIamUser[*]', | ||
severity: 'high', | ||
conditions: { | ||
or: [ | ||
{ | ||
path: '@.passwordEnabled', | ||
equal: false, | ||
}, | ||
{ | ||
path: '@.mfaActive', | ||
equal: true, | ||
} | ||
] | ||
}, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
// AWS CIS 1.2.0 Rule equivalent 1.3 | ||
export default { | ||
id: 'aws-cis-1.4.0-1.12', | ||
title: 'AWS CIS 1.12 Ensure credentials unused for 45 days or greater are disabled', | ||
|
||
description: 'AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.', | ||
|
||
audit: `Perform the following to determine if unused credentials exist: | ||
**From Console:** | ||
1. Login to the AWS Management Console | ||
2. Click *Services* | ||
3. Click *IAM* | ||
4. Click on *Users* | ||
5. Click the *Settings* (gear) icon. | ||
6. Select *Console last sign-in*, *Access key last used*, and *Access Key Id* | ||
7. Click on *Close* | ||
8. Check and ensure that *Console last sign-in* is less than 45 days ago. | ||
**Note** - *Never* means the user has never logged in. | ||
9. Check and ensure that *Access key age* is less than 45 days and that *Access key last used* does not say *None* | ||
If the user hasn't signed into the Console in the last 45 days or Access keys are over 45 days old refer to the remediation. | ||
**From Command Line:** | ||
**Download Credential Report:** | ||
1. Run the following commands: | ||
aws iam generate-credential-report | ||
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,5,6,9,10,11,14,15,16 | ||
**Ensure unused credentials do not exist:** | ||
2. For each user having *password_enabled* set to *TRUE*, ensure *password_last_used_date* is less than *45* days ago. | ||
- When *password_enabled* is set to *TRUE* and password_last_used is set to No_Information , ensure *password_last_changed* is less than *45* days ago. | ||
3. For each user having an *access_key_1_active* or *access_key_2_active* to *TRUE* , ensure the corresponding *access_key_n_last_used_date* is less than *45* days ago. | ||
- When a user having an *access_key_x_active* (where x is 1 or 2) to *TRUE* and corresponding access_key_x_last_used_date is set to *N/A*', *ensure* access_key_x_last_rotated is less than 45 days ago.`, | ||
|
||
rationale: 'Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.', | ||
|
||
remediation: `**From Console:** | ||
Perform the following to manage Unused Password (IAM user console access) | ||
1. Login to the AWS Management Console: | ||
2. Click *Services* | ||
3. Click *IAM* | ||
4. Click on *Users* | ||
5. Click on *Security Credentials* | ||
6. Select user whose *Console last sign-in* is greater than 45 days | ||
7. Click *Security credentials* | ||
8. In section *Sign-in credentials*, *Console password* click *Manage* | ||
9. Under Console Access select *Disable* | ||
10. Click *Apply* | ||
Perform the following to deactivate Access Keys: | ||
1. Login to the AWS Management Console: | ||
2. Click *Services* | ||
3. Click *IAM* | ||
4. Click on *Users* | ||
5. Click on *Security Credentials* | ||
6. Select any access keys that are over 45 days old and that have been used and | ||
- Click on *Make Inactive* | ||
7. Select any access keys that are over 45 days old and that have not been used and | ||
- Click the X to *Delete*`, | ||
|
||
references: [ | ||
'CCE-78900-8', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#remove-credentials', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_finding-unused.html', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html', | ||
], | ||
gql: `{ | ||
queryawsIamUser { | ||
id | ||
arn | ||
accountId | ||
__typename | ||
passwordLastUsed | ||
accessKeyData { | ||
lastUsedDate | ||
} | ||
} | ||
}`, | ||
resource: 'queryawsIamUser[*]', | ||
severity: 'medium', | ||
conditions: { | ||
or: [ | ||
{ | ||
and: [ | ||
{ | ||
path: '@.accessKeyData', | ||
isEmpty: true | ||
}, | ||
{ | ||
not: { | ||
path: '@.passwordLastUsed', | ||
notIn: [null, 'N/A', ''] | ||
} | ||
} | ||
] | ||
}, | ||
{ | ||
value: { daysAgo: {}, path: '@.passwordLastUsed' }, | ||
lessThanInclusive: 45, | ||
}, | ||
{ | ||
path: '@.accessKeyData', | ||
array_any: { | ||
value: { daysAgo: {}, path: '[*].lastUsedDate' }, | ||
lessThanInclusive: 45, | ||
}, | ||
}, | ||
], | ||
}, | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,92 @@ | ||
export default { | ||
id: 'aws-cis-1.4.0-1.13', | ||
title: 'AWS CIS 1.13 Ensure there is only one active access key available for any single IAM user', | ||
|
||
description: 'Access keys are long-term credentials for an IAM user or the AWS account \'root\' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK)', | ||
|
||
audit: `**From Console:** | ||
1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/. | ||
2. In the left navigation panel, choose Users. | ||
3. Click on the IAM user name that you want to examine. | ||
4. On the IAM user configuration page, select Security Credentials tab. | ||
5. Under Access Keys section, in the Status column, check the current status for each access key associated with the IAM user. If the selected IAM user has more than one access key activated then the users access configuration does not adhere to security best practices and the risk of accidental exposures increases. | ||
- Repeat steps no. 3 – 5 for each IAM user in your AWS account. | ||
**From Command Line:** | ||
1. Run list-users command to list all IAM users within your account: | ||
aws iam list-users --query "Users[*].UserName | ||
2. Run list-access-keys command using the IAM user name list to return the current status of each access key associated with the selected IAM user: | ||
aws iam list-access-keys --user-name <user-name> | ||
The command output should expose the metadata ("Username", "AccessKeyId", "Status", "CreateDate") for each access key on that user account. | ||
3. Check the Status property value for each key returned to determine each keys current state. If the Status property value for more than one IAM access key is set to Active, the user access configuration does not adhere to this recommendation, refer to the remediation below. | ||
- Repeat steps no. 2 and 3 for each IAM user in your AWS account." | ||
The command output should return an array that contains all your IAM user names.`, | ||
|
||
rationale: 'Access keys are long-term credentials for an IAM user or the AWS account \'root\' user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys.', | ||
|
||
remediation: `**From Console:** | ||
1. Sign in to the AWS Management Console and navigate to IAM dashboard at https://console.aws.amazon.com/iam/. | ||
2. In the left navigation panel, choose Users. | ||
3. Click on the IAM user name that you want to examine. | ||
4. On the IAM user configuration page, select Security Credentials tab. | ||
5. In Access Keys section, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. | ||
6. In the same Access Keys section, identify your non-operational access keys (other than the chosen one) and deactivate it by clicking the Make Inactive link. | ||
7. If you receive the Change Key Status confirmation box, click Deactivate to switch off the selected key. | ||
8. Repeat steps no. 3 – 7 for each IAM user in your AWS account. | ||
**From Command Line:** | ||
1. Using the IAM user and access key information provided in the Audit CLI, choose one access key that is less than 90 days old. This should be the only active key used by this IAM user to access AWS resources programmatically. Test your application(s) to make sure that the chosen access key is working. | ||
2. Run the update-access-key command below using the IAM user name and the non-operational access key IDs to deactivate the unnecessary key(s). Refer to the Audit section to identify the unnecessary access key ID for the selected IAM user | ||
**Note** - the command does not return any output: | ||
aws iam update-access-key --access-key-id <access-key-id> --status Inactive --user-name <user-name> | ||
3. To confirm that the selected access key pair has been successfully deactivated run the list-access-keys audit command again for that IAM User: | ||
aws iam list-access-keys --user-name <user-name> | ||
- The command output should expose the metadata for each access key associated with the IAM user. If the non-operational key pair(s) Status is set to Inactive, the key has been successfully deactivated and the IAM user access configuration adheres now to this recommendation. | ||
4. Repeat steps no. 1 – 3 for each IAM user in your AWS account.`, | ||
|
||
references: [ | ||
'https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html', | ||
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html', | ||
], | ||
gql: `{ | ||
queryawsIamUser { | ||
id | ||
arn | ||
accountId | ||
__typename | ||
accessKeyData { | ||
status | ||
} | ||
} | ||
}`, | ||
resource: 'queryawsIamUser[*]', | ||
severity: 'medium', | ||
conditions: { | ||
jq: '.accessKeyData | map(select(.status == "Active")) | { "oneOrLess" : (length <= 1) }', | ||
path: '@', | ||
and: [ | ||
{ | ||
path: '@.oneOrLess', | ||
equal: true, | ||
}, | ||
], | ||
}, | ||
} |
Oops, something went wrong.