Merge pull request #51 from cloudgraphdev/beta
RELEASE
ckoning authored May 26, 2022
2 parents e854a37 + ad3fcc3 commit 867de24
Showing 137 changed files with 18,878 additions and 467 deletions.
2 changes: 2 additions & 0 deletions .npmrc
@@ -0,0 +1,2 @@
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
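Review bot: `${NPM_TOKEN}` in a committed `.npmrc` is expanded by npm on every invocation, so any `npm` command run where `NPM_TOKEN` is unset (a fresh clone, a contributor's machine, a non-release CI job) fails with an unresolved-env-variable error instead of falling back to unauthenticated access. If the token is only needed for publishing, consider having the release job write this line rather than committing it, or document the requirement; either way `NPM_TOKEN` should hold a publish-only automation token and the file must never contain a literal value.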

2 changes: 2 additions & 0 deletions .yarnrc.yml
@@ -1,3 +1,5 @@
nodeLinker: node-modules

npmScopes:
cloudgraph:
npmAlwaysAuth: true
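Review bot: `npmAlwaysAuth: true` under `npmScopes.cloudgraph` makes Yarn send credentials on every request to the `@cloudgraph` scope, but this hunk sets no `npmAuthToken` for the scope, and Yarn 2+ (the `.yarnrc.yml` format used here) does not read `.npmrc`. Confirm the token reaches Yarn another way (for example the `YARN_NPM_AUTH_TOKEN` environment variable); otherwise installs that resolve `@cloudgraph/*` packages will fail with an authentication error.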
11 changes: 7 additions & 4 deletions README.md
Expand Up @@ -26,7 +26,10 @@ cg scan aws gcp azure

| Benchmark |
| ---------------------------
| [CIS Amazon Web Services Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.2.0) |
| [CIS Google Cloud Platform Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-gcp-cis-1.2.0) |
| [CIS Microsoft Azure Foundations 1.3.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-azure-cis-1.3.1) |
| [PCI Data Security Standard version 3.2.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-pci-dss-3.2.1) |
| [CIS Amazon Web Services Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.2.0) |
| [CIS Amazon Web Services Foundations 1.3.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.3.0) |
| [CIS Amazon Web Services Foundations 1.4.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-cis-1.4.0) |
| [CIS Google Cloud Platform Foundations 1.2.0](https://www.npmjs.com/package/@cloudgraph/policy-pack-gcp-cis-1.2.0) |
| [CIS Microsoft Azure Foundations 1.3.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-azure-cis-1.3.1) |
| [AWS PCI Data Security Standard version 3.2.1](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-pci-dss-3.2.1) |
| [NIST 800-53 Rev. 4 for Amazon Web Services](https://www.npmjs.com/package/@cloudgraph/policy-pack-aws-nist-800-53-rev4) |
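Review bot: the separator row `| ---------------------------` (unchanged context in this hunk) has no closing pipe, while every other row, including the new benchmark rows, closes with `|`; adding one keeps the table consistent across renderers. Also, the renamed row `AWS PCI Data Security Standard version 3.2.1` puts the provider first while the new `NIST 800-53 Rev. 4 for Amazon Web Services` row puts it last; one convention would read better.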
3 changes: 2 additions & 1 deletion package.json
Expand Up @@ -18,6 +18,7 @@
"@semantic-release/github": "^8.0.1",
"@semantic-release/npm": "^9.0.1",
"@semrel-extra/npm": "^1.2.0",
"npm": "^8.8.0",
"semantic-release": "^19.0.2"
},
"resolutions": {
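Review bot: `"npm": "^8.8.0"` adds the npm CLI itself as a dev dependency with a caret range, so the npm used by the release step can drift to any later 8.x whenever the lockfile is refreshed; if it was added so the release tooling shells out to a known npm, pin it exactly (`8.8.0`) so publish behaviour stays reproducible.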
Expand All @@ -31,7 +32,7 @@
"singleQuote": true
},
"scripts": {
"release": "NPM_CONFIG_IGNORE_SCRIPTS='true' NODE_JQ_SKIP_INSTALL_BINARY='true' multi-semantic-release",
"release": "NODE_AUTH_TOKEN=$NPM_TOKEN NPM_CONFIG_IGNORE_SCRIPTS='true' NODE_JQ_SKIP_INSTALL_BINARY='true' multi-semantic-release --ignore-scripts",
"clean": "yarn workspaces foreach -p run clean",
"lint": "yarn workspaces foreach run lint",
"lint:fix": "yarn workspaces foreach run lint:fix",
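Review bot: in the new `release` script, `NODE_AUTH_TOKEN=$NPM_TOKEN` silently sets an empty token when `NPM_TOKEN` is absent, so a misconfigured CI job runs all the way to the publish step before failing; `NODE_AUTH_TOKEN=${NPM_TOKEN:?NPM_TOKEN is required}` makes the shell fail fast with a clear message. Also confirm that `--ignore-scripts` is a flag `multi-semantic-release` accepts, since `NPM_CONFIG_IGNORE_SCRIPTS='true'` already disables npm lifecycle scripts and the flag may be redundant.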
32 changes: 17 additions & 15 deletions src/aws/cis-1.3.0/.releaserc.yml
@@ -1,35 +1,37 @@
---
branches:
- name: main
- name: beta
prerelease: true
- name: alpha
channel: alpha
prerelease: true
- name: beta
channel: beta
prerelease: true
- name: main

plugins:
- "@semantic-release/commit-analyzer"
- "@semantic-release/release-notes-generator"
- - "@semantic-release/changelog"
- changelogFile: CHANGELOG.md
- - "@semantic-release/git"
- assets:
- CHANGELOG.md
- package.json
- - "@semantic-release/npm"
- npmPublish: false
- "@semantic-release/gitlab"
- CHANGELOG.md
- package.json
- - "@semrel-extra/npm"
- npmPublish: true
- "@semantic-release/github"
verifyConditions:
- "@semantic-release/changelog"
- "@semantic-release/gitlab"
- "@semantic-release/github"
- "@semrel-extra/npm"
prepare:
- "@semantic-release/changelog"
- "@semantic-release/npm"
- "@semrel-extra/npm"
- - "@semantic-release/git"
- message: "chore(publish): ${nextRelease.version} \n\n${nextRelease.notes}"
- message: "chore(release): ${nextRelease.version} \n\n${nextRelease.notes}"
publish:
- "@semantic-release/gitlab"
release:
noCi: true
- "@semantic-release/github"
- "@semrel-extra/npm"
success: false
fail: false
repositoryUrl: https://gitlab.com/auto-cloud/cloudgraph/policy-packs.git
tagFormat: "${version}"
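Review bot: the `prepare:` list now contains both `@semantic-release/npm` and `@semrel-extra/npm`; if both entries survive the diff, two npm prepare steps run against the same package, so one should be dropped. Likewise `verifyConditions:` and `publish:` still list `@semantic-release/gitlab` alongside the new `@semantic-release/github`, and `repositoryUrl` still points at `gitlab.com`; with both configured a release needs a valid GitLab token as well as a GitHub token and posts release notes to both hosts. Confirm the GitLab entries and `repositoryUrl` were meant to remain after the move to GitHub.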
30 changes: 30 additions & 0 deletions src/aws/cis-1.3.0/README.md
Expand Up @@ -60,12 +60,39 @@ Policy Pack based on the [AWS Foundations 1.3.0](https://docs.aws.amazon.com/aud
| AWS CIS 1.1 | Maintain current contact details |
| AWS CIS 1.2 | Ensure security contact information is registered |
| AWS CIS 1.3 | Ensure security questions are registered in the AWS account |
| AWS CIS 1.4 | Ensure no 'root' user account access key exists |
| AWS CIS 1.5 | Ensure MFA is enabled for the 'root user' account |
| AWS CIS 1.6 | Ensure hardware MFA is enabled for the 'root' user account |
| AWS CIS 1.7 | Eliminate use of the root user for administrative and daily tasks |
| AWS CIS 1.8 | Ensure IAM password policy requires minimum length of 14 or greater |
| AWS CIS 1.9 | Ensure IAM password policy prevents password reuse |
| AWS CIS 1.10 | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password |
| AWS CIS 1.11 | Do not setup access keys during initial user setup for all IAM users that have a console password |
| AWS CIS 1.12 | Ensure credentials unused for 90 days or greater are disabled |
| AWS CIS 1.13 | Ensure there is only one active access key available for any single IAM user |
| AWS CIS 1.14 | Ensure access keys are rotated every 90 days or less |
| AWS CIS 1.15 | Ensure IAM Users Receive Permissions Only Through Groups |
| AWS CIS 1.16 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached |
| AWS CIS 1.17 | Ensure a support role has been created to manage incidents with AWS Support |
| AWS CIS 1.18 | Ensure IAM instance roles are used for AWS resource access from instances |
| AWS CIS 1.19 | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed |
| AWS CIS 1.20 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' |
| AWS CIS 1.21 | Ensure that IAM Access analyzer is enabled |
| AWS CIS 1.22 | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments |
| AWS CIS 2.1.1 | Ensure all S3 buckets employ encryption-at-rest |
| AWS CIS 2.1.2 | Ensure S3 Bucket Policy allows HTTPS requests |
| AWS CIS 2.2.1 | Ensure EBS volume encryption is enabled |
| AWS CIS 3.1 | Ensure CloudTrail is enabled in all regions |
| AWS CIS 3.2 | Ensure CloudTrail log file validation is enabled |
| AWS CIS 3.3 | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible |
| AWS CIS 3.4 | Ensure CloudTrail trails are integrated with CloudWatch Logs |
| AWS CIS 3.5 | Ensure AWS Config is enabled in all regions |
| AWS CIS 3.6 | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket |
| AWS CIS 3.7 | Ensure CloudTrail logs are encrypted at rest using KMS CMKs |
| AWS CIS 3.8 | Ensure rotation for customer created CMKs is enabled |
| AWS CIS 3.9 | Ensure VPC flow logging is enabled in all VPCs |
| AWS CIS 3.10 | Ensure that Object-level logging for write events is enabled for S3 bucket |
| AWS CIS 3.11 | Ensure that Object-level logging for read events is enabled for S3 bucket |
| AWS CIS 4.1 | Ensure a log metric filter and alarm exist for unauthorized API calls |
| AWS CIS 4.2 | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA |
| AWS CIS 4.3 | Ensure a log metric filter and alarm exist for usage of 'root' account |
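Review bot: row `AWS CIS 1.11` uses `setup` as a verb (`Do not setup access keys`); the verb form is `set up`. Row `AWS CIS 1.15` is title-cased (`Ensure IAM Users Receive Permissions Only Through Groups`) while every other row is sentence-cased; matching the rest keeps the table consistent.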
Expand All @@ -81,4 +108,7 @@ Policy Pack based on the [AWS Foundations 1.3.0](https://docs.aws.amazon.com/aud
| AWS CIS 4.13 | Ensure a log metric filter and alarm exist for route table changes |
| AWS CIS 4.14 | Ensure a log metric filter and alarm exist for VPC changes |
| AWS CIS 4.15 | Ensure a log metric filter and alarm exists for AWS Organizations changes |
| AWS CIS 5.1 | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports |
| AWS CIS 5.2 | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports |
| AWS CIS 5.3 | Ensure the default security group of every VPC restricts all traffic |
| AWS CIS 5.4 | Ensure routing tables for VPC peering are "least access" |
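Review bot: row `AWS CIS 4.15` reads `alarm exists` where the neighbouring 4.13 and 4.14 rows use `alarm exist` (plural subject `filter and alarm`); align the wording.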
94 changes: 94 additions & 0 deletions src/aws/cis-1.3.0/rules/aws-cis-1.3.0-1.10.ts
@@ -0,0 +1,94 @@
// AWS CIS 1.2.0 Rule equivalent 1.2
export default {
id: 'aws-cis-1.3.0-1.10',
title: 'AWS CIS 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password',

description: 'Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.',

audit: `Perform the following to determine if a MFA device is enabled for all IAM users having a console password:
**From Console:**
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left pane, select *Users*
3. If the *MFA* or *Password age* columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click *Close*.
4. Ensure that for each user where the *Password age* column shows a password age, the MFA column shows *Virtual*, *U2F Security Key*, or *Hardware*.
**From Command Line:**
1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status:
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8
2. The output of this command will produce a table similar to the following:
user,password_enabled,mfa_active
elise,false,false
brandon,true,true
rakesh,false,false
helene,false,false
paras,true,true
anitha,false,false
3. For any column having *password_enabled* set to *true*, ensure *mfa_active* is also set to *true*.`,

rationale: 'Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.',

remediation: `Perform the following to enable MFA:
**From Console:**
1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'
2. In the left pane, select *Users*.
3. In the *User Name* list, choose the name of the intended MFA user.
4. Choose the *Security Credentials* tab, and then choose *Manage MFA Device*.
5. In the *Manage MFA Device wizard*, choose *Virtual MFA* device, and then choose *Continue*.
IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
7. Determine whether the MFA app supports QR codes, and then do one of the following:
- Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
- In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
When you are finished, the virtual MFA device starts generating one-time passwords.
8. In the *Manage MFA Device wizard*, in the *MFA Code 1 box*, type the *one-time password* that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second *one-time password* into the *MFA Code 2 box*.
9. Click *Assign MFA*.`,

references: [
'https://tools.ietf.org/html/rfc6238',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html',
'CCE-78901-6',
'https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users',
],
gql: `{
queryawsIamUser {
id
arn
accountId
__typename
passwordEnabled
mfaActive
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'high',
conditions: {
or: [
{
path: '@.passwordEnabled',
equal: false,
},
{
path: '@.mfaActive',
equal: true,
}
]
},
}
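Review bot: the pass condition (`passwordEnabled` equal `false` OR `mfaActive` equal `true`) matches audit step 3, but neither branch handles a missing value: the AWS credential report gives `password_enabled` as `not_supported` for the `<root_account>` row, and if the provider maps that to `null`, the `equal: false` branch is false and that principal fails a rule that does not target it (root MFA is covered by 1.5 and 1.6). Confirm how `queryawsIamUser` populates `passwordEnabled` for that row, or add an explicit condition for it. Minor: `'CCE-78901-6'` in `references` is a bare identifier among URLs; if the list is rendered as links it should be labelled or moved to its own field.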