feat: Support rules that overlap with AWS CIS checks [NETWORK ACCESS RULES]
m-pizarro committed Apr 21, 2022
1 parent ca64ba2 commit b96e357
Showing 41 changed files with 4,638 additions and 30 deletions.
98 changes: 68 additions & 30 deletions src/aws/nist-800-53-rev4/README.md
@@ -56,33 +56,71 @@ Policy Pack based on the [800-53 Rev. 4](https://csrc.nist.gov/publications/deta

## Available Ruleset

| Rule | Description |
| ------------ | -------------------------------------------------------------------------------------------------------- |
| AWS NIS 1.1 | IAM role trust policies should not allow all principals to assume the role |
| AWS NIS 1.2 | IAM roles attached to instance profiles should not allow broad list actions on S3 buckets |
| AWS NIS 1.3 | S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files |
| AWS NIS 2.1 | Auto Scaling groups should span two or more availability zones |
| AWS NIS 2.2 | ELBv1 load balancer cross zone load balancing should be enabled |
| AWS NIS 2.3 | RDS Aurora cluster multi-AZ should be enabled |
| AWS NIS 2.4 | Require Multi Availability Zones turned on for RDS Instances |
| AWS NIS 2.5 | S3 bucket replication (cross-region or same-region) should be enabled |
| AWS NIS 3.1 | CloudTrail log files should be encrypted with customer managed KMS keys |
| AWS NIS 3.2 | CloudWatch log groups should be encrypted with customer managed KMS keys |
| AWS NIS 3.3 | DynamoDB tables should be encrypted with AWS or customer managed KMS keys |
| AWS NIS 3.4 | EBS volume encryption should be enabled |
| AWS NIS 3.5 | RDS instances should be encrypted |
| AWS NIS 3.6 | S3 bucket server-side encryption should be enabled |
| AWS NIS 3.7 | SQS queue server-side encryption should be enabled with KMS keys |
| AWS NIS 4.1 | CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only |
| AWS NIS 4.2 | CloudFront viewer protocol policy should be set to https-only or redirect-to-https |
| AWS NIS 4.3 | ElastiCache transport encryption should be enabled |
| AWS NIS 4.4 | ELBv1 listener protocol should not be set to http |
| AWS NIS 4.5 | S3 bucket policies should only allow requests that use HTTPS |
| AWS NIS 4.6 | SNS subscriptions should deny access via HTTP |
| AWS NIS 6.1 | CloudFront access logging should be enabled |
| AWS NIS 6.4 | CloudTrail should have at least one CloudTrail trail set to a multi-region trail |
| AWS NIS 6.6 | CloudTrail trails should be configured to log management events |
| AWS NIS 6.8 | Exactly one CloudTrail trail should monitor global services |
| AWS NIS 6.9 | Load balancer access logging should be enabled |
| AWS NIS 6.12 | S3 bucket object-level logging for read events should be enabled |
| AWS NIS 6.13 | S3 bucket object-level logging for write events should be enabled |
| Rule | Description |
| ------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
| AWS NIS 1.1 | IAM role trust policies should not allow all principals to assume the role |
| AWS NIS 1.2 | IAM roles attached to instance profiles should not allow broad list actions on S3 buckets |
| AWS NIS 1.3 | S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files |
| AWS NIS 2.1 | Auto Scaling groups should span two or more availability zones |
| AWS NIS 2.2 | ELBv1 load balancer cross zone load balancing should be enabled |
| AWS NIS 2.3 | RDS Aurora cluster multi-AZ should be enabled |
| AWS NIS 2.4 | Require Multi Availability Zones turned on for RDS Instances |
| AWS NIS 2.5 | S3 bucket replication (cross-region or same-region) should be enabled |
| AWS NIS 3.1 | CloudTrail log files should be encrypted with customer managed KMS keys |
| AWS NIS 3.2 | CloudWatch log groups should be encrypted with customer managed KMS keys |
| AWS NIS 3.3 | DynamoDB tables should be encrypted with AWS or customer managed KMS keys |
| AWS NIS 3.4 | EBS volume encryption should be enabled |
| AWS NIS 3.5 | RDS instances should be encrypted |
| AWS NIS 3.6 | S3 bucket server-side encryption should be enabled |
| AWS NIS 3.7 | SQS queue server-side encryption should be enabled with KMS keys |
| AWS NIS 4.1 | CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only |
| AWS NIS 4.2 | CloudFront viewer protocol policy should be set to https-only or redirect-to-https |
| AWS NIS 4.3 | ElastiCache transport encryption should be enabled |
| AWS NIS 4.4 | ELBv1 listener protocol should not be set to http |
| AWS NIS 4.5 | S3 bucket policies should only allow requests that use HTTPS |
| AWS NIS 4.6 | SNS subscriptions should deny access via HTTP |
| AWS NIS 6.1 | CloudFront access logging should be enabled |
| AWS NIS 6.4 | CloudTrail should have at least one CloudTrail trail set to a multi-region trail |
| AWS NIS 6.6 | CloudTrail trails should be configured to log management events |
| AWS NIS 6.8 | Exactly one CloudTrail trail should monitor global services |
| AWS NIS 6.9 | Load balancer access logging should be enabled |
| AWS NIS 6.12 | S3 bucket object-level logging for read events should be enabled |
| AWS NIS 6.13 | S3 bucket object-level logging for write events should be enabled |
| AWS NIS 8.2 | VPC default security group should restrict all traffic |
| AWS NIS 8.9 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol) |
| AWS NIS 8.10 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent) |
| AWS NIS 8.11 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL) |
| AWS NIS 8.12 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra) |
| AWS NIS 8.13 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL) |
| AWS NIS 8.14 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL) |
| AWS NIS 8.15 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger) |
| AWS NIS 8.16 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service) |
| AWS NIS 8.17 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service) |
| AWS NIS 8.18 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service) |
| AWS NIS 8.19 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server) |
| AWS NIS 8.20 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin) |
| AWS NIS 8.21 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH) |
| AWS NIS 8.22 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet) |
| AWS NIS 8.23 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd) |
| AWS NIS 8.24 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser) |
| AWS NIS 8.25 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services) |
| AWS NIS 8.26 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL) |
| AWS NIS 8.27 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB) |
| AWS NIS 8.28 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB) |
| AWS NIS 8.29 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB) |
| AWS NIS 8.30 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server) |
| AWS NIS 8.31 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB) |
| AWS NIS 8.32 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL) |
| AWS NIS 8.33 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master) |
| AWS NIS 8.34 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master) |
| AWS NIS 8.35 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL) |
| AWS NIS 8.36 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing) |
| AWS NIS 8.37 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs |
| AWS NIS 8.38 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing) |
| AWS NIS 8.39 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs |
| AWS NIS 8.40 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate) |
| AWS NIS 8.41 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch) |
| AWS NIS 8.42 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch) |
| AWS NIS 8.43 | VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports |
| AWS NIS 8.44 | VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP) |
| AWS NIS 8.45 | VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports |
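Review bot: The rule identifiers in the new table rows read "AWS NIS 8.x" while the rule files added in this same commit title themselves "AWS NIST 8.x" (see the `title` of aws-nist-800-53-rev4-8.10.ts); pick one spelling for the README and the rule titles so users can grep for a rule by its displayed name. Two smaller consistency points in the same rows: 8.16 says "NetBIOS" while 8.17 and 8.18 say "NetBios", and rows 8.9 (3389) and 8.21 (22) omit the protocol qualifier that every other port row carries ("TCP port 22 (SSH)" would match the rest of the table).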
101 changes: 101 additions & 0 deletions src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.10.ts
@@ -0,0 +1,101 @@
export default {
id: 'aws-nist-800-53-rev4-8.10',
title: 'AWS NIST 8.10 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)',

description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent). Removing unfettered connectivity to a Cassandra OpsCenter Agent reduces the chance of exposing critical data.',

audit: `Perform the following to determine if the account is configured as prescribed:
1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
2. In the left pane, click *Security Groups*
3. For each security group, perform the following:
4. Select the security group
5. Click the *Inbound Rule*s tab
6. Ensure no rule exists that has a port range that includes port *61621* and has a *Source* of *0.0.0.0/0*`,

rationale: 'Removing unfettered connectivity to remote console services, such as Cassandra OpsCenter Agent, reduces a server\'s exposure to risk.',

remediation: `**AWS Console**
- Navigate to [VPC](https://console.aws.amazon.com/vpc/).
- In the left navigation pane, click Security Groups.
- Remove any rules that include port 61621 and have a source of 0.0.0.0/0.
- Click Save.
**AWS CLI**
List all security groups with an ingress rule of 0.0.0.0/0:
aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"
Remove the inbound rule(s) that permits unrestricted ingress to port 61621:
aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 61621 --cidr 0.0.0.0/0
Optionally add a more restrictive ingress rule to the selected Security Group:
aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol tcp --port 61621 --cidr <cidr_block>`,

references: [
'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules',
'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules',
'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html',
'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html',
],
gql: `{
queryawsSecurityGroup{
id
arn
accountId
__typename
inboundRules{
source
toPort
fromPort
}
}
}`,
resource: 'queryawsSecurityGroup[*]',
severity: 'high',
conditions: {
not: {
path: '@.inboundRules',
array_any: {
and: [
{
path: '[*].source',
in: ['0.0.0.0/0', '::/0'],
},
{
or: [
{
and: [
{
path: '[*].fromPort',
equal: null,
},
{
path: '[*].toPort',
equal: null,
},
],
},
{
and: [
{
path: '[*].fromPort',
lessThanInclusive: 61621,
},
{
path: '[*].toPort',
greaterThanInclusive: 61621,
},
],
},
],
},
],
},
},
},
}
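Review bot: The remediation is narrower than the check. The title and description say "TCP/UDP port 61621" and the `conditions` block matches any inbound rule whose port range covers 61621 regardless of protocol, but both CLI commands in `remediation` pass `--protocol tcp` only, so a UDP rule on 61621 would still fail the rule after the documented fix; add a second `aws ec2 revoke-security-group-ingress ... --protocol udp --port 61621 --cidr 0.0.0.0/0` line (and the matching `authorize` line). Likewise the condition's `in: ['0.0.0.0/0', '::/0']` also flags IPv6 any-source rules, while audit step 6 and the remediation bullets mention only 0.0.0.0/0; mention ::/0 there so the manual audit agrees with the automated one. Two nits: in `audit`, `*Inbound Rule*s` has the closing asterisk in the wrong place (should be `*Inbound Rules*`), and it is worth confirming that the `equal: null` branch for `fromPort`/`toPort` is how all-ports rules are actually represented in the security group data, otherwise that branch never matches and "all traffic" rules slip through.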

0 comments on commit b96e357
