diff --git a/src/aws/nist-800-53-rev4/README.md b/src/aws/nist-800-53-rev4/README.md index 0545cc26..2829c59a 100644 --- a/src/aws/nist-800-53-rev4/README.md +++ b/src/aws/nist-800-53-rev4/README.md @@ -56,33 +56,71 @@ Policy Pack based on the [800-53 Rev. 4](https://csrc.nist.gov/publications/deta ## Available Ruleset -| Rule | Description | -| ------------ | -------------------------------------------------------------------------------------------------------- | -| AWS NIS 1.1 | IAM role trust policies should not allow all principals to assume the role | -| AWS NIS 1.2 | IAM roles attached to instance profiles should not allow broad list actions on S3 buckets | -| AWS NIS 1.3 | S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files | -| AWS NIS 2.1 | Auto Scaling groups should span two or more availability zones | -| AWS NIS 2.2 | ELBv1 load balancer cross zone load balancing should be enabled | -| AWS NIS 2.3 | RDS Aurora cluster multi-AZ should be enabled | -| AWS NIS 2.4 | Require Multi Availability Zones turned on for RDS Instances | -| AWS NIS 2.5 | S3 bucket replication (cross-region or same-region) should be enabled | -| AWS NIS 3.1 | CloudTrail log files should be encrypted with customer managed KMS keys | -| AWS NIS 3.2 | CloudWatch log groups should be encrypted with customer managed KMS keys | -| AWS NIS 3.3 | DynamoDB tables should be encrypted with AWS or customer managed KMS keys | -| AWS NIS 3.4 | EBS volume encryption should be enabled | -| AWS NIS 3.5 | RDS instances should be encrypted | -| AWS NIS 3.6 | S3 bucket server-side encryption should be enabled | -| AWS NIS 3.7 | SQS queue server-side encryption should be enabled with KMS keys | -| AWS NIS 4.1 | CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only | -| AWS NIS 4.2 | CloudFront viewer protocol policy should be set to https-only or redirect-to-https | -| AWS NIS 4.3 | ElastiCache transport encryption should be enabled | -| AWS NIS 4.4 | ELBv1 listener protocol should not be set to http | -| AWS NIS 4.5 | S3 bucket policies should only allow requests that use HTTPS | -| AWS NIS 4.6 | SNS subscriptions should deny access via HTTP | -| AWS NIS 6.1 | CloudFront access logging should be enabled | -| AWS NIS 6.4 | CloudTrail should have at least one CloudTrail trail set to a multi-region trail | -| AWS NIS 6.6 | CloudTrail trails should be configured to log management events | -| AWS NIS 6.8 | Exactly one CloudTrail trail should monitor global services | -| AWS NIS 6.9 | Load balancer access logging should be enabled | -| AWS NIS 6.12 | S3 bucket object-level logging for read events should be enabled | -| AWS NIS 6.13 | S3 bucket object-level logging for write events should be enabled | +| Rule | Description | +| ------------ | ---------------------------------------------------------------------------------------------------------------------------------- | +| AWS NIS 1.1 | IAM role trust policies should not allow all principals to assume the role | +| AWS NIS 1.2 | IAM roles attached to instance profiles should not allow broad list actions on S3 buckets | +| AWS NIS 1.3 | S3 bucket ACLs should not have public access on S3 buckets that store CloudTrail log files | +| AWS NIS 2.1 | Auto Scaling groups should span two or more availability zones | +| AWS NIS 2.2 | ELBv1 load balancer cross zone load balancing should be enabled | +| AWS NIS 2.3 | RDS Aurora cluster multi-AZ should be enabled | +| AWS NIS 2.4 | Require Multi Availability Zones turned on for RDS Instances | +| AWS NIS 2.5 | S3 bucket replication (cross-region or same-region) should be enabled | +| AWS NIS 3.1 | CloudTrail log files should be encrypted with customer managed KMS keys | +| AWS NIS 3.2 | CloudWatch log groups should be encrypted with customer managed KMS keys | +| AWS NIS 3.3 | DynamoDB tables should be encrypted with AWS or customer managed KMS keys | +| AWS NIS 3.4 | EBS volume encryption should be enabled | +| AWS NIS 3.5 | RDS instances should be encrypted | +| AWS NIS 3.6 | S3 bucket server-side encryption should be enabled | +| AWS NIS 3.7 | SQS queue server-side encryption should be enabled with KMS keys | +| AWS NIS 4.1 | CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only | +| AWS NIS 4.2 | CloudFront viewer protocol policy should be set to https-only or redirect-to-https | +| AWS NIS 4.3 | ElastiCache transport encryption should be enabled | +| AWS NIS 4.4 | ELBv1 listener protocol should not be set to http | +| AWS NIS 4.5 | S3 bucket policies should only allow requests that use HTTPS | +| AWS NIS 4.6 | SNS subscriptions should deny access via HTTP | +| AWS NIS 6.1 | CloudFront access logging should be enabled | +| AWS NIS 6.4 | CloudTrail should have at least one CloudTrail trail set to a multi-region trail | +| AWS NIS 6.6 | CloudTrail trails should be configured to log management events | +| AWS NIS 6.8 | Exactly one CloudTrail trail should monitor global services | +| AWS NIS 6.9 | Load balancer access logging should be enabled | +| AWS NIS 6.12 | S3 bucket object-level logging for read events should be enabled | +| AWS NIS 6.13 | S3 bucket object-level logging for write events should be enabled | +| AWS NIS 8.2 | VPC default security group should restrict all traffic | +| AWS NIS 8.9 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol) | +| AWS NIS 8.10 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent) | +| AWS NIS 8.11 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL) | +| AWS NIS 8.12 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra) | +| AWS NIS 8.13 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL) | +| AWS NIS 8.14 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL) | +| AWS NIS 8.15 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger) | +| AWS NIS 8.16 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service) | +| AWS NIS 8.17 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service) | +| AWS NIS 8.18 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service) | +| AWS NIS 8.19 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server) | +| AWS NIS 8.20 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin) | +| AWS NIS 8.21 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH) | +| AWS NIS 8.22 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet) | +| AWS NIS 8.23 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd) | +| AWS NIS 8.24 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser) | +| AWS NIS 8.25 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services) | +| AWS NIS 8.26 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL) | +| AWS NIS 8.27 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB) | +| AWS NIS 8.28 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB) | +| AWS NIS 8.29 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB) | +| AWS NIS 8.30 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server) | +| AWS NIS 8.31 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB) | +| AWS NIS 8.32 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL) | +| AWS NIS 8.33 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master) | +| AWS NIS 8.34 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master) | +| AWS NIS 8.35 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL) | +| AWS NIS 8.36 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing) | +| AWS NIS 8.37 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs | +| AWS NIS 8.38 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing) | +| AWS NIS 8.39 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs | +| AWS NIS 8.40 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate) | +| AWS NIS 8.41 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch) | +| AWS NIS 8.42 | VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch) | +| AWS NIS 8.43 | VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports | +| AWS NIS 8.44 | VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP) | +| AWS NIS 8.45 | VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports | diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.10.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.10.ts new file mode 100644 index 00000000..fd72da21 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.10.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.10', + title: 'AWS NIST 8.10 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent). Removing unfettered connectivity to a Cassandra OpsCenter Agent reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *61621* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Cassandra OpsCenter Agent, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 61621 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 61621: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol tcp --port 61621 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol tcp --port 61621 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 61621, + }, + { + path: '[*].toPort', + greaterThanInclusive: 61621, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.11.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.11.ts new file mode 100644 index 00000000..101b2c2b --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.11.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.11', + title: 'AWS NIST 8.11 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL). Removing unfettered connectivity to a LDAP SSL server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *636* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as LDAP SSL, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 636 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 636: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol tcp --port 636 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol tcp --port 636 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 636, + }, + { + path: '[*].toPort', + greaterThanInclusive: 636, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.12.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.12.ts new file mode 100644 index 00000000..eb67fcbf --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.12.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.12', + title: 'AWS NIST 8.12 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra). Removing unfettered connectivity to a Cassandra server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *7001* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Cassandra, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 7001 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 7001: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol tcp --port 7001 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol tcp --port 7001 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 7001, + }, + { + path: '[*].toPort', + greaterThanInclusive: 7001, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.13.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.13.ts new file mode 100644 index 00000000..1695414a --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.13.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.13', + title: 'AWS NIST 8.13 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL). Removing unfettered connectivity to a Memcached SSL server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *11214* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Memcached SSL, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 11214 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 11214: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 11214 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 11214 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 11214, + }, + { + path: '[*].toPort', + greaterThanInclusive: 11214, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.14.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.14.ts new file mode 100644 index 00000000..f98ff46b --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.14.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.14', + title: 'AWS NIST 8.14 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL). Removing unfettered connectivity to a Memcached SSL server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *11215* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Memcached SSL, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 11215 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 11215: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 11215 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 11215 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 11215, + }, + { + path: '[*].toPort', + greaterThanInclusive: 11215, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.15.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.15.ts new file mode 100644 index 00000000..ed4e76e7 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.15.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.15', + title: 'AWS NIST 8.15 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger). Removing unfettered connectivity to a MSSQL Debugger server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *135* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MSSQL Debugger, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 135 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 135: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 135 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 135 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 135, + }, + { + path: '[*].toPort', + greaterThanInclusive: 135, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.16.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.16.ts new file mode 100644 index 00000000..5b36895f --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.16.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.16', + title: 'AWS NIST 8.16 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service). Removing unfettered connectivity to a NetBIOS Name Service server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *137* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as NetBios Name Service, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 137 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 137: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 137 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 137 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 137, + }, + { + path: '[*].toPort', + greaterThanInclusive: 137, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.17.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.17.ts new file mode 100644 index 00000000..4fcb7c1b --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.17.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.17', + title: 'AWS NIST 8.17 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service). Removing unfettered connectivity to a NetBios Datagram Service server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *138* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as NetBios Datagram Service, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 138 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 138: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 138 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 138 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 138, + }, + { + path: '[*].toPort', + greaterThanInclusive: 138, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.18.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.18.ts new file mode 100644 index 00000000..9bedad20 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.18.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.18', + title: 'AWS NIST 8.18 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service). Removing unfettered connectivity to a NetBios Session Service server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *139* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as NetBios Session Service, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 139 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 139: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 139 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 139 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 139, + }, + { + path: '[*].toPort', + greaterThanInclusive: 139, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.19.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.19.ts new file mode 100644 index 00000000..9a4f0802 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.19.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.19', + title: 'AWS NIST 8.19 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1433 (MSSQL Server). Removing unfettered connectivity to a MSSQL Server server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *1433* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MSSQL Server, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 1433 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 1433: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 1433 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 1433 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 1433, + }, + { + path: '[*].toPort', + greaterThanInclusive: 1433, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.2.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.2.ts new file mode 100644 index 00000000..bf520f11 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.2.ts @@ -0,0 +1,116 @@ +export default { + id: 'aws-nist-800-53-rev4-8.2', + title: 'AWS NIST 8.2 VPC default security group should restrict all traffic', + + description: `A VPC comes with a default security group whose initial settings deny all inbound traffic, + allow all outbound traffic, and allow all traffic between instances assigned to the security + group. If you don't specify a security group when you launch an instance, the instance is + automatically assigned to this default security group. Security groups provide stateful + filtering of ingress/egress network traffic to AWS resources. It is recommended that the + default security group restrict all traffic. + + The default VPC in every region should have its default security group updated to comply. + Any newly created VPCs will automatically contain a default security group that will need + remediation to comply with this recommendation. + + **NOTE:** When implementing this recommendation, VPC flow logging is invaluable in + determining the least privilege port access required by systems to work properly because it + can log all packet acceptances and rejections occurring under the current security groups. + This dramatically reduces the primary barrier to least privilege engineering - discovering + the minimum ports required by systems in the environment. Even if the VPC flow logging + recommendation in this benchmark is not adopted as a permanent security measure, it + should be used during any period of discovery and engineering for least privileged security + groups.`, + + audit: `Perform the following to determine if the account is configured as prescribed: + Security Group State + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: + 3. In the left pane, click *Security Groups* + 4. For each default security group, perform the following: + 5. Select the *default* security group + 6. Click the *Inbound Rules* tab + 7. Ensure no rule exist + 8. Click the *Outbound Rules* tab + 9. Ensure no rules exist + + Security Group Members + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region: + 3. In the left pane, click *Security Groups* + 4. Copy the id of the default security group. + 5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home + 6. In the filter column type 'Security Group ID : < security group id from #4 >`, + + rationale: 'Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will, in turn, reduce the exposure of those resources.', + + remediation: `Security Group Members + Perform the following to implement the prescribed state: + + 1. Identify AWS resources that exist within the default security group + 2. Create a set of least privilege security groups for those resources + 3. Place the resources in those security groups + 4. Remove the resources noted in #1 from the default security group + + Security Group State + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. Repeat the next steps for all VPCs - including the default VPC in each AWS region: + 3. In the left pane, click *Security Groups* + 4. For each default security group, perform the following: + 5. Select the *default* security group + 6. Click the *Inbound Rules* tab + 7. Remove any inbound rules + 8. Click the *Outbound Rules* tab + 9. Remove any inbound rules + + Recommended: + IAM groups allow you to edit the "name" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES"`, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html', + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-egress.html', + ], + gql: `{ + queryawsSecurityGroup(filter: { name: { eq: "default" } }) { + id + name + arn + accountId + __typename + inboundRules { + source + } + outboundRules{ + destination + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + or: [ + { + path: '@.inboundRules', + array_any: { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + }, + { + path: '@.outboundRules', + array_any: { + path: '[*].destination', + in: ['0.0.0.0/0', '::/0'], + }, + }, + ], + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.20.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.20.ts new file mode 100644 index 00000000..449fcb7f --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.20.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.20', + title: 'AWS NIST 8.20 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UPD port 1434 (MSSQL Admin). Removing unfettered connectivity to a MSSQL Admin server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *1434* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MSSQL Admin, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 1434 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 1434: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 1434 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 1434 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 1434, + }, + { + path: '[*].toPort', + greaterThanInclusive: 1434, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.21.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.21.ts new file mode 100644 index 00000000..7bfe6a6e --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.21.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.21', + title: 'AWS NIST 8.21 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)', + + description: 'VPC security groups should not permit unrestricted access from the internet to port 22 (SSH). Removing unfettered connectivity to remote console services, such as SSH, reduces a server’s exposure to risk.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *1434* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as SSH, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 22 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 22: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 22 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 22 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 22, + }, + { + path: '[*].toPort', + greaterThanInclusive: 22, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.22.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.22.ts new file mode 100644 index 00000000..e2272548 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.22.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.22', + title: 'AWS NIST 8.22 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)', + + description: 'Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allows unrestricted ingress access to port 23. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *23* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Telnet, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 23 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 23: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 23 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 23 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 23, + }, + { + path: '[*].toPort', + greaterThanInclusive: 23, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.23.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.23.ts new file mode 100644 index 00000000..1ccf335e --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.23.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.23', + title: 'AWS NIST 8.23 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd). Removing unfettered connectivity to an etcd server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *2379* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as etcd, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 2379 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 2379: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 2379 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 2379 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 2379, + }, + { + path: '[*].toPort', + greaterThanInclusive: 2379, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.24.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.24.ts new file mode 100644 index 00000000..07d8410c --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.24.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.24', + title: 'AWS NIST 8.24 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services Browser). Removing unfettered connectivity to a SQL Server Analysis Services Browser server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *2382* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as SQL Server Analysis Services Browser, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 2382 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 2382: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 2382 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 2382 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 2382, + }, + { + path: '[*].toPort', + greaterThanInclusive: 2382, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.25.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.25.ts new file mode 100644 index 00000000..5bba224a --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.25.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.25', + title: 'AWS NIST 8.25 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services). Removing unfettered connectivity to a SQL Server Analysis Services server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *2383* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as SQL Server Analysis Services Browser, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 2383 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 2383: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 2383 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 2383 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 2383, + }, + { + path: '[*].toPort', + greaterThanInclusive: 2383, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.26.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.26.ts new file mode 100644 index 00000000..f36056c8 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.26.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.26', + title: 'AWS NIST 8.26 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL). Removing unfettered connectivity to an Oracle DB SSL server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *2484* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Oracle DB SSL, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 2484 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 2484: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 2484 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 2484 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 2484, + }, + { + path: '[*].toPort', + greaterThanInclusive: 2484, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.27.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.27.ts new file mode 100644 index 00000000..efcdbb09 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.27.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.27', + title: 'AWS NIST 8.27 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *27017* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MongoDB, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 27017 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 27017: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 27017 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 27017 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 27017, + }, + { + path: '[*].toPort', + greaterThanInclusive: 27017, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.28.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.28.ts new file mode 100644 index 00000000..d69e8123 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.28.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.28', + title: 'AWS NIST 8.28 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *27018* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MongoDB, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 27018 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 27018: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 27018 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 27018 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 27018, + }, + { + path: '[*].toPort', + greaterThanInclusive: 27018, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.29.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.29.ts new file mode 100644 index 00000000..ba0a758d --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.29.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.29', + title: 'AWS NIST 8.29 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB). Removing unfettered connectivity to a MongoDB server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *27019* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MongoDB, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 27019 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 27019: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 27019 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 27019 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 27019, + }, + { + path: '[*].toPort', + greaterThanInclusive: 27019, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.30.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.30.ts new file mode 100644 index 00000000..8da037ad --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.30.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.30', + title: 'AWS NIST 8.30 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server). Removing unfettered connectivity to a Ruby on Rails web server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *3000* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Ruby on Rails web server, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 3000 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 3000: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 3000 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 3000 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 3000, + }, + { + path: '[*].toPort', + greaterThanInclusive: 3000, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.31.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.31.ts new file mode 100644 index 00000000..b5da977b --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.31.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.31', + title: 'AWS NIST 8.31 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB). Removing unfettered connectivity to CIFS / SMB ports reduces a server’s exposure to risk.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *3020* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as CIFS / SMB, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 3020 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 3020: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 3020 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 3020 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 3020, + }, + { + path: '[*].toPort', + greaterThanInclusive: 3020, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.32.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.32.ts new file mode 100644 index 00000000..967df7d2 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.32.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.32', + title: 'AWS NIST 8.32 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL). Removing unfettered connectivity to a MySQL server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *3306* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as MySQL, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 3306 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 3306: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 3306 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 3306 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 3306, + }, + { + path: '[*].toPort', + greaterThanInclusive: 3306, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.33.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.33.ts new file mode 100644 index 00000000..6b99a5fd --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.33.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.33', + title: 'AWS NIST 8.33 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *4505* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as SaltStack Master, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 4505 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 4505: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 4505 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 4505 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 4505, + }, + { + path: '[*].toPort', + greaterThanInclusive: 4505, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.34.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.34.ts new file mode 100644 index 00000000..03a1823c --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.34.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.34', + title: 'AWS NIST 8.34 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master). Removing unfettered connectivity to a SaltStack Master server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *4506* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as SaltStack Master, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 4506 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 4506: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 4506 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 4506 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 4506, + }, + { + path: '[*].toPort', + greaterThanInclusive: 4506, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.35.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.35.ts new file mode 100644 index 00000000..c6594977 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.35.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.35', + title: 'AWS NIST 8.35 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL). Removing unfettered connectivity to a PostgreSQL server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *5432* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as PostgreSQL, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 5432 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 5432: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 5432 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 5432 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 5432, + }, + { + path: '[*].toPort', + greaterThanInclusive: 5432, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.36.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.36.ts new file mode 100644 index 00000000..7464e221 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.36.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.36', + title: 'AWS NIST 8.36 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)', + + description: 'Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 5500. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *5500* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Virtual Network Computing, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 5500 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 5500: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 5500 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 5500 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 5500, + }, + { + path: '[*].toPort', + greaterThanInclusive: 5500, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.37.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.37.ts new file mode 100644 index 00000000..b168f895 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.37.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.37', + title: 'AWS NIST 8.37 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs', + + description: 'Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 5800, unless it is from an AWS Elastic Load Balancer. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *5800* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Virtual Network Computing, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 5800 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 5800: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 5800 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 5800 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 5800, + }, + { + path: '[*].toPort', + greaterThanInclusive: 5800, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.38.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.38.ts new file mode 100644 index 00000000..430d01ad --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.38.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.38', + title: 'AWS NIST 8.38 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)', + + description: 'Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 5900. Removing unfettered connectivity to remote console services reduces a server’s exposure to risk.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *5900* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Virtual Network Computing, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 5900 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 5900: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 5900 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 5900 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 5900, + }, + { + path: '[*].toPort', + greaterThanInclusive: 5900, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.39.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.39.ts new file mode 100644 index 00000000..4072f818 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.39.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.39', + title: 'AWS NIST 8.39 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs', + + description: 'Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. AWS recommends that no security group allow unrestricted ingress access to port 80, unless it is from an AWS Elastic Load Balancer.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *80* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as HTTP, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 80 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 80: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 80 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 80 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 80, + }, + { + path: '[*].toPort', + greaterThanInclusive: 80, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.40.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.40.ts new file mode 100644 index 00000000..2cb6a079 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.40.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.40', + title: 'AWS NIST 8.40 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate). Removing unfettered connectivity to a HTTP Alternate server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *8000* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as HTTP Alternate, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 8000 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 8000: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol --port 8000 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 8000 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 8000, + }, + { + path: '[*].toPort', + greaterThanInclusive: 8000, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.41.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.41.ts new file mode 100644 index 00000000..b43ae2d4 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.41.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.41', + title: 'AWS NIST 8.41 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)', + + description: 'VPC security groups should not permit unrestricted access from the internet to port 9200 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *9200* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Elasticsearch, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 9200 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 9200: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 9200 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 9200 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 9200, + }, + { + path: '[*].toPort', + greaterThanInclusive: 9200, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.42.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.42.ts new file mode 100644 index 00000000..4180446b --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.42.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.42', + title: 'AWS NIST 8.42 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)', + + description: 'VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch). Removing unfettered connectivity to an Elasticsearch server reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *9300* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as Elasticsearch, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation pane, click Security Groups. + - Remove any rules that include port 9300 and have a source of 0.0.0.0/0. + - Click Save. + + **AWS CLI** + + List all security groups with an ingress rule of 0.0.0.0/0: + + aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}" + + Remove the inbound rule(s) that permits unrestricted ingress to port 9300: + + ws ec2 revoke-security-group-ingress --region --group-name --protocol --port 9300 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected Security Group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol --port 9300 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 9300, + }, + { + path: '[*].toPort', + greaterThanInclusive: 9300, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.43.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.43.ts new file mode 100644 index 00000000..c929d91f --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.43.ts @@ -0,0 +1,94 @@ +export default { + id: 'aws-nist-800-53-rev4-8.43', + title: 'AWS NIST 8.43 VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports', + + description: 'EC2 security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *0-65535* and has a *Source* of *0.0.0.0/0*`, + + rationale: '', + + remediation: `**AWS Console** + + - Navigate to [EC2](https://console.aws.amazon.com/ec2/). + - In the left navigation, select Security Groups. + - Select the desired security group and click the Inbound tab. + - Click Edit rules. + - Remove any permissions that allow ‘0.0.0.0/0’ to all ports. + + **AWS CLI** + + Remove ingress rules which allow connectivity from anywhere to all ports and protocols: + + aws ec2 revoke-security-group-ingress --group-id --ip-permissions `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + equal: 0, + }, + { + path: '[*].toPort', + equal: 65535, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.44.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.44.ts new file mode 100644 index 00000000..02f648b7 --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.44.ts @@ -0,0 +1,101 @@ +export default { + id: 'aws-nist-800-53-rev4-8.44', + title: 'AWS NIST 8.44 VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)', + + description: 'VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP). Removing unfettered connectivity to LDAP reduces the chance of exposing critical data.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *389* and has a *Source* of *0.0.0.0/0*`, + + rationale: 'Removing unfettered connectivity to remote console services, such as LDAP, reduces a server\'s exposure to risk.', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left pane, click Security Groups. + - For each security group, perform the following: + - Select the security group. + - Click the Inbound Rules tab. + - Identify the rules to be removed. + - Click the x in the Remove column. + - Click Save. + + **AWS CLI** + + Remove the inbound rule(s) that permits unrestricted ingress to TCP port 389 from the selected security group: + + aws ec2 revoke-security-group-ingress --region --group-name --protocol tcp --port 389 --cidr 0.0.0.0/0 + + Optionally add a more restrictive ingress rule to the selected security group: + + aws ec2 authorize-security-group-ingress --region --group-name --protocol tcp --port 389 --cidr `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 389, + }, + { + path: '[*].toPort', + greaterThanInclusive: 389, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.45.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.45.ts new file mode 100644 index 00000000..491ec78b --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.45.ts @@ -0,0 +1,94 @@ +export default { + id: 'aws-nist-800-53-rev4-8.45', + title: 'AWS NIST 8.45 VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports', + + description: 'RDS security groups should permit access only to necessary ports to prevent access to potentially vulnerable services on other ports.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rule*s tab + 6. Ensure no rule exists that has a port range that includes port *0-65535* and has a *Source* of *0.0.0.0/0*`, + + rationale: '', + + remediation: `**AWS Console** + + - Navigate to [VPC](https://console.aws.amazon.com/vpc/). + - In the left navigation, select Security Groups. + - Select the desired security group and click the Inbound tab. + - Click Edit rules. + - Remove any permissions that allow ‘0.0.0.0/0’ to all ports. + + **AWS CLI** + + Remove ingress rules which allow connectivity from anywhere to all ports and protocols: + + aws ec2 revoke-security-group-ingress --group-id --ip-permissions `, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/working-with-security-groups.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + equal: 0, + }, + { + path: '[*].toPort', + equal: 65535, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.9.ts b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.9.ts new file mode 100644 index 00000000..49411cba --- /dev/null +++ b/src/aws/nist-800-53-rev4/rules/aws-nist-800-53-rev4-8.9.ts @@ -0,0 +1,93 @@ +export default { + id: 'aws-nist-800-53-rev4-8.9', + title: 'AWS NIST 8.9 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)', + + description: 'Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to port 3389.', + + audit: `Perform the following to determine if the account is configured as prescribed: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rules* tab + 6. Ensure no rule exists that has a port range that includes port *3389* and has a *Source* of *0.0.0.0/0* + + Note: A *Port* value of *ALL* or a port range such as *1024 - 4098* are inclusive of port *3389*.`, + + rationale: 'Removing unfettered connectivity to remote console services, such as RDP, reduces a server\'s exposure to risk.', + + remediation: `Perform the following to implement the prescribed state: + + 1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home + 2. In the left pane, click *Security Groups* + 3. For each security group, perform the following: + 4. Select the security group + 5. Click the *Inbound Rules* tab + 6. Identify the rules to be removed + 7. Click the *x* in the *Remove* column + 8. Click *Save*`, + + references: [ + 'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRules', + 'https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-network-security.html#updating-security-group-rules', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html', + 'https://docs.aws.amazon.com/cli/latest/reference/ec2/revoke-security-group-ingress.html', + ], + gql: `{ + queryawsSecurityGroup{ + id + arn + accountId + __typename + inboundRules{ + source + toPort + fromPort + } + } + }`, + resource: 'queryawsSecurityGroup[*]', + severity: 'high', + conditions: { + not: { + path: '@.inboundRules', + array_any: { + and: [ + { + path: '[*].source', + in: ['0.0.0.0/0', '::/0'], + }, + { + or: [ + { + and: [ + { + path: '[*].fromPort', + equal: null, + }, + { + path: '[*].toPort', + equal: null, + }, + ], + }, + { + and: [ + { + path: '[*].fromPort', + lessThanInclusive: 3389, + }, + { + path: '[*].toPort', + greaterThanInclusive: 3389, + }, + ], + }, + ], + }, + ], + }, + }, + }, +} diff --git a/src/aws/nist-800-53-rev4/rules/index.ts b/src/aws/nist-800-53-rev4/rules/index.ts index 3940e9ee..329413ba 100644 --- a/src/aws/nist-800-53-rev4/rules/index.ts +++ b/src/aws/nist-800-53-rev4/rules/index.ts @@ -27,6 +27,44 @@ import Aws_NIST_800_53_68 from './aws-nist-800-53-rev4-6.8' import Aws_NIST_800_53_69 from './aws-nist-800-53-rev4-6.9' import Aws_NIST_800_53_612 from './aws-nist-800-53-rev4-6.12' import Aws_NIST_800_53_613 from './aws-nist-800-53-rev4-6.13' +import Aws_NIST_800_53_82 from './aws-nist-800-53-rev4-8.2' +import Aws_NIST_800_53_89 from './aws-nist-800-53-rev4-8.9' +import Aws_NIST_800_53_810 from './aws-nist-800-53-rev4-8.10' +import Aws_NIST_800_53_811 from './aws-nist-800-53-rev4-8.11' +import Aws_NIST_800_53_812 from './aws-nist-800-53-rev4-8.12' +import Aws_NIST_800_53_813 from './aws-nist-800-53-rev4-8.13' +import Aws_NIST_800_53_814 from './aws-nist-800-53-rev4-8.14' +import Aws_NIST_800_53_815 from './aws-nist-800-53-rev4-8.15' +import Aws_NIST_800_53_816 from './aws-nist-800-53-rev4-8.16' +import Aws_NIST_800_53_817 from './aws-nist-800-53-rev4-8.17' +import Aws_NIST_800_53_818 from './aws-nist-800-53-rev4-8.18' +import Aws_NIST_800_53_819 from './aws-nist-800-53-rev4-8.19' +import Aws_NIST_800_53_820 from './aws-nist-800-53-rev4-8.20' +import Aws_NIST_800_53_821 from './aws-nist-800-53-rev4-8.21' +import Aws_NIST_800_53_822 from './aws-nist-800-53-rev4-8.22' +import Aws_NIST_800_53_823 from './aws-nist-800-53-rev4-8.23' +import Aws_NIST_800_53_824 from './aws-nist-800-53-rev4-8.24' +import Aws_NIST_800_53_825 from './aws-nist-800-53-rev4-8.25' +import Aws_NIST_800_53_826 from './aws-nist-800-53-rev4-8.26' +import Aws_NIST_800_53_827 from './aws-nist-800-53-rev4-8.27' +import Aws_NIST_800_53_828 from './aws-nist-800-53-rev4-8.28' +import Aws_NIST_800_53_829 from './aws-nist-800-53-rev4-8.29' +import Aws_NIST_800_53_830 from './aws-nist-800-53-rev4-8.30' +import Aws_NIST_800_53_831 from './aws-nist-800-53-rev4-8.31' +import Aws_NIST_800_53_832 from './aws-nist-800-53-rev4-8.32' +import Aws_NIST_800_53_833 from './aws-nist-800-53-rev4-8.33' +import Aws_NIST_800_53_834 from './aws-nist-800-53-rev4-8.34' +import Aws_NIST_800_53_835 from './aws-nist-800-53-rev4-8.35' +import Aws_NIST_800_53_836 from './aws-nist-800-53-rev4-8.36' +import Aws_NIST_800_53_837 from './aws-nist-800-53-rev4-8.37' +import Aws_NIST_800_53_838 from './aws-nist-800-53-rev4-8.38' +import Aws_NIST_800_53_839 from './aws-nist-800-53-rev4-8.39' +import Aws_NIST_800_53_840 from './aws-nist-800-53-rev4-8.40' +import Aws_NIST_800_53_841 from './aws-nist-800-53-rev4-8.41' +import Aws_NIST_800_53_842 from './aws-nist-800-53-rev4-8.42' +import Aws_NIST_800_53_843 from './aws-nist-800-53-rev4-8.43' +import Aws_NIST_800_53_844 from './aws-nist-800-53-rev4-8.44' +import Aws_NIST_800_53_845 from './aws-nist-800-53-rev4-8.45' export default [ Aws_NIST_800_53_11, @@ -58,4 +96,42 @@ export default [ Aws_NIST_800_53_69, Aws_NIST_800_53_612, Aws_NIST_800_53_613, + Aws_NIST_800_53_82, + Aws_NIST_800_53_89, + Aws_NIST_800_53_810, + Aws_NIST_800_53_811, + Aws_NIST_800_53_812, + Aws_NIST_800_53_813, + Aws_NIST_800_53_814, + Aws_NIST_800_53_815, + Aws_NIST_800_53_816, + Aws_NIST_800_53_817, + Aws_NIST_800_53_818, + Aws_NIST_800_53_819, + Aws_NIST_800_53_820, + Aws_NIST_800_53_821, + Aws_NIST_800_53_822, + Aws_NIST_800_53_823, + Aws_NIST_800_53_824, + Aws_NIST_800_53_825, + Aws_NIST_800_53_826, + Aws_NIST_800_53_827, + Aws_NIST_800_53_828, + Aws_NIST_800_53_829, + Aws_NIST_800_53_830, + Aws_NIST_800_53_831, + Aws_NIST_800_53_832, + Aws_NIST_800_53_833, + Aws_NIST_800_53_834, + Aws_NIST_800_53_835, + Aws_NIST_800_53_836, + Aws_NIST_800_53_837, + Aws_NIST_800_53_838, + Aws_NIST_800_53_839, + Aws_NIST_800_53_840, + Aws_NIST_800_53_841, + Aws_NIST_800_53_842, + Aws_NIST_800_53_843, + Aws_NIST_800_53_844, + Aws_NIST_800_53_845, ] diff --git a/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-8.x.test.ts b/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-8.x.test.ts new file mode 100644 index 00000000..5b5f2144 --- /dev/null +++ b/src/aws/nist-800-53-rev4/tests/nist-800-53-rev4-8.x.test.ts @@ -0,0 +1,663 @@ +import CloudGraph, { Rule, Result, Engine } from '@cloudgraph/sdk' +import cuid from 'cuid' + +import Aws_NIST_800_53_82 from '../rules/aws-nist-800-53-rev4-8.2' +import Aws_NIST_800_53_89 from '../rules/aws-nist-800-53-rev4-8.9' +import Aws_NIST_800_53_810 from '../rules/aws-nist-800-53-rev4-8.10' +import Aws_NIST_800_53_811 from '../rules/aws-nist-800-53-rev4-8.11' +import Aws_NIST_800_53_812 from '../rules/aws-nist-800-53-rev4-8.12' +import Aws_NIST_800_53_813 from '../rules/aws-nist-800-53-rev4-8.13' +import Aws_NIST_800_53_814 from '../rules/aws-nist-800-53-rev4-8.14' +import Aws_NIST_800_53_815 from '../rules/aws-nist-800-53-rev4-8.15' +import Aws_NIST_800_53_816 from '../rules/aws-nist-800-53-rev4-8.16' +import Aws_NIST_800_53_817 from '../rules/aws-nist-800-53-rev4-8.17' +import Aws_NIST_800_53_818 from '../rules/aws-nist-800-53-rev4-8.18' +import Aws_NIST_800_53_819 from '../rules/aws-nist-800-53-rev4-8.19' +import Aws_NIST_800_53_820 from '../rules/aws-nist-800-53-rev4-8.20' +import Aws_NIST_800_53_821 from '../rules/aws-nist-800-53-rev4-8.21' +import Aws_NIST_800_53_822 from '../rules/aws-nist-800-53-rev4-8.22' +import Aws_NIST_800_53_823 from '../rules/aws-nist-800-53-rev4-8.23' +import Aws_NIST_800_53_824 from '../rules/aws-nist-800-53-rev4-8.24' +import Aws_NIST_800_53_825 from '../rules/aws-nist-800-53-rev4-8.25' +import Aws_NIST_800_53_826 from '../rules/aws-nist-800-53-rev4-8.26' +import Aws_NIST_800_53_827 from '../rules/aws-nist-800-53-rev4-8.27' +import Aws_NIST_800_53_828 from '../rules/aws-nist-800-53-rev4-8.28' +import Aws_NIST_800_53_829 from '../rules/aws-nist-800-53-rev4-8.29' +import Aws_NIST_800_53_830 from '../rules/aws-nist-800-53-rev4-8.30' +import Aws_NIST_800_53_831 from '../rules/aws-nist-800-53-rev4-8.31' +import Aws_NIST_800_53_832 from '../rules/aws-nist-800-53-rev4-8.32' +import Aws_NIST_800_53_833 from '../rules/aws-nist-800-53-rev4-8.33' +import Aws_NIST_800_53_834 from '../rules/aws-nist-800-53-rev4-8.34' +import Aws_NIST_800_53_835 from '../rules/aws-nist-800-53-rev4-8.35' +import Aws_NIST_800_53_836 from '../rules/aws-nist-800-53-rev4-8.36' +import Aws_NIST_800_53_837 from '../rules/aws-nist-800-53-rev4-8.37' +import Aws_NIST_800_53_838 from '../rules/aws-nist-800-53-rev4-8.38' +import Aws_NIST_800_53_839 from '../rules/aws-nist-800-53-rev4-8.39' +import Aws_NIST_800_53_840 from '../rules/aws-nist-800-53-rev4-8.40' +import Aws_NIST_800_53_841 from '../rules/aws-nist-800-53-rev4-8.41' +import Aws_NIST_800_53_842 from '../rules/aws-nist-800-53-rev4-8.42' +import Aws_NIST_800_53_843 from '../rules/aws-nist-800-53-rev4-8.43' +import Aws_NIST_800_53_844 from '../rules/aws-nist-800-53-rev4-8.44' +import Aws_NIST_800_53_845 from '../rules/aws-nist-800-53-rev4-8.45' + +const ipV4WildcardAddress = '0.0.0.0/0' +const ipV6WildcardAddress = '::/0' + +export interface InboundRule { + source: string + toPort?: number + fromPort?: number + protocol?: string +} + +export interface OutboundRule { + destination?: string +} + +export interface QueryawsSecurityGroup { + id: string + inboundRules?: InboundRule[] + outboundRules?: OutboundRule[] +} + +export interface NIS8xQueryResponse { + queryawsSecurityGroup: QueryawsSecurityGroup[] +} + +describe('AWS NIST 800-53: Rev. 4', () => { + let rulesEngine: Engine + beforeAll(() => { + rulesEngine = new CloudGraph.RulesEngine({ + providerName: 'aws', + entityName: 'NIST', + }) + }) + + const testRule = async ( + fromPort: number | undefined, + toPort: number | undefined, + sourceAddress: string, + rule: Rule, + expectedResult: Result, + includeRandomValidData = false + ): Promise => { + // Arrange + const validInboundRule = { + toPort: 123, + fromPort: 456, + source: '10.10.10.10/16', + } + + const data: NIS8xQueryResponse = { + queryawsSecurityGroup: [ + { + id: cuid(), + inboundRules: [ + { + toPort, + fromPort, + source: sourceAddress, + }, + ], + }, + ], + } + + if (includeRandomValidData) { + data.queryawsSecurityGroup[0].inboundRules?.push(validInboundRule) + data.queryawsSecurityGroup.push({ + id: cuid(), + inboundRules: [validInboundRule, validInboundRule], + }) + } + + // Act + const [processedRule] = await rulesEngine.processRule(rule, { ...data }) + + // Asserts + expect(processedRule.result).toBe(expectedResult) + } + + const testSecurityGroupRule = ( + rule: Rule, + fromPort: number, + toPort: number + ): void => { + test(`No Security Issue when there is an inbound rule with a random IPv4 address and port ${fromPort}`, async () => { + await testRule(fromPort, toPort, '10.10.10.10/16', rule, Result.PASS) + }) + + test('No Security Issue when there is an inbound rule with IPv4 wilcard address and port 80', async () => { + await testRule(80, 80, ipV4WildcardAddress, rule, Result.PASS) + }) + + test('No Security Issue when there is an inbound rule with IPv6 wilcard address and port 80', async () => { + await testRule(80, 80, ipV6WildcardAddress, rule, Result.PASS) + }) + + test(`No Security Issue when there is an inbound rule with a random IPv4 and a port range not including the port ${fromPort}`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + '10.10.10.10/16', + rule, + Result.PASS + ) + }) + + test(`No Security Issue when there is an inbound rule with IPv4 wilcard address and a port range not including the port ${fromPort}`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + ipV4WildcardAddress, + rule, + Result.PASS + ) + }) + + test(`No Security Issue when there is an inbound rule with IPv6 wilcard address and a port range not including the port ${fromPort}`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + ipV6WildcardAddress, + rule, + Result.PASS + ) + }) + + test(`No Security Issue when there is an inbound rule with IPv6 wilcard address and a port range not including the port ${fromPort} (multiple values)`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + ipV6WildcardAddress, + rule, + Result.PASS, + true + ) + }) + + test(`Security Issue when IPv4 wilcard address and port ${fromPort}`, async () => { + await testRule(fromPort, toPort, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test(`Security Issue when IPv6 wilcard address and port ${fromPort}`, async () => { + await testRule(fromPort, toPort, ipV6WildcardAddress, rule, Result.FAIL) + }) + + test(`Security Issue when IPv4 wilcard address and port ${fromPort} (multiple values)`, async () => { + await testRule( + fromPort, + toPort, + ipV4WildcardAddress, + rule, + Result.FAIL, + true + ) + }) + + test('Security Issue when there is an inbound rule with IPv4 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV4WildcardAddress, + rule, + Result.FAIL + ) + }) + + test('Security Issue when there is an inbound rule with IPv6 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV6WildcardAddress, + rule, + Result.FAIL + ) + }) + + test(`Security Issue when there is an inbound rule with IPv4 wilcard address and port range includes the port ${fromPort}`, async () => { + await testRule(0, fromPort + 100, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test(`Security Issue when there is an inbound rule with IPv6 wilcard address and port range includes the port ${fromPort}`, async () => { + await testRule(0, fromPort + 100, ipV6WildcardAddress, rule, Result.FAIL) + }) + } + + describe('AWS NIST 8.2 VPC default security group should restrict all traffic', () => { + const getTestRuleFixture = ( + source: string, + destination: string + ): NIS8xQueryResponse => { + return { + queryawsSecurityGroup: [ + { + id: cuid(), + inboundRules: [ + { + source, + }, + ], + outboundRules: [ + { + destination, + }, + ], + }, + ], + } + } + + // Act + const testRule = async ( + data: NIS8xQueryResponse, + expectedResult: Result + ): Promise => { + // Act + const [processedRule] = await rulesEngine.processRule( + Aws_NIST_800_53_82 as Rule, + { ...data } + ) + + // Asserts + expect(processedRule.result).toBe(expectedResult) + } + + test('No Security Issue when there is not an inbound/outbound rules with the wildcard addresses', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + '10.10.10.10/16', + '2001:db8:3333:4444:5555:6666:7777:8888' + ) + await testRule(data, Result.PASS) + }) + + test('Security Issue when there is an inbound rule with a IPv4 wilcard address', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + ipV4WildcardAddress, + '' + ) + await testRule(data, Result.FAIL) + }) + test('Security Issue when there is an inbound rule with a IPv6 wilcard address', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + ipV6WildcardAddress, + '' + ) + await testRule(data, Result.FAIL) + }) + test('Security Issue when there is an outbound rule with a IPv4 wilcard address', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + '', + ipV4WildcardAddress + ) + await testRule(data, Result.FAIL) + }) + test('Security Issue when there is an outbound rule with a IPv6 wilcard address', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + '', + ipV6WildcardAddress + ) + await testRule(data, Result.FAIL) + }) + test('Security Issue when there is an inbound and an outbound rule with a IPv4 wilcard address', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + ipV4WildcardAddress, + ipV4WildcardAddress + ) + await testRule(data, Result.FAIL) + }) + test('Security Issue when there is an inbound and an outbound rule with a IPv6 wilcard address', async () => { + const data: NIS8xQueryResponse = getTestRuleFixture( + ipV6WildcardAddress, + ipV6WildcardAddress + ) + await testRule(data, Result.FAIL) + }) + }) + + describe('AWS NIST 8.9 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 3389 (Remote Desktop Protocol)', () => { + testSecurityGroupRule(Aws_NIST_800_53_89 as Rule, 3389, 3389) + }) + + describe('AWS NIST 8.10 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 61621 (Cassandra OpsCenter Agent)', () => { + testSecurityGroupRule(Aws_NIST_800_53_810 as Rule, 61621, 61621) + }) + + describe('AWS NIST 8.11 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 636 (LDAP SSL)', () => { + testSecurityGroupRule(Aws_NIST_800_53_811 as Rule, 636, 636) + }) + + describe('AWS NIST 8.12 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 7001 (Cassandra)', () => { + testSecurityGroupRule(Aws_NIST_800_53_812 as Rule, 7001, 7001) + }) + + describe('AWS NIST 8.13 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11214 (Memcached SSL)', () => { + testSecurityGroupRule(Aws_NIST_800_53_813 as Rule, 11214, 11214) + }) + + describe('AWS NIST 8.14 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 11215 (Memcached SSL)', () => { + testSecurityGroupRule(Aws_NIST_800_53_814 as Rule, 11215, 11215) + }) + + describe('AWS NIST 8.15 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 135 (MSSQL Debugger)', () => { + testSecurityGroupRule(Aws_NIST_800_53_815 as Rule, 135, 135) + }) + + describe('AWS NIST 8.16 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 137 (NetBIOS Name Service)', () => { + testSecurityGroupRule(Aws_NIST_800_53_816 as Rule, 137, 137) + }) + + describe('AWS NIST 8.17 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 138 (NetBios Datagram Service)', () => { + testSecurityGroupRule(Aws_NIST_800_53_817 as Rule, 138, 138) + }) + + describe('AWS NIST 8.18 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 139 (NetBios Session Service)', () => { + testSecurityGroupRule(Aws_NIST_800_53_818 as Rule, 139, 139) + }) + + describe('AWS NIST 8.19 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 1433 (MSSQL Server)', () => { + testSecurityGroupRule(Aws_NIST_800_53_819 as Rule, 1433, 1433) + }) + + describe('AWS NIST 8.20 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 1434 (MSSQL Admin)', () => { + testSecurityGroupRule(Aws_NIST_800_53_820 as Rule, 1434, 1434) + }) + + describe('AWS NIST 8.21 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to port 22 (SSH)', () => { + testSecurityGroupRule(Aws_NIST_800_53_821 as Rule, 22, 22) + }) + + describe('AWS NIST 8.22 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 23 (Telnet)', () => { + testSecurityGroupRule(Aws_NIST_800_53_822 as Rule, 23, 23) + }) + + describe('AWS NIST 8.23 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 2379 (etcd)', () => { + testSecurityGroupRule(Aws_NIST_800_53_823 as Rule, 2379, 2379) + }) + + describe('AWS NIST 8.24 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2382 (SQL Server Analysis Services browser)', () => { + testSecurityGroupRule(Aws_NIST_800_53_824 as Rule, 2382, 2382) + }) + + describe('AWS NIST 8.25 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2383 (SQL Server Analysis Services)', () => { + testSecurityGroupRule(Aws_NIST_800_53_825 as Rule, 2383, 2383) + }) + + describe('AWS NIST 8.26 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 2484 (Oracle DB SSL)', () => { + testSecurityGroupRule(Aws_NIST_800_53_826 as Rule, 2484, 2484) + }) + + describe('AWS NIST 8.27 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27017 (MongoDB)', () => { + testSecurityGroupRule(Aws_NIST_800_53_827 as Rule, 27017, 27017) + }) + + describe('AWS NIST 8.28 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27018 (MongoDB)', () => { + testSecurityGroupRule(Aws_NIST_800_53_828 as Rule, 27018, 27018) + }) + + describe('AWS NIST 8.29 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 27019 (MongoDB)', () => { + testSecurityGroupRule(Aws_NIST_800_53_829 as Rule, 27019, 27019) + }) + + describe('AWS NIST 8.30 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3000 (Ruby on Rails web server)', () => { + testSecurityGroupRule(Aws_NIST_800_53_830 as Rule, 3000, 3000) + }) + + describe('AWS NIST 8.31 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3020 (CIFS / SMB)', () => { + testSecurityGroupRule(Aws_NIST_800_53_831 as Rule, 3020, 3020) + }) + + describe('AWS NIST 8.32 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 3306 (MySQL)', () => { + testSecurityGroupRule(Aws_NIST_800_53_832 as Rule, 3306, 3306) + }) + + describe('AWS NIST 8.33 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4505 (SaltStack Master)', () => { + testSecurityGroupRule(Aws_NIST_800_53_833 as Rule, 4505, 4505) + }) + + describe('AWS NIST 8.34 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 4506 (SaltStack Master)', () => { + testSecurityGroupRule(Aws_NIST_800_53_834 as Rule, 4506, 4506) + }) + + describe('AWS NIST 8.35 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5432 (PostgreSQL)', () => { + testSecurityGroupRule(Aws_NIST_800_53_835 as Rule, 5432, 5432) + }) + + describe('AWS NIST 8.36 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 5500 (Virtual Network Computing)', () => { + testSecurityGroupRule(Aws_NIST_800_53_836 as Rule, 5500, 5500) + }) + + describe('AWS NIST 8.37 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5800 (Virtual Network Computing), unless from ELBs', () => { + testSecurityGroupRule(Aws_NIST_800_53_837 as Rule, 5800, 5800) + }) + + describe('AWS NIST 8.38 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 5900 (Virtual Network Computing)', () => { + testSecurityGroupRule(Aws_NIST_800_53_838 as Rule, 5900, 5900) + }) + + describe('AWS NIST 8.39 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 80 (HTTP), unless from ELBs', () => { + const rule = Aws_NIST_800_53_839 as Rule + const fromPort = 80 + const toPort = 80 + + test(`No Security Issue when there is an inbound rule with a random IPv4 address and port ${fromPort}`, async () => { + await testRule(fromPort, toPort, '10.10.10.10/16', rule, Result.PASS) + }) + + test(`No Security Issue when there is an inbound rule with a random IPv4 and a port range not including the port ${fromPort}`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + '10.10.10.10/16', + rule, + Result.PASS + ) + }) + + test(`No Security Issue when there is an inbound rule with IPv4 wilcard address and a port range not including the port ${fromPort}`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + ipV4WildcardAddress, + rule, + Result.PASS + ) + }) + + test(`No Security Issue when there is an inbound rule with IPv6 wilcard address and a port range not including the port ${fromPort}`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + ipV6WildcardAddress, + rule, + Result.PASS + ) + }) + + test(`No Security Issue when there is an inbound rule with IPv6 wilcard address and a port range not including the port ${fromPort} (multiple values)`, async () => { + await testRule( + fromPort + 100, + fromPort + 200, + ipV6WildcardAddress, + rule, + Result.PASS, + true + ) + }) + + test(`Security Issue when IPv4 wilcard address and port ${fromPort}`, async () => { + await testRule(fromPort, toPort, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test(`Security Issue when IPv6 wilcard address and port ${fromPort}`, async () => { + await testRule(fromPort, toPort, ipV6WildcardAddress, rule, Result.FAIL) + }) + + test(`Security Issue when IPv4 wilcard address and port ${fromPort} (multiple values)`, async () => { + await testRule( + fromPort, + toPort, + ipV4WildcardAddress, + rule, + Result.FAIL, + true + ) + }) + + test('Security Issue when there is an inbound rule with IPv4 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV4WildcardAddress, + rule, + Result.FAIL + ) + }) + + test('Security Issue when there is an inbound rule with IPv6 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV6WildcardAddress, + rule, + Result.FAIL + ) + }) + + test(`Security Issue when there is an inbound rule with IPv4 wilcard address and port range includes the port ${fromPort}`, async () => { + await testRule(0, fromPort + 100, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test(`Security Issue when there is an inbound rule with IPv6 wilcard address and port range includes the port ${fromPort}`, async () => { + await testRule(0, fromPort + 100, ipV6WildcardAddress, rule, Result.FAIL) + }) + }) + + describe('AWS NIST 8.40 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP/UDP port 8000 (HTTP Alternate)', () => { + testSecurityGroupRule(Aws_NIST_800_53_840 as Rule, 8000, 8000) + }) + + describe('AWS NIST 8.41 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9200 (Elasticsearch)', () => { + testSecurityGroupRule(Aws_NIST_800_53_841 as Rule, 9200, 9200) + }) + + describe('AWS NIST 8.42 VPC security group rules should not permit ingress from ‘0.0.0.0/0’ to TCP port 9300 (Elasticsearch)', () => { + testSecurityGroupRule(Aws_NIST_800_53_842 as Rule, 9300, 9300) + }) + + describe('AWS NIST 8.43 VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to all ports', () => { + const rule = Aws_NIST_800_53_843 as Rule + + test('No Security Issue when there is an inbound rule with a random IPv4 address and all ports range', async () => { + await testRule(0, 65535, '10.10.10.10/16', rule, Result.PASS) + }) + + test('No Security Issue when there is an inbound rule with IPv4 wilcard address and a port range not allow all ports', async () => { + await testRule(1000, 2000, ipV4WildcardAddress, rule, Result.PASS) + }) + + test('No Security Issue when there is an inbound rule with IPv6 wilcard address and a port range not allow all ports', async () => { + await testRule(1000, 2000, ipV6WildcardAddress, rule, Result.PASS) + }) + + test('Security Issue when IPv4 wilcard address and allow all ports', async () => { + await testRule(0, 65535, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test('Security Issue when IPv6 wilcard address and allow all ports', async () => { + await testRule(0, 65535, ipV6WildcardAddress, rule, Result.FAIL) + }) + + test('Security Issue when IPv4 wilcard address and allow all ports (multiple values)', async () => { + await testRule(0, 65535, ipV4WildcardAddress, rule, Result.FAIL, true) + }) + + test('Security Issue when there is an inbound rule with IPv4 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV4WildcardAddress, + rule, + Result.FAIL + ) + }) + + test('Security Issue when there is an inbound rule with IPv6 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV6WildcardAddress, + rule, + Result.FAIL + ) + }) + + test('Security Issue when there is an inbound rule with IPv4 wilcard address and port range allow all ports', async () => { + await testRule(0, 65535, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test('Security Issue when there is an inbound rule with IPv6 wilcard address and port range allow all ports', async () => { + await testRule(0, 65535, ipV6WildcardAddress, rule, Result.FAIL) + }) + }) + + describe('AWS NIST 8.44 VPC security groups attached to EC2 instances should not permit ingress from ‘0.0.0.0/0’ to TCP port 389 (LDAP)', () => { + testSecurityGroupRule(Aws_NIST_800_53_844 as Rule, 389, 389) + }) + + describe('AWS NIST 8.45 VPC security groups attached to RDS instances should not permit ingress from ‘0.0.0.0/0’ to all ports', () => { + const rule = Aws_NIST_800_53_845 as Rule + + test('No Security Issue when there is an inbound rule with a random IPv4 address and all ports range', async () => { + await testRule(0, 65535, '10.10.10.10/16', rule, Result.PASS) + }) + + test('No Security Issue when there is an inbound rule with IPv4 wilcard address and a port range not allow all ports', async () => { + await testRule(1000, 2000, ipV4WildcardAddress, rule, Result.PASS) + }) + + test('No Security Issue when there is an inbound rule with IPv6 wilcard address and a port range not allow all ports', async () => { + await testRule(1000, 2000, ipV6WildcardAddress, rule, Result.PASS) + }) + + test('Security Issue when IPv4 wilcard address and allow all ports', async () => { + await testRule(0, 65535, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test('Security Issue when IPv6 wilcard address and allow all ports', async () => { + await testRule(0, 65535, ipV6WildcardAddress, rule, Result.FAIL) + }) + + test('Security Issue when IPv4 wilcard address and allow all ports (multiple values)', async () => { + await testRule(0, 65535, ipV4WildcardAddress, rule, Result.FAIL, true) + }) + + test('Security Issue when there is an inbound rule with IPv4 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV4WildcardAddress, + rule, + Result.FAIL + ) + }) + + test('Security Issue when there is an inbound rule with IPv6 wilcard address and no port range is specified', async () => { + await testRule( + undefined, + undefined, + ipV6WildcardAddress, + rule, + Result.FAIL + ) + }) + + test('Security Issue when there is an inbound rule with IPv4 wilcard address and port range allow all ports', async () => { + await testRule(0, 65535, ipV4WildcardAddress, rule, Result.FAIL) + }) + + test('Security Issue when there is an inbound rule with IPv6 wilcard address and port range allow all ports', async () => { + await testRule(0, 65535, ipV6WildcardAddress, rule, Result.FAIL) + }) + }) +})