feat: Added ACL Grants checks to 3.3 rule
m-pizarro committed May 12, 2022
1 parent 4a59586 commit c387273
Showing 2 changed files with 68 additions and 22 deletions.
56 changes: 35 additions & 21 deletions src/aws/cis-1.3.0/rules/aws-cis-1.3.0-3.3.ts
Expand Up @@ -63,6 +63,9 @@ export default {
accountId
__typename
s3 {
aclGrants {
granteeUri
}
policy {
statement {
effect
Expand All @@ -81,30 +84,41 @@ export default {
not: {
path: '@.s3',
array_any: {
path: '[*].policy.statement',
array_any: {
and: [
{
path: '[*].effect',
equal: 'Allow',
or: [
{
path: '[*].aclGrants',
array_any: {
path: '[*].granteeUri',
match: /^.*(AllUsers|AuthenticatedUsers).*$/,
},
{
path: '[*].principal',
array_any: {
and: [
{
path: '[*].key',
in: ['', 'AWS'],
},
{
path: '[*].value',
contains: '*',
},
{
path: '[*].policy.statement',
array_any: {
and: [
{
path: '[*].effect',
equal: 'Allow',
},
{
path: '[*].principal',
array_any: {
and: [
{
path: '[*].key',
in: ['', 'AWS'],
},
{
path: '[*].value',
contains: '*',
},
],
},
],
},
},
],
},
],
},
},
],
},
},
},
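Review bot: The grantee check at the `match:` line accepts any granteeUri that merely contains `AllUsers` or `AuthenticatedUsers`, so a URI under some other path that happens to include that substring would be reported, and the surrounding `^.*`/`.*$` add nothing to the match. Anchoring on the canonical group URIs, `match: /^http:\/\/acs\.amazonaws\.com\/groups\/global\/(AllUsers|AuthenticatedUsers)$/,`, keeps the finding tied to the public and authenticated-users groups that the 3.3 rule is about. The fixtures in the test file also supply `granteeUri: undefined` for grants without a URI, so it is worth confirming how `match` treats an undefined value before relying on this branch in production data. A one-line comment above the new `or:` block, `// Fail when the bucket ACL grants a public group access OR a policy statement allows a wildcard principal`, would make the two branches easier to read. The `export default` object that holds this condition starts and ends outside the hunk.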
34 changes: 33 additions & 1 deletion src/aws/cis-1.3.0/tests/aws-cis-1.3.0-3.x.test.ts
Expand Up @@ -50,9 +50,14 @@ export interface Policy {
statement?: Statement[]
}

export interface AclGrant {
granteeUri: string | undefined
}

export interface S3 {
policy?: Policy
logging?: string
aclGrants?: AclGrant[]
}

export interface RecordingGroup {
Expand Down Expand Up @@ -247,14 +252,20 @@ describe('CIS Amazon Web Services Foundations: 1.3.0', () => {
const getTestRuleFixture = (
effect: string,
key: string,
value: string[]
value: string[],
granteeUri?: string | undefined,
): CIS3xQueryResponse => {
return {
queryawsCloudtrail: [
{
id: cuid(),
s3: [
{
aclGrants: [
{
granteeUri
}
],
policy: {
statement: [
{
Expand Down Expand Up @@ -297,6 +308,13 @@ describe('CIS Amazon Web Services Foundations: 1.3.0', () => {
await testRule(data, Result.PASS)
})

test('No Security Issue when no exists any ACL Grantee set to Everyone or Any Authenticated User.', async () => {
const data: CIS3xQueryResponse = getTestRuleFixture('Allow', 'Service', [
'cloudtrail.amazonaws.com',
], 'http://acs.amazonaws.com/groups/s3/LogDelivery')
await testRule(data, Result.PASS)
})

test('Security Issue when a policy contains a statement having an Effect set to Allow and a Principal set to "*"', async () => {
const data: CIS3xQueryResponse = getTestRuleFixture('Allow', '', ['*'])
await testRule(data, Result.FAIL)
Expand All @@ -306,6 +324,20 @@ describe('CIS Amazon Web Services Foundations: 1.3.0', () => {
const data: CIS3xQueryResponse = getTestRuleFixture('Allow', 'AWS', ['*'])
await testRule(data, Result.FAIL)
})

test('Security Issue when exists an ACL Grantee set to Everyone.', async () => {
const data: CIS3xQueryResponse = getTestRuleFixture('Allow', 'Service', [
'cloudtrail.amazonaws.com',
], 'http://acs.amazonaws.com/groups/global/AllUsers')
await testRule(data, Result.FAIL)
})

test('Security Issue when exists an ACL Grantee set to Any Authenticated User.', async () => {
const data: CIS3xQueryResponse = getTestRuleFixture('Allow', 'Service', [
'cloudtrail.amazonaws.com',
], 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers')
await testRule(data, Result.FAIL)
})
})

describe('AWS CIS 3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs', () => {
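Review bot: The fixture at the `aclGrants:` lines always emits one grant, with `granteeUri: undefined` when no URI is passed, so the pre-existing PASS tests now exercise an undefined grantee rather than a bucket with no grants at all, and no test covers an empty `aclGrants` array. Emitting the grant only when a URI is given, `aclGrants: granteeUri ? [{ granteeUri }] : [],`, keeps the older tests meaningful and leaves the new LogDelivery case as the one with a real, non-public grant. The `AclGrant` interface could likewise declare `granteeUri?: string` to match how the fixture parameter is declared. The `describe` block that contains `getTestRuleFixture` starts outside the hunk.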
