From 730c83fd46183cb3031a3deade09d7600e27e354 Mon Sep 17 00:00:00 2001
From: Gaurav Gogia <16029099+gaurav-gogia@users.noreply.github.com>
Date: Wed, 19 Oct 2022 16:50:47 +0530
Subject: [PATCH 1/2] update rds instance cft map (#1422)

---
 .../iac-providers/cft/config/db-instance.go | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/pkg/mapper/iac-providers/cft/config/db-instance.go b/pkg/mapper/iac-providers/cft/config/db-instance.go
index a814c02b3..590e348f5 100644
--- a/pkg/mapper/iac-providers/cft/config/db-instance.go
+++ b/pkg/mapper/iac-providers/cft/config/db-instance.go
@@ -31,6 +31,16 @@ type DBInstanceConfig struct {
 KmsKeyID string `json:"kms_key_id,omitempty"`
 IamDBAuthEnabled bool `json:"iam_database_authentication_enabled"`
 PubliclyAccessible bool `json:"publicly_accessible"`
+ BackupRetentionPeriod int `json:"backup_retention_period"`
+ Username string `json:"username"`
+ Password string `json:"password"`
+ InstanceClass string `json:"instance_class"`
+ Engine string `json:"engine"`
+ EngineVersion string `json:"engine_version"`
+ Identifier string `json:"identifier"`
+ StorageType string `json:"storage_type"`
+ DeleteAutomatedBackups bool `json:"delete_automated_backups"`
+ DeletionProtection bool `json:"deletion_protection"`
 }

 // GetDBInstanceConfig returns config for aws_db_instance
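Review bot: The new `Password string `json:"password"`` field carries the RDS master password value into the normalized `DBInstanceConfig`, so if that struct is ever serialized into scan output or a debug dump, a template that hard-codes `MasterUserPassword` instead of referencing a parameter or secret would have its secret echoed in clear text by the scanner. A policy only needs to know whether the attribute is set, so I would either drop the field or store a redacted marker, and at minimum tag it `json:"password,omitempty"` so an unset password does not serialize as an empty string. The same concern applies to the `Password: functions.GetVal(d.MasterUserPassword)` line in the next hunk. The struct's opening line is only in the hunk header and its earlier fields are outside the hunk.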
@@ -47,7 +57,18 @@ func GetDBInstanceConfig(d *rds.DBInstance) []AWSResourceConfig {
 CaCertIdentifier: functions.GetVal(d.CACertificateIdentifier),
 IamDBAuthEnabled: functions.GetVal(d.EnableIAMDatabaseAuthentication),
 PubliclyAccessible: functions.GetVal(d.PubliclyAccessible),
+ BackupRetentionPeriod: functions.GetVal(d.BackupRetentionPeriod),
+ Username: functions.GetVal(d.MasterUsername),
+ Password: functions.GetVal(d.MasterUserPassword),
+ InstanceClass: functions.GetVal(d.DBInstanceClass),
+ Engine: functions.GetVal(d.Engine),
+ EngineVersion: functions.GetVal(d.EngineVersion),
+ Identifier: functions.GetVal(d.DBInstanceIdentifier),
+ StorageType: functions.GetVal(d.StorageType),
+ DeleteAutomatedBackups: functions.GetVal(d.DeleteAutomatedBackups),
+ DeletionProtection: functions.GetVal(d.DeletionProtection),
 }
+
 return []AWSResourceConfig{{
 Resource: cf,
 Metadata: d.AWSCloudFormationMetadata,

From e289cc65ebec3be5625f4c6ea581469c4e206a6d Mon Sep 17 00:00:00 2001
From: Gaurav Gogia <16029099+gaurav-gogia@users.noreply.github.com>
Date: Wed, 19 Oct 2022 21:02:17 +0530
Subject: [PATCH 2/2] Update RDS Policies (#1424)

* fix cloudwatch log export policy

* add backup retention policy
---
 .../rego/aws/aws_db_instance/AC_AWS_0052.json | 17 +++++++++++++++++
 .../aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json | 10 ++++++----
 .../dbInstanceLoggingDisabled.rego | 16 ----------------
 .../aws/aws_db_instance/rdsBackupDisabled.rego | 9 +++++++++
 .../aws_db_instance/rdsLogExportDisabled.rego | 6 ++++++
 5 files changed, 38 insertions(+), 20 deletions(-)
 create mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
 delete mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego
 create mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego
 create mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego
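Review bot: `BackupRetentionPeriod: functions.GetVal(d.BackupRetentionPeriod)` collapses an unset property into `0`, and `0` is exactly the value that turns automated backups off in RDS, so the normalized config can no longer distinguish a template that omits `BackupRetentionPeriod` (where the service default presumably applies) from one that explicitly disables backups; the `rdsBackupDisabled` rule added in the next patch fires on both. If that distinction matters to policy authors, keep the pointer (or tag the struct field `omitempty`) so the rule's `"undefined"` branch can still see absence. The same loss of nil-ness affects `DeleteAutomatedBackups` and `DeletionProtection`, where unset and `false` become identical. GetDBInstanceConfig's signature appears only in the hunk header; its body begins and ends outside the hunk.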
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json b/pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
new file mode 100644
index 000000000..8fa3ef3e5
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
@@ -0,0 +1,17 @@
+{
+ "name": "rdsBackupDisabled",
+ "file": "rdsBackupDisabled.rego",
+ "policy_type": "aws",
+ "resource_type": "aws_db_instance",
+ "template_args": {
+ "prefix": "",
+ "name": "rdsBackupDisabled",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure automated backups are enabled for AWS RDS instances",
+ "reference_id": "AC_AWS_0052",
+ "category": "Data Protection",
+ "id": "AC_AWS_0052",
+ "version": 2
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json b/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json
index 6c1ffc92e..bcb419054 100644
--- a/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json
@@ -1,13 +1,15 @@
 {
- "name": "dbInstanceLoggingDisabled",
- "file": "dbInstanceLoggingDisabled.rego",
+ "name": "rdsLogExportDisabled",
+ "file": "rdsLogExportDisabled.rego",
 "policy_type": "aws",
 "resource_type": "aws_db_instance",
 "template_args": {
- "prefix": ""
+ "prefix": "",
+ "name": "rdsLogExportDisabled",
+ "suffix": ""
 },
 "severity": "MEDIUM",
- "description": "Ensure AWS RDS instances have logging enabled.",
+ "description": "Ensure CloudWatch logging is enabled for AWS DB instances",
 "reference_id": "AWS.ADI.LM.MEDIUM.0076",
 "category": "Logging and Monitoring",
 "id": "AC_AWS_0454",
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego b/pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego
deleted file mode 100644
index 43f35750c..000000000
--- a/pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego
+++ /dev/null
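Review bot: `AC_AWS_0052.json` is a newly created file yet declares `"version": 2`, which suggests the reference ID was previously used under another name; if that is the case the commit message should say what this policy supersedes, otherwise `"version": 1` is the expected starting value. The new file also ends with `\ No newline at end of file`; a trailing newline keeps future diffs to its last line clean. In `AWS.ADI.LM.MEDIUM.0076.json` the `name`/`file` rename leaves `id` and `reference_id` untouched, presumably so existing suppressions keep matching — worth stating in the description since the rule's identity in reports is now split across the old ID and the new name.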
@@ -1,16 +0,0 @@
-package accurics
- {{.prefix}}dbInstanceLoggingDisabled[db_instance.id] {
- db_instance := input.aws_db_instance[_]
- object.get(db_instance.config, "enabled_cloudwatch_logs_exports", "undefined") == "undefined"
- }
-
- {{.prefix}}dbInstanceLoggingDisabled[db_instance.id] {
- db_instance := input.aws_db_instance[_]
- db_instance.config.enabled_cloudwatch_logs_exports == []
- }
-
- {{.prefix}}dbInstanceLoggingDisabled[db_instance.id] {
- db_instance := input.aws_db_instance[_]
- db_instance.config.enabled_cloudwatch_logs_exports == null
- }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego b/pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego
new file mode 100644
index 000000000..0c547d68b
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego
@@ -0,0 +1,9 @@
+package accurics
+ {{.prefix}}{{.name}}{{.suffix}}[retVal] {
+ backup := input.aws_db_instance[_]
+ object.get(backup.config, "backup_retention_period", "undefined") == ["undefined", null, 0, []][_]
+
+ traverse = "backup_retention_period"
+ retVal := { "Id": backup.id, "ReplaceType": "add", "CodeType": "attribute", "Traverse": traverse, "Attribute": "backup_retention_period", "AttributeDataType": "int", "Expected": 30, "Actual": null }
+ }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego b/pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego
new file mode 100644
index 000000000..fa729c0b3
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego
@@ -0,0 +1,6 @@
+package accurics
+ {{.prefix}}{{.name}}{{.suffix}}[db_instance.id] {
+ db_instance := input.aws_db_instance[_]
+ object.get(db_instance.config, "enabled_cloudwatch_logs_exports", "undefined") == ["undefined", [], null][_]
+ }
\ No newline at end of file
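Review bot: In `rdsBackupDisabled.rego` the remediation object hard-codes `"Actual": null`, but the rule also fires when `backup_retention_period` is explicitly `0` or `[]`, so for those inputs the reported actual value is wrong and a consumer of the remediation cannot tell an omitted attribute from one that deliberately disables backups; `"Actual": object.get(backup.config, "backup_retention_period", null)` would report what was actually found. `traverse = "backup_retention_period"` uses unification where the surrounding lines use `:=`; `traverse := "backup_retention_period"` keeps the rule consistent. Matching `0` is correct here, since that is the value that turns off automated backups, but a one-line comment above the `object.get` saying so would save the next reader from checking the RDS semantics. The same list-membership idiom in `rdsLogExportDisabled.rego` is fine and replaces the three separate rules of the deleted file cleanly.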