diff --git a/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml b/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml
new file mode 100644
index 0000000000..d551fc5418
--- /dev/null
+++ b/cloud/aws/rds/rds-auto-minor-upgrade-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-auto-minor-upgrade-disabled
+
+info:
+ name: RDS Auto Minor Version Upgrade - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Ensure that your Amazon RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window.
+ impact: |
+ The RDS instance may miss critical security patches and minor feature updates, increasing vulnerability to security risks and bugs.
+ remediation: |
+ Enable auto minor version upgrades for the RDS instance through the AWS Management Console, CLI, or API to ensure timely application of security patches and updates.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-auto-minor-version-upgrade.html
+ - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []' --output json
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].AutoMinorVersionUpgrade' --output json
+
+ matchers:
+ - type: word
+ words:
+ - 'false'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Auto Minor Version Upgrade is Disabled"'
\ No newline at end of file
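Review bot: The first `source` command passes `--output json` twice, before and after `--query`; drop the trailing one. The enumeration filters on ``Engine==`mysql` || Engine==`postgres` ``, so MariaDB, Oracle and SQL Server instances, which expose the same AutoMinorVersionUpgrade flag, are never checked, and `--query 'DBInstances[*].DBInstanceIdentifier'` would cover them; the same engine filter narrows rds-copy-snap.yaml, rds-instance-autoscaling-disabled.yaml and rds-log-export-disabled.yaml in this commit (rds-insights-disabled.yaml at least adds the Aurora engines). As a point of style, the loop variable `DBClusterIdentifier` and the `dbcluster` variable hold DB instance identifiers in every describe-db-instances template here; naming them `dbinstance` would avoid confusion with the cluster-based templates.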
diff --git a/cloud/aws/rds/rds-automated-backup-disabled.yaml b/cloud/aws/rds/rds-automated-backup-disabled.yaml
new file mode 100644
index 0000000000..291708599d
--- /dev/null
+++ b/cloud/aws/rds/rds-automated-backup-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-automated-backup-disabled
+
+info:
+ name: RDS Automated Backups - Disabled
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ Ensure that your Amazon RDS database instances have automated backups enabled for point-in-time recovery.
+ impact: |
+ Data loss risk increases, as the RDS instance cannot be automatically restored to a previous state in case of failure or accidental deletion.
+ remediation: |
+ Enable automated backups for the RDS instance in the AWS Management Console, CLI, or API to ensure regular, automatic backups are created and retained.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-automated-backups-enabled.html
+ - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --query 'DBInstances[*].DBInstanceIdentifier' --output json
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].BackupRetentionPeriod' --output json
+
+ matchers:
+ - type: word
+ words:
+ - '0'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Automated Backups is Disabled"'
\ No newline at end of file
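Review bot: The `word` matcher `'0'` on the second command is a substring match against the JSON output of `DBInstances[*].BackupRetentionPeriod`, so a retention period of 10 or 30 days also matches and the instance is reported as having automated backups disabled. Have the query produce a boolean instead, ``--query 'DBInstances[0].BackupRetentionPeriod == `0`'`` with `- 'true'` in `words`, so only an exact zero is flagged. A regex matcher anchored on the bracketed `0` would also work, but the boolean query reads more clearly.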
diff --git a/cloud/aws/rds/rds-backtrack-disabled.yaml b/cloud/aws/rds/rds-backtrack-disabled.yaml
new file mode 100644
index 0000000000..74f607a631
--- /dev/null
+++ b/cloud/aws/rds/rds-backtrack-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-backtrack-disabled
+
+info:
+ name: AWS RDS Backtrack - Disabled
+ author: DhiyaneshDK
+ severity: low
+ description: |
+ Ensure that the Backtrack feature is enabled for your Amazon Aurora (with MySQL compatibility) database clusters in order to backtrack your clusters to a specific time, without using backups.
+ impact: |
+ Unable to quickly revert the database to a previous state, leading to longer recovery times in case of accidental changes or data corruption.
+ remediation: |
+ Enable Backtrack for the RDS instance through the AWS Management Console, CLI, or API, and configure the desired backtrack window to allow quick recovery.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/backtrack.html
+ - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql`].DBClusterIdentifier | []'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-clusters --region $region --db-cluster-identifier $dbcluster --query 'DBClusters[*].BacktrackWindow' --output json
+
+ matchers:
+ - type: word
+ words:
+ - '[]'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " AWS RDS Backtrack is Disabled"'
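Review bot: The `'[]'` matcher on `DBClusters[*].BacktrackWindow` only fires when the attribute is absent from the response; the RDS API documents a BacktrackWindow of 0 as "backtracking disabled", and a cluster that reports `"BacktrackWindow": 0` prints a bracketed `0` and is never matched (I cannot confirm from this diff which form the API returns for a non-backtrack cluster, so this needs a check against a real one). A query that yields a boolean covers both forms: ``--query 'DBClusters[0].BacktrackWindow == `0` || !DBClusters[0].BacktrackWindow'`` with `- 'true'` in `words`. The `remediation` text says "RDS instance" although Backtrack, and this check, apply to an Aurora cluster.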
diff --git a/cloud/aws/rds/rds-cluster-protection-disabled.yaml b/cloud/aws/rds/rds-cluster-protection-disabled.yaml
new file mode 100644
index 0000000000..1693286df3
--- /dev/null
+++ b/cloud/aws/rds/rds-cluster-protection-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-cluster-protection-disabled
+
+info:
+ name: RDS Cluster Deletion Protection - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Ensure that all your provisioned Amazon Aurora database clusters are protected from accidental deletion by having the Deletion Protection feature enabled at the Aurora cluster level.
+ impact: |
+ The RDS cluster can be accidentally deleted, leading to potential data loss and service disruption.
+ remediation: |
+ Enable deletion protection for the RDS cluster via the AWS Management Console, CLI, or API to prevent accidental deletion.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/cluster-deletion-protection.html
+ - https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql`].DBClusterIdentifier | []'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-clusters --region $region --db-cluster-identifier $dbcluster --query 'DBClusters[*].DeletionProtection' --output json
+
+ matchers:
+ - type: word
+ words:
+ - 'false'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Cluster Deletion Protection is Disabled"'
\ No newline at end of file
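Review bot: The enumeration filters on ``Engine==`aurora-mysql` ``, but the description promises coverage of all provisioned Aurora clusters; Aurora PostgreSQL clusters carry the same DeletionProtection flag and are skipped, as are any other clusters describe-db-clusters returns. Since every cluster exposes the flag, the filter can simply go: `--query 'DBClusters[*].DBClusterIdentifier'`. If the intent really is Aurora-only, widen it to both Aurora engines and say so in `description`.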
diff --git a/cloud/aws/rds/rds-copy-snap.yaml b/cloud/aws/rds/rds-copy-snap.yaml
new file mode 100644
index 0000000000..da686cb154
--- /dev/null
+++ b/cloud/aws/rds/rds-copy-snap.yaml
@@ -0,0 +1,59 @@
+id: rds-copy-snap
+
+info:
+ name: RDS Copy Tags to Snapshots - Disabled
+ author: DhiyaneshDK
+ severity: low
+ description: |
+ Ensure that your Amazon RDS database instances make use of the Copy Tags to Snapshots feature in order to allow tags set on your database instances to be automatically copied to any automated or manual database snapshots that are created from these RDS instances.
+ impact: |
+ Tags are not copied to snapshots, making it harder to track, manage, and identify snapshots for cost allocation, compliance, or organization.
+ remediation: |
+ Enable the "Copy Tags to Snapshots" option for the RDS instance in the AWS Management Console, CLI, or API to ensure that tags are automatically applied to any created snapshots.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/copy-tags-to-snapshot.html
+ - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].CopyTagsToSnapshot'
+
+ matchers:
+ - type: word
+ words:
+ - 'false'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - '"Copy Tags To Snapshot is not enable for instance " + dbcluster'
\ No newline at end of file
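Review bot: The second `source` command has no `--output json`, so how `DBInstances[*].CopyTagsToSnapshot` is printed depends on the operator's configured CLI output format; with `text` or `table` output the CLI prints the boolean as `False`, which the case-sensitive `word` matcher `'false'` never matches, and the finding is silently lost. Append `--output json` as the other templates in this commit do; the second command in rds-multi-az.yaml has the same omission. The DSL message `"Copy Tags To Snapshot is not enable for instance "` should read `is not enabled`, and its "message then identifier" order differs from every other template here, which put `dbcluster` first.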
diff --git a/cloud/aws/rds/rds-insights-disabled.yaml b/cloud/aws/rds/rds-insights-disabled.yaml
new file mode 100644
index 0000000000..a7506fb4f2
--- /dev/null
+++ b/cloud/aws/rds/rds-insights-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-insights-disabled
+
+info:
+ name: RDS Performance Insights - Disabled
+ author: DhiyaneshDK
+ severity: low
+ description: |
+ Ensure that your Amazon RDS MySQL and PostgreSQL database instances have the Performance Insights feature enabled in order to allow you to obtain a better overview of your databases performance as well as help you to identify potential performance issues.
+ impact: |
+ Inability to monitor and analyze database performance metrics, making it harder to identify and resolve performance bottlenecks.
+ remediation: |
+ Enable Performance Insights for the RDS instance in the AWS Management Console or via CLI/API to monitor and analyze database performance metrics.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/performance-insights.html
+ - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.Enabling.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`aurora-mysql` || Engine==`aurora-postgresql` || Engine==`postgres`].DBInstanceIdentifier | []'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].PerformanceInsightsEnabled' --output json
+
+ matchers:
+ - type: word
+ words:
+ - 'false'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Performance Insights is Disabled"'
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml b/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
new file mode 100644
index 0000000000..aca686526f
--- /dev/null
+++ b/cloud/aws/rds/rds-instance-autoscaling-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-instance-autoscaling-disabled
+
+info:
+ name: RDS Instance Storage AutoScaling - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Ensure that the Storage AutoScaling feature is enabled for your Amazon RDS database instances in order to provide dynamic scaling support for the database's storage based on your RDS application needs.
+ impact: |
+ The RDS instance may run out of storage, leading to potential application downtime or performance degradation due to lack of disk space.
+ remediation: |
+ Enable storage autoscaling for the RDS instance in the AWS Management Console or via CLI/API to automatically adjust storage capacity as needed.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/enable-rds-storage-autoscaling.html
+ - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].MaxAllocatedStorage' --output json
+
+ matchers:
+ - type: word
+ words:
+ - '[]'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Instance Storage AutoScaling is Disabled"'
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-log-export-disabled.yaml b/cloud/aws/rds/rds-log-export-disabled.yaml
new file mode 100644
index 0000000000..d9d08ffdfb
--- /dev/null
+++ b/cloud/aws/rds/rds-log-export-disabled.yaml
@@ -0,0 +1,59 @@
+id: rds-log-export-disabled
+
+info:
+ name: RDS Log Exports - Disabled
+ author: DhiyaneshDK
+ severity: low
+ description: |
+ Ensure that your Amazon RDS database instances have the Log Exports feature enabled in order to publish database log events directly to CloudWatch Logs.
+ impact: |
+ Critical database logs are not exported, limiting visibility into performance issues, security events, and troubleshooting capabilities.
+ remediation: |
+ Enable RDS log exports in the AWS Management Console or via CLI/API by configuring the desired logs (e.g., slow query, general, error logs) for export to CloudWatch.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/log-exports.html
+ - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output table --query 'DBInstances[?Engine==`mysql` || Engine==`aurora-mysql` || Engine==`mariadb`].DBInstanceIdentifier | []' --output json
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].EnabledCloudwatchLogsExports' --output json
+
+ matchers:
+ - type: word
+ words:
+ - '[]'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Log Exports is Disabled"'
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-multi-az.yaml b/cloud/aws/rds/rds-multi-az.yaml
new file mode 100644
index 0000000000..2368ed26dd
--- /dev/null
+++ b/cloud/aws/rds/rds-multi-az.yaml
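Review bot: The enumeration command passes both `--output table` and `--output json`; only the last one takes effect, so the JSON extractor works today, but the `table` flag reads like a leftover from manual testing and should be removed before someone "fixes" the duplicate the other way. The `'[]'` matcher is satisfied both when EnabledCloudwatchLogsExports is absent from the response and when it is an empty list, which is the intended behaviour but not obvious; a comment above `matchers` such as `# absent or empty EnabledCloudwatchLogsExports prints as [] - nothing is exported` would spare the next reader the check. The engine filter here also leaves PostgreSQL, Oracle and SQL Server instances unchecked although log exports exist for them.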
@@ -0,0 +1,59 @@
+id: rds-multi-az
+
+info:
+ name: RDS Multi-AZ - Disabled
+ author: DhiyaneshDK
+ severity: medium
+ description: |
+ Ensure that your Amazon RDS instances are using the Multi-AZ deployment configuration for high availability and automatic failover support, fully managed by AWS.
+ impact: |
+ The RDS instance lacks high availability and failover support, increasing the risk of downtime during instance failures or maintenance events.
+ remediation: |
+ Enable Multi-AZ deployment for the RDS instance in the AWS Management Console, CLI, or API to enhance availability and automatic failover.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-multi-az.html
+ - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].MultiAZ'
+
+ matchers:
+ - type: word
+ words:
+ - 'false'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Multi-AZ is Disabled"'
\ No newline at end of file
diff --git a/cloud/aws/rds/rds-public-access.yaml b/cloud/aws/rds/rds-public-access.yaml
new file mode 100644
index 0000000000..c4f3f9afa1
--- /dev/null
+++ b/cloud/aws/rds/rds-public-access.yaml
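Review bot: The enumeration takes every DB instance, and members of an Aurora cluster are reported by describe-db-instances with `MultiAZ` false even when the cluster has readers in other availability zones, because Aurora's availability is a cluster-level property; those instances would be flagged as lacking Multi-AZ, which is worth confirming against a real Aurora cluster before merging. Excluding the Aurora engines from the first query, e.g. ``--query 'DBInstances[?!starts_with(Engine, `aurora`)].DBInstanceIdentifier'``, or reading `DBClusters[*].MultiAZ` for them in a separate template, would avoid the false positive. The `description` could state that the check is for non-Aurora instances so the scope is clear.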
@@ -0,0 +1,59 @@
+id: rds-public-access
+
+info:
+ name: RDS Publicly Accessible - Enabled
+ author: DhiyaneshDK
+ severity: high
+ description: |
+ Check for any public-facing Amazon RDS database instances provisioned within your AWS cloud account and restrict unauthorized access in order to minimize security risks.
+ impact: |
+ The RDS instance is exposed to the internet, increasing the risk of unauthorized access, attacks, and data breaches.
+ remediation: |
+ To restrict access to a publicly accessible database instance, you must disable the PubliclyAccessible configuration flag, and update the security group associated with the database instance.
+ reference:
+ - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/RDS/rds-publicly-accessible.html
+ - http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
+ tags: cloud,devops,aws,amazon,rds,aws-cloud-config
+
+variables:
+ region: "us-west-2"
+
+flow: |
+ code(1)
+ for(let DBClusterIdentifier of iterate(template.dbclusters)){
+ set("dbcluster", DBClusterIdentifier)
+ code(2)
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
+
+ extractors:
+ - type: json
+ name: dbclusters
+ internal: true
+ json:
+ - '.[]'
+
+ - engine:
+ - sh
+ - bash
+
+ source: |
+ aws rds describe-db-instances --region $region --db-instance-identifier $dbcluster --query 'DBInstances[*].PubliclyAccessible' --output json
+
+ matchers:
+ - type: word
+ words:
+ - 'true'
+
+ extractors:
+ - type: dsl
+ dsl:
+ - 'dbcluster + " RDS Publicly Accessible Enabled"'
\ No newline at end of file