Merge pull request #11036 from projectdiscovery/firehose-aws

AWS - Firehose (2 Templates)
2024-10-28 15:21:56 +07:00 · 2024-10-28 15:21:56 +07:00 · 6c8d3ea58e
parent 6bc7eb089e 6ff6ff9f4b
commit 6c8d3ea58e
2 changed files with 116 additions and 0 deletions
--- a/cloud/aws/firehose/firehose-server-destination-encryption.yaml
+++ b/cloud/aws/firehose/firehose-server-destination-encryption.yaml
@ -0,0 +1,58 @@
+id: firehose-server-destination-encryption
+
+info:
+  name: Firehose Delivery Stream Destination Encryption - Disabled
+  author: DhiyaneshDK
+  severity: medium
+  description: |
+    Ensure that your Kinesis Firehose delivery stream data records are encrypted at destination (i.e. Amazon S3) in order to meet regulatory requirements and protect your Firehose data at rest.
+  impact: |
+    Disabling encryption for Firehose delivery stream destinations can lead to sensitive data being stored unencrypted, increasing the risk of data exposure and unauthorized access.
+  remediation: |
+    Enable encryption for Firehose delivery stream destinations to ensure that all data is encrypted at rest, safeguarding sensitive information from unauthorized access and potential data breaches.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Firehose/delivery-stream-destination-encryption.html
+    - https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
+  tags: cloud,devops,aws,amazon,firehose,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let DeliveryStreamNames of iterate(template.deliverys)){
+    set("delivery", DeliveryStreamNames)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws firehose list-delivery-streams --region $region --query 'DeliveryStreamNames' --output json
+
+    extractors:
+      - type: json
+        name: deliverys
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+        aws firehose describe-delivery-stream --region $region --delivery-stream-name $delivery --query 'DeliveryStreamDescription.Destinations[*].ExtendedS3DestinationDescription.EncryptionConfiguration' --output json
+
+    matchers:
+      - type: word
+        words:
+          - "NoEncryption"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Firehose Delivery Stream Destination " + delivery + " Encryption is Disabled"'
--- a/cloud/aws/firehose/firehose-server-side-encryption.yaml
+++ b/cloud/aws/firehose/firehose-server-side-encryption.yaml
@ -0,0 +1,58 @@
+id: firehose-server-side-encryption
+
+info:
+  name: Firehose Delivery Stream Server-Side Encryption - Disabled
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    Ensure that your Amazon Kinesis Data Firehose delivery streams are encrypted using Server-Side Encryption.
+  impact: |
+    Disabling server-side encryption for Firehose delivery streams can result in unencrypted data being stored, exposing sensitive information to unauthorized access and increasing the risk of data breaches.
+  remediation: |
+    Enable server-side encryption for Firehose delivery streams to ensure that data is securely encrypted at rest, protecting sensitive information from unauthorized access.
+  reference:
+    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/Firehose/delivery-stream-encrypted-with-kms-customer-master-keys.html
+    - https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
+  tags: cloud,devops,aws,amazon,firehose,aws-cloud-config
+
+variables:
+  region: "us-west-2"
+
+flow: |
+  code(1)
+  for(let DeliveryStreamNames of iterate(template.deliverys)){
+    set("delivery", DeliveryStreamNames)
+    code(2)
+  }
+
+self-contained: true
+
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws firehose list-delivery-streams --region $region --query 'DeliveryStreamNames' --output json
+
+    extractors:
+      - type: json
+        name: deliverys
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+        aws firehose describe-delivery-stream --region $region --delivery-stream-name $delivery --query 'DeliveryStreamDescription.DeliveryStreamEncryptionConfiguration.KeyType' --output json
+
+    matchers:
+      - type: word
+        words:
+          - "null"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Firehose delivery stream " + delivery + " is not encrypted using SSE"'