AWS Code Templates (#8915)
* s3 bucket checks * fixed lint errors * IAM checks * added ec2 templates * rdp * fixed lint error * acm & cloudwatch templates * cloudtrail * vpc templates added * added aws profile * fixed lint * added aws-code-env * added iterate in flow * added scan profile + updated tags * Delete config/cloud/aws.yml * updated scan profile * syntax update * removed local digest * added comments --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> Co-authored-by: Sandeep Singh <sandeep@projectdiscovery.io>patch-1
parent
3aa158940c
commit
95df0d0b53
@ -0,0 +1,40 @@
id: acm-cert-expired
info:
name: Expired ACM Certificates
author: princechaddha
severity: high
description: |
Ensure removal of expired SSL/TLS certificates in AWS Certificate Manager to comply with Amazon Security Best Practices.
impact: |
Expired certificates can lead to service interruptions and expose applications to man-in-the-middle attacks.
remediation: |
Regularly review ACM for expired certificates and delete them or replace with updated versions.
reference:
- https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws acm list-certificates --region $region --certificate-statuses EXPIRED
matchers:
- type: word
words:
- 'CertificateArn'
extractors:
- type: json
name: certificatearn
json:
- '.CertificateSummaryList[] | .CertificateArn'
- type: dsl
dsl:
- 'region + " AWS region have expired SSL/TLS certificates"'
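Review bot: The `list-certificates` call in this file's only code block does not pin `--output json`, unlike the sibling ACM templates in this commit, so the `json` extractor on `.CertificateSummaryList[] | .CertificateArn` and the `'CertificateArn'` word matcher depend on whatever output format the operator's CLI profile defaults to (text output prints no keys at all); add `--output json` to the `source:` line. The `region` variable is a single hard-coded `us-east-1` and ACM is a regional service, so one run only covers that region — a comment next to the variable saying it is meant to be overridden per region would save a false sense of coverage. The DSL message `region + " AWS region have expired SSL/TLS certificates"` should read `has` to agree with its singular subject.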
@ -0,0 +1,56 @@
|
||||||
|
id: acm-cert-renewal-30days
|
||||||
|
info:
|
||||||
|
name: ACM Certificates Pre-expiration Renewal
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure AWS ACM SSL/TLS certificates are renewed at least 30 days before expiration to prevent service disruptions.
|
||||||
|
impact: |
|
||||||
|
Failure to renew certificates timely may lead to expired certificates causing service access issues or downtimes.
|
||||||
|
remediation: |
|
||||||
|
Set up Amazon CloudWatch to monitor ACM certificate expiration and automate renewal notifications or processes.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html
|
||||||
|
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let arns of iterate(template.certificatearns)){
|
||||||
|
set("certificatearn", arns)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: certificatearns
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.CertificateSummaryList[] | .CertificateArn'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.[NotAfter, CertificateArn]' --output json | jq -r 'select((.[0] | fromdateiso8601 | mktime) - (now | mktime) < (30 * 86400)) | .[1]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex # type of the extractor
|
||||||
|
name: certificate
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '^arn.*'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The AWS ACM Certificate " + certificate +" is about to expire in 30 days"'
|
|
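Review bot: The first code block's `json` extractor `.CertificateSummaryList[] | .CertificateArn` cannot match the output of its own command: the `list-certificates` call uses `--query 'CertificateSummaryList[*].CertificateArn' --output json`, which already returns a flat array of ARN strings, so `template.certificatearns` stays empty and `code(2)` never runs; the extractor should be `- '.[]'`, as the wildcard template in this commit already does. The 45-day template has the same mismatch. The `jq` filter in the second block also looks unlikely to evaluate as written: `fromdateiso8601` already yields epoch seconds and `now` is a number, while `mktime` expects a broken-down time array, and the `NotAfter` value the CLI prints carries a `+00:00` offset (and possibly fractional seconds) that `fromdateiso8601` does not accept — something like `select((.[0] | sub("\\.[0-9]+";"") | sub("\\+00:00$";"Z") | fromdateiso8601) - now < (30 * 86400)) | .[1]` is closer, but confirm it against real CLI output before relying on it.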
@ -0,0 +1,56 @@
|
||||||
|
id: acm-cert-renewal-45days
|
||||||
|
info:
|
||||||
|
name: ACM Certificates Pre-expiration Renewal
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure AWS ACM SSL/TLS certificates are renewed at least 45 days before expiration to prevent service disruptions.
|
||||||
|
impact: |
|
||||||
|
Failure to renew certificates timely may lead to expired certificates causing service access issues or downtimes.
|
||||||
|
remediation: |
|
||||||
|
Set up Amazon CloudWatch to monitor ACM certificate expiration and automate renewal notifications or processes.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html
|
||||||
|
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let arns of iterate(template.certificatearns)){
|
||||||
|
set("certificatearn", arns)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: certificatearns
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.CertificateSummaryList[] | .CertificateArn'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.[NotAfter, CertificateArn]' --output json | jq -r 'select((.[0] | fromdateiso8601 | mktime) - (now | mktime) < (45 * 86400)) | .[1]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex # type of the extractor
|
||||||
|
name: certificate
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '^arn.*'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The AWS ACM Certificate " + certificate +" is about to expire in 30 days"'
|
|
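Review bot: The DSL message at the end of this file still says `is about to expire in 30 days` although the `jq` threshold in this template is `45 * 86400`; change it to `" is about to expire in 45 days"`. The `info.name` is also identical to the 30-day template (`ACM Certificates Pre-expiration Renewal`), so findings from the two cannot be told apart by name in a report — a suffix such as `(45 days)` would help. The `json` extractor mismatch with the `--query` output raised on the 30-day template applies to the first code block here as well.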
@ -0,0 +1,55 @@
|
||||||
|
id: acm-cert-validation
|
||||||
|
info:
|
||||||
|
name: ACM Certificate Validation Check
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure ACM SSL/TLS certificates are properly validated during issue or renewal, indicating secure communication channels.
|
||||||
|
impact: |
|
||||||
|
Lack of validation may allow unauthorized certificates, leading to potential man-in-the-middle attacks or data breaches.
|
||||||
|
remediation: |
|
||||||
|
Use AWS ACM for certificate provisioning and ensure domain validation steps are correctly followed for each certificate issued or renewed.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html
|
||||||
|
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let arns of iterate(template.certificatearns)){
|
||||||
|
set("certificatearn", arns)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm list-certificates --region $region --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: certificatearns
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.CertificateSummaryList[] | .CertificateArn'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.Status'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "PENDING_VALIDATION"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The issue/renewal request for " + certificatearn + " SSL/TLS certificate was not validated"'
|
|
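Review bot: The `"PENDING_VALIDATION"` word matcher on the `Certificate.Status` output in the second code block only catches certificates still waiting for validation; ACM also reports `VALIDATION_TIMED_OUT` and `FAILED`, which are likewise requests that were never validated, so add `- "VALIDATION_TIMED_OUT"` and `- "FAILED"` under `words:`. The status filter could also move into the first call as `--certificate-statuses PENDING_VALIDATION VALIDATION_TIMED_OUT FAILED`, which avoids one `describe-certificate` round trip per issued certificate and leaves the per-certificate loop only for building the message.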
@ -0,0 +1,55 @@
|
||||||
|
id: acm-wildcard-cert
|
||||||
|
info:
|
||||||
|
name: Wildcard ACM Certificate Usage
|
||||||
|
author: princechaddha
|
||||||
|
severity: low
|
||||||
|
description: |
|
||||||
|
Ensure ACM certificates for specific domain names are used over wildcard certificates to adhere to best security practices, providing unique private keys for each domain/subdomain.
|
||||||
|
impact: |
|
||||||
|
Using wildcard certificates can expose your AWS environment to increased risk by potentially allowing unauthorized subdomains to be protected under the same certificate, reducing the granularity of access control and increasing the blast radius in the event of a key compromise.
|
||||||
|
remediation: |
|
||||||
|
Replace wildcard ACM certificates with single domain name certificates for each domain/subdomain within your AWS account. This enhances security by ensuring each domain/subdomain has its own unique private key and certificate.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
|
||||||
|
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let arns of iterate(template.certificatearns)){
|
||||||
|
set("certificatearn", arns)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: certificatearns
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.DomainName'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "*."
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'certificatearn + " AWS ACM certificate is a wildcard certificate"'
|
|
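Review bot: The wildcard check in the second code block queries only `Certificate.DomainName`, so a certificate whose primary name is a plain host but whose `SubjectAlternativeNames` include a `*.` entry is not reported; query `'Certificate.[DomainName, SubjectAlternativeNames]'` so the `"*."` matcher sees every name on the certificate. Adding `--output json` to that describe call would also keep it consistent with the first block, even though the substring match happens to work under text output too.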
@ -0,0 +1,52 @@
|
||||||
|
id: aws-code-env
|
||||||
|
info:
|
||||||
|
name: AWS Cloud Environment Validation
|
||||||
|
author: princechaddha
|
||||||
|
severity: info
|
||||||
|
description: |
|
||||||
|
Checks if AWS CLI is set up and all necessary tools are installed on the environment.
|
||||||
|
reference:
|
||||||
|
- https://aws.amazon.com/cli/
|
||||||
|
tags: cloud,devops,aws,amazone,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: code(1) && code(2)
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws sts get-caller-identity --output json
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
internal: true
|
||||||
|
words:
|
||||||
|
- '"UserId"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: account
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.Account'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
jq --version >/dev/null 2>&1 && echo "jq is installed." || echo "jq is not installed."
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "jq is installed"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"AWS CLI is properly configured for account \"" + account + "\" and all the necessary tools required are installed"'
|
|
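Review bot: `tags:` in this file reads `amazone` where every other template in the commit uses `amazon`, so tag-based selection on `amazon` would skip the environment check the other templates presumably depend on; change it to `tags: cloud,devops,aws,amazon,aws-cloud-config`. The `region: "us-east-1"` variable is declared but neither `sts get-caller-identity` nor the `jq --version` probe uses `$region`; drop it, or add a comment saying it is kept for parity with the other templates. The description promises a check that "all necessary tools are installed" while only `jq` is probed — either narrow the description to `jq` or extend the second block.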
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-data-events
|
||||||
|
info:
|
||||||
|
name: CloudTrail S3 Data Events Logging
|
||||||
|
author: princechaddha
|
||||||
|
severity: low
|
||||||
|
description: |
|
||||||
|
Ensure Amazon CloudTrail trails log S3 data events to monitor object-level operations like GetObject, DeleteObject, and PutObject.
|
||||||
|
impact: |
|
||||||
|
Without logging S3 data events, you lose visibility into object-level operations which could help detect unauthorized access or modifications.
|
||||||
|
remediation: |
|
||||||
|
Enable data event logging in CloudTrail for S3 buckets to ensure detailed activity monitoring and logging for better security and compliance.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail get-event-selectors --region $region --trail-name $trail --query 'EventSelectors[*].DataResources[]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to capture resource operations performed on or within an AWS cloud resource"'
|
|
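Review bot: The `get-event-selectors` query `EventSelectors[*].DataResources[]` with a `"[]"` matcher reports a trail as not logging S3 data events whenever it has no basic event selectors, which is also the case for trails configured with advanced event selectors (`AdvancedEventSelectors` in the same response) — those trails would be flagged even when they log every S3 object operation, while a trail whose only data resource is Lambda passes; the check should also inspect `AdvancedEventSelectors` and restrict `DataResources` to the `AWS::S3::Object` type. The mirror problem is in the management-events template, where the same query path returns `[]` for advanced-selector trails and the `"false"` matcher silently passes. All of the CloudTrail templates iterate `Trails[*].Name` from `list-trails`, which can also list trails homed in other regions; `describe-trails --trail-name-list` and `get-event-selectors --trail-name` resolve a bare name only in the current region, so those trails yield empty or failing results — iterating `Trails[*].TrailARN` instead resolves them. The message `"CloudTrail trail" + trail + ...` lacks a space before the trail name here and in the disabled, global-disabled, integrated-cloudwatch, logs-not-encrypted, log-integrity, mgmt-events and public-buckets templates; use `"CloudTrail trail " + trail`.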
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-disabled
|
||||||
|
info:
|
||||||
|
name: CloudTrail Disabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensures AWS CloudTrail is enabled in all regions to monitor and record account activity across your AWS infrastructure, enhancing security and compliance.
|
||||||
|
impact: |
|
||||||
|
Lack of region-wide CloudTrail logging can lead to insufficient visibility into account activities, hindering anomaly detection and forensic analysis.
|
||||||
|
remediation: |
|
||||||
|
Enable CloudTrail in all AWS regions through the AWS Management Console or CLI to ensure comprehensive activity logging and monitoring.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IsMultiRegionTrail'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to receive log files from all the AWS cloud regions"'
|
|
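Review bot: The template is named `cloudtrail-disabled` but its second block only tests `IsMultiRegionTrail`, and the condition the name describes — no trail at all, or a trail whose logging is stopped — is never detected: with no trails, `list-trails` returns `[]`, the loop body never runs and the scan stays silent, and a stopped trail with `IsMultiRegionTrail: true` passes. A matcher on the first block for an empty `[]` result, plus `aws cloudtrail get-trail-status --region $region --name $trail --query 'IsLogging'` matched on `false` in the second, would cover the advertised control; the multi-region test could live under its own id. As in the global-disabled, log-integrity, mgmt-events and public-buckets templates, the describe call here does not pass `--output json`, so the `"false"` word match relies on the profile's default format (text output prints booleans as `False`/`True`, I believe), which the first block of every CloudTrail template avoids by pinning the format.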
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-dup-logs
|
||||||
|
info:
|
||||||
|
name: CloudTrail Duplicate Log Avoidance
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure CloudTrail logging is configured to prevent duplicate recording of global service events across multiple trails.
|
||||||
|
impact: |
|
||||||
|
Duplicate log entries can lead to increased storage costs and complicate log analysis and anomaly detection efforts.
|
||||||
|
remediation: |
|
||||||
|
Configure only one multi-region trail to log global service events and disable global service logging for all other trails.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IncludeGlobalServiceEvents' --output json
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "true"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Ensure only one trail in Amazon CloudTrail is configured for global service events to avoid duplicates: " + trail'
|
|
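Review bot: The `"true"` matcher on `trailList[*].IncludeGlobalServiceEvents` in the second block fires for every trail that records global events, so an account with exactly one such trail — the configuration the remediation text asks for — still gets a medium finding on every run; a per-trail loop cannot express "more than one". Count across trails in a single call instead, e.g. `aws cloudtrail describe-trails --region $region --query 'length(trailList[?IncludeGlobalServiceEvents])' --output json`, and match only when the number is greater than one, naming the offending trails in the message from a second query if needed. The `flow:` loop and the `list-trails` block would then be unnecessary for this template.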
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-global-disabled
|
||||||
|
info:
|
||||||
|
name: CloudTrail Global Events Enablement
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure Amazon CloudTrail trails are configured to capture both regional and global API activity for enhanced security and compliance in your AWS account.
|
||||||
|
impact: |
|
||||||
|
Lacking global event logging reduces visibility across AWS services that operate at the global level, potentially missing critical security and compliance data.
|
||||||
|
remediation: |
|
||||||
|
Enable global service logging in CloudTrail by creating or updating a trail to include global services. This ensures comprehensive activity monitoring.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IncludeGlobalServiceEvents'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to record API calls for AWS global services"'
|
|
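Review bot: This template and `cloudtrail-dup-logs` contradict each other: dup-logs asks that only one trail keep `IncludeGlobalServiceEvents` enabled, and once an operator follows that remediation every other trail is reported here as high severity by the `"false"` matcher in the second block. Either scope this check to accounts where no trail records global events (one `describe-trails` call with `--query 'trailList[?IncludeGlobalServiceEvents]'` matched on `[]`), or state in `description:` that a finding on a secondary trail is expected when another trail already covers global events. The describe call here also omits `--output json` while the dup-logs copy of the same command includes it.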
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-integrated-cloudwatch
|
||||||
|
info:
|
||||||
|
name: CloudTrail CloudWatch Integration
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure Amazon CloudTrail logs are integrated with CloudWatch Logs for real-time monitoring and analysis.
|
||||||
|
impact: |
|
||||||
|
Without integration, detecting and responding to critical events or unauthorized actions within AWS environment could be delayed.
|
||||||
|
remediation: |
|
||||||
|
Enable CloudTrail log file validation and configure CloudWatch Logs to monitor CloudTrail log files. Create CloudWatch Alarms for specific events of interest.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,cloudwatch,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].CloudWatchLogsLogGroupArn'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to send events to CloudWatch Logs for monitoring purposes"'
|
|
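Review bot: The `"[]"` matcher on `trailList[*].CloudWatchLogsLogGroupArn` cannot distinguish "integration not configured" from "trail not found": `describe-trails --trail-name-list` returns an empty `trailList` for a name it cannot resolve in this region (a trail homed elsewhere, or one removed between the two calls), and the JMESPath projection drops `null` values as well, so both cases print `[]` and are reported as missing the integration. Query `'trailList[*].[Name, CloudWatchLogsLogGroupArn]'` and match on `null` so an unresolved trail yields `[]` and is skipped instead; the logs-not-encrypted template (`KmsKeyId`, same matcher) has the same issue. Separately, the remediation text says to "Enable CloudTrail log file validation", which is the control of the log-integrity template, not CloudWatch Logs delivery; the sentence should describe configuring a CloudWatch Logs log group and delivery role for the trail.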
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-log-integrity
|
||||||
|
info:
|
||||||
|
name: CloudTrail Log Integrity Validation not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure CloudTrail log file integrity validation is enabled to detect unauthorized file modifications.
|
||||||
|
impact: |
|
||||||
|
Without log file integrity validation, it's harder to detect if CloudTrail logs have been tampered with, potentially hiding malicious activity.
|
||||||
|
remediation: |
|
||||||
|
Enable log file integrity validation on all CloudTrail trails to ensure the integrity and authenticity of your logs.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].LogFileValidationEnabled'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The log file integrity validation is not enabled for CloudTrail trail" + trail'
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-logs-not-encrypted
|
||||||
|
info:
|
||||||
|
name: CloudTrail Logs Not Encrypted
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure Amazon CloudTrail logs are encrypted at rest using AWS Key Management Service (KMS) to secure log data.
|
||||||
|
impact: |
|
||||||
|
Non-encrypted CloudTrail logs pose a risk of unauthorized access, compromising the integrity and confidentiality of log data.
|
||||||
|
remediation: |
|
||||||
|
Enable Server-Side Encryption (SSE) for CloudTrail logs using an AWS KMS key through the CloudTrail console or AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].KmsKeyId'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to encrypt log files using SSE-KMS encryption"'
|
|
@ -0,0 +1,72 @@
|
||||||
|
id: cloudtrail-mfa-delete
|
||||||
|
info:
|
||||||
|
name: CloudTrail MFA Delete
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure Amazon CloudTrail buckets have MFA Delete enabled to protect log file deletion.
|
||||||
|
impact: |
|
||||||
|
Prevents unauthorized deletion of CloudTrail logs, enhancing security and compliance.
|
||||||
|
remediation: |
|
||||||
|
Enable MFA Delete on CloudTrail buckets via the S3 console or AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
for(let BucketNames of iterate(template.buckets)){
|
||||||
|
set("bucket", BucketNames)
|
||||||
|
code(3)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: buckets
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-versioning --bucket $bucket --query 'MFADelete'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'null'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The MFA Delete feature is not enabled for the S3 bucket " + bucket + " associated with the CloudTrail " + trail'
|
|
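Review bot: The second block's `describe-trails ... --query 'trailList[*].S3BucketName'` feeds a `json` extractor (`.[]`) but does not pin `--output json`, so with a profile whose default format is `text` the bucket list is a bare string, `template.buckets` stays empty and the inner loop never runs; add `--output json` as the first block already does (the S3-logging template's bucket block has the same gap). The `get-bucket-versioning` call in the third block has the same dependency: its `'null'` matcher only ever sees `null` under JSON output. The `impact:` text ("Prevents unauthorized deletion…") describes the benefit of the control rather than the consequence of its absence, unlike the sibling templates, and `tags:` omits `cloudtrail` although the template iterates trails.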
@ -0,0 +1,56 @@
|
||||||
|
id: cloudtrail-mgmt-events
|
||||||
|
info:
|
||||||
|
name: CloudTrail Management Events Logging Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensures Amazon CloudTrail trails are configured to log management events, capturing crucial API calls and console actions for security and audit purposes.
|
||||||
|
impact: |
|
||||||
|
Failure to log management events can lead to insufficient audit trails, hindering the ability to investigate and respond to suspicious activities.
|
||||||
|
remediation: |
|
||||||
|
Enable management event logging in CloudTrail by creating a new trail or updating existing trails to include management events.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html
|
||||||
|
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
|
||||||
|
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail get-event-selectors --region $region --trail-name $trail --query 'EventSelectors[*].IncludeManagementEvents'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to capture management operations performed on your AWS cloud resources"'
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: cloudtrail-public-buckets
|
||||||
|
info:
|
||||||
|
name: Public CloudTrail Buckets
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Identifies AWS CloudTrail S3 buckets that are publicly accessible, risking exposure of sensitive log data.
|
||||||
|
impact: |
|
||||||
|
Unauthorized access to CloudTrail logs can lead to data leakage, compromising the integrity and confidentiality of cloud operations.
|
||||||
|
remediation: |
|
||||||
|
Restrict S3 bucket access using bucket policies or IAM policies to ensure that CloudTrail logs are not publicly accessible.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-south-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let CloudTrail of iterate(template.cloudtrailname)){
|
||||||
|
set("trail", CloudTrail)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: cloudtrailname
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IncludeGlobalServiceEvents'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"CloudTrail trail" + trail + " is not configured to record API calls for AWS global services"'
|
|
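Review bot: The second code block of this `critical` template is a copy of `cloudtrail-global-disabled` — it queries `trailList[*].IncludeGlobalServiceEvents`, matches `"false"` and emits the global-services message — so nothing in the file ever looks at whether the CloudTrail bucket is publicly accessible, and a finding here would be a duplicate of the global-disabled one at a higher severity. The bucket has to be resolved first (`trailList[*].S3BucketName`, as the mfa-delete template does) and then tested with the S3 public-access APIs; the sketch below uses `get-bucket-policy-status`, which reports `IsPublic` for the bucket policy but errors on buckets that have no policy and does not cover ACL-based exposure, so `get-public-access-block` or `get-bucket-acl` may be needed alongside it. The `flow:` block needs the nested loop from the mfa-delete template for this to run per bucket.
```yaml
flow: |
  code(1)
  for(let CloudTrail of iterate(template.cloudtrailname)){
    set("trail", CloudTrail)
    code(2)
    for(let BucketNames of iterate(template.buckets)){
      set("bucket", BucketNames)
      code(3)
    }
  }

# … unchanged: self-contained, code(1) list-trails block and its cloudtrailname extractor …

  - engine:
      - sh
      - bash
    source: |
      aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName' --output json

    extractors:
      - type: json
        name: buckets
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      aws s3api get-bucket-policy-status --bucket $bucket --query 'PolicyStatus.IsPublic' --output json

    matchers:
      - type: word
        words:
          - "true"

    extractors:
      - type: dsl
        dsl:
          - '"The S3 bucket " + bucket + " used by CloudTrail trail " + trail + " is publicly accessible"'
```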
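--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,72 @@
+id: cloudtrail-s3-bucket-logging
+info:
+  name: CloudTrail S3 Logging
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure AWS CloudTrail logs are captured in S3 buckets with Server Access Logging enabled for audit and forensic purposes.
+  impact: |
+    Without S3 Server Access Logging for CloudTrail, tracking unauthorized access or modifications to CloudTrail logs becomes difficult, impacting incident response and forensic analysis.
+  remediation: |
+    Enable Server Access Logging on the S3 bucket used by CloudTrail. Configure the logging feature to capture all requests made to the CloudTrail bucket.
+  reference:
+    - https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
+  tags: cloud,devops,aws,amazon,s3,cloudtrail,aws-cloud-config
+
+variables:
+  region: "ap-south-1"
+
+flow: |
+  code(1)
+  for(let CloudTrail of iterate(template.cloudtrailname)){
+    set("trail", CloudTrail)
+    code(2)
+    for(let BucketNames of iterate(template.buckets)){
+      set("bucket", BucketNames)
+      code(3)
+    }
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
+
+    extractors:
+      - type: json
+        name: cloudtrailname
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName'
+
+    extractors:
+      - type: json
+        name: buckets
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws s3api get-bucket-logging --bucket $bucket --query 'LoggingEnabled'
+
+    matchers:
+      - type: word
+        words:
+          - 'null'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Access logging is not enabled for the S3 bucket associated with CloudTrail trail " + trail'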
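Review bot: A failed `get-bucket-logging` call in code(3) — AccessDenied, or the log bucket living in another account, which is the normal layout for organization trails — produces an error on stderr and no `null` on stdout, so the trail is silently treated as compliant; consider a second matcher on `code_3_stderr` (the part s3-object-lock-not-enabled already uses) or document in the description that cross-account log buckets are out of scope. I cannot tell from the template alone whether the default matcher part also covers stderr, so that is worth confirming against the code-protocol docs before choosing. Trails without an `S3BucketName` would also feed an empty or null value into the inner loop; `--query 'trailList[?S3BucketName].S3BucketName' --output json` in code(2) skips them and pins the output format at the same time.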
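--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,73 @@
+id: s3-object-lock-not-enabled
+info:
+  name: CloudTrail S3 Object Lock
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure Amazon CloudTrail S3 buckets have Object Lock enabled to prevent log deletion and ensure regulatory compliance.
+  impact: |
+    Without Object Lock, S3 objects such as CloudTrail logs can be deleted, compromising audit trails and violating compliance requirements.
+  remediation: |
+    Enable S3 Object Lock in Governance mode with a retention period that meets your compliance requirements for CloudTrail S3 buckets.
+  reference:
+    - https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html
+  tags: cloud,devops,aws,amazon,s3,aws-cloud-config
+
+variables:
+  region: "ap-south-1"
+
+flow: |
+  code(1)
+  for(let CloudTrail of iterate(template.cloudtrailname)){
+    set("trail", CloudTrail)
+    code(2)
+    for(let BucketNames of iterate(template.buckets)){
+      set("bucket", BucketNames)
+      code(3)
+    }
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
+
+    extractors:
+      - type: json
+        name: cloudtrailname
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName'
+
+    extractors:
+      - type: json
+        name: buckets
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws s3api get-object-lock-configuration --bucket $bucket --query 'ObjectLockConfiguration.ObjectLockEnabled' --output json
+
+    matchers:
+      - type: word
+        part: code_3_stderr
+        words:
+          - 'ObjectLockConfigurationNotFoundError'
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"The Object Lock feature is not enabled for the S3 bucket associated with the CloudTrail trail " + trail'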
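Review bot: The stderr matcher in code(3) recognises only `ObjectLockConfigurationNotFoundError`, so any other failure — AccessDenied, a redirect for a bucket in another region, or a bucket owned by another account — yields a different error and the bucket is reported as compliant rather than as unchecked; either add those error strings as separate matchers with their own messages or state the limitation in the description. The id `s3-object-lock-not-enabled` is generic while the name and the bucket discovery scope the check to CloudTrail buckets; an id in the `cloudtrail-*` family used by the neighbouring templates would make the scope visible in the id itself.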
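--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,55 @@
+id: cw-alarm-action-set
+info:
+  name: CloudWatch Alarm Action Not Set
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure Amazon CloudWatch alarms have actions configured for the ALARM state to automate response to incidents.
+  impact: |
+    Without actions, CloudWatch alarms may not trigger automated incident response or notifications, potentially delaying mitigation.
+  remediation: |
+    Configure at least one action for each CloudWatch alarm to ensure timely response to monitored issues.
+  reference:
+    - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
+  tags: cloud,devops,aws,amazon,cloudwatch,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+flow: |
+  code(1)
+  for(let AlarmName of iterate(template.alarms)){
+    set("alarm", AlarmName)
+    code(2)
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudwatch describe-alarms --region $region --query 'MetricAlarms[].AlarmName' --output json
+
+    extractors:
+      - type: json
+        name: alarms
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudwatch describe-alarms --region $region --alarm-names "$alarm" --query 'MetricAlarms[*].AlarmActions[]' --output json
+
+    matchers:
+      - type: word
+        words:
+          - "[]"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"The Amazon CloudWatch " + alarm +" is not configured with any actions for the ALARM state."'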
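Review bot: code(1) enumerates `MetricAlarms[].AlarmName` only, so composite alarms — which `describe-alarms` returns under `CompositeAlarms` — are never checked although they carry `AlarmActions` as well; a second enumeration with `--alarm-types CompositeAlarm --query 'CompositeAlarms[].AlarmName'` and a matching `CompositeAlarms[*].AlarmActions[]` query in code(2) would close the gap. code(2) pins `--output json`, so the `"[]"` match is format-independent here, which the sibling cw-alarms-actions should copy. The description should also say that only the ALARM-state actions are evaluated, since `OKActions` and `InsufficientDataActions` are not queried.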
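--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,55 @@
+id: cw-alarms-actions
+info:
+  name: CloudWatch Alarms Actions Enabled
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure that all Amazon CloudWatch alarms have actions enabled (ActionEnabled: true) to respond to state changes.
+  impact: |
+    Without actions enabled, CloudWatch alarms cannot perform automated actions in response to state changes, potentially missing critical alerts.
+  remediation: |
+    Enable actions for each CloudWatch alarm by setting the ActionEnabled parameter to true, allowing for automated responses to alarms.
+  reference:
+    - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
+  tags: cloud,devops,aws,amazon,cloudwatch,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+flow: |
+  code(1)
+  for(let AlarmName of iterate(template.alarms)){
+    set("alarm", AlarmName)
+    code(2)
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudwatch describe-alarms --region $region --query 'MetricAlarms[].AlarmName' --output json
+
+    extractors:
+      - type: json
+        name: alarms
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws cloudwatch describe-alarms --region $region --alarm-names "DiskWritesOpsAlarm" --query 'MetricAlarms[*].ActionsEnabled'
+
+    matchers:
+      - type: word
+        words:
+          - "false"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"The Amazon CloudWatch " + alarm + " does not have any active actions configured"'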
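Review bot: code(2) hard-codes `--alarm-names "DiskWritesOpsAlarm"` instead of the loop variable, so every iteration inspects the same alarm and the DSL message then attributes that alarm's `ActionsEnabled` state to whatever `$alarm` currently holds; the line should read `aws cloudwatch describe-alarms --region $region --alarm-names "$alarm" --query 'MetricAlarms[*].ActionsEnabled' --output json`. Adding `--output json` there also makes the `"false"` matcher independent of the profile's output format, which would otherwise render the boolean as `False`.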
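--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,55 @@
+id: ec2-imdsv2
+info:
+  name: Enforce IMDSv2 on EC2 Instances
+  author: princechaddha
+  severity: medium
+  description: |
+    Ensure all EC2 instances use Instance Metadata Service Version 2 (IMDSv2) for enhanced security when requesting instance metadata, protecting against certain types of attacks that target the older version, IMDSv1.
+  impact: |
+    Using IMDSv1 can expose EC2 instances to server-side request forgery (SSRF) attacks, potentially allowing attackers to access sensitive instance metadata.
+  remediation: |
+    Modify the EC2 instance metadata options to set `HttpTokens` to `required`, enforcing the use of IMDSv2. This can be done via the AWS Management Console, CLI, or EC2 API.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+
+variables:
+  region: "us-east-1"
+
+flow: |
+  code(1)
+  for(let InstancesName of iterate(template.instances)){
+    set("ec2instance", InstancesName)
+    code(2)
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-instances --region $region --output table --query 'Reservations[*].Instances[*].InstanceId' --output json
+
+    extractors:
+      - type: json
+        name: instances
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-instances --region $region --instance-ids $ec2instance --query 'Reservations[*].Instances[*].MetadataOptions.HttpTokens[]'
+    matchers:
+      - type: word
+        words:
+          - "optional"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - 'ami + " is publically shared"'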
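Review bot: The DSL extractor references `ami`, which is never set in this template, and its message `is publically shared` belongs to a different check; the finding should be built from the loop variable, e.g. `- '"The Amazon EC2 instance " + ec2instance + " does not enforce IMDSv2 (HttpTokens is optional)"'`. code(1) passes `--output table` and then `--output json` on the same line, and its extractor applies `.[]` to the nested `Reservations[*].Instances[*]` result, which yields per-reservation arrays rather than instance ids — ec2-public-ip handles the identical query with `- '.[].[]'`, so the two templates should agree; the cleaned-up line is `aws ec2 describe-instances --region $region --query 'Reservations[*].Instances[*].InstanceId' --output json`. code(2) leaves the output format unpinned; `optional` is a plain string so it matches either way, but `--output json` keeps it consistent with the rest of the commit.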
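--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,55 @@
+id: ec2-public-ip
+info:
+  name: Public IP on EC2 Instances
+  author: princechaddha
+  severity: unknown
+  description: |
+    Ensures Amazon EC2 instances, especially backend ones, do not use public IP addresses to minimize Internet exposure.
+  impact: |
+    Instances with public IP addresses are more vulnerable to Internet-based threats, compromising network security.
+  remediation: |
+    Restrict public IP assignment for EC2 instances, particularly for backend instances. Use private IPs and manage access via AWS VPC and security groups.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+flow: |
+  code(1)
+  for(let InstancesName of iterate(template.instances)){
+    set("ec2instance", InstancesName)
+    code(2)
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-instances --region $region --output json --query 'Reservations[*].Instances[*].InstanceId'
+
+    extractors:
+      - type: json
+        name: instances
+        internal: true
+        json:
+          - '.[].[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-instances --region $region --instance-ids $ec2instance --query "Reservations[*].Instances[*].NetworkInterfaces[*].Association.IpOwnerId[] | []"
+
+    matchers:
+      - type: word
+        words:
+          - "amazon"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"The Amazon Instance " + ec2instance + " uses public IP addresses"'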
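Review bot: `severity: unknown` reads as a placeholder — the sibling ec2 templates in this commit use medium or high, and a rating is what makes the finding actionable. The `"amazon"` word match on `Association.IpOwnerId` identifies only auto-assigned public IPv4 addresses; an Elastic IP's `IpOwnerId` is the owning account id, so instances reached through an EIP — the persistent, more exposed case — are reported as compliant. Querying `Reservations[*].Instances[*].PublicIpAddress[]` with `--output json` and matching any non-empty address (a regex matcher on a dotted-quad, constructed sample: `- '"\d+\.\d+\.\d+\.\d+"'`) covers both cases with one call.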
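--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,56 @@
+id: ec2-sg-egress-open
+info:
+  name: Open Egress in EC2 Security Group
+  author: princechaddha
+  severity: high
+  description: |
+    Checks for unrestricted outbound/egress rules in Amazon EC2 security groups, highlighting potential over-permissive configurations.
+  impact: |
+    Allows unrestricted outbound traffic from EC2 instances, increasing the risk of data exfiltration and malicious external communications.
+  remediation: |
+    Restrict egress traffic in EC2 security groups to only necessary IP addresses and ranges, adhering to the Principle of Least Privilege.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#sg-rules
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+flow: |
+  code(1)
+  for(let SecurityGroup of iterate(template.securitygroups)){
+    set("groupid", SecurityGroup)
+    code(2)
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --output json --query 'SecurityGroups[*].GroupId'
+
+    extractors:
+      - type: json
+        name: securitygroups
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --group-ids $groupid --query 'SecurityGroups[*].IpPermissionsEgress[]'
+
+    matchers:
+      - type: word
+        words:
+          - "0.0.0.0/0"
+          - "::/0"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Amazon EC2 security group(s) " + groupid + " allows unrestricted outbound traffic"'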
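Review bot: The matcher fires on any `IpPermissionsEgress` entry containing `0.0.0.0/0` or `::/0`, which includes the allow-all egress rule AWS attaches to every newly created security group, so this `severity: high` finding will be raised for nearly every group in a typical account, unused ones included; if that is intended the description should say so, otherwise restrict the match to rules whose `IpProtocol` is `-1` or lower the severity and let the ingress templates carry the weight. code(2) also leaves the output format unpinned; the CIDR strings match in text output as well, but `--output json` keeps it consistent with code(1).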
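--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,56 @@
+id: ec2-sg-ingress
+info:
+  name: Unrestricted Access on Uncommon EC2 Ports
+  author: princechaddha
+  severity: high
+  description: |
+    Ensure Amazon EC2 security groups do not allow unrestricted access (0.0.0.0/0, ::/0) on uncommon ports, protecting against brute force attacks on EC2 instances.
+  impact: |
+    Unrestricted ingress on uncommon ports increases the risk of unauthorized access and potential brute force attacks on EC2 instances.
+  remediation: |
+    Restrict access to uncommon ports in EC2 security groups, permitting only necessary traffic and implementing stringent access controls.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+flow: |
+  code(1)
+  for(let SecurityGroup of iterate(template.securitygroups)){
+    set("groupid", SecurityGroup)
+    code(2)
+  }
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
+
+    extractors:
+      - type: json
+        name: securitygroups
+        internal: true
+        json:
+          - '.[]'
+
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --group-ids $groupid --query 'SecurityGroups[*].IpPermissions[]'
+
+    matchers:
+      - type: word
+        words:
+          - "0.0.0.0/0"
+          - "::/0"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Amazon EC2 security group(s) " + groupid + " allows unrestricted inbound traffic"'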
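Review bot: The name and description promise a check on uncommon ports, but neither code(1) nor the matcher constrains ports at all, so this template reports every group with any `0.0.0.0/0` or `::/0` inbound rule — including the port-80/443 rules that ec2-unrestricted-http and ec2-unrestricted-https already cover; either the metadata should describe what is actually checked or a port condition belongs in the query. code(1) also pre-filters with `Name=ip-permission.cidr,Values='0.0.0.0/0'` only, so a group that is open solely via `::/0` never reaches code(2) even though the matcher lists `::/0`; drop the filter (code(2) matches the CIDRs anyway) or add a second call with `Name=ip-permission.ipv6-cidr,Values='::/0'` as ec2-unrestricted-mongodb does.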
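--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,36 @@
+id: ec2-unrestricted-cifs
+info:
+  name: EC2 Unrestricted CIFS Access
+  author: princechaddha
+  severity: critical
+  description: |
+    Checks for inbound rules in Amazon EC2 security groups allowing unrestricted access (0.0.0.0/0 or ::/0) on TCP port 445, used for CIFS/SMB file sharing, posing a high security risk.
+  impact: |
+    Unrestricted CIFS access can expose EC2 instances to unwanted external access, increasing the risk of data breaches and unauthorized control over resources.
+  remediation: |
+    Restrict inbound access on TCP port 445 to known IPs or ranges. Regularly review security group configurations to ensure compliance with security policies.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=445 Name=ip-permission.to-port,Values=445 Name=ip-permission.cidr,Values='0.0.0.0/0' Name=ip-permission.ipv6-cidr,Values='::/0' --output json --query 'SecurityGroups[*].GroupId'
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 445"'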
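Review bot: The four `--filters` in code(1) are ANDed across filter names, so a group is returned only when it has port-445 rules satisfying both `ip-permission.cidr=0.0.0.0/0` and `ip-permission.ipv6-cidr=::/0`; a group open to IPv4 `0.0.0.0/0` alone — the common case — is not returned at all, which inverts the intent. Split the IPv6 condition into a second describe call (the pattern ec2-unrestricted-mongodb uses) or drop it and let the message say IPv4 only. The exact `from-port`/`to-port` values also miss a rule covering a range such as `0-65535` or all traffic (`-1`), which exposes port 445 just as much; the same limitation applies to ec2-unrestricted-dns, -ftp, -http, -https, -memcached, -mongodb and -mssql. The DSL message misspells `alows` (`allows`), here and in all of those templates.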
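--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,36 @@
+id: ec2-unrestricted-dns
+info:
+  name: Unrestricted DNS Access in EC2
+  author: princechaddha
+  severity: critical
+  description: |
+    Checks for inbound rules in Amazon EC2 security groups that allow unrestricted access (0.0.0.0/0 or ::/0) on TCP/UDP port 53, which can expose DNS servers to potential attacks.
+  impact: |
+    Allowing unrestricted access to DNS services can lead to DNS spoofing, DDoS attacks, and unauthorized access to internal networks.
+  remediation: |
+    Restrict the inbound rules for TCP/UDP port 53 in EC2 security groups to known, trusted IPs only. Ensure security group rules are tightly controlled and monitored.
+  reference:
+    - https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=53 Name=ip-permission.to-port,Values=53 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 53"'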
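Review bot: The description and remediation speak of TCP/UDP port 53, but code(1) has no `ip-permission.protocol` filter and the DSL message hard-codes `TCP port 53`, so a UDP-only rule is reported as TCP; either filter per protocol with two calls or word the message as `TCP/UDP port 53`. The message also claims `(0.0.0.0/0 or ::/0)` while the only CIDR filter is `Name=ip-permission.cidr,Values='0.0.0.0/0'`, so IPv6-only exposure is not detected; ec2-unrestricted-ftp, -http, -https, -memcached and -mssql share this IPv4-only filter with the same `or ::/0` wording and should be corrected together.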
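--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,36 @@
+id: ec2-unrestricted-ftp
+info:
+  name: Restrict EC2 FTP Access
+  author: princechaddha
+  severity: critical
+  description: |
+    Ensure Amazon EC2 security groups disallow unrestricted inbound FTP access on TCP ports 20 and 21 to prevent brute force attacks.
+  impact: |
+    Unrestricted FTP access can expose EC2 instances to unauthorized access and brute force attacks, compromising security.
+  remediation: |
+    Restrict inbound access on TCP ports 20 and 21 for EC2 security groups to known IPs or remove the rules if FTP is not required.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=20,21 Name=ip-permission.to-port,Values=20,21 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 20 or 21"'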
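--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,36 @@
+id: ec2-unrestricted-http
+info:
+  name: Unrestricted HTTP on EC2
+  author: princechaddha
+  severity: critical
+  description: |
+    Checks for inbound rules in EC2 security groups allowing unrestricted access (0.0.0.0/0) to TCP port 80, increasing exposure to potential breaches.
+  impact: |
+    Unrestricted access to TCP port 80 can lead to unauthorized data exposure and increases the risk of security breaches.
+  remediation: |
+    Restrict inbound traffic on TCP port 80 to only necessary IP addresses, adhering to the principle of least privilege.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=80 Name=ip-permission.to-port,Values=80 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 80"'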
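Review bot: `severity: critical` for port 80 open to `0.0.0.0/0` will flag every public web server and internet-facing load-balancer security group, which is the expected configuration for such a service rather than a misconfiguration; unless the template can tell web-tier groups from the rest, `info` or `low` with a description that frames this as an exposure inventory would fit better. ec2-unrestricted-https applies the same filter to port 443 with the same `critical` rating and should be adjusted in step.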
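--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,36 @@
+id: ec2-unrestricted-https
+info:
+  name: Unrestricted HTTPs on EC2
+  author: princechaddha
+  severity: critical
+  description: |
+    Checks for inbound rules in EC2 security groups allowing unrestricted access (0.0.0.0/0) to TCP port 443, increasing exposure to potential breaches.
+  impact: |
+    Unrestricted access to TCP port 443 can lead to unauthorized data exposure and increases the risk of security breaches.
+  remediation: |
+    Restrict inbound traffic on TCP port 443 to only necessary IP addresses, adhering to the principle of least privilege.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=443 Name=ip-permission.to-port,Values=443 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 443"'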
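--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,37 @@
+id: ec2-unrestricted-icmp
+info:
+  name: Restrict EC2 ICMP Access
+  author: princechaddha
+  severity: critical
+  description: |
+    Checks for Amazon EC2 security groups with inbound rules allowing unrestricted ICMP access. Advises restricting ICMP to trusted IPs to uphold the Principle of Least Privilege and minimize the attack surface.
+  impact: |
+    Unrestricted ICMP can be used for network reconnaissance and Distributed Denial of Service (DDoS) attacks, posing a significant security risk.
+  remediation: |
+    Modify EC2 security group rules to limit ICMP access to necessary, trusted IP addresses/ranges only.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted ICMP access (0.0.0.0/0 or ::/0)"'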
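Review bot: `Name=ip-permission.protocol,Values=icmp` matches IPv4 ICMP rules only, while the DSL message claims `(0.0.0.0/0 or ::/0)`; IPv6 rules carry protocol `icmpv6` with an `ip-permission.ipv6-cidr` of `::/0`, so a second call filtered with `Name=ip-permission.protocol,Values=icmpv6 Name=ip-permission.ipv6-cidr,Values='::/0'` is needed for the message to be accurate, or the message should say IPv4 only. A rule allowing all protocols (`IpProtocol` `-1`) from `0.0.0.0/0` also permits ICMP but is not returned by the protocol filter, which is worth a sentence in the description.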
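--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,36 @@
+id: ec2-unrestricted-memcached
+info:
+  name: Unrestricted Access to Memcached
+  author: princechaddha
+  severity: critical
+  description: |
+    Detects unrestricted inbound access to Memcached on Amazon EC2 instances, which can lead to cache poisoning, unauthorized access, and DDoS attacks.
+  impact: |
+    Unrestricted access increases the risk of cache poisoning, unauthorized data access, and potential DDoS attacks on the Memcached server.
+  remediation: |
+    Restrict inbound access to Memcached by updating EC2 security group rules to allow only trusted IPs to connect on TCP/UDP port 11211.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
+  tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=11211 Name=ip-permission.to-port,Values=11211 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 11211"'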
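--- /dev/null
+++ b/PATH-UNKNOWN
@@ -0,0 +1,38 @@
+id: ec2-unrestricted-mongodb
+info:
+  name: Unrestricted MongoDB Access in EC2
+  author: princechaddha
+  severity: critical
+  description: |
+    Identifies open access to MongoDB in AWS EC2 security groups, where inbound rules allow unrestricted access (0.0.0.0/0 or ::/0) to TCP port 27017. This poses a significant risk as it can lead to unauthorized access and potential data breaches.
+  impact: |
+    Allowing unrestricted access to MongoDB in EC2 can lead to unauthorized data access, data manipulation, or denial of service attacks, potentially resulting in critical data breaches and compliance violations.
+  remediation: |
+    Restrict MongoDB's TCP port 27017 access in EC2 security groups to only those IP addresses that require it, adhering to the principle of least privilege.
+  reference:
+    - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
+    - https://www.mongodb.com/docs/manual/security/
+  tags: cloud,devops,aws,amazon,ec2,mongodb,aws-cloud-config
+
+variables:
+  region: "us-east-1"
+
+self-contained: true
+code:
+  - engine:
+      - sh
+      - bash
+    source: |
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=27017 Name=ip-permission.to-port,Values=27017 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
+      aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=27017 Name=ip-permission.to-port,Values=27017 Name=ip-permission.ipv6-cidr,Values='::/0' --query 'SecurityGroups[*].GroupId' --output json
+
+    extractors:
+      - type: json
+        name: securitygroup
+        internal: true
+        json:
+          - '.[]'
+
+      - type: dsl
+        dsl:
+          - 'securitygroup + " security group(s) alows unrestricted mongodb access (0.0.0.0/0 or ::/0) on port 27017"'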
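Review bot: code(1) runs two `describe-security-groups` calls whose JSON arrays are concatenated on stdout, so the `json` extractor receives two top-level documents; I am not certain the extractor parses past the first one, and a group open to both `0.0.0.0/0` and `::/0` will in any case be reported twice. Since one call cannot OR values across different filter names, the practical fix is to keep both calls but deduplicate the ids before extraction, e.g. by feeding both outputs through `sort -u` — hedged, because the exact mechanics depend on how the code extractor consumes stdout. This is the only template in the set that handles IPv6 at all, so it is worth getting right as the pattern the other ec2-unrestricted-* templates should copy.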
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-mssql
|
||||||
|
info:
|
||||||
|
name: Unrestricted Access to SQL on EC2
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Identifies open inbound access to Microsoft SQL Server on Amazon EC2 instances. Checks for security groups allowing unrestricted access (0.0.0.0/0 or ::/0) on TCP port 1433, increasing risks to SQL databases.
|
||||||
|
impact: |
|
||||||
|
Unrestricted access on port 1433 exposes Microsoft SQL Server instances to potential unauthorized access, data breaches, and other security vulnerabilities.
|
||||||
|
remediation: |
|
||||||
|
Restrict inbound traffic on TCP port 1433 to known, secure IP addresses. Regularly review and update security group rules to maintain minimal access requirements.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=1433 Name=ip-permission.to-port,Values=1433 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 1433"'
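Review bot: The `describe-security-groups` call filters only on `Name=ip-permission.cidr,Values='0.0.0.0/0'`, while the finding text on the last line claims "(0.0.0.0/0 or ::/0)", so a rule open only to IPv6 is never reported. The MongoDB template earlier in this commit issues a second query with `Name=ip-permission.ipv6-cidr,Values='::/0'`; the same line is needed here. Be aware that the port and CIDR filters appear to be combined per security group rather than per rule, so a group with 1433 limited to a private range and some other port open to the world would also match — confirm against the API semantics before trusting the result. `alows` in the message should read `allows`.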
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-mysql
|
||||||
|
info:
|
||||||
|
name: Unrestricted MySQL Access on EC2
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Identifies unrestricted inbound access to MySQL database servers on Amazon EC2 instances, specifically targeting TCP port 3306.
|
||||||
|
impact: |
|
||||||
|
Unrestricted access to MySQL can lead to unauthorized data access, data manipulation, or exploitation of the database server.
|
||||||
|
remediation: |
|
||||||
|
Restrict inbound access on TCP port 3306 to known, necessary IP addresses or ranges, and avoid using 0.0.0.0/0 or ::/0.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=3306 Name=ip-permission.to-port,Values=3306 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted mongodb access (0.0.0.0/0 or ::/0) on port 3306"'
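Review bot: The finding message on the last line reports "unrestricted mongodb access" for TCP port 3306, a copy-paste slip from the MongoDB template that mislabels every MySQL result; it should read `'securitygroup + " security group(s) allows unrestricted MySQL access (0.0.0.0/0 or ::/0) on TCP port 3306"'`. The message also promises an IPv6 check, but the command only filters on `ip-permission.cidr,Values='0.0.0.0/0'`; add a second query with `Name=ip-permission.ipv6-cidr,Values='::/0'` as the MongoDB template does.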
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-netbios
|
||||||
|
info:
|
||||||
|
name: Unrestricted NetBIOS Access in EC2
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted access on TCP port 139 and UDP ports 137 and 138, increasing the risk of unauthorized access and potential security breaches.
|
||||||
|
impact: |
|
||||||
|
Unrestricted NetBIOS access can expose EC2 instances to network-based attacks, compromising data integrity and system availability.
|
||||||
|
remediation: |
|
||||||
|
Restrict access to TCP port 139 and UDP ports 137 and 138 in EC2 security groups. Implement strict access control based on the principle of least privilege.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=137,138,139 Name=ip-permission.to-port,Values=137,138,139 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on ports 137, 138 or 139"'
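Review bot: `Values=137,138,139` on the from-port and to-port filters only matches rules whose range starts and ends on one of those three ports; a rule covering 130-140, or an all-traffic rule open to the world, is not reported, and neither is an IPv6-only (`::/0`) rule despite the message claiming it is. The description distinguishes TCP 139 from UDP 137/138, but no `ip-permission.protocol` filter is applied, so the check is protocol-agnostic; either state that in the description or add one query per protocol. `alows` should read `allows`.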
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-opensearch
|
||||||
|
info:
|
||||||
|
name: Unrestricted OpenSearch Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks EC2 security groups for inbound rules allowing unrestricted access to OpenSearch on TCP port 9200. Restricts access to essential IP addresses only.
|
||||||
|
impact: |
|
||||||
|
Unrestricted access to OpenSearch can lead to unauthorized data access, modification, or denial of service attacks.
|
||||||
|
remediation: |
|
||||||
|
Modify EC2 security group rules to limit access to TCP port 9200 for OpenSearch, allowing only necessary IPs, implementing the principle of least privilege.
|
||||||
|
reference:
|
||||||
|
- https://en.wikipedia.org/wiki/OpenSearch
|
||||||
|
tags: cloud,devops,aws,amazon,opensearch,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=9200 Name=ip-permission.to-port,Values=9200 Name=ip-permission.cidr,Values='0.0.0.0/0 or ::/0' --query 'SecurityGroups[*].GroupId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 9200"'
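Review bot: `Name=ip-permission.cidr,Values='0.0.0.0/0 or ::/0'` passes the literal string `0.0.0.0/0 or ::/0` as the CIDR to match, which no rule will ever equal, so this template can never produce a finding. Split it into one query with `Values='0.0.0.0/0'` and a second with `Name=ip-permission.ipv6-cidr,Values='::/0'`, as the MongoDB template in this commit does. The reference points at Wikipedia rather than the security-group documentation used by the sibling templates, and the `ec2` tag present on every other EC2 template is missing here.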
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-oracle
|
||||||
|
info:
|
||||||
|
name: Unrestricted Oracle DB Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Identifies unrestricted inbound access to Oracle databases in Amazon EC2 instances, which increases the risk of unauthorized access and attacks.
|
||||||
|
impact: |
|
||||||
|
Allows potential unauthorized access to the Oracle database, leading to data leakage, data manipulation, or further exploitation.
|
||||||
|
remediation: |
|
||||||
|
Restrict inbound traffic on TCP port 1521 to known IPs or ranges and employ strict access controls.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=1521 Name=ip-permission.to-port,Values=1521 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 1521"'
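Review bot: Only the IPv4 wildcard is queried; a rule open to `::/0` is silently missed although the message says otherwise — add the `ip-permission.ipv6-cidr` query the MongoDB template uses. More generally, every template in this set defaults `region` to `us-east-1`, and security groups are regional, so other regions are never inspected unless the caller overrides the variable. A comment beside the variable such as `# security groups are regional: run once per region or override with -var region=<name>` would make that limitation visible.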
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-pgsql
|
||||||
|
info:
|
||||||
|
name: Unrestricted PostgreSQL Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Identifies unrestricted inbound access to PostgreSQL databases in Amazon EC2 security groups, which can expose databases to security risks.
|
||||||
|
impact: |
|
||||||
|
Unrestricted access on TCP port 5432 increases vulnerability to unauthorized access and potential data breaches.
|
||||||
|
remediation: |
|
||||||
|
Restrict inbound traffic to PostgreSQL servers by setting stringent rules in EC2 security groups, limiting access to specific IPs or ranges.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=5432 Name=ip-permission.to-port,Values=5432 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 5432"'
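Review bot: The query does not check whether a matching security group is attached to anything; an orphaned group with a 5432-from-anywhere rule is reported at `critical` alongside groups that actually front a database. Either note this in the description or cross-check attachment with `describe-network-interfaces --filters Name=group-id,Values=<id>` before raising the finding. IPv6 (`::/0`) rules are also not covered by the `ip-permission.cidr` filter used here, contrary to the message text.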
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-rdp
|
||||||
|
info:
|
||||||
|
name: Restrict EC2 RDP Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Check Amazon EC2 security groups for inbound rules that allow unrestricted RDP access and restrict access to trusted IPs.
|
||||||
|
impact: |
|
||||||
|
Unrestricted RDP access increases the risk of unauthorized access and potential breaches.
|
||||||
|
remediation: |
|
||||||
|
Modify the EC2 security group rules to limit RDP access (TCP 3389) to known, trusted IP addresses or ranges.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=3389 Name=ip-permission.to-port,Values=3389 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 3389"'
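Review bot: The command covers only `0.0.0.0/0`; an RDP rule open to `::/0` is not reported though the message claims it is — add the `ip-permission.ipv6-cidr` query used by the MongoDB template. Severity is `high` here while Telnet, Redis and the database templates in this commit are `critical`; RDP exposed to the internet is at least as commonly brute-forced, so the ratings should be reconciled. The `name` ("Restrict EC2 RDP Access") reads as an instruction rather than a finding, unlike the sibling "Unrestricted ... Access" names.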
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-redis
|
||||||
|
info:
|
||||||
|
name: Unrestricted Redis Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted access to Redis cache server instances on TCP port 6379.
|
||||||
|
impact: |
|
||||||
|
Unrestricted access can expose Redis instances to unauthorized access and potential security breaches.
|
||||||
|
remediation: |
|
||||||
|
Restrict inbound access to Redis instances by updating EC2 security group rules to allow only specific, trusted IP addresses.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=6379 Name=ip-permission.to-port,Values=6379 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 6379"'
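Review bot: Only `ip-permission.cidr,Values='0.0.0.0/0'` is filtered; an IPv6-only (`::/0`) rule goes unreported despite the message text, so add a second query line with `Name=ip-permission.ipv6-cidr,Values='::/0'`. Because `from-port` must equal 6379 exactly, a wider range such as 6000-7000 or an all-traffic rule open to the world is also missed; the description should say so. `alows` in the message should be `allows`.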
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-smtp
|
||||||
|
info:
|
||||||
|
name: Unrestricted SMTP Access in EC2
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Identifies unrestricted inbound access on TCP port 25 for EC2 security groups, which increases the risk of SMTP-related attacks.
|
||||||
|
impact: |
|
||||||
|
Allowing unrestricted SMTP access can lead to spamming, mail relay abuse, and potentially compromise mail servers.
|
||||||
|
remediation: |
|
||||||
|
Restrict TCP port 25 access to known, necessary IP addresses only. Avoid using 0.0.0.0/0 or ::/0 in security group rules.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=25 Name=ip-permission.to-port,Values=25 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 25"'
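Review bot: Inbound TCP 25 open to the world is the expected configuration for any host that receives mail (an MX), so a `critical` finding with a "mail relay abuse" impact will be a false positive on every legitimate mail receiver. The description should state that the check cannot distinguish a deliberate mail server from an accidental exposure, and the severity be reconsidered accordingly. The message also claims `::/0` coverage that the `ip-permission.cidr` filter does not provide.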
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-ssh
|
||||||
|
info:
|
||||||
|
name: Unrestricted SSH Access in EC2
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted SSH access (0.0.0.0/0 or ::/0) on TCP port 22, indicating a security risk by exposing the SSH server to the internet.
|
||||||
|
impact: |
|
||||||
|
Unrestricted SSH access increases the risk of unauthorized access and potential brute force attacks against the SSH server, compromising the security of the EC2 instances.
|
||||||
|
remediation: |
|
||||||
|
Restrict SSH access in EC2 security groups to trusted IP addresses or ranges, adhering to the Principle of Least Privilege (POLP) and mitigating the risk of unauthorized access.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 22"'
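Review bot: Same gap as the other port templates: the command filters on `ip-permission.cidr` only, so SSH open to `::/0` is missed while the message asserts it is covered; the MongoDB template's second query with `Name=ip-permission.ipv6-cidr,Values='::/0'` is the fix. The check also cannot see SSH exposed through a wider port range or an all-traffic rule, since `from-port` must equal 22 — worth a line in the description. `alows` should read `allows`.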
|
|
@ -0,0 +1,36 @@
|
||||||
|
id: ec2-unrestricted-telnet
|
||||||
|
info:
|
||||||
|
name: Restrict EC2 Telnet Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks for unrestricted inbound Telnet access (TCP port 23) in Amazon EC2 security groups, highlighting potential security risks.
|
||||||
|
impact: |
|
||||||
|
Unrestricted Telnet access can expose EC2 instances to unauthorized access and potential security breaches.
|
||||||
|
remediation: |
|
||||||
|
Restrict inbound Telnet access by updating EC2 security group rules to allow only trusted IP ranges or disabling Telnet if not required.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=23 Name=ip-permission.to-port,Values=23 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: securitygroup
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 23"'
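Review bot: IPv6 wildcard rules are not queried here although the message text says "(0.0.0.0/0 or ::/0)"; add the `ip-permission.ipv6-cidr` query. The `name` ("Restrict EC2 Telnet Access") is phrased as a remediation step rather than a finding, unlike the "Unrestricted ... Access" names of the sibling templates. `alows` should read `allows`.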
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: publicly-shared-ami
|
||||||
|
info:
|
||||||
|
name: Publicly Shared AMI
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Checks if Amazon Machine Images (AMIs) are publicly shared, potentially exposing sensitive data.
|
||||||
|
impact: |
|
||||||
|
Public sharing of AMIs can lead to unauthorized access and compromise of sensitive information contained within these images.
|
||||||
|
remediation: |
|
||||||
|
Restrict AMI sharing to specific, trusted AWS accounts and ensure they are not publicly accessible.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
|
||||||
|
tags: cloud,devops,aws,amazon,ami,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let AmiName of iterate(template.amis)){
|
||||||
|
set("ami", AmiName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-images --region $region --owners self --output json --query 'Images[*].ImageId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: amis
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-images --region $region --image-ids $ami --owners self --query 'Images[*].Public'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "true"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'ami + " AMI is publically shared"'
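Review bot: The flow issues one `describe-images` call per AMI, yet the first call could answer the question alone with the `is-public` filter: `aws ec2 describe-images --region $region --owners self --filters Name=is-public,Values=true --query 'Images[*].ImageId' --output json`, dropping code(2) and the loop. The first command also passes `--output json` twice, and the second omits it, so the `"true"` word match depends on the profile's default output format. `publically` in the finding text should be `publicly`.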
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: unencrypted-aws-ami
|
||||||
|
info:
|
||||||
|
name: Unencrypted AWS AMI
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure Amazon Machine Images (AMIs) are encrypted to meet data-at-rest encryption compliance and protect sensitive data.
|
||||||
|
impact: |
|
||||||
|
Unencrypted AMIs can expose sensitive data to unauthorized access, risking data breaches and non-compliance with data protection regulations.
|
||||||
|
remediation: |
|
||||||
|
Encrypt your AMIs using AWS managed keys or customer-managed keys in the AWS Key Management Service (KMS) to ensure data security.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
|
||||||
|
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let AmiName of iterate(template.amis)){
|
||||||
|
set("ami", AmiName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-images --region $region --owners self --output json --query 'Images[*].ImageId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: amis
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-images --region $region --image-ids $ami --query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "false"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'ami + " AMI is not encrypted"'
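Review bot: The second `describe-images` call omits `--output json`; with a profile configured for text output the CLI prints the boolean as `False`, which the case-sensitive word matcher `"false"` never sees, so the check silently passes — add `--output json` as on the first call. The per-AMI loop can also be avoided with a single JMESPath filter on the first call that selects images having any `BlockDeviceMappings[].Ebs.Encrypted` equal to the JSON literal false. Instance-store AMIs have no `Ebs` mapping and are therefore never reported, which the description could state.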
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: iam-access-analyzer
|
||||||
|
info:
|
||||||
|
name: IAM Access Analyzer is not Used
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Checks if Amazon IAM Access Analyzer is active for identifying unsolicited access risks in AWS resources
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/list-analyzers.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws accessanalyzer list-analyzers --query 'analyzers[*].arn'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"IAM Access Analyzer is not Used in your AWS account"'
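Review bot: `accessanalyzer list-analyzers` is a regional API, but this is the one template in the set that passes no `--region $region` and declares no `variables` block, so only the profile's default region is examined and the "not used" verdict is wrong for accounts whose analyzer lives elsewhere. It also omits `--output json`; in text mode an empty list prints nothing and the `"[]"` matcher never fires. An analyzer that exists but is not active currently counts as coverage; `--query "analyzers[?status=='ACTIVE'].arn"` would be stricter. `impact` and `remediation` are missing here, unlike the EC2 templates.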
|
|
@ -0,0 +1,29 @@
|
||||||
|
id: iam-expired-ssl
|
||||||
|
info:
|
||||||
|
name: Remove Expired SSL/TLS Certificates in AWS IAM
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks for expired SSL/TLS certificates from AWS IAM
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-server-certificates.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,ssl,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-server-certificates | jq -r '.ServerCertificateMetadataList[] | select(.Expiration | fromdateiso8601 < now) | .ServerCertificateName'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: certificate
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '\b[a-zA-Z0-9]+\b'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'certificate + " Certificate is expired in your AWS account"'
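Review bot: `fromdateiso8601` in the jq filter accepts only a trailing `Z`; AWS CLI v2 emits `Expiration` as `...+00:00` by default, on which jq aborts with a date-format error and the template reports nothing. The key-rotation template in this same commit strips the offset with `[:-6]` and `strptime` for exactly this reason, and the same treatment is needed here. The extractor regex `\b[a-zA-Z0-9]+\b` also splits certificate names containing `-`, `.` or `_` (all legal in IAM names) into several fragments; `(?m)^\S+$` captures one name per line. jq is an undeclared external dependency of this template.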
|
|
@ -0,0 +1,51 @@
|
||||||
|
id: iam-full-admin-privileges
|
||||||
|
info:
|
||||||
|
name: Overly Permissive IAM Policies
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Verifies that no Amazon IAM policies grant full administrative privileges, ensuring adherence to the Principle of Least Privilege
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy-version.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let PolicyName of iterate(template.policies)){
|
||||||
|
set("policy", PolicyName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-policies --scope Local --query 'Policies[*].Arn'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: policies
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam get-policy-version --policy-arn $policy --version-id v1 --query 'PolicyVersion.Document'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"Effect": "Allow"'
|
||||||
|
- '"Action": "*"'
|
||||||
|
- '"Resource": "*"'
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The IAM policy " + policy +" is Overly Permissive"'
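Review bot: `--version-id v1` is hard-coded, so any policy edited since creation is judged by its original version rather than the one actually in effect; fetch the default version instead: `--version-id "$(aws iam get-policy --policy-arn "$policy" --query Policy.DefaultVersionId --output text)"`. The word matcher also misses the list forms `"Action": ["*"]` and `"Resource": ["*"]`, and the three matched words may come from different statements of the same document, so a jq or JMESPath test over the `Statement` array would be more exact. With `--scope Local` an attached AWS-managed `AdministratorAccess` is out of scope — fine if intended, but say so in the description.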
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: iam-key-rotation-90days
|
||||||
|
info:
|
||||||
|
name: IAM Access Key Rotation - 90-Day Policy
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks if IAM user access keys are rotated every 90 days to minimize accidental exposures and unauthorized access risks
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let UserName of iterate(template.users)){
|
||||||
|
set("user", UserName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-users --query 'Users[*].UserName'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: users
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-access-keys --user-name $user | jq -r '.AccessKeyMetadata[] | select((.CreateDate[:-6] | strptime("%Y-%m-%dT%H:%M:%S") | mktime) < (now - (90 * 86400))) | .AccessKeyId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex # type of the extractor
|
||||||
|
name: accesskey
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '^AK.*'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The IAM Key " + accesskey +" is older than 90 days"'
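Review bot: The `^AK.*` extractor regex anchors at the start of the whole output, not of each line (Go regexp semantics without `(?m)`), so when a user has more than one key older than 90 days only the first appears to be extracted and the rest go unreported; `(?m)^AK.*` reports each. The `.CreateDate[:-6]` slice assumes the `+00:00` suffix of AWS CLI v2 timestamps; a `Z`-suffixed timestamp (CLI v1 default) loses its seconds and `strptime` fails. Inactive keys are flagged as well; adding `select(.Status == "Active")` keeps the finding on keys that can actually be used.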
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: iam-mfa-enable
|
||||||
|
info:
|
||||||
|
name: MFA not enabled for AWS IAM Console User
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Verifies that Multi-Factor Authentication (MFA) is enabled for all IAM users with console access in AWS
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-mfa-devices.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let UserName of iterate(template.users)){
|
||||||
|
set("user", UserName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-users --query 'Users[*].UserName'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: users
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-mfa-devices --user-name $user --query 'MFADevices'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"MFA is no enabled for IAM User " + user'
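Review bot: The loop checks every IAM user, but the name and description promise console users; API-only users with no login profile are reported as missing MFA, which is noise. Gate code(2) on the login profile, e.g. `aws iam get-login-profile --user-name "$user" >/dev/null 2>&1 || exit 0` before the `list-mfa-devices` call (this needs `iam:GetLoginProfile`). `list-mfa-devices` lacks `--output json`, so the `"[]"` match depends on the profile's output format. `no enabled` in the message should be `not enabled`.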
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: iam-password-policy
|
||||||
|
info:
|
||||||
|
name: IAM Password Policy Not Configured
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Verifies that Amazon IAM users adhere to a strong password policy, including requirements for minimum length, expiration, and pattern
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam get-account-password-policy
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "NoSuchEntity"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"AWS cloud account is not configured with a custom IAM password policy"'
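Review bot: The description promises checks on minimum length, expiration and pattern, but the matcher only fires on `NoSuchEntity`, i.e. when no custom policy exists at all; an account with a six-character, never-expiring custom policy passes silently. Either narrow the description to "no custom password policy configured" or inspect the returned `PasswordPolicy` fields (`MinimumPasswordLength`, `MaxPasswordAge`, `RequireSymbols`, ...). `NoSuchEntity` is printed on stderr; if the code engine does not merge stderr into the response, append `2>&1` to the command so the match is explicit.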
|
|
@ -0,0 +1,28 @@
|
||||||
|
id: iam-root-mfa
|
||||||
|
info:
|
||||||
|
name: MFA not enabled on AWS Root Account
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks if Multi-Factor Authentication (MFA) is enabled for the AWS root account
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-summary.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam get-account-summary | jq -r '.SummaryMap.AccountMFAEnabled'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "0"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"MFA is not enabled on your AWS Root account"'
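Review bot: The `"0"` word matcher is a substring match, so any other output containing a zero — an error message quoting an account ID, for instance — would raise a false "MFA not enabled" finding; a regex matcher on `^0\s*$` pins the exact value. jq can be dropped by letting the CLI do the projection: `aws iam get-account-summary --query SummaryMap.AccountMFAEnabled --output text`.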
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: iam-ssh-keys-rotation
|
||||||
|
info:
|
||||||
|
name: SSH Key Rotation - 90-Day Policy
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Verifies that IAM SSH public keys are rotated every 90 days, enhancing security and preventing unauthorized access to AWS CodeCommit repositories
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-ssh-public-keys.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,ssh,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let UserName of iterate(template.users)){
|
||||||
|
set("user", UserName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-users --query 'Users[*].UserName'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: users
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-ssh-public-keys --user-name $user | jq -r '.SSHPublicKeys[] | select(.UploadDate | fromdateiso8601 < (now - (90 * 86400))) | .SSHPublicKeyId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex # type of the extractor
|
||||||
|
name: accesskey
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '^AP.*'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The SSH Public Key " + accesskey +" is older than 90 days"'
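Review bot: `fromdateiso8601` only parses a `Z`-suffixed timestamp; AWS CLI v2 prints `UploadDate` with a `+00:00` offset, on which jq errors out and no key is ever reported — the key-rotation template in this commit handles this with `[:-6]` and `strptime`, and this one should match it. The extractor is named `accesskey` though it holds an SSH public key ID; rename it and the reference in the dsl line to `sshkey`. `^AP.*` anchors at the start of the whole output, so only the first stale key per user is extracted — use `(?m)^AP.*`. Keys whose `Status` is Inactive are included too.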
|
|
@ -0,0 +1,37 @@
|
||||||
|
id: iam-unapproved-policy
|
||||||
|
info:
|
||||||
|
name: Unapproved IAM Policy Attachments
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks for the attachment of unapproved Amazon IAM managed policies to IAM roles, users, or groups, ensuring compliance with organizational access policies
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,ssl,tls,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess --query 'Policy.{"AttachmentCount": AttachmentCount}'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- "AttachmentCount"
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"AttachmentCount": 0'
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Unapproved IAM policy is used within your AWS cloud account"'
|
|
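Review bot: The matchers `AttachmentCount` and the negative `"AttachmentCount": 0` only match when the CLI prints JSON, but this command omits `--output json` while other blocks in the commit pass it; with a profile whose default output is `text` or `table` the negative matcher never sees the JSON syntax and the check silently passes. Add `--output json` here and in every block whose matcher keys on JSON syntax (`[]` in rds-event-notify, rds-event-sub-enable and rds-event-sub, `null` in s3-access-logging, `"Permission": "FULL_CONTROL"` in s3-auth-fullcontrol). The policy ARN `arn:aws:iam::aws:policy/AmazonRDSFullAccess` is hard-coded and the finding text does not name it; lift it into `variables:` as `policyarn: "arn:aws:iam::aws:policy/AmazonRDSFullAccess"`, use `--policy-arn $policyarn`, and include it in the dsl message so an operator knows which policy was flagged. The `ssl,tls` tags look copied from another template and do not describe this check.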
@ -0,0 +1,28 @@
|
||||||
|
id: iam-user-password-change
|
||||||
|
info:
|
||||||
|
name: Enable Self-Service Password Change for IAM Users
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Verifies that all Amazon IAM users have permissions to change their own console passwords, allowing access to 'iam:ChangePassword' for their accounts and 'iam:GetAccountPasswordPolicy' action.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam get-account-password-policy --query 'PasswordPolicy.AllowUsersToChangePassword'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "true"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"AllowUsersToChangePassword Policy is not enabled in your AWS account"'
|
|
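Review bot: The matcher fires on `true`, i.e. when `AllowUsersToChangePassword` is enabled, yet the dsl message reports that the policy is not enabled, so the finding is inverted and accounts that actually lack the setting are never reported. Match `- "false"` instead (or keep `"true"` and add `negative: true`). An account with no password policy at all makes `get-account-password-policy` fail with a NoSuchEntity error and print no boolean, which this matcher treats as compliant; if stderr is part of the matched response, a second word matcher on `NoSuchEntity` under `matchers-condition: or` would surface that case too.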
@ -0,0 +1,29 @@
|
||||||
|
id: ssl-cert-renewal
|
||||||
|
info:
|
||||||
|
name: SSL/TLS Certificates in AWS IAM about to expire in 30 days
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Checks if SSL/TLS certificates in AWS IAM are set for renewal 30 days before expiration.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
|
||||||
|
tags: cloud,devops,aws,amazon,iam,ssl,tls,aws-cloud-config
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws iam list-server-certificates | jq -r '.ServerCertificateMetadataList[] | select(.Expiration | fromdateiso8601 - now < (30 * 86400)) | .ServerCertificateName'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: regex
|
||||||
|
name: certificate
|
||||||
|
internal: true
|
||||||
|
regex:
|
||||||
|
- '\b[a-zA-Z0-9]+\b'
|
||||||
|
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'certificate + " Certificate is about to expire in 30 days"'
|
|
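Review bot: The reference link points at `get-account-password-policy`, which has nothing to do with server certificates; it should cite the `list-server-certificates` CLI page or the IAM server-certificate user guide. The regex extractor `\b[a-zA-Z0-9]+\b` captures only the first run of alphanumerics, so a certificate named with `-`, `_` or `.` (valid in IAM server certificate names, per the IAM naming rules) is truncated in the finding; `(?m)^[\w+=,.@-]+$` would keep the whole name. The select() also uses `fromdateiso8601` on `.Expiration`, which fails on a `+00:00` offset as raised for iam-ssh-keys-rotation, and `fromdateiso8601 - now < (30 * 86400)` is true for already-expired certificates as well, so "about to expire" is misleading for those.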
@ -0,0 +1,55 @@
|
||||||
|
id: aurora-copy-tags-snap
|
||||||
|
info:
|
||||||
|
name: Aurora Snapshot Tag Copy
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensures Amazon Aurora clusters have Copy Tags to Snapshots feature enabled to automatically copy tags from clusters to snapshots.
|
||||||
|
impact: |
|
||||||
|
Without this, tags identifying ownership, purpose, or other critical information aren't propagated to snapshots, complicating management and compliance.
|
||||||
|
remediation: |
|
||||||
|
Enable Copy Tags to Snapshots for Aurora clusters via the AWS Management Console or modify the DB cluster to include this feature using AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html
|
||||||
|
tags: cloud,devops,aws,amazon,aurora,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let clustername of iterate(template.clusters)){
|
||||||
|
set("cluster", clustername)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: clusters
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-clusters --region $region --db-cluster-identifier $cluster --query 'DBClusters[*].CopyTagsToSnapshot'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'false'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Copy Tags To Snapshot is not enable for cluster " + cluster'
|
|
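Review bot: The finding text in the dsl extractor reads `"Copy Tags To Snapshot is not enable for cluster "`; since this string is what operators see it should be `"Copy Tags To Snapshot is not enabled for cluster "`. The first command filters on `aurora-mysql`/`aurora-postgresql` only, so clusters that still report the legacy engine name `aurora` (if any remain in the account) are skipped; either widen the filter or state the scope in the description. The default `region: "ap-northeast-1"` also differs from the `us-east-1` default used by the ACM template; a consistent default, or a comment that the variable is meant to be overridden per run, would avoid an operator assuming the whole account was scanned.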
@ -0,0 +1,55 @@
|
||||||
|
id: aurora-delete-protect
|
||||||
|
info:
|
||||||
|
name: Aurora Cluster Deletion Protection
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure Amazon Aurora clusters have Deletion Protection enabled to prevent accidental data loss.
|
||||||
|
impact: |
|
||||||
|
Without Deletion Protection, Aurora clusters can be accidentally deleted, leading to irreversible data loss.
|
||||||
|
remediation: |
|
||||||
|
Enable Deletion Protection by modifying the Aurora cluster settings in the AWS Management Console or via the AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBInstanceDeletionProtection.html
|
||||||
|
tags: cloud,devops,aws,amazon,aurora,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let clustername of iterate(template.clusters)){
|
||||||
|
set("cluster", clustername)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: clusters
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-clusters --region $region --db-cluster-identifier $cluster--query 'DBClusters[*].DeletionProtection'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'false'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Deletion Protection safety feature is not enabled for " + cluster'
|
|
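Review bot: The second command is missing a space before `--query`: `--db-cluster-identifier $cluster--query 'DBClusters[*].DeletionProtection'` expands `$cluster` and glues `--query` onto the identifier, so the CLI receives a bogus cluster id plus an unexpected positional argument and errors on every iteration, and this check can never produce a finding. The line should read `aws rds describe-db-clusters --region $region --db-cluster-identifier $cluster --query 'DBClusters[*].DeletionProtection'`. Because the CLI error text contains nothing the `false` matcher keys on, the failure is silent; a single local run against one cluster would have caught it.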
@ -0,0 +1,55 @@
|
||||||
|
id: iam-db-auth
|
||||||
|
info:
|
||||||
|
name: IAM Database Authentication
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure IAM Database Authentication is enabled for RDS instances, allowing IAM service to manage database access, thereby removing the need to store user credentials within database configurations.
|
||||||
|
impact: |
|
||||||
|
Without IAM Database Authentication, database credentials need to be managed internally, increasing the risk of credential leakage and unauthorized access.
|
||||||
|
remediation: |
|
||||||
|
Enable IAM Database Authentication for MySQL and PostgreSQL RDS database instances to leverage IAM for secure, token-based access control.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: instances
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].IAMDatabaseAuthenticationEnabled'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'false'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Database Authentication feature is not enabled for RDS database instance " + db'
|
|
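Review bot: The first query limits the check to `mysql` and `postgres` engines, so MariaDB instances, for which IAM database authentication is also available, are silently out of scope; either extend the filter with `|| Engine==\`mariadb\`` or state the scope in the description. Please verify MariaDB support against the referenced UsingWithRDS.IAMDBAuth page before widening the filter.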
@ -0,0 +1,55 @@
|
||||||
|
id: rds-backup-enable
|
||||||
|
info:
|
||||||
|
name: RDS Automated Backup Check
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure that your Amazon RDS database instances have automated backups enabled for point-in-time recovery.
|
||||||
|
impact: |
|
||||||
|
Lack of automated backups can lead to data loss in case of accidental deletion or database corruption.
|
||||||
|
remediation: |
|
||||||
|
Enable automated backups for RDS instances by setting the backup retention period to a value other than 0.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: instances
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].BackupRetentionPeriod'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '0'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Automated backups are not enabled for " + db + " RDS database instance"'
|
|
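Review bot: The word matcher `'0'` is a substring test against output such as `[\n    30\n]`, so any retention period containing a zero digit (10, 20, 30 days) is reported as "backups not enabled", a false positive on the most common settings. Use a regex that requires a standalone zero: replace the three matcher lines with `- type: regex`, `regex:`, `- '\b0\b'`. Alternatively query `DBInstances[0].BackupRetentionPeriod` with `--output text` and match the whole line with `^0$`.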
@ -0,0 +1,56 @@
|
||||||
|
id: rds-deletion-protection
|
||||||
|
info:
|
||||||
|
name: RDS Deletion Protection
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure Amazon RDS instances have Deletion Protection enabled to prevent accidental deletions.
|
||||||
|
impact: |
|
||||||
|
Without Deletion Protection, RDS instances can be inadvertently deleted, leading to potential data loss and service disruption.
|
||||||
|
remediation: |
|
||||||
|
Enable Deletion Protection for all Amazon RDS instances via the AWS Management Console or using the AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: instances
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].DeletionProtection' --output json
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'false'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"RDS Deletion protection feature is not enabled for RDS database instance " + db'
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: rds-encryption-check
|
||||||
|
info:
|
||||||
|
name: RDS Instance Encryption
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure that your Amazon RDS database instances are encrypted to fulfill compliance requirements for data-at-rest encryption.
|
||||||
|
impact: |
|
||||||
|
Non-encrypted RDS instances may lead to data breaches, failing to comply with data protection regulations, which could result in hefty fines and loss of reputation.
|
||||||
|
remediation: |
|
||||||
|
Enable encryption for your Amazon RDS instances by modifying the instance and setting the "Storage Encrypted" option to true. For new instances, enable encryption within the launch wizard.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: instances
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].{"StorageEncrypted":StorageEncrypted,"KmsKeyId":KmsKeyId}'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'false'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The encryption of data at rest is not enabled for " + db + " RDS database instance"'
|
|
@ -0,0 +1,35 @@
|
||||||
|
id: rds-event-notify
|
||||||
|
info:
|
||||||
|
name: RDS Event Notification Absence
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Checks for the activation of event notifications for Amazon RDS instances to monitor significant database events.
|
||||||
|
impact: |
|
||||||
|
Without event notifications, there's a risk of missing critical database events, impacting operational awareness and incident response.
|
||||||
|
remediation: |
|
||||||
|
Enable event notifications in Amazon RDS by creating an event subscription with Amazon SNS to receive notifications.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-event-subscriptions --region $region --query 'EventSubscriptionsList'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"No event notifications for RDS resources in " + region + " AWS region"'
|
|
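Review bot: The `[]` word matcher is a substring test on the full `EventSubscriptionsList` objects, and a subscription that covers all sources serialises with `"SourceIdsList": []` (and possibly `"EventCategoriesList": []`), so an account that does have subscriptions can still be reported as having none. Project only the ids, as the two sibling templates do: `--query 'EventSubscriptionsList[*].CustSubscriptionId'`, so that `[]` appears only when the list is genuinely empty. A regex anchored on the whole output, `(?s)^\s*\[\s*\]\s*$`, would be stricter still.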
@ -0,0 +1,35 @@
|
||||||
|
id: rds-event-sub-enable
|
||||||
|
info:
|
||||||
|
name: RDS Event Subscription Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensures Amazon RDS event notifications are enabled for database instance level events, allowing for real-time alerts on operational changes.
|
||||||
|
impact: |
|
||||||
|
Lack of event notifications may delay the response to critical RDS operational events, affecting database availability and performance.
|
||||||
|
remediation: |
|
||||||
|
Enable RDS event notification subscriptions for relevant database instance level events through the AWS Management Console or AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-event-subscriptions --region $region --query "EventSubscriptionsList[?SourceType == 'db-instance'].CustSubscriptionId"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"There are no Amazon RDS event subscriptions created for instance level events in " + region + " AWS region"'
|
|
@ -0,0 +1,35 @@
|
||||||
|
id: rds-event-sub
|
||||||
|
info:
|
||||||
|
name: RDS Security Group Event Notifications
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure RDS event notification subscriptions are active for database security group events to monitor and react to changes in security configurations.
|
||||||
|
impact: |
|
||||||
|
Without notifications for security group events, unauthorized changes may go unnoticed, potentially leading to security breaches or data exposure.
|
||||||
|
remediation: |
|
||||||
|
Enable Amazon RDS event notification subscriptions for relevant database security group events through the AWS Management Console or AWS CLI.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-event-subscriptions --region $region --query "EventSubscriptionsList[?SourceType == 'db-security-group'].CustSubscriptionId"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"There are no Amazon RDS event subscriptions created for database security groups available in " + region + " AWS region."'
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: rds-gp-ssd-usage
|
||||||
|
info:
|
||||||
|
name: RDS General Purpose SSD Usage
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure Amazon RDS instances use General Purpose SSDs for cost-effective storage suitable for a wide range of workloads, except for applications needing over 10000 IOPS or 160 MiB/s throughput.
|
||||||
|
impact: |
|
||||||
|
Using Provisioned IOPS SSDs when not required can significantly increase AWS costs without providing necessary performance benefits.
|
||||||
|
remediation: |
|
||||||
|
Convert RDS instances from Provisioned IOPS to General Purpose SSDs to optimize costs without sacrificing I/O performance for most database workloads.
|
||||||
|
reference:
|
||||||
|
- https://aws.amazon.com/rds/features/storage/
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: instances
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].StorageType'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'io1'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'db + " RDS instance uses Provisioned IOPS SSD, not the most cost-effective storage"'
|
|
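Review bot: The matcher keys only on `io1`; if `io2` Provisioned IOPS storage is available for the engines in scope, those instances escape the check while incurring the same cost this template is meant to flag, so add `- 'io2'` under `words:` where that applies. This is a cost-optimisation check rather than a security control, so `severity: high` sits oddly beside the security findings in this commit; `info` or `low` would better reflect the risk.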
@ -0,0 +1,55 @@
|
||||||
|
id: rds-public-snapshot
|
||||||
|
info:
|
||||||
|
name: RDS Public Snapshot Exposure
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks if AWS RDS database snapshots are publicly accessible, risking exposure of sensitive data.
|
||||||
|
impact: |
|
||||||
|
Public snapshots can expose sensitive data to unauthorized users, leading to potential data breaches.
|
||||||
|
remediation: |
|
||||||
|
Modify the snapshot's visibility settings to ensure it is not public, only shared with specific AWS accounts.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let RDPsnaps of iterate(template.snapshots)){
|
||||||
|
set("snapshot", RDPsnaps)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-snapshots --region $region --snapshot-type manual --output json --query 'DBSnapshots[*].DBSnapshotIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: snapshots
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-snapshot-attributes --region $region --db-snapshot-identifier $snapshot --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"all"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"RDS snapshot " + snapshot + " is public"'
|
|
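Review bot: The flow's loop variable `RDPsnaps` (also used in rds-snapshot-encryption) reads as a typo of RDS and says nothing about the value; `for(let snapshotId of iterate(template.snapshots)){` with `set("snapshot", snapshotId)` matches the naming used in the other flows (`clustername`, `bucketName`). The `"all"` word matcher depends on JSON output, as raised for iam-unapproved-policy, so pass `--output json` on the second command.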
@ -0,0 +1,73 @@
|
||||||
|
id: rds-public-subnet
|
||||||
|
info:
|
||||||
|
name: RDS Instance Private Subnet
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensure Amazon RDS database instances are not provisioned in VPC public subnets to avoid direct Internet exposure.
|
||||||
|
impact: |
|
||||||
|
RDS instances in public subnets can be directly accessed from the Internet, increasing the risk of unauthorized access and potential data breaches.
|
||||||
|
remediation: |
|
||||||
|
Migrate RDS instances to private subnets within the VPC and ensure proper network ACLs and security group settings are in place to restrict access.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
for(let SubnetNames of iterate(template.subnets)){
|
||||||
|
set("subnet", SubnetNames)
|
||||||
|
code(3)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: instances
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].DBSubnetGroup.Subnets[*].SubnetIdentifier[]'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: subnets
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-route-tables --region $region --filters "Name=association.subnet-id,Values=$subnet" --query 'RouteTables[*].Routes[]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'igw-'
|
||||||
|
- '0.0.0.0/0'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'db + " RDS instance is setup within a public subnet"'
|
|
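Review bot: The two words in the third block's matcher are OR-ed (no `matchers-condition`), so a private subnet whose route table sends `0.0.0.0/0` to a NAT gateway matches on the second word and the instance is reported as public, a false positive for the standard private-subnet layout. Add `matchers-condition: and` directly above `matchers:` so both an internet-gateway target and a default route must be present, or filter in JMESPath on `DestinationCidrBlock==\`0.0.0.0/0\`` together with `starts_with(GatewayId, \`igw-\`)` (guarding for routes with no GatewayId) and match on `igw-` alone. There is also a false-negative path: subnets with no explicit route-table association use the VPC main route table, which the `association.subnet-id` filter does not return, so such subnets are never evaluated; documenting this in the description or adding a fallback on `association.main` would close it.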
@ -0,0 +1,55 @@
|
||||||
|
id: rds-ri-payment-fail
|
||||||
|
info:
|
||||||
|
name: RDS RI Payment Failure
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Identifies failed RDS Reserved Instance purchases due to payment failures, affecting potential cost savings.
|
||||||
|
impact: |
|
||||||
|
Prevents utilization of reserved instance discounts, potentially leading to higher operational costs.
|
||||||
|
remediation: |
|
||||||
|
Review the payment methods on file and retry the reservation purchase for RDS instances to secure discounted rates.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithReservedDBInstances.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let DBInstances of iterate(template.instances)){
|
||||||
|
set("db", DBInstances)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-reserved-db-instances --region $region --output json --query 'ReservedDBInstances[*].ReservedDBInstanceId'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: snapshots
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-reserved-db-instances --region $region --reserved-db-instance-id $db --query 'ReservedDBInstances[*].State'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'payment-failed'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"RDS Reserved Instance purchase has failed for " + db'
|
|
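Review bot: The first block's extractor is named `snapshots` but the flow iterates `template.instances` (`for(let DBInstances of iterate(template.instances))`), so the loop body never runs and this template can never raise a finding. Rename the extractor to `name: instances` (or point the loop at `template.snapshots`); the iterated value is a ReservedDBInstanceId, so `reservations` would be the clearer name for both. The variable is also set as `db` and reported as if it were an instance, so `set("reservation", ...)` with a matching `$reservation` in the second command would make the intent explicit.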
@ -0,0 +1,55 @@
|
||||||
|
id: rds-snapshot-encryption
|
||||||
|
info:
|
||||||
|
name: RDS Snapshot Encryption
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure Amazon RDS database snapshots are encrypted for data-at-rest compliance within AWS environments.
|
||||||
|
impact: |
|
||||||
|
Unencrypted RDS snapshots can expose sensitive data to unauthorized access, risking data breach and non-compliance penalties.
|
||||||
|
remediation: |
|
||||||
|
Enable encryption for RDS snapshots by using AWS KMS Customer Master Keys (CMKs) for enhanced data security and compliance.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_EncryptSnapshot.html
|
||||||
|
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "ap-northeast-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let RDPsnaps of iterate(template.snapshots)){
|
||||||
|
set("snapshot", RDPsnaps)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-snapshots --region $region --snapshot-type manual --output json --query 'DBSnapshots[*].DBSnapshotIdentifier'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: snapshots
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws rds describe-db-snapshots --region $region --db-snapshot-identifier $snapshot --query 'DBSnapshots[*].Encrypted'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- 'false'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Amazon RDS database snapshot " + snapshot + " is not encrypted"'
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: s3-access-logging
|
||||||
|
info:
|
||||||
|
name: S3 Bucket - Access Logging Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
This template verifies if the Server Access Logging feature is enabled for Amazon S3 buckets, which is essential for tracking access requests for security and audit purposes.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-logging --bucket $bucket --query 'LoggingEnabled'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "null"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" does not have access logging enabled."'
|
|
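Review bot: The reference link points at `get-bucket-encryption`, which is the wrong operation for this check; it should cite the `get-bucket-logging` CLI page or the S3 server access logging user guide. The `null` word matcher depends on JSON output (see the note on iam-unapproved-policy) and is a substring test, so pass `--output json` on the second command and prefer a regex anchored on the whole output, `^\s*null\s*$`, so that a CLI error message cannot be mistaken for a compliant or non-compliant result.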
@ -0,0 +1,48 @@
|
||||||
|
id: s3-auth-fullcontrol
|
||||||
|
info:
|
||||||
|
name: Restrict S3 Buckets FULL_CONTROL Access for Authenticated Users
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks if Amazon S3 buckets grant FULL_CONTROL access to authenticated users, preventing unauthorized operations
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`)]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"Permission": "FULL_CONTROL"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"FULL_CONTROL is enabled for Authenticated Users on S3 Bucket " + bucket'
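Review bot: The word matcher on line 13326 (`"Permission": "FULL_CONTROL"`, with a space after the colon) depends on the CLI's default pretty-printed JSON; a profile with `output = text` or `output = table` never matches and the check silently passes. Add `--output json` to the command on line 13307, as the VPC templates in this same commit already do: `aws s3api get-bucket-acl --bucket $bucket --output json --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`)]'`. The reference on line 13195 also links the versioning examples page; it should be `https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html`.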
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: s3-bucket-key
|
||||||
|
info:
|
||||||
|
name: S3 Bucket Key not enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
This template verifies if Amazon S3 buckets have bucket keys enabled to optimize the cost of AWS Key Management Service (SSE-KMS) for server-side encryption
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-encryption --bucket cc-prod-log-bucket --query 'ServerSideEncryptionConfiguration.Rules[?ApplyServerSideEncryptionByDefault.SSEAlgorithm==`aws:kms`].BucketKeyEnabled'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- false
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Key is not enabled for S3 Bucket " + bucket'
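Review bot: The second command on line 13496 hard-codes `--bucket cc-prod-log-bucket` instead of `$bucket`, so every loop iteration queries the same (probably non-existent) bucket and any finding is attributed to whichever `$bucket` is current; it should read `aws s3api get-bucket-encryption --bucket $bucket --query 'ServerSideEncryptionConfiguration.Rules[?ApplyServerSideEncryptionByDefault.SSEAlgorithm==`aws:kms`].BucketKeyEnabled'`. The matcher word on line 13515 is an unquoted YAML `false`, which parses as a boolean rather than a string; quote it as `- "false"` the way the RDS snapshot template at the top of this chunk does. The reference on line 13384 links the versioning examples page rather than the encryption API.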
|
|
@ -0,0 +1,56 @@
|
||||||
|
id: s3-bucket-policy-public-access
|
||||||
|
info:
|
||||||
|
name: Public Access of S3 Buckets via Policy
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
This template checks if Amazon S3 buckets are configured to prevent public access via bucket policies
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-policy --bucket $bucket --query Policy --output text
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"Effect":"Allow"'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
part: body
|
||||||
|
words:
|
||||||
|
- '"Principal":"*"'
|
||||||
|
- '"AWS":"*"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" is publicly accessible via Policy"'
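Review bot: The two word matchers on lines 13712 and 13731 are evaluated against the whole policy text, not per statement, so a bucket whose only `"Principal":"*"` is in a `Deny` statement (the common `aws:SecureTransport` deny) plus any `Allow` to a named role satisfies both and is reported as publicly accessible; conversely a policy stored with spaces after the colons matches neither token. Let S3 evaluate publicness instead, which also accounts for conditions: `aws s3api get-bucket-policy-status --bucket $bucket --query PolicyStatus.IsPublic` with a single matcher `- "true"`. That call errors on buckets without a policy in the same way `get-bucket-policy` does, so the no-policy case behaves as today.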
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: s3-mfa-delete-check
|
||||||
|
info:
|
||||||
|
name: S3 Bucket MFA Delete Configuration Check
|
||||||
|
author: princechaddha
|
||||||
|
severity: low
|
||||||
|
description: |
|
||||||
|
This template verifies that Amazon S3 buckets are configured with Multi-Factor Authentication (MFA) Delete feature, ensuring enhanced protection against unauthorized deletion of versioned objects
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-versioning.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-versioning --bucket $bucket --query 'MFADelete'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "null"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" is not configured to use MFA Delete feature"'
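Review bot: `MFADelete` is returned as `Disabled` on any bucket where versioning has been configured without MFA delete and is `null` only when versioning was never touched, so the single `null` word on line 13924 misses most non-compliant buckets. Add `- "Disabled"` to `words` (same shape as the `Suspended` entry in the versioning template of this commit). The reference on line 13793 is correct for this one.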
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: s3-public-read-acp
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: S3 Bucket with Public READ_ACP Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Verifies that Amazon S3 buckets do not permit public 'READ_ACP' (LIST) access to anonymous users, protecting against unauthorized data exposure
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"Permission": "READ_ACP"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" have public READ_ACP access"'
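Review bot: The description on line 13977 says "'READ_ACP' (LIST)", copied from the READ template; READ_ACP grants reading the bucket's ACL, not listing objects. Suggested wording: `Verifies that Amazon S3 buckets do not grant public 'READ_ACP' access (reading the bucket ACL) to anonymous users, which discloses who can access the bucket`. Given that, `severity: critical` looks inherited from the READ check; ACL disclosure is an information leak rather than data exposure, so `medium` or `high` seems more proportionate.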
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: s3-public-read
|
||||||
|
|
||||||
|
info:
|
||||||
|
name: S3 Bucket with Public READ Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Verifies that Amazon S3 buckets do not permit public 'READ' (LIST) access to anonymous users, protecting against unauthorized data exposure
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"Permission": "READ"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" have public READ access"'
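Review bot: An `AllUsers` grant in the ACL is inert when S3 Block Public Access has `IgnorePublicAcls` set at the bucket or account level (now the default for new buckets), but the template on line 14289 reads only the ACL, so a stale grant under BPA is reported as a critical public bucket. Either add a step that reads `aws s3api get-public-access-block --bucket $bucket --query PublicAccessBlockConfiguration.IgnorePublicAcls` and suppresses the finding on `true`, or state in `description` that the result must be read together with the Block Public Access settings. The same caveat applies to the READ_ACP, WRITE and WRITE_ACP templates in this commit.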
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: s3-public-write-acp
|
||||||
|
info:
|
||||||
|
name: S3 Bucket with Public WRITE_ACP Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks if Amazon S3 buckets are secured against public WRITE_ACP access, preventing unauthorized modifications to access control permissions.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"Permission": "WRITE_ACP"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" have public WRITE_ACP access"'
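Review bot: Unlike the ACM and VPC templates in this commit, this one has no `impact` or `remediation` fields, which is where an operator looks first for a critical finding. Suggested additions under `info`: `impact: Anyone on the internet can rewrite the bucket ACL and grant themselves read or write access to the bucket and its objects.` and `remediation: Remove the AllUsers grant (for example with put-bucket-acl --acl private) and enable S3 Block Public Access on the bucket.` The extractor text on line 14516 should also read "has public WRITE_ACP access".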
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: s3-public-write
|
||||||
|
info:
|
||||||
|
name: S3 Bucket with Public WRITE Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: critical
|
||||||
|
description: |
|
||||||
|
Checks if Amazon S3 buckets are secured against public WRITE access, preventing unauthorized modifications to access control permissions.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"Permission": "WRITE"'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" have public WRITE access"'
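Review bot: The description on line 14547 is copied from the WRITE_ACP template ("preventing unauthorized modifications to access control permissions"), but a public WRITE grant lets anonymous users create, overwrite and delete objects, which is a different and arguably worse impact. Suggested wording: `Checks whether Amazon S3 buckets grant public WRITE access, which allows anonymous users to upload, overwrite and delete objects in the bucket.` The extractor text on line 14705 should read "has public WRITE access".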
|
|
@ -0,0 +1,48 @@
|
||||||
|
id: s3-server-side-encryption
|
||||||
|
info:
|
||||||
|
name: Server-Side Encryption on Amazon S3 Buckets
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
This template verifies if Amazon S3 buckets have server-side encryption enabled for protecting sensitive content at rest, using either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-encryption --bucket $bucket
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "ServerSideEncryptionConfigurationNotFoundError"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"The S3 bucket " + bucket +" is not encrypted at rest"'
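Review bot: The matcher on line 14875 keys on an error name that the CLI writes to stderr, and nothing in this template shows whether the code protocol includes stderr in the matched response; please confirm, otherwise the check can never fire. Independently, S3 has applied SSE-S3 default encryption to every bucket since early 2023, so `get-bucket-encryption` now returns a configuration for buckets that were never explicitly configured and `ServerSideEncryptionConfigurationNotFoundError` is effectively unreachable; the useful check today is the algorithm, e.g. `--query 'ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm'` matched on `AES256` where SSE-KMS is the policy. At minimum the `description` should say which of the two conditions this template is meant to detect.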
|
|
@ -0,0 +1,49 @@
|
||||||
|
id: s3-versioning
|
||||||
|
info:
|
||||||
|
name: S3 Bucket Versioning not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: low
|
||||||
|
description: |
|
||||||
|
Verifies that Amazon S3 buckets have object versioning enabled, providing a safeguard for recovering overwritten or deleted objects
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html
|
||||||
|
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let bucketName of iterate(template.buckets)){
|
||||||
|
set("bucket", bucketName)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api list-buckets --query 'Buckets[*].Name'
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json # type of the extractor
|
||||||
|
internal: true
|
||||||
|
name: buckets
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws s3api get-bucket-versioning --bucket $bucket --query 'Status'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "null"
|
||||||
|
- "Suspended"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Versioning is not enabled for S3 Bucket " + bucket'
|
|
@ -0,0 +1,62 @@
|
||||||
|
id: nacl-open-inbound
|
||||||
|
info:
|
||||||
|
name: Open Inbound NACL Traffic
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Checks for Amazon VPC Network ACLs with inbound rules allowing traffic from all IPs across all ports, increasing the risk of unauthorized access.
|
||||||
|
impact: |
|
||||||
|
Allows unrestricted access to resources within the subnet, potentially exposing sensitive data or services to unauthorized users.
|
||||||
|
remediation: |
|
||||||
|
Restrict Network ACL inbound rules to only allow necessary IP ranges and ports as per the Principle of Least Privilege.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let NACLIDs of template.nacls){
|
||||||
|
set("naclid", NACLIDs)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-network-acls --region $region --query 'NetworkAcls[*].NetworkAclId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: nacls
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "allow"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "PortRange"
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'
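Review bot: The two matchers are evaluated over the whole list of allow entries, not per rule, so the negative `PortRange` match on lines 15307-15311 suppresses the finding whenever any inbound allow rule in the NACL carries a port range: a NACL with an all-traffic allow plus one port-specific rule is reported as fine, while an all-traffic allow limited to, say, 10.0.0.0/8 is flagged even though the description says "from all IPs" and no CIDR is ever checked. Push the conditions into the JMESPath filter and match a non-empty result: `--query 'NetworkAcls[].Entries[?RuleAction==`allow` && Egress==`false` && Protocol==`"-1"` && (CidrBlock==`0.0.0.0/0` || Ipv6CidrBlock==`::/0`)] | []'` with a single word matcher `- "RuleNumber"`. Note `Protocol` is a string in the API, so the literal must be `"-1"`, not the number.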
|
|
@ -0,0 +1,62 @@
|
||||||
|
id: nacl-outbound-restrict
|
||||||
|
info:
|
||||||
|
name: Unrestricted NACL Outbound Traffic
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Checks for Amazon VPC NACLs allowing outbound traffic to all ports, recommending restriction to necessary ports only.
|
||||||
|
impact: |
|
||||||
|
Potential for data exfiltration or unauthorized access if outbound traffic is not properly restricted.
|
||||||
|
remediation: |
|
||||||
|
Modify NACL outbound rules to limit traffic to only the ports required for legitimate business needs.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let NACLIDs of template.nacls){
|
||||||
|
set("naclid", NACLIDs)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-network-acls --region $region --query 'NetworkAcls[*].NetworkAclId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: nacls
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`true`)] | []'
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "allow"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "PortRange"
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'
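Review bot: Same whole-output matcher problem as the inbound template: the negative `PortRange` match on lines 15550-15554 hides an all-ports egress allow as soon as any other egress rule has a port range, and there is no CIDR or protocol condition at all. Suggested query: `--query 'NetworkAcls[].Entries[?RuleAction==`allow` && Egress==`true` && Protocol==`"-1"`] | []'` with the matcher reduced to `- "RuleNumber"`. The extractor text on line 15573 is copied from the inbound check and says nothing about direction; `"NACL " + naclid + " allows unrestricted outbound traffic"` would be clearer, and the description could note that the default NACL's rule 100 will always trip this check.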
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: nat-gateway-use
|
||||||
|
info:
|
||||||
|
name: Managed NAT Gateway Usage
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensure the use of Amazon Managed NAT Gateway for better availability and bandwidth in VPC networks instead of self-managed NAT instances.
|
||||||
|
impact: |
|
||||||
|
Using self-managed NAT instances can lead to single points of failure and potential bandwidth bottlenecks.
|
||||||
|
remediation: |
|
||||||
|
Replace NAT instances with Amazon Managed NAT Gateway to ensure high availability and scalability in your VPC network.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let VPCIds of template.vpcid){
|
||||||
|
set("vpc", VPCIds)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: vpcid
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-nat-gateways --region $region --filter "Name=vpc-id,Values=$vpc" "Name=state,Values=available" --query 'NatGateways'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'vpc + " VPC is not using Managed NAT Gateways"'
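Review bot: The description and remediation talk about replacing self-managed NAT instances, but the command on line 15751 only asks whether a NAT gateway exists, so every VPC with no egress need (public-only subnets, the default VPC, isolated VPCs) is reported as a finding and no NAT instance is ever looked for. Gate the finding on the presence of a NAT-style instance (source/destination check disabled, a property NAT instances must have; other appliances such as firewalls share it, so it is a heuristic) and only report when such an instance exists without a managed gateway. If that is more than intended, at least reword the description to "VPC has no managed NAT gateway" so the result is not read as evidence of a NAT instance.
```yaml
  - engine:
      - sh
      - bash
    source: |
      # report only when a NAT-style instance exists and no managed NAT gateway serves the VPC
      gw=$(aws ec2 describe-nat-gateways --region $region --filter "Name=vpc-id,Values=$vpc" "Name=state,Values=available" --query 'NatGateways[*].NatGatewayId' --output json)
      nat_inst=$(aws ec2 describe-instances --region $region --filters "Name=vpc-id,Values=$vpc" "Name=source-dest-check,Values=false" "Name=instance-state-name,Values=running" --query 'Reservations[].Instances[].InstanceId' --output json)
      echo "{\"gateways\": $gw, \"nat_instances\": $nat_inst}"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"gateways": []'

      - type: word
        words:
          - '"nat_instances": []'
        negative: true
```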
|
|
@ -0,0 +1,64 @@
|
||||||
|
id: unrestricted-admin-ports
|
||||||
|
info:
|
||||||
|
name: Unrestricted Admin Port Access
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Checks for unrestricted ingress on TCP ports 22 (SSH) and 3389 (RDP) in Amazon VPC NACLs, exposing remote server administration to potentially malicious traffic.
|
||||||
|
impact: |
|
||||||
|
Allows unrestricted remote access, increasing the risk of unauthorized access and potential compromise.
|
||||||
|
remediation: |
|
||||||
|
Restrict access to ports 22 and 3389 to trusted IPs or IP ranges to adhere to the Principle of Least Privilege (POLP).
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let NACLIDs of template.nacls){
|
||||||
|
set("naclid", NACLIDs)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-network-acls --region $region --query 'NetworkAcls[*].NetworkAclId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: nacls
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []' --output json
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "0.0.0.0/0"
|
||||||
|
- "CidrBlock"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "22"
|
||||||
|
- "3389"
|
||||||
|
condition: or
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'
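Review bot: The second matcher on lines 16013-16021 looks for the substrings `22` and `3389` anywhere in the entry list, so rule numbers such as 220 or 122, a port 2222 rule, or a CIDR like 10.22.0.0/16 all count, and because both matchers run over the whole output a rule allowing 443 from 0.0.0.0/0 next to a rule allowing 22 from a private range is reported as unrestricted admin access. Move the per-rule logic into JMESPath and match a non-empty result: `--query 'NetworkAcls[].Entries[?RuleAction==`allow` && Egress==`false` && (CidrBlock==`0.0.0.0/0` || Ipv6CidrBlock==`::/0`) && (Protocol==`"-1"` || (PortRange.From<=`22` && PortRange.To>=`22`) || (PortRange.From<=`3389` && PortRange.To>=`3389`))] | []'` with a single word matcher `- "RuleNumber"`. The extractor text on line 16040 is the generic NACL message; `"NACL " + naclid + " allows SSH (22) or RDP (3389) from 0.0.0.0/0"` says what was found.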
|
|
@ -0,0 +1,62 @@
|
||||||
|
id: vpc-endpoint-exposed
|
||||||
|
info:
|
||||||
|
name: Exposed VPC Endpoint
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Identify and secure fully accessible Amazon VPC endpoints to prevent unauthorized access to AWS services.
|
||||||
|
impact: |
|
||||||
|
Allows unrestricted access to AWS services via the exposed VPC endpoint, potentially leading to data leakage or unauthorized operations.
|
||||||
|
remediation: |
|
||||||
|
Update the VPC endpoint's policy to restrict access only to authorized entities and ensure all requests are signed.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let VpcIds of template.VpcId){
|
||||||
|
set("vpc", VpcIds)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpc-endpoints --region $region --output table --query 'VpcEndpoints[*].VpcEndpointId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: VpcId
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpc-endpoints --region $region --vpc-endpoint-ids $vpc --query 'VpcEndpoints[*].PolicyDocument' --output json
|
||||||
|
|
||||||
|
matchers-condition: and
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- '"AWS": "*"'
|
||||||
|
- '"Principal": "*"'
|
||||||
|
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "Condition"
|
||||||
|
negative: true
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"VPC endpoints for " + vpc + "are exposed."'
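Review bot: `PolicyDocument` is returned as a JSON-encoded string, so with `--output json` the text contains `\"Principal\":\"*\"` (escaped and compact), and the matcher words on lines 16241-16245 (`"Principal": "*"` with a space) never occur; in the outputs I have seen this template cannot fire. Print the string raw instead, `--query 'VpcEndpoints[*].PolicyDocument' --output text`, and match `- '"Principal":"*"'` and `- '"AWS":"*"'`. Line 16168 passes both `--output table` and `--output json`; drop the `table` one. The description should also say that an endpoint policy only narrows what IAM already allows, so a `Principal: "*"` default policy is a missing restriction rather than an exposure by itself, which is why `medium` is the right severity here.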
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: vpc-endpoints-not-deployed
|
||||||
|
info:
|
||||||
|
name: VPC Endpoints Not Deployed
|
||||||
|
author: princechaddha
|
||||||
|
severity: medium
|
||||||
|
description: |
|
||||||
|
Ensures VPC endpoints are utilized for secure AWS service connectivity without needing an Internet Gateway, enhancing network security and efficiency.
|
||||||
|
impact: |
|
||||||
|
Avoids data exposure and reduces bandwidth use by ensuring AWS traffic remains within the AWS network, without public IP requirements for EC2 instances.
|
||||||
|
remediation: |
|
||||||
|
Implement VPC endpoints for supported AWS services to secure and optimize connectivity within your VPC, minimizing external access risks.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let VpcIds of template.VpcId){
|
||||||
|
set("vpc", VpcIds)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: VpcId
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpc-endpoints --region $region --filters Name=vpc-id,Values=$vpc --query 'VpcEndpoints[*].VpcEndpointId'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"VPC Endpoints Not Deployed in the VPC network " + vpc'
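Review bot: The `impact` text on line 16322 describes the benefit of having endpoints ("Avoids data exposure and reduces bandwidth use…") rather than the impact of the finding, which reads backwards next to the other templates' `impact` fields. Suggested wording: `Without VPC endpoints, traffic to AWS services leaves the VPC through an Internet Gateway or NAT device, requiring public egress paths and exposing that traffic to the public network.` Since the check on line 16461 flags every VPC with zero endpoints, including VPCs that never talk to AWS services, the description should say that the result is a prompt to review rather than a misconfiguration.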
|
|
@ -0,0 +1,57 @@
|
||||||
|
id: vpc-flowlogs-not-enabled
|
||||||
|
info:
|
||||||
|
name: VPC Flow Logs Not Enabled
|
||||||
|
author: princechaddha
|
||||||
|
severity: low
|
||||||
|
description: |
|
||||||
|
Ensures Amazon VPC Flow Logs are enabled for tracking network traffic to and from VPCs, aiding in security and troubleshooting.
|
||||||
|
impact: |
|
||||||
|
Without VPC Flow Logs, detecting abnormal traffic patterns or breaches becomes difficult, increasing risk of undetected threats.
|
||||||
|
remediation: |
|
||||||
|
Enable VPC Flow Logs in the AWS Management Console under the VPC dashboard to collect data on IP traffic going to and from network interfaces in your VPC.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let VpcIds of template.VpcId){
|
||||||
|
set("vpc", VpcIds)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: VpcId
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-flow-logs --region $region --filter "Name=resource-id,Values=$vpc"
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "[]"
|
||||||
|
condition: and
|
||||||
|
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- '"Flow Logs feature is not enabled for the VPC " + vpc'
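Review bot: The `[]` word on line 16696 is matched against the full `describe-flow-logs` response, so if an existing flow log's record contains any empty list (an untagged flow log is typically rendered with `"Tags": []`, though I cannot confirm that from the template alone) the VPC is reported as having no flow logs. Narrow the output so that `[]` can only mean "no flow logs": `aws ec2 describe-flow-logs --region $region --filter "Name=resource-id,Values=$vpc" --query 'FlowLogs[*].FlowLogId'`. The `condition: and` on line 16700 applies to a single word and is a no-op. Flow logs attached at subnet or ENI level are not matched by the `resource-id` filter on the VPC id, which is worth a sentence in the description.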
|
|
@ -0,0 +1,55 @@
|
||||||
|
id: vpn-tunnel-down
|
||||||
|
info:
|
||||||
|
name: AWS VPN Tunnel Down
|
||||||
|
author: princechaddha
|
||||||
|
severity: high
|
||||||
|
description: |
|
||||||
|
Ensures AWS VPN tunnels are in an UP state, facilitating uninterrupted network traffic through the Virtual Private Network.
|
||||||
|
impact: |
|
||||||
|
If a VPN tunnel is DOWN, it could disrupt network connectivity and access to resources in your VPC, impacting business operations.
|
||||||
|
remediation: |
|
||||||
|
Monitor VPN tunnel status via the AWS Management Console or CLI. If a tunnel is DOWN, troubleshoot according to AWS documentation and ensure redundancy by configuring multiple tunnels.
|
||||||
|
reference:
|
||||||
|
- https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNConnections.html
|
||||||
|
tags: cloud,devops,aws,amazon,vpn,aws-cloud-config
|
||||||
|
|
||||||
|
variables:
|
||||||
|
region: "us-east-1"
|
||||||
|
|
||||||
|
flow: |
|
||||||
|
code(1)
|
||||||
|
for(let VpnConnectionIds of template.vpnconnactions){
|
||||||
|
set("vpnid", VpnConnectionIds)
|
||||||
|
code(2)
|
||||||
|
}
|
||||||
|
|
||||||
|
self-contained: true
|
||||||
|
code:
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpn-connections --region $region --filters "Name=state,Values=available" --query 'VpnConnections[*].VpnConnectionId' --output json
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: json
|
||||||
|
name: vpnconnactions
|
||||||
|
internal: true
|
||||||
|
json:
|
||||||
|
- '.[]'
|
||||||
|
|
||||||
|
- engine:
|
||||||
|
- sh
|
||||||
|
- bash
|
||||||
|
source: |
|
||||||
|
aws ec2 describe-vpn-connections --region $region --vpn-connection-ids $vpnid --query 'VpnConnections[*].VgwTelemetry[*].Status[]'
|
||||||
|
|
||||||
|
matchers:
|
||||||
|
- type: word
|
||||||
|
words:
|
||||||
|
- "DOWN"
|
||||||
|
|
||||||
|
extractors:
|
||||||
|
- type: dsl
|
||||||
|
dsl:
|
||||||
|
- 'vpnid + " VPN tunnel is down"'
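Review bot: The flow on line 16807 iterates `template.vpnconnactions` directly, whereas every S3 template in this commit wraps the extracted list in `iterate()`; if the extractor yields a single value as a string for an account with one VPN connection, a plain `for…of` would walk its characters rather than the id, so `for(let VpnConnectionIds of iterate(template.vpnconnactions))` is the safer form (the same applies to the other VPC templates here). The message on line 16938 names a connection id but says "VPN tunnel"; `vpnid + " has at least one VPN tunnel in DOWN state"` is accurate, since `VgwTelemetry` reports both tunnels and one DOWN tunnel on a two-tunnel connection is a common steady state when the customer gateway only brings up one. Consider whether `severity: high` is appropriate for what is an availability condition rather than a misconfiguration.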
|
|
@ -34,4 +34,5 @@ http:
|
||||||
- 200
|
- 200
|
||||||
- 302
|
- 302
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
# digest: 490a0046304402200ead17d9381546ddc9f16663c90d8511969313ccc238f43ffde6040eb1190a3e02204f529c738530581af958cd8d83110cdb30cfc8f14818c8a379fb398f975045f8:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402200ead17d9381546ddc9f16663c90d8511969313ccc238f43ffde6040eb1190a3e02204f529c738530581af958cd8d83110cdb30cfc8f14818c8a379fb398f975045f8:922c64590222798bb761d5b6d8e72950
|
|
@ -29,4 +29,5 @@ dns:
|
||||||
part: answer
|
part: answer
|
||||||
words:
|
words:
|
||||||
- "IN\tA"
|
- "IN\tA"
|
||||||
|
|
||||||
# digest: 4a0a0047304502206a999e317308128dc9a9f3114f003b2c29cad9f569d6922502a8ac90971cf927022100c4fe9eea1496997e9ef66f8a46c2ece4bd511dede88aaf58d36410be3f2cc758:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502206a999e317308128dc9a9f3114f003b2c29cad9f569d6922502a8ac90971cf927022100c4fe9eea1496997e9ef66f8a46c2ece4bd511dede88aaf58d36410be3f2cc758:922c64590222798bb761d5b6d8e72950
|
|
@ -63,4 +63,5 @@ dns:
|
||||||
part: answer
|
part: answer
|
||||||
words:
|
words:
|
||||||
- "IN\tA"
|
- "IN\tA"
|
||||||
|
|
||||||
# digest: 490a0046304402200614bd35195e042742d9840244b46d9f68e4918956d5672a7549edaedbfe5f2e022051271716ac72339c39f76569585c0a256b19ce6238da5e3ea6a9d36b2d80011e:922c64590222798bb761d5b6d8e72950
|
# digest: 490a0046304402200614bd35195e042742d9840244b46d9f68e4918956d5672a7549edaedbfe5f2e022051271716ac72339c39f76569585c0a256b19ce6238da5e3ea6a9d36b2d80011e:922c64590222798bb761d5b6d8e72950
|
|
@ -34,4 +34,5 @@ http:
|
||||||
- 200
|
- 200
|
||||||
- 302
|
- 302
|
||||||
condition: or
|
condition: or
|
||||||
|
|
||||||
# digest: 4a0a0047304502201886de38da3a1bc0e95ff00b7cbf1e6cb0ef6f13197aa042a25d3a4f1ee588ad022100e067b58657d10e3b2d41283022c15120ed1d17f20d58b821418e953bfbfe2b0f:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502201886de38da3a1bc0e95ff00b7cbf1e6cb0ef6f13197aa042a25d3a4f1ee588ad022100e067b58657d10e3b2d41283022c15120ed1d17f20d58b821418e953bfbfe2b0f:922c64590222798bb761d5b6d8e72950
|
|
@ -40,4 +40,5 @@ http:
|
||||||
- "status_code==302"
|
- "status_code==302"
|
||||||
- contains(location, "login")
|
- contains(location, "login")
|
||||||
condition: and
|
condition: and
|
||||||
|
|
||||||
# digest: 490a00463044022049b2ab788a102342c3ee4b36d87315f145c3e963f1bd8389d1b2d9f90540f05402203bb1fa138a4e29c568c6bd421cb97c526e822c25fc952368295259787bc159d4:922c64590222798bb761d5b6d8e72950
|
# digest: 490a00463044022049b2ab788a102342c3ee4b36d87315f145c3e963f1bd8389d1b2d9f90540f05402203bb1fa138a4e29c568c6bd421cb97c526e822c25fc952368295259787bc159d4:922c64590222798bb761d5b6d8e72950
|
|
@ -37,4 +37,5 @@ http:
|
||||||
name: "Protected GCP Bucket"
|
name: "Protected GCP Bucket"
|
||||||
status:
|
status:
|
||||||
- 403
|
- 403
|
||||||
|
|
||||||
# digest: 4a0a00473045022038ad1830fc8e77debc4c9fcab4d7eb4c62b9930c3f98860f5e6877c1e72578a4022100e3ea9b5730d32e9219e4716c79b5203733ff802460ee921d0f0c2199ecca7989:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a00473045022038ad1830fc8e77debc4c9fcab4d7eb4c62b9930c3f98860f5e6877c1e72578a4022100e3ea9b5730d32e9219e4716c79b5203733ff802460ee921d0f0c2199ecca7989:922c64590222798bb761d5b6d8e72950
|
|
@ -32,4 +32,5 @@ http:
|
||||||
name: "Open GCP Firebase App"
|
name: "Open GCP Firebase App"
|
||||||
status:
|
status:
|
||||||
- 200
|
- 200
|
||||||
|
|
||||||
# digest: 4a0a0047304502202cb00f1926f91f36e3db3668c74866756cfda2081ea2a15ae99606c13542a8d3022100e57e4412254764ae84c84ff3fbf3932c79895e187f380a33749e25519df189f5:922c64590222798bb761d5b6d8e72950
|
# digest: 4a0a0047304502202cb00f1926f91f36e3db3668c74866756cfda2081ea2a15ae99606c13542a8d3022100e57e4412254764ae84c84ff3fbf3932c79895e187f380a33749e25519df189f5:922c64590222798bb761d5b6d8e72950
|
|
@ -48,4 +48,5 @@ http:
|
||||||
name: "Deactivated GCP Firebase RTDB"
|
name: "Deactivated GCP Firebase RTDB"
|
||||||
status:
|
status:
|
||||||
- 423
|
- 423
|
||||||
|
|
||||||
# digest: 4b0a00483046022100c5f895d4aa3a88d0917500200d33cf6c779e563a27cfcb1c1849c6740af720b30221009b12087b38af6b723bd3add8f08dd28e76b18133a03396b5d1af3693bfbdcecc:922c64590222798bb761d5b6d8e72950
|
# digest: 4b0a00483046022100c5f895d4aa3a88d0917500200d33cf6c779e563a27cfcb1c1849c6740af720b30221009b12087b38af6b723bd3add8f08dd28e76b18133a03396b5d1af3693bfbdcecc:922c64590222798bb761d5b6d8e72950
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Nuclei scan profile for scanning aws ACLs
|
||||||
|
|
||||||
|
code: true # enable code templates
|
||||||
|
|
||||||
|
tags:
|
||||||
|
- aws-cloud-config # filter templates with "aws-cloud-config" tags
|
||||||
|
|
||||||
|
var:
|
||||||
|
- region=us-east-1 # template input for "region" variable
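Review bot: The header comment `# Nuclei scan profile for scanning aws ACLs` does not describe what the profile selects: the `aws-cloud-config` tag picks up the AWS cloud-configuration code templates (the VPN tunnel check above among them), not network ACLs. Suggest `# Nuclei scan profile for auditing AWS cloud configuration (code templates tagged aws-cloud-config)`. The profile also pins `region=us-east-1`, so a scan run with it covers one region only; a comment such as `# override region (or run once per region) to cover the whole account` on the `var:` entry would prevent a clean result in one region from being read as account-wide.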
|