Merge branch 'main' into smb-detect-linux-and-windows

patch-4
Dhiyaneshwaran 2024-06-05 13:48:45 +05:30 committed by GitHub
commit fb3fee821b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2248 changed files with 30363 additions and 13210 deletions


@ -24,7 +24,7 @@ jobs:
- name: install checksum generator
run: |
go install -v github.com/projectdiscovery/nuclei/v3/cmd/generate-checksum@dev
go install -v github.com/projectdiscovery/nuclei/v3/cmd/generate-checksum@latest
- name: generate checksum
id: checksum
@ -46,4 +46,4 @@ jobs:
git pull --rebase
git push origin ${{ github.ref }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
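Review bot: The new `go install ... generate-checksum@latest` line resolves the tool to whatever the module proxy serves at run time, so a job that later pushes to the repository with `GITHUB_TOKEN` executes code that is not pinned anywhere in the workflow; pin a released tag or commit and bump it deliberately, e.g. `go install -v github.com/projectdiscovery/nuclei/v3/cmd/generate-checksum@<PINNED_TAG>` (placeholder for the chosen version). The same applies to the nuclei install step in the third file section (`.../cmd/nuclei@latest`). The enclosing job starts outside the hunk.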


@ -28,4 +28,4 @@ jobs:
AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
AWS_SECRET_KEY: ${{ secrets.AWS_SECRET_KEY }}
run: |
generate-index -mode templates
generate-index -mode templates -eft


@ -23,7 +23,7 @@ jobs:
go-version: 1.21.x
- name: nuclei install
run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@dev
run: go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
- name: Template Sign
id: sign


@ -3,27 +3,78 @@ on:
push:
paths:
- '.new-additions'
- 'code/cves/2024/CVE-2024-3094.yaml'
- 'http/cves/2022/CVE-2022-0424.yaml'
- 'http/cves/2024/CVE-2024-0337.yaml'
- 'http/cves/2024/CVE-2024-2879.yaml'
- 'http/cves/2024/CVE-2024-3273.yaml'
- 'http/default-logins/allnet/allnet-default-login.yaml'
- 'http/default-logins/asus/asus-rtn16-default-login.yaml'
- 'http/default-logins/asus/asus-wl500g-default-login.yaml'
- 'http/default-logins/asus/asus-wl520GU-default-login.yaml'
- 'http/exposed-panels/beyondtrust-priv-panel.yaml'
- 'http/exposed-panels/mitel-micollab-panel.yaml'
- 'http/exposed-panels/mitric-checker-panel.yaml'
- 'http/exposed-panels/outsystems-servicecenter-panel.yaml'
- 'http/exposed-panels/zenml-dashboard-panel.yaml'
- 'http/exposures/apis/aspnet-soap-webservices-asmx.yaml'
- 'http/misconfiguration/dlink-unauth-cgi-script.yaml'
- 'http/misconfiguration/helm-dashboard-exposure.yaml'
- 'http/misconfiguration/intelbras-dvr-unauth.yaml'
- 'http/misconfiguration/thanos-prometheus-exposure.yaml'
- 'http/technologies/citrix-xenmobile-version.yaml'
- 'http/technologies/splunkhec-detect.yaml'
- 'headless/webpack-sourcemap.yaml'
- 'http/cnvd/2024/CNVD-2024-15077.yaml'
- 'http/cves/2022/CVE-2022-0666.yaml'
- 'http/cves/2022/CVE-2022-1580.yaml'
- 'http/cves/2022/CVE-2022-34534.yaml'
- 'http/cves/2023/CVE-2023-2059.yaml'
- 'http/cves/2023/CVE-2023-3077.yaml'
- 'http/cves/2023/CVE-2023-48084.yaml'
- 'http/cves/2024/CVE-2024-1380.yaml'
- 'http/cves/2024/CVE-2024-21683.yaml'
- 'http/cves/2024/CVE-2024-24919.yaml'
- 'http/cves/2024/CVE-2024-27348.yaml'
- 'http/cves/2024/CVE-2024-34470.yaml'
- 'http/cves/2024/CVE-2024-3495.yaml'
- 'http/cves/2024/CVE-2024-3822.yaml'
- 'http/cves/2024/CVE-2024-4358.yaml'
- 'http/cves/2024/CVE-2024-5230.yaml'
- 'http/default-logins/ampjuke-default-login.yaml'
- 'http/default-logins/cambium-networks/cambium-networks-default-login.yaml'
- 'http/default-logins/digital-watchdog/digital-watchdog-default-login.yaml'
- 'http/exposed-panels/busybox-repository-browser.yaml'
- 'http/exposed-panels/cisco-firepower-panel.yaml'
- 'http/exposed-panels/cox-business-panel.yaml'
- 'http/exposed-panels/digital-watchdog-panel.yaml'
- 'http/exposed-panels/fortinet/fortisiem-panel.yaml'
- 'http/exposed-panels/oracle-access-management.yaml'
- 'http/exposed-panels/oracle-peoplesoft-panel.yaml'
- 'http/exposed-panels/vrealize-hyperic-login-panel.yaml'
- 'http/exposures/tokens/wechat/wechat-secret-key.yaml'
- 'http/iot/netgear-boarddataww-rce.yaml'
- 'http/miscellaneous/directory-listing.yaml'
- 'http/misconfiguration/dont-panic-traceback.yaml'
- 'http/misconfiguration/installer/activecollab-installer.yaml'
- 'http/misconfiguration/installer/call-com-installer.yaml'
- 'http/misconfiguration/installer/cms-made-simple-installer.yaml'
- 'http/misconfiguration/installer/confluence-installer.yaml'
- 'http/misconfiguration/installer/cubebackup-setup-installer.yaml'
- 'http/misconfiguration/installer/easy-wi-installer.yaml'
- 'http/misconfiguration/installer/ejbca-enterprise-installer.yaml'
- 'http/misconfiguration/installer/flarum-installer.yaml'
- 'http/misconfiguration/installer/fleetcart-installer.yaml'
- 'http/misconfiguration/installer/glpi-installer.yaml'
- 'http/misconfiguration/installer/invicti-enterprise-installer.yaml'
- 'http/misconfiguration/installer/invoice-ninja-installer.yaml'
- 'http/misconfiguration/installer/jfa-go-installer.yaml'
- 'http/misconfiguration/installer/justfans-installer.yaml'
- 'http/misconfiguration/installer/librenms-installer.yaml'
- 'http/misconfiguration/installer/mura-cms-setup-installer.yaml'
- 'http/misconfiguration/installer/onlyoffice-installer.yaml'
- 'http/misconfiguration/installer/openemr-setup-installer.yaml'
- 'http/misconfiguration/installer/orchard-installer.yaml'
- 'http/misconfiguration/installer/pandora-fms-installer.yaml'
- 'http/misconfiguration/installer/profittrailer-installer.yaml'
- 'http/misconfiguration/installer/projectsend-installer.yaml'
- 'http/misconfiguration/installer/snipe-it-installer.yaml'
- 'http/misconfiguration/installer/stackposts-installer.yaml'
- 'http/misconfiguration/installer/tastyigniter-installer.yaml'
- 'http/misconfiguration/installer/ubersmith-installer.yaml'
- 'http/misconfiguration/installer/uvdesk-helpdesk-installer.yaml'
- 'http/misconfiguration/installer/virtual-smartzone-installer.yaml'
- 'http/misconfiguration/installer/wowonder-installer.yaml'
- 'http/technologies/cowboy-detect.yaml'
- 'http/technologies/gabia-server-detect.yaml'
- 'http/technologies/gotweb-detect.yaml'
- 'http/technologies/sparklighter-detect.yaml'
- 'http/vulnerabilities/other/aquatronica-info-leak.yaml'
- 'http/vulnerabilities/other/array-vpn-lfi.yaml'
- 'http/vulnerabilities/other/cerio-dt-rce.yaml'
- 'http/vulnerabilities/other/easycvr-info-leak.yaml'
- 'javascript/backdoor/proftpd-backdoor.yaml'
- 'network/detection/bitvise-ssh-detect.yaml'
- 'passive/cves/2024/CVE-2024-25723.yaml'
workflow_dispatch:
jobs:
triggerRemoteWorkflow:


@ -1,7 +1,8 @@
name: ✨ WordPress Plugins - Update
on:
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
jobs:
Update:


@ -1,21 +1,72 @@
code/cves/2024/CVE-2024-3094.yaml
http/cves/2022/CVE-2022-0424.yaml
http/cves/2024/CVE-2024-0337.yaml
http/cves/2024/CVE-2024-2879.yaml
http/cves/2024/CVE-2024-3273.yaml
http/default-logins/allnet/allnet-default-login.yaml
http/default-logins/asus/asus-rtn16-default-login.yaml
http/default-logins/asus/asus-wl500g-default-login.yaml
http/default-logins/asus/asus-wl520GU-default-login.yaml
http/exposed-panels/beyondtrust-priv-panel.yaml
http/exposed-panels/mitel-micollab-panel.yaml
http/exposed-panels/mitric-checker-panel.yaml
http/exposed-panels/outsystems-servicecenter-panel.yaml
http/exposed-panels/zenml-dashboard-panel.yaml
http/exposures/apis/aspnet-soap-webservices-asmx.yaml
http/misconfiguration/dlink-unauth-cgi-script.yaml
http/misconfiguration/helm-dashboard-exposure.yaml
http/misconfiguration/intelbras-dvr-unauth.yaml
http/misconfiguration/thanos-prometheus-exposure.yaml
http/technologies/citrix-xenmobile-version.yaml
http/technologies/splunkhec-detect.yaml
headless/webpack-sourcemap.yaml
http/cnvd/2024/CNVD-2024-15077.yaml
http/cves/2022/CVE-2022-0666.yaml
http/cves/2022/CVE-2022-1580.yaml
http/cves/2022/CVE-2022-34534.yaml
http/cves/2023/CVE-2023-2059.yaml
http/cves/2023/CVE-2023-3077.yaml
http/cves/2023/CVE-2023-48084.yaml
http/cves/2024/CVE-2024-1380.yaml
http/cves/2024/CVE-2024-21683.yaml
http/cves/2024/CVE-2024-24919.yaml
http/cves/2024/CVE-2024-27348.yaml
http/cves/2024/CVE-2024-34470.yaml
http/cves/2024/CVE-2024-3495.yaml
http/cves/2024/CVE-2024-3822.yaml
http/cves/2024/CVE-2024-4358.yaml
http/cves/2024/CVE-2024-5230.yaml
http/default-logins/ampjuke-default-login.yaml
http/default-logins/cambium-networks/cambium-networks-default-login.yaml
http/default-logins/digital-watchdog/digital-watchdog-default-login.yaml
http/exposed-panels/busybox-repository-browser.yaml
http/exposed-panels/cisco-firepower-panel.yaml
http/exposed-panels/cox-business-panel.yaml
http/exposed-panels/digital-watchdog-panel.yaml
http/exposed-panels/fortinet/fortisiem-panel.yaml
http/exposed-panels/oracle-access-management.yaml
http/exposed-panels/oracle-peoplesoft-panel.yaml
http/exposed-panels/vrealize-hyperic-login-panel.yaml
http/exposures/tokens/wechat/wechat-secret-key.yaml
http/iot/netgear-boarddataww-rce.yaml
http/miscellaneous/directory-listing.yaml
http/misconfiguration/dont-panic-traceback.yaml
http/misconfiguration/installer/activecollab-installer.yaml
http/misconfiguration/installer/call-com-installer.yaml
http/misconfiguration/installer/cms-made-simple-installer.yaml
http/misconfiguration/installer/confluence-installer.yaml
http/misconfiguration/installer/cubebackup-setup-installer.yaml
http/misconfiguration/installer/easy-wi-installer.yaml
http/misconfiguration/installer/ejbca-enterprise-installer.yaml
http/misconfiguration/installer/flarum-installer.yaml
http/misconfiguration/installer/fleetcart-installer.yaml
http/misconfiguration/installer/glpi-installer.yaml
http/misconfiguration/installer/invicti-enterprise-installer.yaml
http/misconfiguration/installer/invoice-ninja-installer.yaml
http/misconfiguration/installer/jfa-go-installer.yaml
http/misconfiguration/installer/justfans-installer.yaml
http/misconfiguration/installer/librenms-installer.yaml
http/misconfiguration/installer/mura-cms-setup-installer.yaml
http/misconfiguration/installer/onlyoffice-installer.yaml
http/misconfiguration/installer/openemr-setup-installer.yaml
http/misconfiguration/installer/orchard-installer.yaml
http/misconfiguration/installer/pandora-fms-installer.yaml
http/misconfiguration/installer/profittrailer-installer.yaml
http/misconfiguration/installer/projectsend-installer.yaml
http/misconfiguration/installer/snipe-it-installer.yaml
http/misconfiguration/installer/stackposts-installer.yaml
http/misconfiguration/installer/tastyigniter-installer.yaml
http/misconfiguration/installer/ubersmith-installer.yaml
http/misconfiguration/installer/uvdesk-helpdesk-installer.yaml
http/misconfiguration/installer/virtual-smartzone-installer.yaml
http/misconfiguration/installer/wowonder-installer.yaml
http/technologies/cowboy-detect.yaml
http/technologies/gabia-server-detect.yaml
http/technologies/gotweb-detect.yaml
http/technologies/sparklighter-detect.yaml
http/vulnerabilities/other/aquatronica-info-leak.yaml
http/vulnerabilities/other/array-vpn-lfi.yaml
http/vulnerabilities/other/cerio-dt-rce.yaml
http/vulnerabilities/other/easycvr-info-leak.yaml
javascript/backdoor/proftpd-backdoor.yaml
network/detection/bitvise-ssh-detect.yaml
passive/cves/2024/CVE-2024-25723.yaml


@ -40,20 +40,20 @@ An overview of the nuclei template project, including statistics on unique tags,
## Nuclei Templates Top 10 statistics
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2425 | dhiyaneshdk | 1251 | http | 7306 | info | 3621 | file | 337 |
| panel | 1108 | daffainfo | 864 | file | 337 | high | 1635 | dns | 24 |
| wordpress | 959 | dwisiswant0 | 803 | workflows | 191 | medium | 1473 | | |
| xss | 895 | pikpikcu | 353 | network | 136 | critical | 981 | | |
| exposure | 894 | pussycat0x | 345 | code | 80 | low | 258 | | |
| wp-plugin | 834 | ritikchaddha | 320 | javascript | 55 | unknown | 36 | | |
| osint | 803 | pdteam | 296 | ssl | 28 | | | | |
| tech | 670 | ricardomaia | 232 | dast | 21 | | | | |
| lfi | 647 | geeknik | 229 | dns | 21 | | | | |
| edb | 598 | theamanrawat | 223 | headless | 11 | | | | |
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2490 | dhiyaneshdk | 1289 | http | 7477 | info | 3683 | file | 337 |
| panel | 1145 | daffainfo | 864 | file | 337 | high | 1728 | dns | 25 |
| wordpress | 976 | dwisiswant0 | 803 | workflows | 191 | medium | 1520 | | |
| exposure | 916 | pussycat0x | 354 | network | 135 | critical | 1035 | | |
| xss | 906 | pikpikcu | 353 | cloud | 98 | low | 263 | | |
| wp-plugin | 847 | ritikchaddha | 346 | code | 81 | unknown | 39 | | |
| osint | 804 | pdteam | 297 | javascript | 57 | | | | |
| tech | 682 | princechaddha | 269 | ssl | 29 | | | | |
| lfi | 658 | ricardomaia | 232 | dns | 22 | | | | |
| misconfig | 620 | geeknik | 231 | dast | 21 | | | | |
**621 directories, 8482 files**.
**640 directories, 8753 files**.
</td>
</tr>




@ -1,12 +1,12 @@
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|--------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2425 | dhiyaneshdk | 1251 | http | 7306 | info | 3621 | file | 337 |
| panel | 1108 | daffainfo | 864 | file | 337 | high | 1635 | dns | 24 |
| wordpress | 959 | dwisiswant0 | 803 | workflows | 191 | medium | 1473 | | |
| xss | 895 | pikpikcu | 353 | network | 136 | critical | 981 | | |
| exposure | 894 | pussycat0x | 345 | code | 80 | low | 258 | | |
| wp-plugin | 834 | ritikchaddha | 320 | javascript | 55 | unknown | 36 | | |
| osint | 803 | pdteam | 296 | ssl | 28 | | | | |
| tech | 670 | ricardomaia | 232 | dast | 21 | | | | |
| lfi | 647 | geeknik | 229 | dns | 21 | | | | |
| edb | 598 | theamanrawat | 223 | headless | 11 | | | | |
| TAG | COUNT | AUTHOR | COUNT | DIRECTORY | COUNT | SEVERITY | COUNT | TYPE | COUNT |
|-----------|-------|---------------|-------|------------|-------|----------|-------|------|-------|
| cve | 2490 | dhiyaneshdk | 1289 | http | 7477 | info | 3683 | file | 337 |
| panel | 1145 | daffainfo | 864 | file | 337 | high | 1728 | dns | 25 |
| wordpress | 976 | dwisiswant0 | 803 | workflows | 191 | medium | 1520 | | |
| exposure | 916 | pussycat0x | 354 | network | 135 | critical | 1035 | | |
| xss | 906 | pikpikcu | 353 | cloud | 98 | low | 263 | | |
| wp-plugin | 847 | ritikchaddha | 346 | code | 81 | unknown | 39 | | |
| osint | 804 | pdteam | 297 | javascript | 57 | | | | |
| tech | 682 | princechaddha | 269 | ssl | 29 | | | | |
| lfi | 658 | ricardomaia | 232 | dns | 22 | | | | |
| misconfig | 620 | geeknik | 231 | dast | 21 | | | | |


@ -0,0 +1,41 @@
id: acm-cert-expired
info:
name: Expired ACM Certificates
author: princechaddha
severity: high
description: |
Ensure removal of expired SSL/TLS certificates in AWS Certificate Manager to comply with Amazon Security Best Practices.
impact: |
Expired certificates can lead to service interruptions and expose applications to man-in-the-middle attacks.
remediation: |
Regularly review ACM for expired certificates and delete them or replace with updated versions.
reference:
- https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws acm list-certificates --region $region --certificate-statuses EXPIRED
matchers:
- type: word
words:
- 'CertificateArn'
extractors:
- type: json
name: certificatearn
json:
- '.CertificateSummaryList[] | .CertificateArn'
- type: dsl
dsl:
- 'region + " AWS region have expired SSL/TLS certificates"'
# digest: 490a00463044022020875df0814bb41d33d015a50a6a2d23309be5b695bad8ba9840f77e139f719b02205052abd88786969a3d7dcc2594b881841f82308df082a71df3b221085d1e9ceb:922c64590222798bb761d5b6d8e72950
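Review bot: `variables.region` hard-codes `us-east-1` and the `list-certificates` call is scoped with `--region $region`, so one run only covers certificates in that single region, while the description reads as an account-wide check. Document the limitation next to the variable, `# ACM is regional: run once per region, overriding region with -var`, or iterate the regions in `flow`. The same single-region scoping applies to the other ACM and CloudTrail templates added in this commit.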


@ -0,0 +1,57 @@
id: acm-cert-renewal-30days
info:
name: ACM Certificates Pre-expiration Renewal
author: princechaddha
severity: medium
description: |
Ensure AWS ACM SSL/TLS certificates are renewed at least 30 days before expiration to prevent service disruptions.
impact: |
Failure to renew certificates timely may lead to expired certificates causing service access issues or downtimes.
remediation: |
Set up Amazon CloudWatch to monitor ACM certificate expiration and automate renewal notifications or processes.
reference:
- https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let arns of iterate(template.certificatearns)){
set("certificatearn", arns)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json
extractors:
- type: json
name: certificatearns
internal: true
json:
- '.CertificateSummaryList[] | .CertificateArn'
- engine:
- sh
- bash
source: |
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.[NotAfter, CertificateArn]' --output json | jq -r 'select((.[0] | fromdateiso8601 | mktime) - (now | mktime) < (30 * 86400)) | .[1]'
extractors:
- type: regex # type of the extractor
name: certificate
internal: true
regex:
- '^arn.*'
- type: dsl
dsl:
- '"The AWS ACM Certificate " + certificate +" is about to expire in 30 days"'
# digest: 4a0a004730450220756b5be6dcc7136b4b633c69403bc8a7d096c35c2a8275b99855b974e5c6ddd102210097de27a237f011112a45966e4320e15b0b9ee2af6762bd66817106963c31b0d8:922c64590222798bb761d5b6d8e72950
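Review bot: The jq filter on the `aws acm describe-certificate` line pipes both `fromdateiso8601` and `now` into `mktime`, but both already yield epoch seconds whereas `mktime` expects the broken-down time array produced by `gmtime`, so jq reports an error and the template never emits a finding. Drop the two `mktime` calls: `jq -r 'select((.[0] | fromdateiso8601) - now < (30 * 86400)) | .[1]'`. Note also that `fromdateiso8601` only parses the `...Z` form; if the CLI prints `NotAfter` with a `+00:00` offset (the AWS CLI v2 default, to be confirmed on the target setup), the conversion still fails and the offset has to be normalised first. The 45-day template carries the identical filter with `45 * 86400`.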


@ -0,0 +1,57 @@
id: acm-cert-renewal-45days
info:
name: ACM Certificates Pre-expiration Renewal
author: princechaddha
severity: medium
description: |
Ensure AWS ACM SSL/TLS certificates are renewed at least 45 days before expiration to prevent service disruptions.
impact: |
Failure to renew certificates timely may lead to expired certificates causing service access issues or downtimes.
remediation: |
Set up Amazon CloudWatch to monitor ACM certificate expiration and automate renewal notifications or processes.
reference:
- https://docs.aws.amazon.com/acm/latest/userguide/acm-renewal.html
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let arns of iterate(template.certificatearns)){
set("certificatearn", arns)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json
extractors:
- type: json
name: certificatearns
internal: true
json:
- '.CertificateSummaryList[] | .CertificateArn'
- engine:
- sh
- bash
source: |
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.[NotAfter, CertificateArn]' --output json | jq -r 'select((.[0] | fromdateiso8601 | mktime) - (now | mktime) < (45 * 86400)) | .[1]'
extractors:
- type: regex # type of the extractor
name: certificate
internal: true
regex:
- '^arn.*'
- type: dsl
dsl:
- '"The AWS ACM Certificate " + certificate +" is about to expire in 30 days"'
# digest: 490a00463044022030b5597eb0c060a9e40e23a74f07216222b2df8f53391b091624a8fb3a5fc7b8022007201e8fa3b8699eed20222e46d207fb8b271fbc1c20092e96bb5a2d3740a5d5:922c64590222798bb761d5b6d8e72950
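Review bot: The dsl message in the last extractor still says `is about to expire in 30 days` although this template's threshold is 45 days (`45 * 86400` in the jq filter); change it to `'"The AWS ACM Certificate " + certificate +" is about to expire in 45 days"'`. The `info.name` is also byte-identical to the 30-day template's, so findings from the two cannot be told apart by name; `name: ACM Certificates Pre-expiration Renewal (45 days)` would disambiguate.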


@ -0,0 +1,56 @@
id: acm-cert-validation
info:
name: ACM Certificate Validation Check
author: princechaddha
severity: medium
description: |
Ensure ACM SSL/TLS certificates are properly validated during issue or renewal, indicating secure communication channels.
impact: |
Lack of validation may allow unauthorized certificates, leading to potential man-in-the-middle attacks or data breaches.
remediation: |
Use AWS ACM for certificate provisioning and ensure domain validation steps are correctly followed for each certificate issued or renewed.
reference:
- https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-validate.html
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let arns of iterate(template.certificatearns)){
set("certificatearn", arns)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws acm list-certificates --region $region --output json
extractors:
- type: json
name: certificatearns
internal: true
json:
- '.CertificateSummaryList[] | .CertificateArn'
- engine:
- sh
- bash
source: |
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.Status'
matchers:
- type: word
words:
- "PENDING_VALIDATION"
extractors:
- type: dsl
dsl:
- '"The issue/renewal request for " + certificatearn + " SSL/TLS certificate was not validated"'
# digest: 4a0a0047304502210089639de3f7c36e53216707ebb4296d7ca7744e1227c45977772e3a5a2fa492e2022032c5f3a8a70224d2aad87a042558ad554bc58170e274510715cca40dc0e67ec3:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: acm-wildcard-cert
info:
name: Wildcard ACM Certificate Usage
author: princechaddha
severity: low
description: |
Ensure ACM certificates for specific domain names are used over wildcard certificates to adhere to best security practices, providing unique private keys for each domain/subdomain.
impact: |
Using wildcard certificates can expose your AWS environment to increased risk by potentially allowing unauthorized subdomains to be protected under the same certificate, reducing the granularity of access control and increasing the blast radius in the event of a key compromise.
remediation: |
Replace wildcard ACM certificates with single domain name certificates for each domain/subdomain within your AWS account. This enhances security by ensuring each domain/subdomain has its own unique private key and certificate.
reference:
- https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html
tags: cloud,devops,aws,amazon,acm,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let arns of iterate(template.certificatearns)){
set("certificatearn", arns)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws acm list-certificates --region $region --certificate-statuses ISSUED --query 'CertificateSummaryList[*].CertificateArn' --output json
extractors:
- type: json
name: certificatearns
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws acm describe-certificate --region $region --certificate-arn $certificatearn --query 'Certificate.DomainName'
matchers:
- type: word
words:
- "*."
extractors:
- type: dsl
dsl:
- 'certificatearn + " AWS ACM certificate is a wildcard certificate"'
# digest: 4a0a00473045022100f6ea9830b40920522f8151d891ae384572efefa30076cbf061bb313303abe50d022030dcf2a11227f66c51c43294228e264bf6b0eee1ae359cc2b84272c834de6351:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,53 @@
id: aws-code-env
info:
name: AWS Cloud Environment Validation
author: princechaddha
severity: info
description: |
Checks if AWS CLI is set up and all necessary tools are installed on the environment.
reference:
- https://aws.amazon.com/cli/
tags: cloud,devops,aws,amazone,aws-cloud-config
variables:
region: "us-east-1"
flow: code(1) && code(2)
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws sts get-caller-identity --output json
matchers:
- type: word
internal: true
words:
- '"UserId"'
extractors:
- type: json
name: account
internal: true
json:
- '.Account'
- engine:
- sh
- bash
source: |
jq --version >/dev/null 2>&1 && echo "jq is installed." || echo "jq is not installed."
matchers:
- type: word
words:
- "jq is installed"
extractors:
- type: dsl
dsl:
- '"AWS CLI is properly configured for account \"" + account + "\" and all the necessary tools required are installed"'
# digest: 4b0a00483046022100a05a196d8113f7a6f2a0ad341f9cecb882fe6fb7067812b6fc3d60482a736759022100a2d1867891aecfc696770bef70553de20c1cf97b6dbb29a4158fee3a08522c69:922c64590222798bb761d5b6d8e72950
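Review bot: The `tags` line spells the vendor tag `amazone`, while every other template in this commit uses `amazon`; as written this environment check is left out of a `-tags amazon` run even though the other `aws-cloud-config` templates presumably depend on the same CLI setup. Change it to `tags: cloud,devops,aws,amazon,aws-cloud-config`.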


@ -0,0 +1,56 @@
id: cloudtrail-data-events
info:
name: CloudTrail S3 Data Events Logging
author: princechaddha
severity: low
description: |
Ensure Amazon CloudTrail trails log S3 data events to monitor object-level operations like GetObject, DeleteObject, and PutObject.
impact: |
Without logging S3 data events, you lose visibility into object-level operations which could help detect unauthorized access or modifications.
remediation: |
Enable data event logging in CloudTrail for S3 buckets to ensure detailed activity monitoring and logging for better security and compliance.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-data-events-with-cloudtrail.html
tags: cloud,devops,aws,amazon,s3,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail get-event-selectors --region $region --trail-name $trail --query 'EventSelectors[*].DataResources[]'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail" + trail + " is not configured to capture resource operations performed on or within an AWS cloud resource"'
# digest: 490a0046304402201faa9752ffea7342ad3012c17528ce7ac93a419f258bc0022f82daca0c116b060220047829932aa4d96d6a578faf2884e39bb46badf9ec8f4f4704a2cabdc2cc93a5:922c64590222798bb761d5b6d8e72950
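Review bot: The dsl message concatenates `"CloudTrail trail" + trail` with no separator, so the finding reads `CloudTrail trailmytrail`; change it to `'"CloudTrail trail " + trail + " is not configured to capture resource operations performed on or within an AWS cloud resource"'`. The same missing space appears in cloudtrail-disabled, cloudtrail-global-disabled and cloudtrail-log-integrity. Separately, the `[]` match on `EventSelectors[*].DataResources[]` appears to fire for a trail that logs S3 data events through advanced event selectors, since those are not returned under `EventSelectors`; worth confirming against `get-event-selectors` output and, if so, also querying `AdvancedEventSelectors` before reporting.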


@ -0,0 +1,56 @@
id: cloudtrail-disabled
info:
name: CloudTrail Disabled
author: princechaddha
severity: high
description: |
Ensures AWS CloudTrail is enabled in all regions to monitor and record account activity across your AWS infrastructure, enhancing security and compliance.
impact: |
Lack of region-wide CloudTrail logging can lead to insufficient visibility into account activities, hindering anomaly detection and forensic analysis.
remediation: |
Enable CloudTrail in all AWS regions through the AWS Management Console or CLI to ensure comprehensive activity logging and monitoring.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-getting-started.html
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IsMultiRegionTrail'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail" + trail + " is not configured to receive log files from all the AWS cloud regions"'
# digest: 490a0046304402201443ece0d6b4fbc1cddf7c13cedcdea324540e873081d0b64225178ee3dc2d1402203d677bdd02490a8f5a90d8e2abfa5499df844303bd18b1c2250ee3737a6ce1c3:922c64590222798bb761d5b6d8e72950
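Review bot: The template is named `CloudTrail Disabled` but can only fire for trails that exist: when the region has no trail at all, `code(1)` extracts nothing, the `for` loop in `flow` runs zero times and no finding is produced, which is precisely the disabled case the description targets. Either rename it to what is actually checked, `name: CloudTrail Multi-Region Logging Disabled`, or add a matcher on the first code block that reports an empty `[]` from `list-trails` (behaviour of a non-internal matcher inside an explicit `flow` should be confirmed).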


@ -0,0 +1,56 @@
id: cloudtrail-dup-logs
info:
name: CloudTrail Duplicate Log Avoidance
author: princechaddha
severity: medium
description: |
Ensure CloudTrail logging is configured to prevent duplicate recording of global service events across multiple trails.
impact: |
Duplicate log entries can lead to increased storage costs and complicate log analysis and anomaly detection efforts.
remediation: |
Configure only one multi-region trail to log global service events and disable global service logging for all other trails.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IncludeGlobalServiceEvents' --output json
matchers:
- type: word
words:
- "true"
extractors:
- type: dsl
dsl:
- '"Ensure only one trail in Amazon CloudTrail is configured for global service events to avoid duplicates: " + trail'
# digest: 4a0a00473045022100863a23e0d723ae8fd1912b96f52fdd5a22168d4fedd110138ac6b8e75434ef83022040c6c4f2d88276a08fc5faa9c4601c70615bcf8d0969cbe2dbf642c7f8186b43:922c64590222798bb761d5b6d8e72950
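Review bot: The check matches `true` on `IncludeGlobalServiceEvents` for each trail independently, so an account with one correctly configured multi-region trail is reported as a duplicate-logging issue; the condition in the description (more than one trail logging global events) needs a count across trails, not a per-trail loop. A single code block that lists all trails in the region and emits a marker only when more than one has global events enabled would express this, as sketched below; whether `describe-trails` without `--trail-name-list` also lists shadow trails from other regions should be checked so they are not double counted.
```yaml
# … unchanged: id, info, variables …
flow: code(1)
self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      aws cloudtrail describe-trails --region $region --query 'trailList[*].IncludeGlobalServiceEvents' --output json | jq -r 'if ([.[] | select(. == true)] | length) > 1 then "DUPLICATE_GLOBAL_EVENTS" else empty end'
    matchers:
      - type: word
        words:
          - "DUPLICATE_GLOBAL_EVENTS"
```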


@ -0,0 +1,56 @@
id: cloudtrail-global-disabled
info:
name: CloudTrail Global Events Enablement
author: princechaddha
severity: high
description: |
Ensure Amazon CloudTrail trails are configured to capture both regional and global API activity for enhanced security and compliance in your AWS account.
impact: |
Lacking global event logging reduces visibility across AWS services that operate at the global level, potentially missing critical security and compliance data.
remediation: |
Enable global service logging in CloudTrail by creating or updating a trail to include global services. This ensures comprehensive activity monitoring.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IncludeGlobalServiceEvents'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail" + trail + " is not configured to record API calls for AWS global services"'
# digest: 4a0a004730450221009edff671d27bdeaf0556428297d56afb1404ff3032d9ae4b61578c2b239ec4c502202ea0baf81ef1917992591736e8dfd44578f85f84bbb8c869fca718fecefac3c0:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: cloudtrail-integrated-cloudwatch
info:
name: CloudTrail CloudWatch Integration
author: princechaddha
severity: medium
description: |
Ensure Amazon CloudTrail logs are integrated with CloudWatch Logs for real-time monitoring and analysis.
impact: |
Without integration, detecting and responding to critical events or unauthorized actions within AWS environment could be delayed.
remediation: |
Enable CloudTrail log file validation and configure CloudWatch Logs to monitor CloudTrail log files. Create CloudWatch Alarms for specific events of interest.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html
tags: cloud,devops,aws,amazon,cloudtrail,cloudwatch,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].CloudWatchLogsLogGroupArn'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail" + trail + " is not configured to send events to CloudWatch Logs for monitoring purposes"'
# digest: 4a0a00473045022003841e6c5e526ca9c51573554cb8b79f921518607b91025823f13325bc700fd7022100c936d849e5d2106d6079dc7524894c444881996c94755ba76bff9a313b01b47b:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: cloudtrail-log-integrity
info:
name: CloudTrail Log Integrity Validation not Enabled
author: princechaddha
severity: high
description: |
Ensure CloudTrail log file integrity validation is enabled to detect unauthorized file modifications.
impact: |
Without log file integrity validation, it's harder to detect if CloudTrail logs have been tampered with, potentially hiding malicious activity.
remediation: |
Enable log file integrity validation on all CloudTrail trails to ensure the integrity and authenticity of your logs.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].LogFileValidationEnabled'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"The log file integrity validation is not enabled for CloudTrail trail" + trail'
# digest: 4a0a00473045022100facdee59eb1d2eca53313cf4f8de941c2f7a0857645f153ad2a64c81b51d9a67022059981aa1842b49de13fc78b6673e74c755632f673f08c402ad66f59074cc2e37:922c64590222798bb761d5b6d8e72950
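Review bot: Trails homed outside the hard-coded `ap-south-1` produce no finding at all: `list-trails` appears to return trails from every region (it reports a `HomeRegion` per trail, which cloudtrail-logs-not-encrypted relies on), while `describe-trails --trail-name-list` with a bare name only resolves trails in the requested region and returns `[]` for the rest, which never matches `false`. The least invasive fix is to extract `Trails[*].TrailARN` in step 1 and pass the ARN to `--trail-name-list`, which to my recollection the DescribeTrails API accepts regardless of region; the same fixed-region gap affects cloudtrail-integrated-cloudwatch, cloudtrail-mfa-delete, cloudtrail-mgmt-events, cloudtrail-public-buckets, cloudtrail-s3-bucket-logging and s3-object-lock-not-enabled. If the region variable is meant to be supplied by the operator, the description should say so.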


@ -0,0 +1,63 @@
id: cloudtrail-logs-not-encrypted
info:
name: CloudTrail Logs Not Encrypted
author: princechaddha
severity: medium
description: |
Ensure Amazon CloudTrail logs are encrypted at rest using AWS Key Management Service (KMS) to secure log data.
impact: |
Non-encrypted CloudTrail logs pose a risk of unauthorized access, compromising the integrity and confidentiality of log data.
remediation: |
Enable Server-Side Encryption (SSE) for CloudTrail logs using an AWS KMS key through the CloudTrail console or AWS CLI.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
set("region", template.trailregion)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].[Name, HomeRegion]' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[] | .[0]'
- type: json
name: trailregion
internal: true
json:
- '.[] | .[1]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].KmsKeyId'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail " + trail + " is not configured to encrypt log files using SSE-KMS encryption"'
# digest: 4b0a00483046022100b39586900f3cb7a7ce2582be709c7b3d1b25bceaf0f6d35887c3a3d62bfff8d80221009aa3a72ddade09b522655349a54b6cb7e6e0ebd3b36d85b30899b283e77dc90d:922c64590222798bb761d5b6d8e72950
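Review bot: `set("region", template.trailregion)` inside the trail loop assigns the whole extracted `trailregion` list, not the HomeRegion of the trail currently being iterated: the two json extractors produce parallel lists and the loop only iterates `cloudtrailname`, so unless the flow engine pairs them by index every `describe-trails` call receives a region value that is not a single region name. Extracting `Trails[*].TrailARN` in step 1 and passing the ARN to `--trail-name-list` sidesteps the pairing problem entirely (DescribeTrails accepts ARNs for trails in any region, as far as I recall), and lets the second extractor and the `set("region", ...)` line be dropped. If the pairing is intentional and supported, a comment in the flow explaining how `template.trailregion` resolves to one value would save the next reader the same question.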


@ -0,0 +1,73 @@
id: cloudtrail-mfa-delete
info:
name: CloudTrail MFA Delete
author: princechaddha
severity: high
description: |
Ensure Amazon CloudTrail buckets have MFA Delete enabled to protect log file deletion.
impact: |
Prevents unauthorized deletion of CloudTrail logs, enhancing security and compliance.
remediation: |
Enable MFA Delete on CloudTrail buckets via the S3 console or AWS CLI.
reference:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
for(let BucketNames of iterate(template.buckets)){
set("bucket", BucketNames)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName'
extractors:
- type: json
name: buckets
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-versioning --bucket $bucket --query 'MFADelete'
matchers:
- type: word
words:
- 'null'
extractors:
- type: dsl
dsl:
- '"The MFA Delete feature is not enabled for the S3 bucket " + bucket + " associated with the CloudTrail " + trail'
# digest: 490a00463044022042298637fc3947aaaab32dc59fb448c2c08e310bc0ca8a81f04d219b3e3643e4022029d99b37008c16622b5f08d7c27548c42cbfa80b8face6e766a180fe14abb003:922c64590222798bb761d5b6d8e72950
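Review bot: The step 3 matcher only fires on `null`, so a bucket whose versioning configuration reports `MFADelete: Disabled` (versioning on, MFA Delete explicitly off) is treated as compliant. Add `- 'Disabled'` to the words list, or invert the check with `negative: true` against `Enabled`, so that every state other than enabled is reported. The `tags` line also drops `cloudtrail`, which cloudtrail-s3-bucket-logging keeps alongside `s3`; keeping both makes the template reachable by either tag filter.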


@ -0,0 +1,57 @@
id: cloudtrail-mgmt-events
info:
name: CloudTrail Management Events Logging Not Enabled
author: princechaddha
severity: medium
description: |
Ensures Amazon CloudTrail trails are configured to log management events, capturing crucial API calls and console actions for security and audit purposes.
impact: |
Failure to log management events can lead to insufficient audit trails, hindering the ability to investigate and respond to suspicious activities.
remediation: |
Enable management event logging in CloudTrail by creating a new trail or updating existing trails to include management events.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html
tags: cloud,devops,aws,amazon,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail get-event-selectors --region $region --trail-name $trail --query 'EventSelectors[*].IncludeManagementEvents'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail" + trail + " is not configured to capture management operations performed on your AWS cloud resources"'
# digest: 4a0a00473045022071c61afb61f0c431e2f7edf10563f582ede9a3a52e70a847ac8c6423758f5777022100e921cca38de3640c42ba86369837d9015c0b7b371c218eac3281f789392f77bd:922c64590222798bb761d5b6d8e72950
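Review bot: A trail configured with advanced event selectors is never evaluated: as far as I recall `get-event-selectors` returns `AdvancedEventSelectors` for such trails and leaves `EventSelectors` empty, so the query yields `null`, the `false` matcher never fires, and a trail that excludes management events is reported as compliant. Either add a second query over `AdvancedEventSelectors` and match on the absence of a management-event selector, or state in the description that only basic event selectors are evaluated. The extractor message lacks a space after `"CloudTrail trail"`.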


@ -0,0 +1,56 @@
id: cloudtrail-public-buckets
info:
name: Public CloudTrail Buckets
author: princechaddha
severity: critical
description: |
Identifies AWS CloudTrail S3 buckets that are publicly accessible, risking exposure of sensitive log data.
impact: |
Unauthorized access to CloudTrail logs can lead to data leakage, compromising the integrity and confidentiality of cloud operations.
remediation: |
Restrict S3 bucket access using bucket policies or IAM policies to ensure that CloudTrail logs are not publicly accessible.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-find-log-files.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].IncludeGlobalServiceEvents'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"CloudTrail trail" + trail + " is not configured to record API calls for AWS global services"'
# digest: 4a0a00473045022039127acbaf7f578247fb47cdfe1a2fdd2a67e57bca815a7786011743df98451c022100c8e1b247da863d14ae8ba023a1f7d05ea77faf28cc1d1c4eb5752c0976d54b0b:922c64590222798bb761d5b6d8e72950
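Review bot: The check does not implement its metadata: id, name, description and remediation describe publicly accessible CloudTrail S3 buckets, but step 2 queries `trailList[*].IncludeGlobalServiceEvents` and the extractor reports "is not configured to record API calls for AWS global services", which duplicates the global-service-events check earlier in this commit and attaches a `critical` severity to it. To check bucket exposure, follow the three-step pattern of cloudtrail-mfa-delete (extract `S3BucketName`, loop over buckets) and evaluate the bucket in step 3, for example `aws s3api get-bucket-policy-status --bucket $bucket --query 'PolicyStatus.IsPublic' --output json` matched on `true`, keeping in mind that this call errors for buckets without a policy, so the public-access-block configuration may need to be inspected as well. Until then the template produces a misleading finding and should not ship under this id.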


@ -0,0 +1,73 @@
id: cloudtrail-s3-bucket-logging
info:
name: CloudTrail S3 Logging
author: princechaddha
severity: high
description: |
Ensure AWS CloudTrail logs are captured in S3 buckets with Server Access Logging enabled for audit and forensic purposes.
impact: |
Without S3 Server Access Logging for CloudTrail, tracking unauthorized access or modifications to CloudTrail logs becomes difficult, impacting incident response and forensic analysis.
remediation: |
Enable Server Access Logging on the S3 bucket used by CloudTrail. Configure the logging feature to capture all requests made to the CloudTrail bucket.
reference:
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html
tags: cloud,devops,aws,amazon,s3,cloudtrail,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
for(let BucketNames of iterate(template.buckets)){
set("bucket", BucketNames)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName'
extractors:
- type: json
name: buckets
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-logging --bucket $bucket --query 'LoggingEnabled'
matchers:
- type: word
words:
- 'null'
extractors:
- type: dsl
dsl:
- '"Access logging is not enabled for the S3 bucket associated with CloudTrail trail " + trail'
# digest: 4a0a00473045022100fc881c1ddc9a2e0229e8f3fbac211a1e5c3b7dac4363cd0611c002a55f455dc602201c3c0d885e1b03e7c10a09dbe42871bd2eeb1ffb62360ece9e5297a0d07e6953:922c64590222798bb761d5b6d8e72950
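Review bot: The reference URL points to the CloudTrail log-file validation page, which is the subject of cloudtrail-log-integrity, not S3 server access logging; the Amazon S3 user guide page on server access logging is the relevant link here. The extractor message also omits the bucket name although `bucket` is set in the inner loop, so findings for trails with several buckets cannot be told apart; cloudtrail-mfa-delete includes it: `'"Access logging is not enabled for the S3 bucket " + bucket + " associated with CloudTrail trail " + trail'`.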


@ -0,0 +1,74 @@
id: s3-object-lock-not-enabled
info:
name: CloudTrail S3 Object Lock
author: princechaddha
severity: medium
description: |
Ensure Amazon CloudTrail S3 buckets have Object Lock enabled to prevent log deletion and ensure regulatory compliance.
impact: |
Without Object Lock, S3 objects such as CloudTrail logs can be deleted, compromising audit trails and violating compliance requirements.
remediation: |
Enable S3 Object Lock in Governance mode with a retention period that meets your compliance requirements for CloudTrail S3 buckets.
reference:
- https://docs.aws.amazon.com/AmazonS3/latest/dev/object-lock-overview.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
variables:
region: "ap-south-1"
flow: |
code(1)
for(let CloudTrail of iterate(template.cloudtrailname)){
set("trail", CloudTrail)
code(2)
for(let BucketNames of iterate(template.buckets)){
set("bucket", BucketNames)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudtrail list-trails --region $region --query 'Trails[*].Name' --output json
extractors:
- type: json
name: cloudtrailname
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudtrail describe-trails --region $region --trail-name-list $trail --query 'trailList[*].S3BucketName'
extractors:
- type: json
name: buckets
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-object-lock-configuration --bucket $bucket --query 'ObjectLockConfiguration.ObjectLockEnabled' --output json
matchers:
- type: word
part: code_3_stderr
words:
- 'ObjectLockConfigurationNotFoundError'
extractors:
- type: dsl
dsl:
- '"The Object Lock feature is not enabled for the S3 bucket associated with the CloudTrail trail " + trail'
# digest: 4b0a00483046022100cdae2dc4719a039aae0873a5c1a1b4f5797593a1f555ee93a6752d408a181ebd022100f0decf46ad9b338bbcd2ea531acf088dcb76a0e605d9d7032130351113b92b43:922c64590222798bb761d5b6d8e72950
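Review bot: The remediation recommends Object Lock in Governance mode without noting that governance-mode retention can be lifted by any principal holding `s3:BypassGovernanceRetention`; for log objects that must survive an attacker with account access, Compliance mode is the setting that actually prevents deletion for the retention period, and the remediation should say which mode is expected and why. The stderr matcher recognises only `ObjectLockConfigurationNotFoundError`, so when the call fails for another reason (access denied, or a bucket in a different account for organization trails) the bucket yields no finding; a comment on the matcher documenting that behaviour would help operators read an empty result correctly. Style: the id `s3-object-lock-not-enabled` breaks the `cloudtrail-` prefix used by the sibling templates, and the name "CloudTrail S3 Object Lock" suggests it was meant to follow it.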


@ -0,0 +1,56 @@
id: cw-alarm-action-set
info:
name: CloudWatch Alarm Action Not Set
author: princechaddha
severity: medium
description: |
Ensure Amazon CloudWatch alarms have actions configured for the ALARM state to automate response to incidents.
impact: |
Without actions, CloudWatch alarms may not trigger automated incident response or notifications, potentially delaying mitigation.
remediation: |
Configure at least one action for each CloudWatch alarm to ensure timely response to monitored issues.
reference:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
tags: cloud,devops,aws,amazon,cloudwatch,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let AlarmName of iterate(template.alarms)){
set("alarm", AlarmName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudwatch describe-alarms --region $region --query 'MetricAlarms[].AlarmName' --output json
extractors:
- type: json
name: alarms
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudwatch describe-alarms --region $region --alarm-names "$alarm" --query 'MetricAlarms[*].AlarmActions[]' --output json
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"The Amazon CloudWatch " + alarm +" is not configured with any actions for the ALARM state."'
# digest: 4a0a004730450220699edd21da9a908d8160230a38300e78c76cce31988d83565ed8b7a0c9b41d70022100c607f34933362074e992f81390dae32347f888ffa68a9d97aac8aad03a388f55:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: cw-alarms-actions
info:
name: CloudWatch Alarms Actions Enabled
author: princechaddha
severity: high
description: |
Ensure that all Amazon CloudWatch alarms have actions enabled (ActionEnabled: true) to respond to state changes.
impact: |
Without actions enabled, CloudWatch alarms cannot perform automated actions in response to state changes, potentially missing critical alerts.
remediation: |
Enable actions for each CloudWatch alarm by setting the ActionEnabled parameter to true, allowing for automated responses to alarms.
reference:
- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html
tags: cloud,devops,aws,amazon,cloudwatch,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let AlarmName of iterate(template.alarms)){
set("alarm", AlarmName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws cloudwatch describe-alarms --region $region --query 'MetricAlarms[].AlarmName' --output json
extractors:
- type: json
name: alarms
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws cloudwatch describe-alarms --region $region --alarm-names "DiskWritesOpsAlarm" --query 'MetricAlarms[*].ActionsEnabled'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- '"The Amazon CloudWatch " + alarm + " does not have any active actions configured"'
# digest: 4b0a00483046022100c25b4a5bed3d8e28421708a03ab05c2b09f619f6c38472a34377d2db18e4d730022100d057819cf7fbf55503e3a93b82daa4b438fb204056422e34bbcb5a6ddb4d425e:922c64590222798bb761d5b6d8e72950
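Review bot: Step 2 hard-codes `--alarm-names "DiskWritesOpsAlarm"` instead of the loop variable, so every iteration inspects the same alarm: if that alarm has actions disabled, the finding is emitted once per alarm in the account under each alarm's name, and if it does not exist nothing is ever reported. Change the line to `aws cloudwatch describe-alarms --region $region --alarm-names "$alarm" --query 'MetricAlarms[*].ActionsEnabled' --output json`, matching cw-alarm-action-set.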


@ -0,0 +1,56 @@
id: ec2-imdsv2
info:
name: Enforce IMDSv2 on EC2 Instances
author: princechaddha
severity: medium
description: |
Ensure all EC2 instances use Instance Metadata Service Version 2 (IMDSv2) for enhanced security when requesting instance metadata, protecting against certain types of attacks that target the older version, IMDSv1.
impact: |
Using IMDSv1 can expose EC2 instances to server-side request forgery (SSRF) attacks, potentially allowing attackers to access sensitive instance metadata.
remediation: |
Modify the EC2 instance metadata options to set `HttpTokens` to `required`, enforcing the use of IMDSv2. This can be done via the AWS Management Console, CLI, or EC2 API.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let InstancesName of iterate(template.instances)){
set("ec2instance", InstancesName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-instances --region $region --output table --query 'Reservations[*].Instances[*].InstanceId' --output json
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-instances --region $region --instance-ids $ec2instance --query 'Reservations[*].Instances[*].MetadataOptions.HttpTokens[]'
matchers:
- type: word
words:
- "optional"
extractors:
- type: dsl
dsl:
- 'ami + " is publically shared"'
# digest: 4b0a00483046022100a9c93182cc816c3d5bc33cf11b0b8fa7f667153ee8f1c742c1c50da21309f666022100eec3b3b58d54dc9609e9b3b5cbe5feefd239ed07c12958cf75456d961aa3258a:922c64590222798bb761d5b6d8e72950
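Review bot: The extractor message `'ami + " is publically shared"'` references a variable `ami` that this template never sets and describes an AMI-sharing finding, so the reported text is wrong for an IMDSv2 check; something like `'"The EC2 instance " + ec2instance + " does not enforce IMDSv2 (HttpTokens is optional)"'` reflects what the matcher actually detects. Two further issues in step 1: the command passes both `--output table` and `--output json` (the last one wins, but the first should go), and the query returns one nested list per reservation, so the `.[]` extractor yields arrays rather than instance ids; ec2-public-ip uses `'.[].[]'` for the same query.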


@ -0,0 +1,56 @@
id: ec2-public-ip
info:
name: Public IP on EC2 Instances
author: princechaddha
severity: unknown
description: |
Ensures Amazon EC2 instances, especially backend ones, do not use public IP addresses to minimize Internet exposure.
impact: |
Instances with public IP addresses are more vulnerable to Internet-based threats, compromising network security.
remediation: |
Restrict public IP assignment for EC2 instances, particularly for backend instances. Use private IPs and manage access via AWS VPC and security groups.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let InstancesName of iterate(template.instances)){
set("ec2instance", InstancesName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-instances --region $region --output json --query 'Reservations[*].Instances[*].InstanceId'
extractors:
- type: json
name: instances
internal: true
json:
- '.[].[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-instances --region $region --instance-ids $ec2instance --query "Reservations[*].Instances[*].NetworkInterfaces[*].Association.IpOwnerId[] | []"
matchers:
- type: word
words:
- "amazon"
extractors:
- type: dsl
dsl:
- '"The Amazon Instance " + ec2instance + " uses public IP addresses"'
# digest: 4a0a00473045022100f1dcc6e7fab82b9688102b0f02fddc8c9930007bc885800ac26e4e5ea412ed670220667fdf2d67ebff9d4346a853856402dbd78197c727feae253e6629f53de0f957:922c64590222798bb761d5b6d8e72950
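Review bot: Matching `amazon` in `Association.IpOwnerId` only catches auto-assigned public IPv4 addresses; for an Elastic IP the owner id is the account id as far as I recall, so instances reachable through an EIP are not reported, which are often the long-lived ones. Querying the address itself, e.g. `--query 'Reservations[*].Instances[*].PublicIpAddress[]'` with a matcher that fires on a non-empty result, covers both cases. `severity: unknown` should also be set; the sibling templates use `medium` or `high`.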


@ -0,0 +1,57 @@
id: ec2-sg-egress-open
info:
name: Open Egress in EC2 Security Group
author: princechaddha
severity: high
description: |
Checks for unrestricted outbound/egress rules in Amazon EC2 security groups, highlighting potential over-permissive configurations.
impact: |
Allows unrestricted outbound traffic from EC2 instances, increasing the risk of data exfiltration and malicious external communications.
remediation: |
Restrict egress traffic in EC2 security groups to only necessary IP addresses and ranges, adhering to the Principle of Least Privilege.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#sg-rules
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let SecurityGroup of iterate(template.securitygroups)){
set("groupid", SecurityGroup)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroups
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --group-ids $groupid --query 'SecurityGroups[*].IpPermissionsEgress[]'
matchers:
- type: word
words:
- "0.0.0.0/0"
- "::/0"
extractors:
- type: dsl
dsl:
- '"Amazon EC2 security group(s) " + groupid + " allows unrestricted outbound traffic"'
# digest: 490a0046304402200e8c75db5d5e8809d4e97173605a8d845e49d80bd788de5a7ba6cefc77f9110202200e57d1342300e4858c189e8dd15e8084cbf17f2f75ab3f8fbe8134979f4a6bbe:922c64590222798bb761d5b6d8e72950
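Review bot: Every security group is created with a default egress rule allowing all traffic to `0.0.0.0/0` (and `::/0` for IPv6-enabled VPCs), so this check will flag nearly every group in the account at `high` severity; the description should state that the default rule is what is being detected so operators can triage the volume. As written the match also cannot distinguish an allow-all egress rule from a rule scoped to a single port and protocol that happens to target `0.0.0.0/0`, which are different risk levels; querying `IpPermissionsEgress[?IpProtocol=='-1']` would isolate the genuinely unrestricted case.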


@ -0,0 +1,57 @@
id: ec2-sg-ingress
info:
name: Unrestricted Access on Uncommon EC2 Ports
author: princechaddha
severity: high
description: |
Ensure Amazon EC2 security groups do not allow unrestricted access (0.0.0.0/0, ::/0) on uncommon ports, protecting against brute force attacks on EC2 instances.
impact: |
Unrestricted ingress on uncommon ports increases the risk of unauthorized access and potential brute force attacks on EC2 instances.
remediation: |
Restrict access to uncommon ports in EC2 security groups, permitting only necessary traffic and implementing stringent access controls.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let SecurityGroup of iterate(template.securitygroups)){
set("groupid", SecurityGroup)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroups
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --group-ids $groupid --query 'SecurityGroups[*].IpPermissions[]'
matchers:
- type: word
words:
- "0.0.0.0/0"
- "::/0"
extractors:
- type: dsl
dsl:
- '"Amazon EC2 security group(s) " + groupid + " allows unrestricted inbound traffic"'
# digest: 4b0a004830460221009b9e3e94679739de1a688c3b15bc4f592472272245df9bfbc675211eeaa6f45602210097597c2bae7f04a1d2440e25e37986679daa91e6e8fe277cb1fb99874d2e5fd0:922c64590222798bb761d5b6d8e72950
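Review bot: The name and description promise a check for uncommon ports, but nothing in either command restricts ports: step 1 filters only on `ip-permission.cidr='0.0.0.0/0'` and step 2 matches any `0.0.0.0/0` or `::/0` in `IpPermissions`, so every group already covered by the port-specific templates in this commit (80, 443, 53, 445, ...) is reported again. Either add a port exclusion, e.g. a `--query` that filters `FromPort` against the list of expected public ports, or rename the template to describe its real scope. Separately, the step 1 pre-filter is IPv4-only, so a group open solely via `::/0` never reaches step 2 even though `::/0` is among the matcher words.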


@ -0,0 +1,37 @@
id: ec2-unrestricted-cifs
info:
name: EC2 Unrestricted CIFS Access
author: princechaddha
severity: critical
description: |
Checks for inbound rules in Amazon EC2 security groups allowing unrestricted access (0.0.0.0/0 or ::/0) on TCP port 445, used for CIFS/SMB file sharing, posing a high security risk.
impact: |
Unrestricted CIFS access can expose EC2 instances to unwanted external access, increasing the risk of data breaches and unauthorized control over resources.
remediation: |
Restrict inbound access on TCP port 445 to known IPs or ranges. Regularly review security group configurations to ensure compliance with security policies.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=445 Name=ip-permission.to-port,Values=445 Name=ip-permission.cidr,Values='0.0.0.0/0' Name=ip-permission.ipv6-cidr,Values='::/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 445"'
# digest: 4a0a00473045022100d07b38ee532d1cb1f6cca8d1384049e416bf72bae10727fe3f0fdd70bddf65730220384a7997d216466edabd10fe2f011460f0ade329929e41bf322977aac2d21a43:922c64590222798bb761d5b6d8e72950
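Review bot: The `ip-permission.cidr` and `ip-permission.ipv6-cidr` filters in the describe-security-groups call are ANDed (distinct filter names combine with AND; only values within one filter are ORed), so only groups that have both a `0.0.0.0/0` and a `::/0` rule on port 445 are returned, and the common IPv4-only exposure is missed. Run the IPv4 and IPv6 lookups as separate commands as ec2-unrestricted-mongodb does, or drop the `ipv6-cidr` filter and document the IPv4-only scope. Note also that exact `from-port`/`to-port` filters do not match range rules that include 445 (an all-ports rule, for instance), which applies to every port-specific template in this commit. The message has the typo `alows`, repeated in ec2-unrestricted-dns, -ftp, -http, -https, -icmp, -memcached and -mongodb.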


@ -0,0 +1,37 @@
id: ec2-unrestricted-dns
info:
name: Unrestricted DNS Access in EC2
author: princechaddha
severity: critical
description: |
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted access (0.0.0.0/0 or ::/0) on TCP/UDP port 53, which can expose DNS servers to potential attacks.
impact: |
Allowing unrestricted access to DNS services can lead to DNS spoofing, DDoS attacks, and unauthorized access to internal networks.
remediation: |
Restrict the inbound rules for TCP/UDP port 53 in EC2 security groups to known, trusted IPs only. Ensure security group rules are tightly controlled and monitored.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=53 Name=ip-permission.to-port,Values=53 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 53"'
# digest: 490a0046304402207a2ebb618db4c24fc0d9e868b09e8689a7ccee1c419c1e446d549e2231bf20d202202c9b7cdcef58014affe10a86649a319995447be182a50a5910e13f4911bb9676:922c64590222798bb761d5b6d8e72950
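Review bot: The extractor message claims `(0.0.0.0/0 or ::/0)` but the filter only checks `ip-permission.cidr='0.0.0.0/0'`, so IPv6-open groups are never reported; the same mismatch is in ec2-unrestricted-ftp, -http, -https, -icmp and -memcached. Either add a second command with `Name=ip-permission.ipv6-cidr,Values='::/0'` as ec2-unrestricted-mongodb does, or change the message to say `0.0.0.0/0` only. The message also says `TCP port 53` while the description covers TCP/UDP; since the filter does not constrain protocol, `port 53` is the accurate wording.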


@ -0,0 +1,37 @@
id: ec2-unrestricted-ftp
info:
name: Restrict EC2 FTP Access
author: princechaddha
severity: critical
description: |
Ensure Amazon EC2 security groups disallow unrestricted inbound FTP access on TCP ports 20 and 21 to prevent brute force attacks.
impact: |
Unrestricted FTP access can expose EC2 instances to unauthorized access and brute force attacks, compromising security.
remediation: |
Restrict inbound access on TCP ports 20 and 21 for EC2 security groups to known IPs or remove the rules if FTP is not required.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=20,21 Name=ip-permission.to-port,Values=20,21 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 20 or 21"'
# digest: 4a0a0047304502205f388ef25cd4e10ea8b0ca947a8100c1b849e7503e01c6485d3d23c30e190d16022100a24ea5679098a9da74b661c8375a32c2e91cb9e9e82682ffdd981cc1b1c78e79:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-http
info:
name: Unrestricted HTTP on EC2
author: princechaddha
severity: critical
description: |
Checks for inbound rules in EC2 security groups allowing unrestricted access (0.0.0.0/0) to TCP port 80, increasing exposure to potential breaches.
impact: |
Unrestricted access to TCP port 80 can lead to unauthorized data exposure and increases the risk of security breaches.
remediation: |
Restrict inbound traffic on TCP port 80 to only necessary IP addresses, adhering to the principle of least privilege.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=80 Name=ip-permission.to-port,Values=80 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 80"'
# digest: 490a00463044022039ebe4ac309956dc8ff7776b17a3982b8cfeadd66b69889950778ef07fca54e3022046047a1017a92794e037d6ad1472d3365ca94835c8071764cad1e8996d99eae0:922c64590222798bb761d5b6d8e72950
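Review bot: `severity: critical` for a group that allows `0.0.0.0/0` on port 80 will flag every public web server and load balancer, and the same applies to ec2-unrestricted-https. Unlike the other port templates in this commit (SMB, Memcached, MongoDB), these ports are routinely intended to be public, so `low` or `info` with a description stating that this is an inventory of Internet-facing HTTP endpoints rather than a misconfiguration would be more accurate, and would keep the critical bucket meaningful for the genuinely dangerous exposures.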


@ -0,0 +1,37 @@
id: ec2-unrestricted-https
info:
name: Unrestricted HTTPs on EC2
author: princechaddha
severity: critical
description: |
Checks for inbound rules in EC2 security groups allowing unrestricted access (0.0.0.0/0) to TCP port 443, increasing exposure to potential breaches.
impact: |
Unrestricted access to TCP port 443 can lead to unauthorized data exposure and increases the risk of security breaches.
remediation: |
Restrict inbound traffic on TCP port 443 to only necessary IP addresses, adhering to the principle of least privilege.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=443 Name=ip-permission.to-port,Values=443 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 443"'
# digest: 4a0a00473045022011c3ec5cdc908912df52c3e254be0010bede95ce080cf0083b2080a5b08b3779022100d719db5872cfb0485e6384332bf6b256c00ce754226c59fd1f4a9ce5d7956750:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,38 @@
id: ec2-unrestricted-icmp
info:
name: Restrict EC2 ICMP Access
author: princechaddha
severity: critical
description: |
Checks for Amazon EC2 security groups with inbound rules allowing unrestricted ICMP access. Advises restricting ICMP to trusted IPs to uphold the Principle of Least Privilege and minimize the attack surface.
impact: |
Unrestricted ICMP can be used for network reconnaissance and Distributed Denial of Service (DDoS) attacks, posing a significant security risk.
remediation: |
Modify EC2 security group rules to limit ICMP access to necessary, trusted IP addresses/ranges only.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.protocol,Values=icmp Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted ICMP access (0.0.0.0/0 or ::/0)"'
# digest: 4a0a0047304502201c1e1628656627c21447c7abc8072f76f2a62c9d1e6cadb470ecb80db95258ce022100b4302e8fb947bc6c9bdcd1344ce69898da49781c66a9574bba9bd2eb7920ed35:922c64590222798bb761d5b6d8e72950
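Review bot: `Name=ip-permission.protocol,Values=icmp` does not match `icmpv6` rules or all-protocol (`-1`) rules, so IPv6 ping and allow-everything groups are not reported even though the message claims `::/0` coverage. Extend the filter to `Values=icmp,icmpv6` (values within a single filter are ORed) and consider a separate finding for protocol `-1`, which is a broader exposure than ICMP alone.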


@ -0,0 +1,37 @@
id: ec2-unrestricted-memcached
info:
name: Unrestricted Access to Memcached
author: princechaddha
severity: critical
description: |
Detects unrestricted inbound access to Memcached on Amazon EC2 instances, which can lead to cache poisoning, unauthorized access, and DDoS attacks.
impact: |
Unrestricted access increases the risk of cache poisoning, unauthorized data access, and potential DDoS attacks on the Memcached server.
remediation: |
Restrict inbound access to Memcached by updating EC2 security group rules to allow only trusted IPs to connect on TCP/UDP port 11211.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=11211 Name=ip-permission.to-port,Values=11211 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 11211"'
# digest: 490a0046304402202b6556d6f2df24efabf60ee89f51b5d4d241a0017dfc7b025c95824cdcc26e290220204a2254be4259786fc50401c47fbb35ad21e621c90cf829f74c56d8297ef644:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,39 @@
id: ec2-unrestricted-mongodb
info:
name: Unrestricted MongoDB Access in EC2
author: princechaddha
severity: critical
description: |
Identifies open access to MongoDB in AWS EC2 security groups, where inbound rules allow unrestricted access (0.0.0.0/0 or ::/0) to TCP port 27017. This poses a significant risk as it can lead to unauthorized access and potential data breaches.
impact: |
Allowing unrestricted access to MongoDB in EC2 can lead to unauthorized data access, data manipulation, or denial of service attacks, potentially resulting in critical data breaches and compliance violations.
remediation: |
Restrict MongoDB's TCP port 27017 access in EC2 security groups to only those IP addresses that require it, adhering to the principle of least privilege.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
- https://www.mongodb.com/docs/manual/security/
tags: cloud,devops,aws,amazon,ec2,mongodb,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=27017 Name=ip-permission.to-port,Values=27017 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=27017 Name=ip-permission.to-port,Values=27017 Name=ip-permission.ipv6-cidr,Values='::/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted mongodb access (0.0.0.0/0 or ::/0) on port 27017"'
# digest: 4b0a0048304602210083e0104b459e8885610b9980b58d725caea579be4660fb40a27750097b47336d022100bc5f067c97ab723d4b4282cfabbf3795e702259686d1d368963d120707913ee5:922c64590222798bb761d5b6d8e72950
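Review bot: The two `describe-security-groups` calls in `source:` print two separate JSON arrays back to back, and the `json` extractor applies `.[]` to that concatenated output; whether the extractor accepts a multi-document stream is not visible here, and if it expects a single document the `::/0` results from the second call are silently dropped. Merging the two is cheap, e.g. piping both commands through `jq -s 'add'` so a single array reaches the extractor. `region` is also fixed to `us-east-1` in `variables:`, so only that region is audited; that scope is worth stating in `description:`.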


@ -0,0 +1,37 @@
id: ec2-unrestricted-mssql
info:
name: Unrestricted Access to SQL on EC2
author: princechaddha
severity: high
description: |
Identifies open inbound access to Microsoft SQL Server on Amazon EC2 instances. Checks for security groups allowing unrestricted access (0.0.0.0/0 or ::/0) on TCP port 1433, increasing risks to SQL databases.
impact: |
Unrestricted access on port 1433 exposes Microsoft SQL Server instances to potential unauthorized access, data breaches, and other security vulnerabilities.
remediation: |
Restrict inbound traffic on TCP port 1433 to known, secure IP addresses. Regularly review and update security group rules to maintain minimal access requirements.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=1433 Name=ip-permission.to-port,Values=1433 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 1433"'
# digest: 4a0a0047304502207fea1bdfd1275fd4132e71cafa55258390fdaaa1ed649df3bbac41baa9abf1b2022100965299640f42e2ce5f12a3f624939a120518421a38e91ecbcdcdbae3066a6843:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-mysql
info:
name: Unrestricted MySQL Access on EC2
author: princechaddha
severity: critical
description: |
Identifies unrestricted inbound access to MySQL database servers on Amazon EC2 instances, specifically targeting TCP port 3306.
impact: |
Unrestricted access to MySQL can lead to unauthorized data access, data manipulation, or exploitation of the database server.
remediation: |
Restrict inbound access on TCP port 3306 to known, necessary IP addresses or ranges, and avoid using 0.0.0.0/0 or ::/0.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=3306 Name=ip-permission.to-port,Values=3306 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted mongodb access (0.0.0.0/0 or ::/0) on port 3306"'
# digest: 4a0a00473045022100ff19bb5e8c3dfe1f8e153bd309d866713f3e33c0b54882652f6489cc4bac292c02200d43740086e393886f7dbaca0a05947741687ed853c8e128a7b53bc2d926d995:922c64590222798bb761d5b6d8e72950
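Review bot: The finding text on the `dsl:` line reads `unrestricted mongodb access (0.0.0.0/0 or ::/0) on port 3306`, a leftover from the mongodb template; it should be `'securitygroup + " security group(s) allows unrestricted MySQL access (0.0.0.0/0 or ::/0) on TCP port 3306"'`. The trailing `# digest:` line presumably has to be regenerated once the template text changes.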


@ -0,0 +1,37 @@
id: ec2-unrestricted-netbios
info:
name: Unrestricted NetBIOS Access in EC2
author: princechaddha
severity: critical
description: |
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted access on TCP port 139 and UDP ports 137 and 138, increasing the risk of unauthorized access and potential security breaches.
impact: |
Unrestricted NetBIOS access can expose EC2 instances to network-based attacks, compromising data integrity and system availability.
remediation: |
Restrict access to TCP port 139 and UDP ports 137 and 138 in EC2 security groups. Implement strict access control based on the principle of least privilege.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=137,138,139 Name=ip-permission.to-port,Values=137,138,139 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on ports 137, 138 or 139"'
# digest: 4b0a00483046022100b04e63ff33e72a571e6fd0e696ab8a39a420f24de0a1d398686da93124a96e50022100bc0a89161a20972f692bba232833227053093823f47628cbb97ca0564c8d6c54:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-opensearch
info:
name: Unrestricted OpenSearch Access
author: princechaddha
severity: critical
description: |
Checks EC2 security groups for inbound rules allowing unrestricted access to OpenSearch on TCP port 9200. Restricts access to essential IP addresses only.
impact: |
Unrestricted access to OpenSearch can lead to unauthorized data access, modification, or denial of service attacks.
remediation: |
Modify EC2 security group rules to limit access to TCP port 9200 for OpenSearch, allowing only necessary IPs, implementing the principle of least privilege.
reference:
- https://en.wikipedia.org/wiki/OpenSearch
tags: cloud,devops,aws,amazon,opensearch,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=9200 Name=ip-permission.to-port,Values=9200 Name=ip-permission.cidr,Values='0.0.0.0/0 or ::/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 9200"'
# digest: 490a004630440220592b35acadc3d541d7bab687bb36ff879999897d4c57bee946714c37eef4c37a0220303632eb1d63cfd0d31301ed29423993181942dae0da7a842b80921b989b6b4c:922c64590222798bb761d5b6d8e72950
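Review bot: `Name=ip-permission.cidr,Values='0.0.0.0/0 or ::/0'` in `source:` passes the literal string `0.0.0.0/0 or ::/0` as the CIDR filter value, which no rule can match, so this template never produces a finding. Split it into `Values='0.0.0.0/0'` plus a second call with `Name=ip-permission.ipv6-cidr,Values='::/0'`, as the mongodb template in this commit does. The `reference:` entry points at a Wikipedia article rather than the AWS security-group documentation the sibling templates cite, and `tags:` lacks `ec2` unlike the rest of the set.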


@ -0,0 +1,37 @@
id: ec2-unrestricted-oracle
info:
name: Unrestricted Oracle DB Access
author: princechaddha
severity: critical
description: |
Identifies unrestricted inbound access to Oracle databases in Amazon EC2 instances, which increases the risk of unauthorized access and attacks.
impact: |
Allows potential unauthorized access to the Oracle database, leading to data leakage, data manipulation, or further exploitation.
remediation: |
Restrict inbound traffic on TCP port 1521 to known IPs or ranges and employ strict access controls.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=1521 Name=ip-permission.to-port,Values=1521 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 1521"'
# digest: 490a00463044022016b07bbcc6591afe7642ce52428085c7c2e5f2d923acb812a880bc658d607d5a022073f1dc85bb8b3e17f760ded2efa94b2aea4c14a6eb0fa135a1adb12bf604084a:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-pgsql
info:
name: Unrestricted PostgreSQL Access
author: princechaddha
severity: critical
description: |
Identifies unrestricted inbound access to PostgreSQL databases in Amazon EC2 security groups, which can expose databases to security risks.
impact: |
Unrestricted access on TCP port 5432 increases vulnerability to unauthorized access and potential data breaches.
remediation: |
Restrict inbound traffic to PostgreSQL servers by setting stringent rules in EC2 security groups, limiting access to specific IPs or ranges.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-rules
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=5432 Name=ip-permission.to-port,Values=5432 Name=ip-permission.cidr,Values='0.0.0.0/0' --query 'SecurityGroups[*].GroupId' --output json
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 5432"'
# digest: 4a0a004730450221009dc490795c723cfe321511e129d2e6ff3de628de4b81979843eae48bb1b3ba7502200ffde00d7cb8957a0b72aa8bd39b4adde0bbc0236d7b671dd8eade57d62b69bc:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-rdp
info:
name: Restrict EC2 RDP Access
author: princechaddha
severity: high
description: |
Check Amazon EC2 security groups for inbound rules that allow unrestricted RDP access and restrict access to trusted IPs.
impact: |
Unrestricted RDP access increases the risk of unauthorized access and potential breaches.
remediation: |
Modify the EC2 security group rules to limit RDP access (TCP 3389) to known, trusted IP addresses or ranges.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=3389 Name=ip-permission.to-port,Values=3389 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 3389"'
# digest: 4a0a00473045022002ecd5ab647c14882b81b474962bb00f2efc2099d867125b8deb662e1c7a8e70022100877b207077fd1c5a89c0529f98c757af212d85b0d086a8ef00052ebc9005f0a6:922c64590222798bb761d5b6d8e72950
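Review bot: `name: Restrict EC2 RDP Access` reads as a remediation instruction rather than a finding, unlike the sibling templates (`Unrestricted SSH Access in EC2`, `Unrestricted Redis Access`, …); `Unrestricted RDP Access in EC2` keeps the naming consistent, and the same applies to the telnet template's `Restrict EC2 Telnet Access`. `description:` likewise ends with `and restrict access to trusted IPs`, which belongs under `remediation:` where it is already stated.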


@ -0,0 +1,37 @@
id: ec2-unrestricted-redis
info:
name: Unrestricted Redis Access
author: princechaddha
severity: critical
description: |
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted access to Redis cache server instances on TCP port 6379.
impact: |
Unrestricted access can expose Redis instances to unauthorized access and potential security breaches.
remediation: |
Restrict inbound access to Redis instances by updating EC2 security group rules to allow only specific, trusted IP addresses.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=6379 Name=ip-permission.to-port,Values=6379 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 6379"'
# digest: 4b0a00483046022100a19a6281bbac4a97ec0b09a1eaa1f789d3eb364bb152c2110e8aacaba4da4895022100c385619aae77905775c394990ef99a35e78f11941d2cb7579db73b2f6a4ef013:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-smtp
info:
name: Unrestricted SMTP Access in EC2
author: princechaddha
severity: critical
description: |
Identifies unrestricted inbound access on TCP port 25 for EC2 security groups, which increases the risk of SMTP-related attacks.
impact: |
Allowing unrestricted SMTP access can lead to spamming, mail relay abuse, and potentially compromise mail servers.
remediation: |
Restrict TCP port 25 access to known, necessary IP addresses only. Avoid using 0.0.0.0/0 or ::/0 in security group rules.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=25 Name=ip-permission.to-port,Values=25 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 25"'
# digest: 490a0046304402207f49f7b3e8b59a10d998936b7fa721458e3659599ca2f4f284aedc250af454e902206668d8d3207fa24654b24c96d1df3b590be443aa8f26d5ed0e2a6e7bef4919a2:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-ssh
info:
name: Unrestricted SSH Access in EC2
author: princechaddha
severity: high
description: |
Checks for inbound rules in Amazon EC2 security groups that allow unrestricted SSH access (0.0.0.0/0 or ::/0) on TCP port 22, indicating a security risk by exposing the SSH server to the internet.
impact: |
Unrestricted SSH access increases the risk of unauthorized access and potential brute force attacks against the SSH server, compromising the security of the EC2 instances.
remediation: |
Restrict SSH access in EC2 security groups to trusted IP addresses or ranges, adhering to the Principle of Least Privilege (POLP) and mitigating the risk of unauthorized access.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=22 Name=ip-permission.to-port,Values=22 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 22"'
# digest: 4a0a0047304502205ba8e3a283bd695b4f0267dab41892b97e7ea38371e15259616ac64c78fe117c0221008ab0347e4be89942208e1bf266891d41678a76a3ec0ce920f060d80429539688:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,37 @@
id: ec2-unrestricted-telnet
info:
name: Restrict EC2 Telnet Access
author: princechaddha
severity: critical
description: |
Checks for unrestricted inbound Telnet access (TCP port 23) in Amazon EC2 security groups, highlighting potential security risks.
impact: |
Unrestricted Telnet access can expose EC2 instances to unauthorized access and potential security breaches.
remediation: |
Restrict inbound Telnet access by updating EC2 security group rules to allow only trusted IP ranges or disabling Telnet if not required.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-security-groups --region $region --filters Name=ip-permission.from-port,Values=23 Name=ip-permission.to-port,Values=23 Name=ip-permission.cidr,Values='0.0.0.0/0' --output json --query 'SecurityGroups[*].GroupId'
extractors:
- type: json
name: securitygroup
internal: true
json:
- '.[]'
- type: dsl
dsl:
- 'securitygroup + " security group(s) alows unrestricted access (0.0.0.0/0 or ::/0) on TCP port 23"'
# digest: 4a0a004730450221009249024faa045e4c4a777389a760b53b294ea9285a93048a108e694ffdb7401302201be48e1ed82fb8dc69023ae0a15c891a5592f4c00d1c979e07e084456aed7bc6:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: publicly-shared-ami
info:
name: Publicly Shared AMI
author: princechaddha
severity: medium
description: |
Checks if Amazon Machine Images (AMIs) are publicly shared, potentially exposing sensitive data.
impact: |
Public sharing of AMIs can lead to unauthorized access and compromise of sensitive information contained within these images.
remediation: |
Restrict AMI sharing to specific, trusted AWS accounts and ensure they are not publicly accessible.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
tags: cloud,devops,aws,amazon,ami,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let AmiName of iterate(template.amis)){
set("ami", AmiName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-images --region $region --owners self --output json --query 'Images[*].ImageId' --output json
extractors:
- type: json
name: amis
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-images --region $region --image-ids $ami --owners self --query 'Images[*].Public'
matchers:
- type: word
words:
- "true"
extractors:
- type: dsl
dsl:
- 'ami + " AMI is publically shared"'
# digest: 4a0a004730450220193e6725ccb97bbd7071e4dad36601e0e8625dd4901a653eacf3141faf6e8a82022100d7d61c14183f4a6563ac749634aa9af5e01332d52583cba6e703cf4958bbe63f:922c64590222798bb761d5b6d8e72950
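Review bot: `--output json` is passed twice in the first `source:` command while the second command, whose `Images[*].Public` result is matched by the word `true`, has none; with a profile whose default output is `text` or `table` the first call still works but the second prints something other than a JSON `true` (likely `True`), and the matcher fails silently. Drop the duplicate and add `--output json` to the second call; the same missing flag affects the second command of unencrypted-aws-ami and every `aws iam`/`aws accessanalyzer`/`aws rds` command in this commit that feeds a `json` extractor or a word matcher (iam-access-analyzer, iam-full-admin-privileges, iam-key-rotation-90days, iam-mfa-enable, iam-ssh-keys-rotation, iam-unapproved-policy, iam-user-password-change, aurora-copy-tags-snap). The finding text also misspells `publically`: `'ami + " AMI is publicly shared"'`.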


@ -0,0 +1,56 @@
id: unencrypted-aws-ami
info:
name: Unencrypted AWS AMI
author: princechaddha
severity: high
description: |
Ensure Amazon Machine Images (AMIs) are encrypted to meet data-at-rest encryption compliance and protect sensitive data.
impact: |
Unencrypted AMIs can expose sensitive data to unauthorized access, risking data breaches and non-compliance with data protection regulations.
remediation: |
Encrypt your AMIs using AWS managed keys or customer-managed keys in the AWS Key Management Service (KMS) to ensure data security.
reference:
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html
tags: cloud,devops,aws,amazon,ec2,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let AmiName of iterate(template.amis)){
set("ami", AmiName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-images --region $region --owners self --output json --query 'Images[*].ImageId'
extractors:
- type: json
name: amis
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-images --region $region --image-ids $ami --query 'Images[*].BlockDeviceMappings[*].Ebs.Encrypted[]'
matchers:
- type: word
words:
- "false"
extractors:
- type: dsl
dsl:
- 'ami + " AMI is not encrypted"'
# digest: 4a0a00473045022100a7b00e475c508994eab83d044d65086d511d0dcdde83abed644133c35775d4a402203ff217b94895c174e5d6036a27c3cedba4e74cc0b2a4fb957b71390c2d7454eb:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,29 @@
id: iam-access-analyzer
info:
name: IAM Access Analyzer is not Used
author: princechaddha
severity: medium
description: |
Checks if Amazon IAM Access Analyzer is active for identifying unsolicited access risks in AWS resources
reference:
- https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/list-analyzers.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws accessanalyzer list-analyzers --query 'analyzers[*].arn'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"IAM Access Analyzer is not Used in your AWS account"'
# digest: 4a0a00473045022030390836bad5e6468e11d2dbf56d7f809db536831d633867e2d605ec841e8b9d022100ea2e18d9be8f713b472d94507e0df31148e1a1403df2ba103fbf8dacee76173d:922c64590222798bb761d5b6d8e72950
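Review bot: `aws accessanalyzer list-analyzers` is a regional call and no `--region` is passed, so the result reflects only the CLI's default region: an analyzer elsewhere does not prevent the finding, and an analyzer in the default region hides a missing one in other regions. Either add a `variables:` block with `region` and pass `--region $region` as the EC2 templates do, or state the single-region scope in `description:`. The `words: - "[]"` match also depends on JSON output format, so add `--output json`.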


@ -0,0 +1,30 @@
id: iam-expired-ssl
info:
name: Remove Expired SSL/TLS Certificates in AWS IAM
author: princechaddha
severity: high
description: |
Checks for expired SSL/TLS certificates from AWS IAM
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-server-certificates.html
tags: cloud,devops,aws,amazon,iam,ssl,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam list-server-certificates | jq -r '.ServerCertificateMetadataList[] | select(.Expiration | fromdateiso8601 < now) | .ServerCertificateName'
extractors:
- type: regex
name: certificate
internal: true
regex:
- '\b[a-zA-Z0-9]+\b'
- type: dsl
dsl:
- 'certificate + " Certificate is expired in your AWS account"'
# digest: 490a0046304402203c1c60995a3652d60b90c6b18c6aa5e9239fa9cc964b9ccd50e5e1660af1ab29022055d501dd4c86142b75633db268ceb4a226c09b9e1e69b04c8cc7278b5f4fdf48:922c64590222798bb761d5b6d8e72950
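Review bot: The `regex` extractor `\b[a-zA-Z0-9]+\b` splits any certificate name containing `-`, `_`, `.`, `@`, `=`, `,` or `+` (all legal in `ServerCertificateName`) into several fragments, each reported as a separate expired certificate; since `jq -r` already prints one name per line, `^.+$` (or `^[\w+=,.@-]+$`) is the right pattern, and the same extractor is reused in ssl-cert-renewal. `.Expiration | fromdateiso8601` also assumes a `Z`-suffixed timestamp, whereas iam-key-rotation-90days strips a `+00:00` offset with `[:-6]` before parsing; the two cannot both be right for the same CLI version, so the timestamp format should be verified and handled the same way here, in iam-ssh-keys-rotation and in ssl-cert-renewal. `jq` is an undeclared runtime dependency for all of these templates.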


@ -0,0 +1,52 @@
id: iam-full-admin-privileges
info:
name: Overly Permissive IAM Policies
author: princechaddha
severity: high
description: |
Verifies that no Amazon IAM policies grant full administrative privileges, ensuring adherence to the Principle of Least Privilege
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy-version.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
flow: |
code(1)
for(let PolicyName of iterate(template.policies)){
set("policy", PolicyName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam list-policies --scope Local --query 'Policies[*].Arn'
extractors:
- type: json # type of the extractor
internal: true
name: policies
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws iam get-policy-version --policy-arn $policy --version-id v1 --query 'PolicyVersion.Document'
matchers:
- type: word
words:
- '"Effect": "Allow"'
- '"Action": "*"'
- '"Resource": "*"'
condition: and
extractors:
- type: dsl
dsl:
- '"The IAM policy " + policy +" is Overly Permissive"'
# digest: 4a0a0047304502203eeeb24dbf1cfd3f41550e0c0b66bfb9ba23ea9912139aa2385e48b3a668d336022100dcb4c90fbb816ab247ea9d506497b900640b3d052bb2ce2b2f8b9a9e7fe58d9e:922c64590222798bb761d5b6d8e72950
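Review bot: `aws iam get-policy-version --version-id v1` inspects version 1 of every policy, but the active document is the policy's `DefaultVersionId`, which moves to `v2`, `v3`, … as the policy is edited; a policy tightened after creation is still flagged and one widened later is missed. Capture `DefaultVersionId` alongside `Arn` in the first step (or call `aws iam get-policy` per ARN and read `Policy.DefaultVersionId`) and pass that version id. The word matcher also only recognises the scalar forms `"Action": "*"` and `"Resource": "*"`; the equivalent list forms (`["*"]`) and service-wide wildcards such as `iam:*` pass undetected, so evaluating the document with `jq` would be more reliable. The `# type of the extractor` comments on the extractor lines here and in the other IAM templates restate the key and can go.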


@ -0,0 +1,50 @@
id: iam-key-rotation-90days
info:
name: IAM Access Key Rotation - 90-Day Policy
author: princechaddha
severity: high
description: |
Checks if IAM user access keys are rotated every 90 days to minimize accidental exposures and unauthorized access risks
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-access-keys.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
flow: |
code(1)
for(let UserName of iterate(template.users)){
set("user", UserName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam list-users --query 'Users[*].UserName'
extractors:
- type: json # type of the extractor
internal: true
name: users
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws iam list-access-keys --user-name $user | jq -r '.AccessKeyMetadata[] | select((.CreateDate[:-6] | strptime("%Y-%m-%dT%H:%M:%S") | mktime) < (now - (90 * 86400))) | .AccessKeyId'
extractors:
- type: regex # type of the extractor
name: accesskey
internal: true
regex:
- '^AK.*'
- type: dsl
dsl:
- '"The IAM Key " + accesskey +" is older than 90 days"'
# digest: 4a0a00473045022100d15b76ce838fa09da565afb9414204e3a5bc5487d1cca1ea4fb3560c339ac6f60220291edc1503af6dfa14709487d50d0eff776aafaaf1d07580cc1199ea21fb48ed:922c64590222798bb761d5b6d8e72950
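Review bot: `list-access-keys` returns both `Active` and `Inactive` keys and the jq filter never looks at `.Status`, so a deactivated key older than 90 days is reported with the same severity as a live one; add `select(.Status == "Active")` or include the status in the finding text. The `.CreateDate[:-6]` slice assumes a fixed-width `+00:00` offset; if the CLI prints `Z`-suffixed timestamps the `strptime` fails and every user silently produces no finding, so the assumed format deserves a comment and a check against the CLI version in use.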


@ -0,0 +1,49 @@
id: iam-mfa-enable
info:
name: MFA not enabled for AWS IAM Console User
author: princechaddha
severity: high
description: |
Verifies that Multi-Factor Authentication (MFA) is enabled for all IAM users with console access in AWS
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-mfa-devices.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
flow: |
code(1)
for(let UserName of iterate(template.users)){
set("user", UserName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam list-users --query 'Users[*].UserName'
extractors:
- type: json # type of the extractor
internal: true
name: users
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws iam list-mfa-devices --user-name $user --query 'MFADevices'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"MFA is no enabled for IAM User " + user'
# digest: 4a0a00473045022100f326cf9a9fdd5f737d1126dd4938a233059a58f816e7e75a9a0bbab2f9a5d8230220219f4277870b52c124be28db9d8adfe6b88d2ea8b1570756a3f7772384887eff:922c64590222798bb761d5b6d8e72950
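Review bot: The name refers to console users, but `aws iam list-users` returns every IAM user including API-only users with no login profile, so access-key-only users are reported as missing MFA for a console they cannot use. Restrict the loop to users for whom `aws iam get-login-profile --user-name $user` succeeds, or rename the finding to cover all users. The finding text also has a typo: `'"MFA is not enabled for IAM User " + user'`.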


@ -0,0 +1,29 @@
id: iam-password-policy
info:
name: IAM Password Policy Not Configured
author: princechaddha
severity: medium
description: |
Verifies that Amazon IAM users adhere to a strong password policy, including requirements for minimum length, expiration, and pattern
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam get-account-password-policy
matchers:
- type: word
words:
- "NoSuchEntity"
extractors:
- type: dsl
dsl:
- '"AWS cloud account is not configured with a custom IAM password policy"'
# digest: 490a00463044022055c5e7c44c862bac281cda22b1f74de43c5c590680abbfdef4c7814f844af67702205eb87929fe29247fa90db958e8c56b23e62472b680ae98f265da4a2e57d53f95:922c64590222798bb761d5b6d8e72950
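Review bot: `description:` promises checks on minimum length, expiration and pattern, but the template only tests whether `get-account-password-policy` returns `NoSuchEntity`, i.e. whether any custom policy exists at all; a weak custom policy passes. Either narrow the description to `Checks whether a custom IAM account password policy is configured` or add `--query` checks on `MinimumPasswordLength`, `MaxPasswordAge` and the `Require*` fields.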


@ -0,0 +1,29 @@
id: iam-root-mfa
info:
name: MFA not enabled on AWS Root Account
author: princechaddha
severity: high
description: |
Checks if Multi-Factor Authentication (MFA) is enabled for the AWS root account
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-summary.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam get-account-summary | jq -r '.SummaryMap.AccountMFAEnabled'
matchers:
- type: word
words:
- "0"
extractors:
- type: dsl
dsl:
- '"MFA is not enabled on your AWS Root account"'
# digest: 4b0a00483046022100add350e50addd6d7c475c7ab805a9869384178065cc1aef7e96777448765fa2e022100cd5ae007e6406f2f721bc5d308de70f92456f2d0280b778690b85a80cd2fdb23:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,50 @@
id: iam-ssh-keys-rotation
info:
name: SSH Key Rotation - 90-Day Policy
author: princechaddha
severity: high
description: |
Verifies that IAM SSH public keys are rotated every 90 days, enhancing security and preventing unauthorized access to AWS CodeCommit repositories
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/list-ssh-public-keys.html
tags: cloud,devops,aws,amazon,iam,ssh,aws-cloud-config
flow: |
code(1)
for(let UserName of iterate(template.users)){
set("user", UserName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam list-users --query 'Users[*].UserName'
extractors:
- type: json # type of the extractor
internal: true
name: users
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws iam list-ssh-public-keys --user-name $user | jq -r '.SSHPublicKeys[] | select(.UploadDate | fromdateiso8601 < (now - (90 * 86400))) | .SSHPublicKeyId'
extractors:
- type: regex # type of the extractor
name: accesskey
internal: true
regex:
- '^AP.*'
- type: dsl
dsl:
- '"The SSH Public Key " + accesskey +" is older than 90 days"'
# digest: 490a00463044022017e707c66f9a058bd875e7a516d99585a1be526405545647011958874bd784a702201259fdf89b05b2fa171d789e014fe98d7949010ff420be02f0ef7183565544ef:922c64590222798bb761d5b6d8e72950
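Review bot: The internal extractor is named `accesskey` although it captures `SSHPublicKeyId` values matched by `^AP.*`, a leftover from iam-key-rotation-90days; naming it `sshkey` in both the `name:` field and the `dsl:` expression reads correctly. `.UploadDate | fromdateiso8601` shares the timestamp-format assumption discussed on iam-expired-ssl.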


@ -0,0 +1,38 @@
id: iam-unapproved-policy
info:
name: Unapproved IAM Policy Attachments
author: princechaddha
severity: high
description: |
Checks for the attachment of unapproved Amazon IAM managed policies to IAM roles, users, or groups, ensuring compliance with organizational access policies
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html
tags: cloud,devops,aws,amazon,iam,ssl,tls,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/AmazonRDSFullAccess --query 'Policy.{"AttachmentCount": AttachmentCount}'
matchers-condition: and
matchers:
- type: word
part: body
words:
- "AttachmentCount"
- type: word
part: body
words:
- '"AttachmentCount": 0'
negative: true
extractors:
- type: dsl
dsl:
- '"Unapproved IAM policy is used within your AWS cloud account"'
# digest: 4a0a00473045022100cf22f4542262ded32bcf64050e268d3b514e907385f8c67a8a4f888302bb48b202206b2ee99707ba578560bc83ad3ceeae5e3981288199d898d27d0090f34f6af408:922c64590222798bb761d5b6d8e72950
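Review bot: The template hard-codes a single managed policy, `arn:aws:iam::aws:policy/AmazonRDSFullAccess`, while `name:`/`description:` describe a general unapproved-policy check and the finding text does not name the policy, so a reader of the result cannot tell what was found. Move the ARN into a `variables:` entry (or iterate a list as iam-full-admin-privileges does) and include it in the output, e.g. `'"Unapproved IAM policy " + policy + " is attached within your AWS cloud account"'`; at minimum name `AmazonRDSFullAccess` in `description:`. `tags:` also carries `ssl,tls`, which have nothing to do with this check.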


@ -0,0 +1,29 @@
id: iam-user-password-change
info:
name: Enable Self-Service Password Change for IAM Users
author: princechaddha
severity: high
description: |
Verifies that all Amazon IAM users have permissions to change their own console passwords, allowing access to 'iam:ChangePassword' for their accounts and 'iam:GetAccountPasswordPolicy' action.
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
tags: cloud,devops,aws,amazon,iam,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam get-account-password-policy --query 'PasswordPolicy.AllowUsersToChangePassword'
matchers:
- type: word
words:
- "true"
extractors:
- type: dsl
dsl:
- '"AllowUsersToChangePassword Policy is not enabled in your AWS account"'
# digest: 4b0a00483046022100b046545d3c72c54dee9c4051661d61c8241cbce1fb0f655fa4bb1e8461b3f295022100a7bb33ba3ddff07e68db9bd748802715215b8d62be69ab27fab22c5e539cbb28:922c64590222798bb761d5b6d8e72950
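Review bot: The matcher fires on the word `true` in the output of `--query 'PasswordPolicy.AllowUsersToChangePassword'`, i.e. when self-service password change IS allowed, yet the finding text reports that it is not enabled — the logic is inverted, so every compliant account is flagged and non-compliant ones stay silent. Match on `false` instead (`words: - "false"`). An account with no custom password policy returns a `NoSuchEntity` error rather than `false`, which that matcher would still miss, so either match that too or document that iam-password-policy covers the missing-policy case.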


@ -0,0 +1,30 @@
id: ssl-cert-renewal
info:
name: SSL/TLS Certificates in AWS IAM about to expire in 30 days
author: princechaddha
severity: medium
description: |
Checks if SSL/TLS certificates in AWS IAM are set for renewal 30 days before expiration.
reference:
- https://docs.aws.amazon.com/cli/latest/reference/iam/get-account-password-policy.html
tags: cloud,devops,aws,amazon,iam,ssl,tls,aws-cloud-config
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws iam list-server-certificates | jq -r '.ServerCertificateMetadataList[] | select(.Expiration | fromdateiso8601 - now < (30 * 86400)) | .ServerCertificateName'
extractors:
- type: regex
name: certificate
internal: true
regex:
- '\b[a-zA-Z0-9]+\b'
- type: dsl
dsl:
- 'certificate + " Certificate is about to expire in 30 days"'
# digest: 4a0a00473045022100a517288f527ffb0f08d1f6803d7d738d8c9ed2a34f35e32b824cabbe7f3fa41b022028ebdfe7453cc66f3f511e46c5ffbda6db8dc43551271a101edb11021fad7fd3:922c64590222798bb761d5b6d8e72950
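Review bot: `reference:` links to the `get-account-password-policy` page, which is unrelated; it should point to the `list-server-certificates` page cited by iam-expired-ssl. The jq condition `fromdateiso8601 - now < (30 * 86400)` is also true for certificates that already expired (negative difference), so everything iam-expired-ssl reports is reported again here as "about to expire"; add a lower bound, e.g. `select((.Expiration | fromdateiso8601) - now | . > 0 and . < (30 * 86400))`. The `\b[a-zA-Z0-9]+\b` extractor has the same name-splitting problem noted on iam-expired-ssl.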


@ -0,0 +1,56 @@
id: aurora-copy-tags-snap
info:
name: Aurora Snapshot Tag Copy
author: princechaddha
severity: high
description: |
Ensures Amazon Aurora clusters have Copy Tags to Snapshots feature enabled to automatically copy tags from clusters to snapshots.
impact: |
Without this, tags identifying ownership, purpose, or other critical information aren't propagated to snapshots, complicating management and compliance.
remediation: |
Enable Copy Tags to Snapshots for Aurora clusters via the AWS Management Console or modify the DB cluster to include this feature using AWS CLI.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html
tags: cloud,devops,aws,amazon,aurora,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let clustername of iterate(template.clusters)){
set("cluster", clustername)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'
extractors:
- type: json
name: clusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --db-cluster-identifier $cluster --query 'DBClusters[*].CopyTagsToSnapshot'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"Copy Tags To Snapshot is not enable for cluster " + cluster'
# digest: 490a00463044022017828b27f24bd205df0e6c14c80b4cae52d2f6366dde8c60cc58302d7ca9c8ba022062233631583c3e674bb1daebdb9375c3501900fb1ba9ed7a06d972f8b7265b85:922c64590222798bb761d5b6d8e72950
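Review bot: The reported message on the last DSL line reads `is not enable for cluster`; it should read `'"Copy Tags To Snapshot is not enabled for cluster " + cluster'`. Everything else in the hunk is consistent with the sibling Aurora template in this commit.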


@ -0,0 +1,56 @@
id: aurora-delete-protect
info:
name: Aurora Cluster Deletion Protection
author: princechaddha
severity: medium
description: |
Ensure Amazon Aurora clusters have Deletion Protection enabled to prevent accidental data loss.
impact: |
Without Deletion Protection, Aurora clusters can be accidentally deleted, leading to irreversible data loss.
remediation: |
Enable Deletion Protection by modifying the Aurora cluster settings in the AWS Management Console or via the AWS CLI.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/DBInstanceDeletionProtection.html
tags: cloud,devops,aws,amazon,aurora,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let clustername of iterate(template.clusters)){
set("cluster", clustername)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --output json --query 'DBClusters[?Engine==`aurora-mysql` || Engine==`aurora-postgresql`].DBClusterIdentifier | []'
extractors:
- type: json
name: clusters
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-clusters --region $region --db-cluster-identifier $cluster--query 'DBClusters[*].DeletionProtection'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"Deletion Protection safety feature is not enabled for " + cluster'
# digest: 4b0a00483046022100c1c1ed75c7401266f13e1fc388a357df843c7994ab44ae8f501b14842ab7ec24022100b6c077b49006fb9ca13885abddf6be9c787d64eb415a13972e5fa3ea637792f3:922c64590222798bb761d5b6d8e72950
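Review bot: The second code block is missing a space before `--query`: `$cluster--query` expands to the cluster identifier with `--query` glued onto it, so the CLI receives a malformed identifier plus a stray positional argument and `DeletionProtection` is never evaluated. The line should read `aws rds describe-db-clusters --region $region --db-cluster-identifier $cluster --query 'DBClusters[*].DeletionProtection'`. Since the template is signed, the `# digest` line will need regenerating after the fix.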


@ -0,0 +1,56 @@
id: iam-db-auth
info:
name: IAM Database Authentication
author: princechaddha
severity: medium
description: |
Ensure IAM Database Authentication is enabled for RDS instances, allowing IAM service to manage database access, thereby removing the need to store user credentials within database configurations.
impact: |
Without IAM Database Authentication, database credentials need to be managed internally, increasing the risk of credential leakage and unauthorized access.
remediation: |
Enable IAM Database Authentication for MySQL and PostgreSQL RDS database instances to leverage IAM for secure, token-based access control.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[?Engine==`mysql` || Engine==`postgres`].DBInstanceIdentifier | []'
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].IAMDatabaseAuthenticationEnabled'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"Database Authentication feature is not enabled for RDS database instance " + db'
# digest: 4a0a00473045022100de421600413f2bb3306a9173334cd465c628dd5a198cec9ebe3bf5a373b4479602200bd9a29ac4bc3efe52763411a53243855f599f703baa22c7292da16898754f12:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: rds-backup-enable
info:
name: RDS Automated Backup Check
author: princechaddha
severity: high
description: |
Ensure that your Amazon RDS database instances have automated backups enabled for point-in-time recovery.
impact: |
Lack of automated backups can lead to data loss in case of accidental deletion or database corruption.
remediation: |
Enable automated backups for RDS instances by setting the backup retention period to a value other than 0.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].BackupRetentionPeriod'
matchers:
- type: word
words:
- '0'
extractors:
- type: dsl
dsl:
- '"Automated backups are not enabled for " + db + " RDS database instance"'
# digest: 490a0046304402202cafc27efb26d112eaeeda54182636abc27e1c7d4c685250eee139e6016ad0e00220696ff967f5e74543e24b1f563a48870e20c7a651ebf098221cb3aa53d92d0a4a:922c64590222798bb761d5b6d8e72950
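Review bot: The word matcher `'0'` is a substring match against the JSON array the CLI prints, so a `BackupRetentionPeriod` of 10, 20 or 30 days is also reported as having backups disabled. Use a regex matcher with a word boundary instead: `- type: regex` / `regex:` / `- '\b0\b'`.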


@ -0,0 +1,57 @@
id: rds-deletion-protection
info:
name: RDS Deletion Protection
author: princechaddha
severity: high
description: |
Ensure Amazon RDS instances have Deletion Protection enabled to prevent accidental deletions.
impact: |
Without Deletion Protection, RDS instances can be inadvertently deleted, leading to potential data loss and service disruption.
remediation: |
Enable Deletion Protection for all Amazon RDS instances via the AWS Management Console or using the AWS CLI.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_DeleteInstance.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].DeletionProtection' --output json
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"RDS Deletion protection feature is not enabled for RDS database instance " + db'
# digest: 4b0a00483046022100914032dbc9479e0c23f03d553ff358b24dbb159d2b0e39591c929e1b7392f357022100dd0d109579a0dba307e0e203996af0754cc7d40cf1ef7adb218b01cba7fae2a0:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: rds-encryption-check
info:
name: RDS Instance Encryption
author: princechaddha
severity: high
description: |
Ensure that your Amazon RDS database instances are encrypted to fulfill compliance requirements for data-at-rest encryption.
impact: |
Non-encrypted RDS instances may lead to data breaches, failing to comply with data protection regulations, which could result in hefty fines and loss of reputation.
remediation: |
Enable encryption for your Amazon RDS instances by modifying the instance and setting the "Storage Encrypted" option to true. For new instances, enable encryption within the launch wizard.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].{"StorageEncrypted":StorageEncrypted,"KmsKeyId":KmsKeyId}'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"The encryption of data at rest is not enabled for " + db + " RDS database instance"'
# digest: 4a0a00473045022057333f0cba59e048aec18908bd8cbda6a4ab5398581190a3602a82d1f7f63f140221008c6002f40daa4eef203c0be542377e675dd0b28d3595fa4664449f30f13f325d:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,36 @@
id: rds-event-notify
info:
name: RDS Event Notification Absence
author: princechaddha
severity: medium
description: |
Checks for the activation of event notifications for Amazon RDS instances to monitor significant database events.
impact: |
Without event notifications, there's a risk of missing critical database events, impacting operational awareness and incident response.
remediation: |
Enable event notifications in Amazon RDS by creating an event subscription with Amazon SNS to receive notifications.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-event-subscriptions --region $region --query 'EventSubscriptionsList'
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- '"No event notifications for RDS resources in " + region + " AWS region"'
# digest: 4a0a0047304502203da20f61e273f1598025e8b5fc491882b2b9b93d743bf7be37209af3351653b0022100b109b8c9e591621fe1c087381073e5d49cad3d424fa9a3491609c28d4bb8cbdf:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,36 @@
id: rds-event-sub-enable
info:
name: RDS Event Subscription Not Enabled
author: princechaddha
severity: high
description: |
Ensures Amazon RDS event notifications are enabled for database instance level events, allowing for real-time alerts on operational changes.
impact: |
Lack of event notifications may delay the response to critical RDS operational events, affecting database availability and performance.
remediation: |
Enable RDS event notification subscriptions for relevant database instance level events through the AWS Management Console or AWS CLI.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-event-subscriptions --region $region --query "EventSubscriptionsList[?SourceType == 'db-instance'].CustSubscriptionId"
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- '"There are no Amazon RDS event subscriptions created for instance level events in " + region + " AWS region"'
# digest: 4a0a00473045022046dbc7d74b95e340ebc6d0bc27c308f378cea938470e758605822ac111ed6843022100ba1ee6fdbb6940216c57cbd8666cb56a4645ad5f8138bd63b649fb85abf80b5f:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,36 @@
id: rds-event-sub
info:
name: RDS Security Group Event Notifications
author: princechaddha
severity: high
description: |
Ensure RDS event notification subscriptions are active for database security group events to monitor and react to changes in security configurations.
impact: |
Without notifications for security group events, unauthorized changes may go unnoticed, potentially leading to security breaches or data exposure.
remediation: |
Enable Amazon RDS event notification subscriptions for relevant database security group events through the AWS Management Console or AWS CLI.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-event-subscriptions --region $region --query "EventSubscriptionsList[?SourceType == 'db-security-group'].CustSubscriptionId"
matchers:
- type: word
words:
- '[]'
extractors:
- type: dsl
dsl:
- '"There are no Amazon RDS event subscriptions created for database security groups available in " + region + " AWS region."'
# digest: 4a0a00473045022100d0e7c297ffbf01f4d58eb375f52c497c11d13d84ee6bef8ed036f4a106d379c202206dc81dfc93a492e7f043e3f0e9ca706ce541e875fcf1cec0345a2082cb41fdb6:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,56 @@
id: rds-gp-ssd-usage
info:
name: RDS General Purpose SSD Usage
author: princechaddha
severity: high
description: |
Ensure Amazon RDS instances use General Purpose SSDs for cost-effective storage suitable for a wide range of workloads, except for applications needing over 10000 IOPS or 160 MiB/s throughput.
impact: |
Using Provisioned IOPS SSDs when not required can significantly increase AWS costs without providing necessary performance benefits.
remediation: |
Convert RDS instances from Provisioned IOPS to General Purpose SSDs to optimize costs without sacrificing I/O performance for most database workloads.
reference:
- https://aws.amazon.com/rds/features/storage/
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].StorageType'
matchers:
- type: word
words:
- 'io1'
extractors:
- type: dsl
dsl:
- 'db + " RDS instance uses Provisioned IOPS SSD, not the most cost-effective storage"'
# digest: 4a0a00473045022002f5c7fdd4d9d80a6820cfc1f222bfed3a1d9ad2e9f25cd1ef7757d60774a7dc022100c202e64f627d1aadd2a131aecdc048917a11798572597b382064897ed0848d3d:922c64590222798bb761d5b6d8e72950
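Review bot: The matcher only catches `io1`; RDS also offers `io2` Provisioned IOPS storage, which this check would silently skip, so consider adding `- 'io2'` alongside `- 'io1'`. The reporting message already says "Provisioned IOPS SSD", which fits both storage types. If `io2` is not available for the engines in scope this is harmless, but the description should then say which storage types are considered.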


@ -0,0 +1,56 @@
id: rds-public-snapshot
info:
name: RDS Public Snapshot Exposure
author: princechaddha
severity: high
description: |
Checks if AWS RDS database snapshots are publicly accessible, risking exposure of sensitive data.
impact: |
Public snapshots can expose sensitive data to unauthorized users, leading to potential data breaches.
remediation: |
Modify the snapshot's visibility settings to ensure it is not public, only shared with specific AWS accounts.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let RDPsnaps of iterate(template.snapshots)){
set("snapshot", RDPsnaps)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-snapshots --region $region --snapshot-type manual --output json --query 'DBSnapshots[*].DBSnapshotIdentifier'
extractors:
- type: json
name: snapshots
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-snapshot-attributes --region $region --db-snapshot-identifier $snapshot --query 'DBSnapshotAttributesResult.DBSnapshotAttributes'
matchers:
- type: word
words:
- '"all"'
extractors:
- type: dsl
dsl:
- '"RDS snapshot " + snapshot + " is public"'
# digest: 4a0a0047304502210081a28e626fa15113ec4728cae1cd78218b292f7c71adc72cdb0b6d957475955302207063c6eda8c853ca2b1041f2751246979a75381a89e64b262b679667da1eb1eb:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,74 @@
id: rds-public-subnet
info:
name: RDS Instance Private Subnet
author: princechaddha
severity: high
description: |
Ensure Amazon RDS database instances are not provisioned in VPC public subnets to avoid direct Internet exposure.
impact: |
RDS instances in public subnets can be directly accessed from the Internet, increasing the risk of unauthorized access and potential data breaches.
remediation: |
Migrate RDS instances to private subnets within the VPC and ensure proper network ACLs and security group settings are in place to restrict access.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Subnets
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
for(let SubnetNames of iterate(template.subnets)){
set("subnet", SubnetNames)
code(3)
}
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --output json --query 'DBInstances[*].DBInstanceIdentifier'
extractors:
- type: json
name: instances
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-instances --region $region --db-instance-identifier $db --query 'DBInstances[*].DBSubnetGroup.Subnets[*].SubnetIdentifier[]'
extractors:
- type: json
name: subnets
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-route-tables --region $region --filters "Name=association.subnet-id,Values=$subnet" --query 'RouteTables[*].Routes[]'
matchers:
- type: word
words:
- 'igw-'
- '0.0.0.0/0'
extractors:
- type: dsl
dsl:
- 'db + " RDS instance is setup within a public subnet"'
# digest: 4b0a00483046022100d05dd8cfd16004c66141210fee94b5b5b1bdca54b4320091e86f7b7d018c336e022100fcf57d954bb32ef2d5eaf09ca000c729ef9d372ef651d5066f8d1a1e6aee8746:922c64590222798bb761d5b6d8e72950
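Review bot: Matching `'0.0.0.0/0'` on its own flags any subnet that has a default route, including private subnets whose default route goes to a NAT gateway, so only the `'igw-'` entry actually indicates a public subnet. Dropping the `'0.0.0.0/0'` word, or narrowing the JMESPath to the `GatewayId` of the default route and keeping only `'igw-'`, removes that false positive. The `association.subnet-id` filter also only finds explicit associations; a subnet that falls back to the VPC main route table returns nothing and is never evaluated — likely worth a comment in the description.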


@ -0,0 +1,56 @@
id: rds-ri-payment-fail
info:
name: RDS RI Payment Failure
author: princechaddha
severity: high
description: |
Identifies failed RDS Reserved Instance purchases due to payment failures, affecting potential cost savings.
impact: |
Prevents utilization of reserved instance discounts, potentially leading to higher operational costs.
remediation: |
Review the payment methods on file and retry the reservation purchase for RDS instances to secure discounted rates.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithReservedDBInstances.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let DBInstances of iterate(template.instances)){
set("db", DBInstances)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-reserved-db-instances --region $region --output json --query 'ReservedDBInstances[*].ReservedDBInstanceId'
extractors:
- type: json
name: snapshots
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-reserved-db-instances --region $region --reserved-db-instance-id $db --query 'ReservedDBInstances[*].State'
matchers:
- type: word
words:
- 'payment-failed'
extractors:
- type: dsl
dsl:
- '"RDS Reserved Instance purchase has failed for " + db'
# digest: 4a0a00473045022040705df585fbeec117d8605a7eb385b6fb0ae5cca87f948b79aef51f4a4b5b19022100a62f52ca4c10ab087a8d672d8288e120540531595b354c0663a7b5c7426ee198:922c64590222798bb761d5b6d8e72950
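Review bot: The first extractor is named `snapshots` but the flow iterates `template.instances`, so the loop body never runs and no reserved instance is ever checked. Rename it `name: instances` (or point the flow at `template.snapshots`). The loop variable names `DBInstances`/`db` are misleading for reserved-instance IDs but harmless.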


@ -0,0 +1,56 @@
id: rds-snapshot-encryption
info:
name: RDS Snapshot Encryption
author: princechaddha
severity: medium
description: |
Ensure Amazon RDS database snapshots are encrypted for data-at-rest compliance within AWS environments.
impact: |
Unencrypted RDS snapshots can expose sensitive data to unauthorized access, risking data breach and non-compliance penalties.
remediation: |
Enable encryption for RDS snapshots by using AWS KMS Customer Master Keys (CMKs) for enhanced data security and compliance.
reference:
- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_EncryptSnapshot.html
tags: cloud,devops,aws,amazon,rds,aws-cloud-config
variables:
region: "ap-northeast-1"
flow: |
code(1)
for(let RDPsnaps of iterate(template.snapshots)){
set("snapshot", RDPsnaps)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws rds describe-db-snapshots --region $region --snapshot-type manual --output json --query 'DBSnapshots[*].DBSnapshotIdentifier'
extractors:
- type: json
name: snapshots
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws rds describe-db-snapshots --region $region --db-snapshot-identifier $snapshot --query 'DBSnapshots[*].Encrypted'
matchers:
- type: word
words:
- 'false'
extractors:
- type: dsl
dsl:
- '"Amazon RDS database snapshot " + snapshot + " is not encrypted"'
# digest: 490a0046304402207212f314b007f635435474f0ab2253e018047b2f878450e253223d5daa74da3f022064293bf9b3a736189797d2b46e1ad224dd05fa73dfe1ff2d0531a229ab2c89c5:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,49 @@
id: s3-access-logging
info:
name: S3 Bucket - Access Logging Not Enabled
author: princechaddha
severity: medium
description: |
This template verifies if the Server Access Logging feature is enabled for Amazon S3 buckets, which is essential for tracking access requests for security and audit purposes.
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-logging --bucket $bucket --query 'LoggingEnabled'
matchers:
- type: word
words:
- "null"
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" does not have access logging enabled."'
# digest: 4b0a004830460221009c7c7b0d5efd419b91df9f3a9c18cbb5c3cf3e05586c1a2feaf8e1c1c1b5d5b5022100ac7392ba990a22432ad62945a93d61578dd95013697d6c3aefd30fa5e9decaac:922c64590222798bb761d5b6d8e72950
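Review bot: The reference link points at `get-bucket-encryption`, but this template calls `get-bucket-logging`; the matching page is `https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-logging.html`. The `"null"` word match relies on the CLI printing `null` when `LoggingEnabled` is absent, which holds for the default JSON output but not for `--output text`; passing `--output json` explicitly would make it deterministic.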


@ -0,0 +1,49 @@
id: s3-auth-fullcontrol
info:
name: Restrict S3 Buckets FULL_CONTROL Access for Authenticated Users
author: princechaddha
severity: critical
description: |
Checks if Amazon S3 buckets grant FULL_CONTROL access to authenticated users, preventing unauthorized operations
reference:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AuthenticatedUsers`)]'
matchers:
- type: word
words:
- '"Permission": "FULL_CONTROL"'
extractors:
- type: dsl
dsl:
- '"FULL_CONTROL is enabled for Authenticated Users on S3 Bucket " + bucket'
# digest: 4b0a00483046022100ae50a09843b165ba2fcd9f5fb5774c60c2ba2ca3ec8461b893c6eb47cce50cf8022100ab31d7ca772ca4fdce476fb02441aaae4130fe68605b346dd30bcaa9f2fb0c3d:922c64590222798bb761d5b6d8e72950
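Review bot: The reference points at the S3 versioning examples page, which is unrelated to a bucket ACL check; the sibling ACL templates in this commit use `https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html`, which fits here too. The word `'"Permission": "FULL_CONTROL"'` depends on the CLI's default JSON spacing and will not match if the caller's profile sets a different output format; adding `--output json` to the command makes the match deterministic. The same spacing dependence exists in `s3-public-read-acp`, `s3-public-read`, `s3-public-write-acp` and `s3-public-write`.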


@ -0,0 +1,49 @@
id: s3-bucket-key
info:
name: S3 Bucket Key not enabled
author: princechaddha
severity: medium
description: |
This template verifies if Amazon S3 buckets have bucket keys enabled to optimize the cost of AWS Key Management Service (SSE-KMS) for server-side encryption
reference:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-encryption --bucket cc-prod-log-bucket --query 'ServerSideEncryptionConfiguration.Rules[?ApplyServerSideEncryptionByDefault.SSEAlgorithm==`aws:kms`].BucketKeyEnabled'
matchers:
- type: word
words:
- false
extractors:
- type: dsl
dsl:
- '"Key is not enabled for S3 Bucket " + bucket'
# digest: 490a0046304402207628f02f223a9c45013004373f631bfe358fe0898a91b4558b461cdbcb0cb33f02204c02ff4be552778912c6b81a4d7f06b0436bf0facd4066dd1b7b6a60c7fe8727:922c64590222798bb761d5b6d8e72950
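Review bot: The second code block queries the hard-coded bucket `cc-prod-log-bucket` instead of `$bucket`, so every iteration checks the same bucket (one that probably does not exist in the target account) and reports the result under each iterated bucket name; the command should use `--bucket $bucket`. The matcher word `false` is unquoted and parses as a YAML boolean rather than a string — quote it as `'false'` like the sibling templates do. The reference is the versioning page rather than `https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html`.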


@ -0,0 +1,57 @@
id: s3-bucket-policy-public-access
info:
name: Public Access of S3 Buckets via Policy
author: princechaddha
severity: critical
description: |
This template checks if Amazon S3 buckets are configured to prevent public access via bucket policies
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-policy.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-policy --bucket $bucket --query Policy --output text
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"Effect":"Allow"'
- type: word
part: body
words:
- '"Principal":"*"'
- '"AWS":"*"'
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" is publicly accessible via Policy"'
# digest: 4b0a004830460221009b48d546c9c75d61879e6371e646807f994d64408c3f84d48c9a9b344b9743410221009ed66db2acf2d13fb22b03344e70b7679191e4d76de5615fb69753c02d49306d:922c64590222798bb761d5b6d8e72950
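Review bot: The matchers look for compact JSON (`'"Principal":"*"'`, `'"AWS":"*"'`) with no whitespace, but `get-bucket-policy --output text` returns the policy document as stored, which commonly has a space after each colon, so public buckets would be missed depending on how the policy was authored. Whitespace-tolerant regex matchers, e.g. `'"Principal"\s*:\s*"\*"'` and `'"AWS"\s*:\s*"\*"'`, are more robust. Separately, an `Allow` statement with a wildcard principal that is constrained by a `Condition` (for instance a VPC endpoint or source IP) is not public, so the description should mention that this check can report such policies as well.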


@ -0,0 +1,49 @@
id: s3-mfa-delete-check
info:
name: S3 Bucket MFA Delete Configuration Check
author: princechaddha
severity: low
description: |
This template verifies that Amazon S3 buckets are configured with Multi-Factor Authentication (MFA) Delete feature, ensuring enhanced protection against unauthorized deletion of versioned objects
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-versioning.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-versioning --bucket $bucket --query 'MFADelete'
matchers:
- type: word
words:
- "null"
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" is not configured to use MFA Delete feature"'
# digest: 4a0a0047304502207b18bcd326a382b691f9645ba66223e79733146fbaaa7632197a652cb7319085022100d690b22a500eb8036ca670d596ead85d56ce5e576f1147e5e73430a5d49c3765:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,50 @@
id: s3-public-read-acp
info:
name: S3 Bucket with Public READ_ACP Access
author: princechaddha
severity: critical
description: |
Verifies that Amazon S3 buckets do not permit public 'READ_ACP' (LIST) access to anonymous users, protecting against unauthorized data exposure
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
matchers:
- type: word
words:
- '"Permission": "READ_ACP"'
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" have public READ_ACP access"'
# digest: 4b0a00483046022100ed3c7c8177b632e1968b920b9eef94ffdc0784d3b4cfef7073e31fa45879d929022100a4515cf3df6e19fdcc7f9c9460074d6310983bbdd4687e83cce86c290cb62c18:922c64590222798bb761d5b6d8e72950
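Review bot: The description calls `READ_ACP` "(LIST)" access, which is the wording of the `s3-public-read` template; READ_ACP grants reading the bucket ACL, not listing objects, so the description should say `Verifies that Amazon S3 buckets do not permit public 'READ_ACP' (read bucket ACL) access to anonymous users`. The DSL message `" have public READ_ACP access"` should read `has`; the same grammar appears in `s3-public-read`, `s3-public-write-acp` and `s3-public-write`.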


@ -0,0 +1,50 @@
id: s3-public-read
info:
name: S3 Bucket with Public READ Access
author: princechaddha
severity: critical
description: |
Verifies that Amazon S3 buckets do not permit public 'READ' (LIST) access to anonymous users, protecting against unauthorized data exposure
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
matchers:
- type: word
words:
- '"Permission": "READ"'
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" have public READ access"'
# digest: 4a0a0047304502210096282cee509cda8603576b6bf36e9726a85cd0e5c7ffbf1a1b521840e04b9a0f022003295ca19e84cf783276bd6c7a2fa978a92543199f6da355ddfb130e465442da:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,49 @@
id: s3-public-write-acp
info:
name: S3 Bucket with Public WRITE_ACP Access
author: princechaddha
severity: critical
description: |
Checks if Amazon S3 buckets are secured against public WRITE_ACP access, preventing unauthorized modifications to access control permissions.
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
matchers:
- type: word
words:
- '"Permission": "WRITE_ACP"'
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" have public WRITE_ACP access"'
# digest: 490a004630440220164c9d55d2b50ac44caa26edd47e799e3ec62871676e74736d108a8541f0c2440220136ef5897894c74ad7fb3f936e269b6a777cc4e8f520c42142558990bea8eba9:922c64590222798bb761d5b6d8e72950


@ -0,0 +1,49 @@
id: s3-public-write
info:
name: S3 Bucket with Public WRITE Access
author: princechaddha
severity: critical
description: |
Checks if Amazon S3 buckets are secured against public WRITE access, preventing unauthorized modifications to access control permissions.
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-acl.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-acl --bucket $bucket --query 'Grants[?(Grantee.URI==`http://acs.amazonaws.com/groups/global/AllUsers`)]'
matchers:
- type: word
words:
- '"Permission": "WRITE"'
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" have public WRITE access"'
# digest: 490a004630440220795c3882ab9cb8a093b5e2e83c7822aaf15bfe4cff0426f3a6e5743196aa67730220375072f3c8dff6626dd361a31d12615188c7e8bd445e92f41fe755c323cefc22:922c64590222798bb761d5b6d8e72950
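Review bot: The `description` on the `Checks if Amazon S3 buckets are secured against public WRITE access, preventing unauthorized modifications to access control permissions.` line was carried over from the WRITE_ACP template: a WRITE grant lets anonymous users create, overwrite and delete objects, not change the ACL, so it should read along the lines of `Checks if Amazon S3 buckets grant public WRITE access, which lets anonymous users upload, overwrite or delete objects.` The DSL message `" have public WRITE access"` also reads better as `" has public WRITE access"`, since one bucket is reported per iteration.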


@ -0,0 +1,49 @@
id: s3-server-side-encryption
info:
name: Server-Side Encryption on Amazon S3 Buckets
author: princechaddha
severity: high
description: |
This template verifies if Amazon S3 buckets have server-side encryption enabled for protecting sensitive content at rest, using either AWS S3-managed keys (SSE-S3) or AWS KMS-managed keys (SSE-KMS).
reference:
- https://docs.aws.amazon.com/cli/latest/reference/s3api/get-bucket-encryption.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-encryption --bucket $bucket
matchers:
- type: word
words:
- "ServerSideEncryptionConfigurationNotFoundError"
extractors:
- type: dsl
dsl:
- '"The S3 bucket " + bucket +" is not encrypted at rest"'
# digest: 490a0046304402203e012cd857cace30b445932f893b9bd0f7bc709eec9f6cb5689fd30a520525e0022029cde524c58042593e654d36bfd7dcfb81b9508c534ec7750afe9ff96ad921d1:922c64590222798bb761d5b6d8e72950
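Review bot: The matcher on the `- "ServerSideEncryptionConfigurationNotFoundError"` line keys on an error the AWS CLI writes to stderr, so the check only works if nuclei's code protocol folds stderr into the matched response — I believe it does, but it is worth confirming, and a comment such as `# matches the CLI error emitted when the bucket has no encryption configuration` would make the intent explicit. An `AccessDenied` on `s3:GetEncryptionConfiguration` produces no match and therefore no finding, so a caller lacking that permission silently sees every bucket as encrypted; the description should state the permission the scan needs.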


@ -0,0 +1,50 @@
id: s3-versioning
info:
name: S3 Bucket Versioning not Enabled
author: princechaddha
severity: low
description: |
Verifies that Amazon S3 buckets have object versioning enabled, providing a safeguard for recovering overwritten or deleted objects
reference:
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/manage-versioning-examples.html
tags: cloud,devops,aws,amazon,s3,aws-cloud-config
flow: |
code(1)
for(let bucketName of iterate(template.buckets)){
set("bucket", bucketName)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws s3api list-buckets --query 'Buckets[*].Name'
extractors:
- type: json # type of the extractor
internal: true
name: buckets
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws s3api get-bucket-versioning --bucket $bucket --query 'Status'
matchers:
- type: word
words:
- "null"
- "Suspended"
extractors:
- type: dsl
dsl:
- '"Versioning is not enabled for S3 Bucket " + bucket'
# digest: 4b0a00483046022100ceb8b6be9871b6b9b57c5aa9add8902c3177845310afee02c6f8acc0cec48331022100fc98d53a049eaf0f8450f979233fffec17fd5c23d4c90fb78e68d8f05869f7d4:922c64590222798bb761d5b6d8e72950
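Review bot: The `- "null"` and `- "Suspended"` words assume the CLI emits JSON, but the `aws s3api get-bucket-versioning --bucket $bucket --query 'Status'` line does not pin `--output json`; a profile configured with `output = text` prints `None` for an unset status (and no quotes around `Suspended`), so the finding is silently lost. Adding `--output json` to both `aws s3api` calls keeps the matchers independent of the operator's config, and the same applies to the other S3 sections in this commit (s3-public-write-acp, s3-public-write, s3-server-side-encryption) and to the second command in nat-gateway-use, vpc-endpoints-not-deployed, vpc-flowlogs-not-enabled and vpn-tunnel-down, which all match on `[]` or JSON-quoted strings. Whether the JSON formatter prints a bare `null` for an empty `--query` result in the CLI version in use is also worth verifying once rather than assuming.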


@ -0,0 +1,63 @@
id: nacl-open-inbound
info:
name: Open Inbound NACL Traffic
author: princechaddha
severity: medium
description: |
Checks for Amazon VPC Network ACLs with inbound rules allowing traffic from all IPs across all ports, increasing the risk of unauthorized access.
impact: |
Allows unrestricted access to resources within the subnet, potentially exposing sensitive data or services to unauthorized users.
remediation: |
Restrict Network ACL inbound rules to only allow necessary IP ranges and ports as per the Principle of Least Privilege.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let NACLIDs of iterate(template.nacls)){
set("naclid", NACLIDs)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-network-acls --region $region --query 'NetworkAcls[*].NetworkAclId' --output json
extractors:
- type: json
name: nacls
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []'
matchers-condition: and
matchers:
- type: word
words:
- "allow"
condition: and
- type: word
words:
- "PortRange"
negative: true
extractors:
- type: dsl
dsl:
- '"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'
# digest: 4a0a0047304502200de3239f933f1b468292a1ac4504bc398cad18ac3aa6f2de12357bd0e8a65759022100ee901336ec076eb9058f105f779e66be7bac556e1751713419df333cca4eaddf:922c64590222798bb761d5b6d8e72950
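Review bot: The negative matcher on the `- "PortRange"` line is evaluated over the whole response, so an NACL with one allow-all inbound entry plus any other allow entry that carries a port range fails the `negative` check and the open rule is never reported; the same false negative is in nacl-outbound-restrict. Nothing in the query or matchers tests the source CIDR either, so an all-ports rule scoped to a single trusted /32 is reported as "from all IPs", which contradicts the description. Filtering per entry in JMESPath is more reliable than post-hoc word matching, e.g. ``Entries[?RuleAction==`allow` && Egress==`false` && CidrBlock==`"0.0.0.0/0"` && (Protocol==`"-1"` || (PortRange.From==`0` && PortRange.To==`65535`))] | []`` with a single positive matcher on `"allow"`, and the same shape with ``Egress==`true` `` fixes the outbound template; `Ipv6CidrBlock` of `::/0` would need a parallel comparison. The loop variable `NACLIDs` holds one id per iteration, so `naclId` would read better.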


@ -0,0 +1,63 @@
id: nacl-outbound-restrict
info:
name: Unrestricted NACL Outbound Traffic
author: princechaddha
severity: medium
description: |
Checks for Amazon VPC NACLs allowing outbound traffic to all ports, recommending restriction to necessary ports only.
impact: |
Potential for data exfiltration or unauthorized access if outbound traffic is not properly restricted.
remediation: |
Modify NACL outbound rules to limit traffic to only the ports required for legitimate business needs.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let NACLIDs of iterate(template.nacls)){
set("naclid", NACLIDs)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-network-acls --region $region --query 'NetworkAcls[*].NetworkAclId' --output json
extractors:
- type: json
name: nacls
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`true`)] | []'
matchers-condition: and
matchers:
- type: word
words:
- "allow"
condition: and
- type: word
words:
- "PortRange"
negative: true
extractors:
- type: dsl
dsl:
- '"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'
# digest: 4a0a00473045022021e25dd23124572a8f6dbe6381024f3ecb8f78907d7ba0aafa2eb9c63990e140022100ba7669b283e58bf5b0fd08f3d5501d54221fc7a48b73b088c95330ea4c633f67:922c64590222798bb761d5b6d8e72950
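Review bot: The DSL on the `'"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'` line is identical to the inbound template's message, so a reader of the output cannot tell an open egress rule from an open ingress one; something like `'"Outbound traffic from NACL " + naclid + " is not restricted to specific ports."'` distinguishes them. The description only talks about ports and the matchers never test the destination CIDR, so the finding text saying the subnets are "not restricted" overstates what was checked.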


@ -0,0 +1,56 @@
id: nat-gateway-use
info:
name: Managed NAT Gateway Usage
author: princechaddha
severity: medium
description: |
Ensure the use of Amazon Managed NAT Gateway for better availability and bandwidth in VPC networks instead of self-managed NAT instances.
impact: |
Using self-managed NAT instances can lead to single points of failure and potential bandwidth bottlenecks.
remediation: |
Replace NAT instances with Amazon Managed NAT Gateway to ensure high availability and scalability in your VPC network.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let VPCIds of iterate(template.vpcid)){
set("vpc", VPCIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
extractors:
- type: json
name: vpcid
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-nat-gateways --region $region --filter "Name=vpc-id,Values=$vpc" "Name=state,Values=available" --query 'NatGateways'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- 'vpc + " VPC is not using Managed NAT Gateways"'
# digest: 4b0a00483046022100f5f55c1da4e2aaca4b9547bf032c91c95a45a559e294e66e3a04343878e6416c022100919f04f7539cccd971883f2ac51a5a40f17c588dc2bb561902f5397715facf2a:922c64590222798bb761d5b6d8e72950
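Review bot: The `- "[]"` matcher flags every VPC with no available NAT gateway, including the default VPC and VPCs with no private subnets, while the description and remediation are about replacing self-managed NAT instances, which the template never looks for. If the intent really is "NAT instance in use", a route-table query is the closer signal, e.g. ``aws ec2 describe-route-tables --region $region --filters Name=vpc-id,Values=$vpc --query 'RouteTables[*].Routes[?DestinationCidrBlock==`"0.0.0.0/0"` && InstanceId] | []'`` with a positive match on `InstanceId`; otherwise the description should say plainly that the finding means "no managed NAT gateway in this VPC". `--filter` (singular) is, as far as I recall, the correct option for `describe-nat-gateways`, unlike the `--filters` used by `describe-vpc-endpoints` elsewhere in this commit, so a short `# describe-nat-gateways takes --filter, not --filters` comment would save a future "fix".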


@ -0,0 +1,65 @@
id: unrestricted-admin-ports
info:
name: Unrestricted Admin Port Access
author: princechaddha
severity: high
description: |
Checks for unrestricted ingress on TCP ports 22 (SSH) and 3389 (RDP) in Amazon VPC NACLs, exposing remote server administration to potentially malicious traffic.
impact: |
Allows unrestricted remote access, increasing the risk of unauthorized access and potential compromise.
remediation: |
Restrict access to ports 22 and 3389 to trusted IPs or IP ranges to adhere to the Principle of Least Privilege (POLP).
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let NACLIDs of iterate(template.nacls)){
set("naclid", NACLIDs)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-network-acls --region $region --query 'NetworkAcls[*].NetworkAclId' --output json
extractors:
- type: json
name: nacls
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?(RuleAction==`allow`) && (Egress==`false`)] | []' --output json
matchers-condition: and
matchers:
- type: word
words:
- "0.0.0.0/0"
- "CidrBlock"
condition: and
- type: word
words:
- "22"
- "3389"
condition: or
extractors:
- type: dsl
dsl:
- '"Access to the VPC subnets associated with your NACL " + naclid + " is not restricted."'
# digest: 4a0a0047304502204e05c381a073d28047bdf9026597e5d331abca5011bbd8887ac323dd2b2983fb02210097ddd0dd706718f37b2c2f54820e543a9c6549883adc31296235e4b04fe04e97:922c64590222798bb761d5b6d8e72950
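Review bot: The second matcher on the `- "22"` / `- "3389"` lines is a plain substring test over the whole JSON response, so it also hits rule numbers, `/22` prefixes and any port containing those digits, and because both matchers are evaluated across all entries an NACL with a `0.0.0.0/0` rule for port 443 plus a separate internal-only rule for port 22 is reported as exposing SSH. Moving the CIDR and port conditions into the JMESPath filter makes the test per-entry and exact; the rewritten `source` and single matcher are below, and `matchers-condition` is then unnecessary. Protocol `-1` (all traffic) entries have no `PortRange` and are excluded here, which is fine because nacl-open-inbound already covers them, but `Ipv6CidrBlock` of `::/0` is still not handled and would need a parallel comparison. With an exact query the finding could also name the matching `RuleNumber` rather than only the NACL id.
```yaml
    source: |
      aws ec2 describe-network-acls --region $region --network-acl-ids $naclid --query 'NetworkAcls[*].Entries[?RuleAction==`allow` && Egress==`false` && CidrBlock==`"0.0.0.0/0"` && ((PortRange.From<=`22` && PortRange.To>=`22`) || (PortRange.From<=`3389` && PortRange.To>=`3389`))] | []' --output json
    matchers:
      - type: word
        words:
          - '"RuleAction": "allow"'
    # … unchanged: extractors …
```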


@ -0,0 +1,63 @@
id: vpc-endpoint-exposed
info:
name: Exposed VPC Endpoint
author: princechaddha
severity: medium
description: |
Identify and secure fully accessible Amazon VPC endpoints to prevent unauthorized access to AWS services.
impact: |
Allows unrestricted access to AWS services via the exposed VPC endpoint, potentially leading to data leakage or unauthorized operations.
remediation: |
Update the VPC endpoint's policy to restrict access only to authorized entities and ensure all requests are signed.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let VpcIds of iterate(template.VpcId)){
set("vpc", VpcIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-vpc-endpoints --region $region --output table --query 'VpcEndpoints[*].VpcEndpointId' --output json
extractors:
- type: json
name: VpcId
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-vpc-endpoints --region $region --vpc-endpoint-ids $vpc --query 'VpcEndpoints[*].PolicyDocument' --output json
matchers-condition: and
matchers:
- type: word
words:
- '"AWS": "*"'
- '"Principal": "*"'
- type: word
words:
- "Condition"
negative: true
extractors:
- type: dsl
dsl:
- '"VPC endpoints for " + vpc + "are exposed."'
# digest: 4a0a004730450221009cd9ca7d1c7ce5d6db43cc95291be7e509c29f9ed1c7559ee1aeb31a6579920902206e30e36ec371d03d1c5d805d349458ee43fd27bd65917e4f33050e359de8ea3b:922c64590222798bb761d5b6d8e72950
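Review bot: The DSL on the `'"VPC endpoints for " + vpc + "are exposed."'` line lacks a space before `are`, so the finding reads `VPC endpoints for vpce-…are exposed.`; since one endpoint is reported per iteration, `'"VPC endpoint " + vpc + " is exposed."'` fixes both the spacing and the plural. The first command passes both `--output table` and `--output json`; the table flag is a leftover and should be dropped. The EC2 API returns `PolicyDocument` as a JSON-encoded string, so in the CLI's JSON output the policy appears escaped and, as far as I can tell, without spaces after colons, which would keep `'"AWS": "*"'` and `'"Principal": "*"'` from matching; a `type: regex` matcher such as `'\\?"Principal\\?"\s*:\s*\\?"\*\\?"'` (and the same for `AWS`) tolerates both forms — worth checking against real output before merging. The extractor named `VpcId` holds endpoint ids here, so `endpointId` would avoid confusion with the VPC templates that use the same name for actual VPC ids.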


@ -0,0 +1,56 @@
id: vpc-endpoints-not-deployed
info:
name: VPC Endpoints Not Deployed
author: princechaddha
severity: medium
description: |
Ensures VPC endpoints are utilized for secure AWS service connectivity without needing an Internet Gateway, enhancing network security and efficiency.
impact: |
Avoids data exposure and reduces bandwidth use by ensuring AWS traffic remains within the AWS network, without public IP requirements for EC2 instances.
remediation: |
Implement VPC endpoints for supported AWS services to secure and optimize connectivity within your VPC, minimizing external access risks.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let VpcIds of iterate(template.VpcId)){
set("vpc", VpcIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
extractors:
- type: json
name: VpcId
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-vpc-endpoints --region $region --filters Name=vpc-id,Values=$vpc --query 'VpcEndpoints[*].VpcEndpointId'
matchers:
- type: word
words:
- "[]"
extractors:
- type: dsl
dsl:
- '"VPC Endpoints Not Deployed in the VPC network " + vpc'
# digest: 4a0a004730450220305c7cb9ef27a7249c71a3e30664db9f051b0f5438fe8ce42f2024ea91bfa24e022100e5b9e9b019adf2b1fcfd5121540efdbaf0c5fd39072523eacf41b5a50319666e:922c64590222798bb761d5b6d8e72950
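Review bot: The `impact` text on the `Avoids data exposure and reduces bandwidth use by ensuring AWS traffic remains within the AWS network ...` line describes the benefit of having endpoints rather than the impact of the finding, which is how the sibling templates in this commit use the field (compare nacl-open-inbound); something like `Without VPC endpoints, traffic to AWS services leaves the VPC through an Internet Gateway or NAT device, which requires public IPs or NAT and routes the traffic over the public internet.` matches that convention. As with nat-gateway-use, the `- "[]"` match fires on every VPC without any endpoint, including the default VPC, so the finding is informational in practice and a `medium` severity may be worth revisiting.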


@ -0,0 +1,58 @@
id: vpc-flowlogs-not-enabled
info:
name: VPC Flow Logs Not Enabled
author: princechaddha
severity: low
description: |
Ensures Amazon VPC Flow Logs are enabled for tracking network traffic to and from VPCs, aiding in security and troubleshooting.
impact: |
Without VPC Flow Logs, detecting abnormal traffic patterns or breaches becomes difficult, increasing risk of undetected threats.
remediation: |
Enable VPC Flow Logs in the AWS Management Console under the VPC dashboard to collect data on IP traffic going to and from network interfaces in your VPC.
reference:
- https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
tags: cloud,devops,aws,amazon,vpc,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let VpcIds of iterate(template.VpcId)){
set("vpc", VpcIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-vpcs --region $region --query 'Vpcs[*].VpcId' --output json
extractors:
- type: json
name: VpcId
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-flow-logs --region $region --filter "Name=resource-id,Values=$vpc"
matchers:
- type: word
words:
- "[]"
condition: and
extractors:
- type: dsl
dsl:
- '"Flow Logs feature is not enabled for the VPC " + vpc'
# digest: 4a0a00473045022016d83c316f318298be2c514542422c1a2f3a42517ac740d4b85ca980c9bf4676022100e7af7b416817f374b418962094ee777893f8fed6b17880fea736d1eb6caa38b2:922c64590222798bb761d5b6d8e72950
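Review bot: The `- "[]"` match on the `describe-flow-logs` output treats any flow log bound to the VPC as "enabled", including ones whose `FlowLogStatus` is not `ACTIVE` or whose delivery has failed, so a broken flow log passes the check; filtering with ``--query 'FlowLogs[?FlowLogStatus==`"ACTIVE"`]'`` reports only working ones. Only VPC-level flow logs are counted, since the filter is on the VPC's resource id; subnet- or ENI-level logs do not satisfy it, which is defensible but deserves a sentence in the description. `condition: and` on a single-word matcher is a no-op and can be dropped.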


@ -0,0 +1,56 @@
id: vpn-tunnel-down
info:
name: AWS VPN Tunnel Down
author: princechaddha
severity: high
description: |
Ensures AWS VPN tunnels are in an UP state, facilitating uninterrupted network traffic through the Virtual Private Network.
impact: |
If a VPN tunnel is DOWN, it could disrupt network connectivity and access to resources in your VPC, impacting business operations.
remediation: |
Monitor VPN tunnel status via the AWS Management Console or CLI. If a tunnel is DOWN, troubleshoot according to AWS documentation and ensure redundancy by configuring multiple tunnels.
reference:
- https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNConnections.html
tags: cloud,devops,aws,amazon,vpn,aws-cloud-config
variables:
region: "us-east-1"
flow: |
code(1)
for(let VpnConnectionIds of iterate(template.vpnconnactions)){
set("vpnid", VpnConnectionIds)
code(2)
}
self-contained: true
code:
- engine:
- sh
- bash
source: |
aws ec2 describe-vpn-connections --region $region --filters "Name=state,Values=available" --query 'VpnConnections[*].VpnConnectionId' --output json
extractors:
- type: json
name: vpnconnactions
internal: true
json:
- '.[]'
- engine:
- sh
- bash
source: |
aws ec2 describe-vpn-connections --region $region --vpn-connection-ids $vpnid --query 'VpnConnections[*].VgwTelemetry[*].Status[]'
matchers:
- type: word
words:
- "DOWN"
extractors:
- type: dsl
dsl:
- 'vpnid + " VPN tunnel is down"'
# digest: 490a0046304402205ecec5a00e3d0521ad5a2e9ac0cebbe83e91d206c2233f683dcd750ff5b3841c02205528afb57d459d2c5075638280afcf53459f71aaeb2a5cabc21c41659d91f510:922c64590222798bb761d5b6d8e72950
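Review bot: The `- "DOWN"` match fires when either tunnel of a Site-to-Site connection reports DOWN, and the DSL on the `'vpnid + " VPN tunnel is down"'` line does not say which, so the operator has to query again; extracting only the down tunnels, e.g. ``--query 'VpnConnections[*].VgwTelemetry[?Status==`"DOWN"`].OutsideIpAddress | []'`` with a `negative: true` match on `"[]"`, lets the message name the tunnel's outside IP (bearing in mind a negative match also fires on CLI errors, so an `AccessDenied` would then read as a finding). Many deployments deliberately terminate only one of the two tunnels, so a single DOWN tunnel is expected there; the description could say so, or the severity could distinguish both-down from one-down. The extractor name `vpnconnactions` is a typo for `vpnconnections` and appears in both the `flow` and the extractor.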


@ -34,4 +34,5 @@ http:
- 200
- 302
condition: or
# digest: 490a0046304402200ead17d9381546ddc9f16663c90d8511969313ccc238f43ffde6040eb1190a3e02204f529c738530581af958cd8d83110cdb30cfc8f14818c8a379fb398f975045f8:922c64590222798bb761d5b6d8e72950
