generated from adobe/aem-boilerplate
-
Notifications
You must be signed in to change notification settings - Fork 79
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #699 from tsmithv11/jun24-build-policies
Build policy docs additions
- Loading branch information
Showing
18 changed files
with
861 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
73 changes: 73 additions & 0 deletions
73
...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-367.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| == AWS Sagemaker data quality job not encrypting model artifacts with KMS | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | 9ce055f8-7939-4888-9bb7-544605c0a87a | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionEncryption.py[CKV_AWS_367] | ||
|
|
||
| |Severity | ||
| |LOW | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform,TerraformPlan,CloudFormation | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy checks whether Amazon SageMaker Data Quality Jobs leverage AWS Key Management Service (KMS) to encrypt model artifacts. Unencrypted model artifacts pose a significant security concern. Without encryption, sensitive information within your models could be exposed to malicious actors. This could lead to data breaches, compromising the integrity and confidentiality of the data used by your models. KMS provides a secure solution for managing encryption keys, ensuring the protection of your machine learning assets. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* aws_sagemaker_data_quality_job_definition | ||
| * *Arguments:* data_quality_job_output_config/kms_key_id | ||
|
|
||
| Encrypt your AWS SageMaker Data Quality Job output. Specify the KMS key in the data_quality_job_output_config block of your Terraform configuration file, as displayed in the example below. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "aws_sagemaker_data_quality_job_definition" "example" { | ||
| ... | ||
| data_quality_job_output_config { | ||
| + kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id" | ||
| ... | ||
| } | ||
| ... | ||
| } | ||
| ---- | ||
|
|
||
|
|
||
| *CloudFormation* | ||
|
|
||
| * *Resource:* AWS::SageMaker::DataQualityJobDefinition | ||
| * *Arguments:* Properties/DataQualityJobOutputConfig/KmsKeyId | ||
|
|
||
| Encrypt your AWS SageMaker Data Quality Job output. Specify the KMS key in the DataQualityJobOutputConfig block of your CloudFormation configuration file, as displayed in the example below. | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| ... | ||
| AWSTemplateFormatVersion: '2010-09-09' | ||
| ... | ||
| MyDataQualityJobDefinitionPass: | ||
| Type: "AWS::SageMaker::DataQualityJobDefinition" | ||
| Properties: | ||
| ... | ||
| DataQualityJobOutputConfig: | ||
| + KmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-kms-key-id" | ||
| ... | ||
| ---- | ||
|
|
69 changes: 69 additions & 0 deletions
69
...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-368.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| == AWS Sagemaker Data Quality Job not using KMS to encrypt data on attached storage volume | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | d9fd5ad2-b0ce-44e4-98c8-242499c852ee | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionVolumeEncryption.py[CKV_AWS_368] | ||
|
|
||
| |Severity | ||
| |LOW | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform,TerraformPlan,CloudFormation | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy checks whether Amazon SageMaker Data Quality Jobs leverage AWS Key Management Service (KMS) to encrypt data on the attached storage volume. KMS encryption is crucial to safeguard sensitive information as it encrypts data on storage volumes attached to the Sagemaker instance. This prevents unauthorized access and data breaches and helps ensure compliance with regulations requiring the protection of specific data types. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* aws_sagemaker_monitoring_schedule | ||
| * *Arguments:* job_resources/cluster_config/volume_kms_key_id | ||
|
|
||
| Provide a `volume_kms_key_id` attribute in your `aws_sagemaker_monitoring_schedule` of your Terraform configuration file to enable encryption using AWS KMS, as displayed in the example below. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "aws_sagemaker_data_quality_job_definition" "example" { | ||
| ... | ||
| job_resources { | ||
| cluster_config { | ||
| ... | ||
| + volume_kms_key_id = "arn:aws:kms:us-west-2:123456789012:key/my-existing-volume-kms-key-id" | ||
| } | ||
| } | ||
| } | ||
| ---- | ||
|
|
||
| *CloudFormation* | ||
|
|
||
| * *Resource:* AWS::SageMaker::DataQualityJobDefinition | ||
| * *Arguments:* JobResources/ClusterConfig/VolumeKmsKeyId | ||
|
|
||
| Provide a `VolumeKmsKeyId` attribute in your `AWS::SageMaker::DataQualityJobDefinition` of your CloudFormation configuration file, as displayed in the example below. | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| MyDataQualityJobDefinitionPass: | ||
| Type: "AWS::SageMaker::DataQualityJobDefinition" | ||
| Properties: | ||
| ... | ||
| JobResources: | ||
| ClusterConfig: | ||
| ... | ||
| VolumeKmsKeyId: "arn:aws:kms:us-west-2:123456789012:key/my-existing-volume-kms-key-id" | ||
| ---- | ||
|
|
66 changes: 66 additions & 0 deletions
66
...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-369.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
|
|
||
| == AWS Sagemaker Data Quality Job not encrypting communications between instances used for monitoring jobs | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | 404594b6-5d5e-4fab-a439-f6615572aed4 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerDataQualityJobDefinitionTrafficEncryption.py[CKV_AWS_369] | ||
|
|
||
| |Severity | ||
| |LOW | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform,TerraformPlan,CloudFormation | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy checks whether all communications between instances used for monitoring jobs in Amazon SageMaker Data Quality Jobs are encrypted. Encryption is crucial to safeguard sensitive information during transmission. Unencrypted data can be easily intercepted by unauthorized individuals, potentially leading to data breaches or other security incidents. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* aws_sagemaker_data_quality_job_definition | ||
| * *Arguments:* network_config/enable_inter_container_traffic_encryption | ||
|
|
||
| Ensure that the `network_config`` block includes the `enable_inter_container_traffic_encryption`` argument, and set this argument to `true`, as displayed in the example below. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "aws_sagemaker_data_quality_job_definition" "job_definition" { | ||
| job_definition_name = "data-quality-job-definition" | ||
| ... | ||
| network_config { | ||
| + enable_inter_container_traffic_encryption = true | ||
| } | ||
| } | ||
| ---- | ||
|
|
||
| *CloudFormation* | ||
|
|
||
| * *Resource:* AWS::SageMaker::DataQualityJobDefinition | ||
| * *Arguments:* Properties/NetworkConfig/EnableInterContainerTrafficEncryption | ||
|
|
||
| Ensure that the `NetworkConfig` block includes the `EnableInterContainerTrafficEncryption` argument in your CloudFormation configuration file, and that this argument is set to `True`, as displayed in the example below. | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| Resources: | ||
| DataQualityJobDefinitionPass: | ||
| Type: "AWS::SageMaker::DataQualityJobDefinition" | ||
| Properties: | ||
| ... | ||
| NetworkConfig: | ||
| + EnableInterContainerTrafficEncryption: True | ||
| ---- |
64 changes: 64 additions & 0 deletions
64
...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-371.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| == AWS SageMaker Notebook Instance allows for IMDSv1 | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | b74937ca-e6e5-463e-ac83-9476a90cac40 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerNotebookInstanceAllowsIMDSv2.py[CKV_AWS_371] | ||
|
|
||
| |Severity | ||
| |MEDIUM | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform,TerraformPlan,CloudFormation | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy checks whether SageMaker Notebook Instances are configured to use Instance Metadata Service version 2 (IMDSv2). MDSv2 reduces security risks by requiring session-oriented requests, unlike the vulnerable IMDSv1 which is susceptible to server-side request forgery (SSRF) attacks and potential unauthorized access. This improves the overall security posture of your AWS resources. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* aws_sagemaker_notebook_instance | ||
| * *Arguments:* instance_metadata_service_configuration/minimum_instance_metadata_service_version | ||
|
|
||
| Ensure that the Amazon Sagemaker Notebook Instance is configured to only allow Instance Metadata Service Version 2 (IMDSv2), by setting the `minimum_instance_metadata_service_version` to `2`, as displayed in the example below. | ||
|
|
||
| [source,go] | ||
| ---- | ||
| resource "aws_sagemaker_notebook_instance" "my_notebook_instance_pass" { | ||
| ... | ||
| instance_metadata_service_configuration { | ||
| + minimum_instance_metadata_service_version = "2" | ||
| } | ||
| } | ||
| ---- | ||
|
|
||
| *CloudFormation* | ||
|
|
||
| * *Resource:* AWS::SageMaker::NotebookInstance | ||
| * *Arguments:* Properties/InstanceMetadataServiceConfiguration/MinimumInstanceMetadataServiceVersion | ||
|
|
||
| Ensure that the Amazon Sagemaker Notebook Instance is configured to only allow Instance Metadata Service Version 2 (IMDSv2), by setting the `MinimumInstanceMetadataServiceVersion` to `2`, as displayed in the example below. | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| Resources: | ||
| Example: | ||
| Type: "AWS::SageMaker::NotebookInstance" | ||
| Properties: | ||
| ... | ||
| InstanceMetadataServiceConfiguration: | ||
| MinimumInstanceMetadataServiceVersion: "2" | ||
| ---- |
48 changes: 48 additions & 0 deletions
48
...rise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-372.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
|
|
||
| == AWS SageMaker Flow Definition does not use KMS for output configurations | ||
|
|
||
| === Policy Details | ||
|
|
||
| [width=45%] | ||
| [cols="1,1"] | ||
| |=== | ||
| |Prisma Cloud Policy ID | ||
| | 4092b020-4b1e-465d-a1ad-f38d8e88dfb3 | ||
|
|
||
| |Checkov ID | ||
| | https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SagemakerFlowDefinitionUsesKMS.py[CKV_AWS_372] | ||
|
|
||
| |Severity | ||
| |LOW | ||
|
|
||
| |Subtype | ||
| |Build | ||
|
|
||
| |Frameworks | ||
| |Terraform,TerraformPlan,CloudFormation | ||
|
|
||
| |=== | ||
|
|
||
| === Description | ||
|
|
||
| This policy checks whether Amazon SageMaker Flow Definitions leverage Key Management Service (KMS) for output configurations. Unencrypted outputs expose sensitive data, increasing the risk of unauthorized access and breaches. KMS ensures data security by encrypting it before storage and physically separating the storage of key material. This strengthens your security posture and adheres to data protection regulations. | ||
|
|
||
| === Fix - Buildtime | ||
|
|
||
| *Terraform* | ||
|
|
||
| * *Resource:* aws_sagemaker_flow_definition | ||
| * *Arguments:* output_config/kms_key_id | ||
|
|
||
| Add a KMS key to your SageMaker Flow Definition output configurations, by defining a `kms_key_id` property in the `output_config` block of your AWS SageMaker Flow Definition. | ||
|
|
||
| [source,hcl] | ||
| ---- | ||
| resource "aws_sagemaker_flow_definition" "example" { | ||
| ... | ||
| output_config { | ||
| + kms_key_id = "example" | ||
| } | ||
| } | ||
| ---- | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.