From b71b27c11008a2efff4588491d50c0b1978fd3aa Mon Sep 17 00:00:00 2001 From: Taylor Date: Tue, 17 Dec 2024 21:48:04 -0800 Subject: [PATCH] Docs --- .../aws-general-policies/bc-aws-381.adoc | 46 +++++++++++++++ .../aws-general-policies/bc-aws-383.adoc | 46 +++++++++++++++ .../aws-networking-policies/bc-aws-378.adoc | 45 +++++++++++++++ .../aws-networking-policies/bc-aws-382.adoc | 56 +++++++++++++++++++ .../bc-azure-2-55.adoc | 44 +++++++++++++++ .../bc-azure-245.adoc | 45 +++++++++++++++ .../bc-azure-246.adoc | 45 +++++++++++++++ 7 files changed, 327 insertions(+) create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc create mode 100644 docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc new file mode 100644 index 0000000000..6866ee12d3 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-381.adoc @@ -0,0 +1,46 @@ +== AWS CodeGuru Reviewer repository association does not use a Customer Managed Key (CMK) + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/AWSCodeGuruHasCMK.py[CKV_AWS_381] + +|Severity +|LOW + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies AWS CodeGuru Reviewer repository associations that are not configured with a Customer Managed Key (CMK). Using CMK for encryption ensures that you have full control over the encryption keys, enhancing security for your repository data. Relying on default encryption options may not provide the level of security and compliance required for sensitive environments. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_codegurureviewer_repository_association +* *Arguments:* kms_key_details + +To fix this issue, ensure that the `kms_key_details` block is configured with the `encryption_option` set to `CUSTOMER_MANAGED_CMK` in your Terraform configuration. + +[source,go] +---- +resource "aws_codegurureviewer_repository_association" "example" { + ... + kms_key_details { ++ encryption_option = "CUSTOMER_MANAGED_CMK" + } +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc new file mode 100644 index 0000000000..a02c6c21e9 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-383.adoc @@ -0,0 +1,46 @@ +== AWS Bedrock agent is not associated with Bedrock guardrails + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| a531ce58-18f2-439b-863f-601c3ac7f7c4 + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/BedrockGuardrails.py[CKV_AWS_383] + +|Severity +|LOW + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies the AWS Bedrock agent that is not associated with Bedrock guardrails. Amazon Bedrock Guardrails provides governance and compliance controls for generative AI applications, ensuring safe and responsible model use. Associating Guardrails with the Bedrock agent is useful for implementing governance and compliance controls in generative AI applications. Not linking Guardrails to the Bedrock agent raises the risk of non-compliance and harmful AI application outputs. It is recommended that AWS Bedrock agents be associated with Bedrock guardrails to implement safeguards and prevent unwanted behavior from model responses or user messages. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_bedrockagent_agent +* *Arguments:* guardrail_configuration.guardrail_identifier + +To fix this issue, ensure that the `guardrail_configuration` block in your Terraform configuration includes a valid `guardrail_identifier`. + +[source,go] +---- +resource "aws_bedrockagent_agent" "example" { + ... ++ guardrail_configuration { ++ guardrail_identifier = "your-guardrail-id" # Replace with a valid guardrail identifier ++ } +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc new file mode 100644 index 0000000000..7427b2dbe8 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-378.adoc @@ -0,0 +1,45 @@ +== AWS Load Balancer uses HTTP protocol + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/LBTargetGroup.yaml[CKV_AWS_378] + +|Severity +|MEDIUM + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies AWS Load Balancer Target Groups or Listeners configured to use the HTTP protocol. Using HTTP instead of HTTPS for load balancer communication can expose sensitive traffic to interception and compromise. It is a security best practice to ensure that AWS Load Balancers use HTTPS to encrypt data in transit. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_lb_target_group, aws_alb_target_group, aws_lb_listener, aws_alb_listener +* *Arguments:* protocol + +To fix this issue, update the `protocol` attribute for `aws_lb_target_group`, `aws_alb_target_group`, `aws_lb_listener`, or `aws_alb_listener` to use `HTTPS` instead of `HTTP`. + +[source,go] +---- +resource "aws_lb_target_group" "example" { + ... +- protocal = "HTTP" ++ protocol = "HTTPS" +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc new file mode 100644 index 0000000000..f5884c3d20 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382.adoc @@ -0,0 +1,56 @@ +== AWS Security Group allows unrestricted egress traffic + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| TBD + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/SecurityGroupUnrestrictedEgressAny.py[CKV_AWS_382] + +|Severity +|LOW + +|Subtype +|Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies AWS Security Groups that allow unrestricted egress traffic. Allowing unrestricted outbound traffic can lead to data exfiltration and other security risks. As a best practice, egress rules should be explicitly defined to limit outbound traffic to known, trusted destinations. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* aws_security_group +* *Arguments:* egress + +To fix this issue, ensure that the `egress` block in your Terraform configuration is explicitly defined with restricted outbound traffic rules. + +[source,go] +---- +resource "aws_security_group" "example" { + ... +- egress { +- from_port = 0 +- to_port = 0 +- protocol = "-1" +- cidr_blocks = ["0.0.0.0/0"] +- } + ++ egress { ++ from_port = 443 ++ to_port = 443 ++ protocol = "tcp" ++ cidr_blocks = ["10.0.0.0/16"] # Restrict to known, trusted destination ++ } +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc new file mode 100644 index 0000000000..317d9eb604 --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-2-55.adoc @@ -0,0 +1,44 @@ +== Azure Spring Cloud app end-to-end TLS is disabled + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 424a5e77-8997-47d9-b0e0-daaca8b81b01 + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/azure/AzureSpringCloudTLSDisabled.yaml[CKV2_AZURE_55] + +|Severity +|LOW + +|Subtype +|Run,Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies Azure Spring Cloud apps in which end-to-end TLS is disabled. Enabling end-to-end TLS/SSL will secure traffic from ingress controller to apps. After you enable end-to-end TLS and load a cert from the key vault, all communications within Azure Spring Cloud are secured with TLS. As a security best practice, it is recommended to have an end-to-end TLS to secure Spring Cloud apps traffic. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* azurerm_spring_cloud_service, azurerm_spring_cloud_app +* *Arguments:* tls_enabled + +To fix this issue, ensure that the `tls_enabled` attribute is set to `true` in your Terraform configuration for Azure Spring Cloud applications. + +[source,go] +---- +resource "azurerm_spring_cloud_app" "example" { + ... ++ tls_enabled = true +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc new file mode 100644 index 0000000000..fce98217dc --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-245.adoc @@ -0,0 +1,45 @@ +== Azure Container Instance is not configured with virtual network + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| d480c1d2-06b3-4e53-81c9-a21ed83cb5fc + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/AzureContainerInstancePublicIPAddressType.py[CKV_AZURE_245] + +|Severity +|LOW + +|Subtype +|Run,Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +This policy identifies Azure Container Instances (ACI) that are not configured with a virtual network. Making container instances public makes an internet routable network. By deploying container instances into an Azure virtual network, your containers can communicate securely with other resources in the virtual network. So it is recommended to configure all your container instances within a virtual network. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* azurerm_container_group +* *Arguments:* ip_address_type + +To fix this issue, ensure that the `ip_address_type` attribute is set to `Private` or `None` in your Terraform configuration. + +[source,go] +---- +resource "azurerm_container_group" "example" { + ... +- ip_address_type = "Public" ++ ip_address_type = "Private" +} +---- diff --git a/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc new file mode 100644 index 0000000000..f16935231e --- /dev/null +++ b/docs/en/enterprise-edition/policy-reference/azure-policies/azure-networking-policies/bc-azure-246.adoc @@ -0,0 +1,45 @@ +== Azure AKS cluster HTTP application routing enabled + +=== Policy Details + +[width=45%] +[cols="1,1"] +|=== +|Prisma Cloud Policy ID +| 0429670c-5d2d-4d0f-ab33-59eb5e000305 + +|Checkov ID +| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/azure/KubernetesClusterHTTPApplicationRouting.py[CKV_AZURE_246] + +|Severity +|LOW + +|Subtype +|Run,Build + +|Frameworks +|Terraform,Terraform Plan + +|=== + +=== Description + +HTTP application routing configures an Ingress controller in your AKS cluster. As applications are deployed, the solution also creates publicly accessible DNS names for application endpoints. While this makes it easy to access applications that are deployed to your Azure AKS cluster, this add-on is not recommended for production use. + +=== Fix - Buildtime + +*Terraform* + +* *Resource:* azurerm_kubernetes_cluster +* *Arguments:* http_application_routing_enabled + +To fix this issue, ensure that the `http_application_routing_enabled` attribute is set to `false` in your Terraform configuration. + +[source,go] +---- +resource "azurerm_kubernetes_cluster" "example" { + ... +- http_application_routing_enabled = true ++ http_application_routing_enabled = false +} +----