Merge pull request #54 from niaid/auto-update-aws-config-rules
[Auto] Update AWS Config Rules
bensonce authored Sep 23, 2024
2 parents b828f31 + 9798cfc commit de360f6
Showing 4 changed files with 390 additions and 5 deletions.
2 changes: 2 additions & 0 deletions files/pack-rules-list.txt
Expand Up @@ -51,6 +51,8 @@ Operational-Best-Practices-for-ENISA-Cybersecurity-Guide
Operational-Best-Practices-for-Encryption-and-Keys
Operational-Best-Practices-for-FDA-21CFR-Part-11
Operational-Best-Practices-for-FFIEC
Operational-Best-Practices-for-FedRAMP-HighPart1
Operational-Best-Practices-for-FedRAMP-HighPart2
Operational-Best-Practices-for-FedRAMP-Low
Operational-Best-Practices-for-FedRAMP
Operational-Best-Practices-for-Germany-C5
224 changes: 223 additions & 1 deletion files/pack-rules.yaml
@@ -1,4 +1,4 @@
generated_on: '2024-08-01T00:05:28Z'
generated_on: '2024-09-15T00:05:29Z'
packs:
AWS-Control-Tower-Detective-Guardrails:
- autoscaling-launch-config-public-ip-disabled
Expand Down Expand Up @@ -3989,6 +3989,228 @@ packs:
- vpc-sg-open-only-to-authorized-ports
- vpc-vpn-2-tunnels-up
- wafv2-logging-enabled
Operational-Best-Practices-for-FedRAMP-HighPart1:
- access-keys-rotated
- acm-certificate-expiration-check
- alb-http-to-https-redirection-check
- alb-waf-enabled
- api-gw-associated-with-waf
- api-gw-cache-enabled-and-encrypted
- api-gw-execution-logging-enabled
- api-gw-ssl-enabled
- aurora-resources-protected-by-backup-plan
- autoscaling-group-elb-healthcheck-required
- autoscaling-launch-config-public-ip-disabled
- backup-plan-min-frequency-and-min-retention-check
- beanstalk-enhanced-health-reporting-enabled
- cloud-trail-cloud-watch-logs-enabled
- cloud-trail-encryption-enabled
- cloud-trail-log-file-validation-enabled
- cloudtrail-enabled
- cloudtrail-s3-dataevents-enabled
- cloudwatch-alarm-action-check
- cloudwatch-log-group-encrypted
- cmk-backing-key-rotation-enabled
- codebuild-project-envvar-awscred-check
- codebuild-project-logging-enabled
- codebuild-project-source-repo-url-check
- cw-loggroup-retention-period-check
- db-instance-backup-enabled
- dms-replication-not-public
- dynamodb-autoscaling-enabled
- dynamodb-in-backup-plan
- dynamodb-pitr-enabled
- dynamodb-resources-protected-by-backup-plan
- dynamodb-throughput-limit-check
- ebs-in-backup-plan
- ebs-optimized-instance
- ebs-resources-protected-by-backup-plan
- ebs-snapshot-public-restorable-check
- ec2-ebs-encryption-by-default
- ec2-imdsv2-check
- ec2-instance-detailed-monitoring-enabled
- ec2-instance-managed-by-systems-manager
- ec2-instance-no-public-ip
- ec2-instance-profile-attached
- ec2-instances-in-vpc
- ec2-managedinstance-association-compliance-status-check
- ec2-managedinstance-patch-compliance-status-check
- ec2-resources-protected-by-backup-plan
- ec2-stopped-instance
- ec2-volume-inuse-check
- ecs-task-definition-user-for-host-mode-check
- efs-encrypted-check
- efs-in-backup-plan
- efs-resources-protected-by-backup-plan
- elastic-beanstalk-managed-updates-enabled
- elasticache-redis-cluster-automatic-backup-check
- elasticsearch-encrypted-at-rest
- elasticsearch-in-vpc-only
- elasticsearch-logs-to-cloudwatch
- elasticsearch-node-to-node-encryption-check
- elb-acm-certificate-required
- elb-cross-zone-load-balancing-enabled
- elb-deletion-protection-enabled
- elb-logging-enabled
- elb-tls-https-listeners-only
- emr-master-no-public-ip
- encrypted-volumes
- fsx-resources-protected-by-backup-plan
- guardduty-enabled-centralized
- guardduty-non-archived-findings
- iam-customer-policy-blocked-kms-actions
- iam-group-has-users-check
- iam-inline-policy-blocked-kms-actions
- iam-no-inline-policy-check
- iam-password-policy
- iam-policy-no-statements-with-admin-access
- iam-policy-no-statements-with-full-access
- iam-root-access-key-check
- iam-user-group-membership-check
- iam-user-mfa-enabled
- iam-user-no-policies-check
- iam-user-unused-credentials-check
- kms-cmk-not-scheduled-for-deletion
- lambda-concurrency-check
- lambda-dlq-check
- lambda-function-public-access-prohibited
- lambda-inside-vpc
- mfa-enabled-for-iam-console-access
- multi-region-cloudtrail-enabled
- no-unrestricted-route-to-igw
- rds-enhanced-monitoring-enabled
- rds-instance-deletion-protection-enabled
- rds-instance-public-access-check
- rds-logging-enabled
- rds-multi-az-support
- rds-resources-protected-by-backup-plan
- rds-snapshot-encrypted
- rds-snapshots-public-prohibited
- rds-storage-encrypted
- redshift-backup-enabled
- redshift-cluster-configuration-check
- redshift-cluster-kms-enabled
- redshift-cluster-maintenancesettings-check
- redshift-cluster-public-access-check
- redshift-require-tls-ssl
- restricted-common-ports
- restricted-ssh
- s3-account-level-public-access-blocks-periodic
- s3-bucket-default-lock-enabled
- s3-bucket-level-public-access-prohibited
- s3-bucket-logging-enabled
- s3-bucket-public-read-prohibited
- s3-bucket-public-write-prohibited
- s3-bucket-replication-enabled
- s3-bucket-server-side-encryption-enabled
- s3-bucket-ssl-requests-only
- s3-bucket-versioning-enabled
- s3-default-encryption-kms
- s3-version-lifecycle-policy-check
- sagemaker-endpoint-configuration-kms-key-configured
- sagemaker-notebook-instance-kms-key-configured
- sagemaker-notebook-no-direct-internet-access
- securityhub-enabled
- ssm-document-not-public
- subnet-auto-assign-public-ip-disabled
- vpc-sg-open-only-to-authorized-ports
Operational-Best-Practices-for-FedRAMP-HighPart2:
- acm-certificate-expiration-check
- api-gw-cache-enabled-and-encrypted
- api-gw-execution-logging-enabled
- api-gw-ssl-enabled
- aurora-resources-protected-by-backup-plan
- autoscaling-launch-config-public-ip-disabled
- backup-plan-min-frequency-and-min-retention-check
- backup-recovery-point-encrypted
- backup-recovery-point-manual-deletion-disabled
- backup-recovery-point-minimum-retention-check
- cloud-trail-cloud-watch-logs-enabled
- cloud-trail-encryption-enabled
- cloud-trail-log-file-validation-enabled
- cloudtrail-enabled
- cloudtrail-s3-bucket-public-access-prohibited
- cloudtrail-s3-dataevents-enabled
- cloudtrail-security-trail-enabled
- cloudwatch-alarm-action-check
- cloudwatch-log-group-encrypted
- db-instance-backup-enabled
- dynamodb-autoscaling-enabled
- dynamodb-in-backup-plan
- dynamodb-pitr-enabled
- dynamodb-resources-protected-by-backup-plan
- dynamodb-table-encrypted-kms
- ebs-in-backup-plan
- ebs-resources-protected-by-backup-plan
- ec2-ebs-encryption-by-default
- ec2-instance-managed-by-systems-manager
- ec2-instances-in-vpc
- ec2-managedinstance-association-compliance-status-check
- ec2-managedinstance-patch-compliance-status-check
- ec2-resources-protected-by-backup-plan
- efs-encrypted-check
- efs-in-backup-plan
- efs-resources-protected-by-backup-plan
- eks-endpoint-no-public-access
- elasticache-redis-cluster-automatic-backup-check
- elasticsearch-encrypted-at-rest
- elasticsearch-logs-to-cloudwatch
- elb-cross-zone-load-balancing-enabled
- elb-logging-enabled
- emr-master-no-public-ip
- encrypted-volumes
- fsx-resources-protected-by-backup-plan
- guardduty-enabled-centralized
- iam-no-inline-policy-check
- iam-password-policy
- iam-policy-no-statements-with-admin-access
- iam-root-access-key-check
- iam-user-group-membership-check
- iam-user-mfa-enabled
- iam-user-no-policies-check
- iam-user-unused-credentials-check
- inspector-ec2-scan-enabled
- inspector-ecr-scan-enabled
- inspector-lambda-standard-scan-enabled
- kinesis-stream-encrypted
- lambda-dlq-check
- lambda-function-public-access-prohibited
- lambda-inside-vpc
- mfa-enabled-for-iam-console-access
- multi-region-cloudtrail-enabled
- rds-in-backup-plan
- rds-instance-deletion-protection-enabled
- rds-instance-public-access-check
- rds-logging-enabled
- rds-multi-az-support
- rds-resources-protected-by-backup-plan
- rds-snapshot-encrypted
- rds-storage-encrypted
- redshift-backup-enabled
- redshift-cluster-configuration-check
- redshift-cluster-kms-enabled
- redshift-cluster-public-access-check
- restricted-ssh
- s3-bucket-cross-region-replication-enabled
- s3-bucket-logging-enabled
- s3-bucket-replication-enabled
- s3-bucket-server-side-encryption-enabled
- s3-bucket-versioning-enabled
- s3-default-encryption-kms
- s3-resources-protected-by-backup-plan
- s3-version-lifecycle-policy-check
- sagemaker-endpoint-configuration-kms-key-configured
- sagemaker-notebook-instance-kms-key-configured
- sagemaker-notebook-no-direct-internet-access
- secretsmanager-using-cmk
- securityhub-enabled
- sns-encrypted-kms
- subnet-auto-assign-public-ip-disabled
- vpc-default-security-group-closed
- vpc-flow-logs-enabled
- vpc-sg-open-only-to-authorized-ports
- vpc-vpn-2-tunnels-up
- wafv2-logging-enabled
Operational-Best-Practices-for-FedRAMP-Low:
- access-keys-rotated
- acm-certificate-expiration-check
64 changes: 60 additions & 4 deletions managed_rules_locals.tf
Expand Up @@ -214,6 +214,14 @@ locals {
severity = "Medium"
}

aurora-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Aurora DB clusters are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon Aurora DB cluster is not in a logically air-gapped vault within the specified time period."
identifier = "AURORA_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.aurora_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}

aurora-resources-protected-by-backup-plan = {
description = "Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan."
identifier = "AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
Expand Down Expand Up @@ -659,14 +667,14 @@ locals {
description = "Checks if Amazon EventBridge custom event buses have a resource-based policy attached. The rule is NON_COMPLIANT if a custom event bus policy does not have an attached resource-based policy."
identifier = "CUSTOM_EVENTBUS_POLICY_ATTACHED"
resource_types_scope = ["AWS::Events::EventBus"]
severity = "Medium"
severity = "Low"
}

custom-schema-registry-policy-attached = {
description = "Checks if custom Amazon EventBridge schema registries have a resource policy attached. The rule is NON_COMPLIANT for custom schema registries without a resource policy attached."
identifier = "CUSTOM_SCHEMA_REGISTRY_POLICY_ATTACHED"
resource_types_scope = ["AWS::EventSchemas::Registry"]
severity = "Low"
severity = "Medium"
}

cw-loggroup-retention-period-check = {
Expand Down Expand Up @@ -921,6 +929,14 @@ locals {
severity = "Low"
}

ebs-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EBS volume is not in a logically air-gapped vault within the specified time period."
identifier = "EBS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.ebs_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::EC2::Volume"]
severity = "Medium"
}

ebs-resources-protected-by-backup-plan = {
description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan."
identifier = "EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
Expand Down Expand Up @@ -1083,6 +1099,14 @@ locals {
severity = "Medium"
}

ec2-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EC2 instance is not in a logically air-gapped vault within the specified time period."
identifier = "EC2_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.ec2_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Medium"
}

ec2-resources-protected-by-backup-plan = {
description = "Checks if Amazon Elastic Compute Cloud (Amazon EC2) instances are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EC2 instance is not covered by a backup plan."
identifier = "EC2_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
Expand Down Expand Up @@ -1230,7 +1254,7 @@ locals {
}

ecs-task-definition-user-for-host-mode-check = {
description = "Checks for unauthorized permissions in your latest active Amazon Elastic Container Service (Amazon ECS) task definitions that have NetworkMode set to host. The rule is NON_COMPLIANT for task definitions with NetworkMode set to host, and container..."
description = "Checks if Amazon ECS task definitions with host network mode have privileged OR nonroot in the container definition. The rule is NON_COMPLIANT if the latest active revision of a task definition has privileged=false (or is null) AND user=root (or is null)."
identifier = "ECS_TASK_DEFINITION_USER_FOR_HOST_MODE_CHECK"
input_parameters = var.ecs_task_definition_user_for_host_mode_check_parameters
resource_types_scope = ["AWS::ECS::TaskDefinition"]
Expand Down Expand Up @@ -1298,6 +1322,14 @@ locals {
severity = "Medium"
}

efs-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Elastic File System (Amazon EFS) File Systems are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EFS File System is not in a logically air-gapped vault within the specified time period."
identifier = "EFS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.efs_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::EFS::FileSystem"]
severity = "Medium"
}

efs-resources-protected-by-backup-plan = {
description = "Checks if Amazon Elastic File System (Amazon EFS) File Systems are protected by a backup plan. The rule is NON_COMPLIANT if the EFS File System is not covered by a backup plan."
identifier = "EFS_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
Expand Down Expand Up @@ -2771,6 +2803,14 @@ locals {
severity = "Medium"
}

s3-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Simple Storage Service (Amazon S3) buckets are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon S3 bucket is not in a logically air-gapped vault within the specified time period."
identifier = "S3_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.s3_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::S3::Bucket"]
severity = "Medium"
}

s3-resources-protected-by-backup-plan = {
description = "Checks if Amazon Simple Storage Service (Amazon S3) buckets are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon S3 bucket is not covered by a backup plan."
identifier = "S3_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
Expand Down Expand Up @@ -2888,7 +2928,7 @@ locals {
description = "Checks if AWS Service Catalog shares portfolios to an organization (a collection of AWS accounts treated as a single unit) when integration is enabled with AWS Organizations. The rule is NON_COMPLIANT if the Type value of a share is ACCOUNT ."
identifier = "SERVICE_CATALOG_SHARED_WITHIN_ORGANIZATION"
resource_types_scope = ["AWS::ServiceCatalog::Portfolio"]
severity = "Medium"
severity = "High"
}

service-vpc-endpoint-enabled = {
Expand Down Expand Up @@ -2956,6 +2996,14 @@ locals {
severity = "High"
}

storagegateway-resources-in-logically-air-gapped-vault = {
description = "Checks if AWS Storage Gateway volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Storage Gateway volume is not in a logically air-gapped vault within the specified time period."
identifier = "STORAGEGATEWAY_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.storagegateway_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::StorageGateway::Volume"]
severity = "Medium"
}

storagegateway-resources-protected-by-backup-plan = {
description = "Checks if AWS Storage Gateway volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Storage Gateway volume is not covered by a backup plan."
identifier = "STORAGEGATEWAY_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
Expand Down Expand Up @@ -2986,6 +3034,14 @@ locals {
severity = "High"
}

virtualmachine-resources-in-logically-air-gapped-vault = {
description = "Checks if AWS Backup-Gateway VirtualMachines are in a logically air-gapped vault. The rule is NON_COMPLIANT if an AWS Backup-Gateway VirtualMachines is not in a logically air-gapped vault within the specified time period."
identifier = "VIRTUALMACHINE_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.virtualmachine_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::BackupGateway::VirtualMachine"]
severity = "Medium"
}

virtualmachine-resources-protected-by-backup-plan = {
description = "Checks if AWS Backup-Gateway VirtualMachines are protected by a backup plan. The rule is NON_COMPLIANT if the Backup-Gateway VirtualMachine is not covered by a backup plan."
identifier = "VIRTUALMACHINE_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
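Review bot: Each of the seven new `*-resources-in-logically-air-gapped-vault` entries (starting at the `aurora-resources-in-logically-air-gapped-vault` block in the first hunk, and repeated for ebs, ec2, efs, s3, storagegateway and virtualmachine) reads a new `var.<rule>_parameters` input such as `var.aurora_resources_in_logically_air_gapped_vault_parameters`; none of the three files shown declares those variables, so unless the fourth changed file (not visible here) adds the matching `variable` blocks, `terraform validate` will fail on undeclared input variables. The two severity flips in the `@@ -659,14 +667,14 @@` hunk, `custom-eventbus-policy-attached` Medium→Low and `custom-schema-registry-policy-attached` Low→Medium, look like a swap rather than an independent reclassification; since this is an automated pull from the upstream rule catalogue, it is worth confirming against the source before any alerting or triage that keys on severity picks up the change. The `service-catalog-shared-within-organization` raise to High in the later hunk is likewise a downstream-visible change that operators filtering by severity should be told about in the commit message. The enclosing `locals {` block starts and ends outside every hunk.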
