Commit
0 parents
commit 9c9aac3
Showing
46 changed files
with
7,694 additions
and
0 deletions.
@@ -0,0 +1,35 @@ | ||
__pycache__ | ||
this | ||
.idea/ | ||
tmp/ | ||
runner.env | ||
artifacts/ | ||
*~ | ||
*backups | ||
.cache | ||
docker-tag | ||
.tox/ | ||
.*.swp | ||
*.egg-info | ||
wheelhouse/ | ||
test/build/* | ||
PASSED | ||
FAILED | ||
test/.vagrant/* | ||
.pytest_cache | ||
.eggs/ | ||
venv* | ||
/config/ | ||
*.code-workspace | ||
*/build/ | ||
docs/_build/ | ||
.DS_Store | ||
.coverage | ||
.dccache | ||
fixshell/backup_* | ||
fixcore/tools/Assets | ||
out/ | ||
*.iml | ||
**/.hypothesis/ | ||
.sandbox/* | ||
.env |
@@ -0,0 +1,2 @@ | ||
include README.md | ||
recursive-include fixcompliance/data * |
@@ -0,0 +1,2 @@ | ||
# `fixcompliance` | ||
Fix Inventory Compliance Benchmarks and Checks |
@@ -0,0 +1,53 @@ | ||
import os | ||
import json | ||
import time | ||
import threading | ||
from typing import Any, Dict | ||
from pkg_resources import resource_filename | ||
|
||
__version__ = "0.4.1" | ||
|
||
Json = Dict[str, Any] | ||
CACHE_TIMEOUT = 3600 | ||
_cache = {} | ||
_cache_lock = threading.Lock() | ||
|
||
|
||
def benchmarks_from_files() -> Dict[str, Json]: | ||
return _from_files("data/benchmark", add_id=True) | ||
|
||
|
||
def checks_from_files() -> Dict[str, Json]: | ||
return _from_files("data/checks", add_id=False) | ||
|
||
|
||
def _from_files(json_path: str, add_id: bool = False) -> dict[str, Json]: | ||
static_path = os.path.abspath(resource_filename(__package__, json_path)) | ||
result = {} | ||
if os.path.exists(static_path): | ||
for provider in (d.path for d in os.scandir(static_path) if d.is_dir()): | ||
for path in (d.path for d in os.scandir(provider) if d.is_file() and d.name.endswith(".json")): | ||
item_id = os.path.basename(path).rsplit(".", maxsplit=1)[0] | ||
item = cached_json_loads(path) | ||
if add_id: | ||
item["id"] = item_id | ||
result[item_id] = item | ||
return result | ||
|
||
|
||
def cached_json_loads(file_path: str) -> Json: | ||
global _cache | ||
now = time.time() | ||
mtime = os.path.getmtime(file_path) | ||
|
||
cache_entry = _cache.get(file_path) | ||
if cache_entry and cache_entry["mtime"] == mtime and now - cache_entry["cached"] < CACHE_TIMEOUT: | ||
return cache_entry["content"] | ||
else: | ||
with open(file_path, "rt", encoding="utf-8") as f: | ||
content = json.load(f) | ||
with _cache_lock: | ||
cache_entry = _cache.get(file_path) | ||
if not (cache_entry and cache_entry["mtime"] == mtime and now - cache_entry["cached"] < CACHE_TIMEOUT): | ||
_cache[file_path] = {"content": content, "mtime": mtime, "cached": now} | ||
return content |
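Review bot: `_from_files` keys `result` by the file's basename alone (`result[item_id] = item`), so a check or benchmark file carrying the same name under two provider directories silently overwrites the earlier one; at minimum detect the collision, e.g. `if item_id in result: raise ValueError(f"duplicate id {item_id!r} in {path}")`, or fold the provider directory into the key. The dict stored in `result` is the very object held in `_cache`, and `item["id"] = item_id` already mutates it, so any caller that edits a returned entry changes what later callers receive from the cache; either copy on return or document that the returned mappings are shared and must be treated as read-only. `item["id"] = item_id` also assumes the parsed document is a JSON object and would raise `TypeError` on a top-level array, so an `isinstance(item, dict)` check with a clear error naming the offending path would fail faster than the current traceback. `pkg_resources` is deprecated in setuptools; `importlib.resources.files(__package__) / json_path` gives the same path without the import-time cost. The return annotation `dict[str, Json]` on `_from_files` differs from the `Dict[str, Json]` used on its two callers; pick one.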
615 changes: 615 additions & 0 deletions
fixcompliance/data/benchmark/aws/aws_well_architected_framework_security_pillar.json
@@ -0,0 +1,5 @@ | ||
|
||
- SEC02-BP06: check all custom permissions if they allow privilege escalation | ||
e.g. iam:*, (iam:PassRole and ec2:RunInstances), (iam:PassRole and lambda:CreateFunction and lambda:InvokeFunction) | ||
- SEC03-BP07: SQS queue and SNS topic not publicly accessible check is missing (policy) | ||
- SEC04-BP04: Cloudwatch: ensure alerts for log metric filters are configured |
@@ -0,0 +1,17 @@ | ||
{ | ||
"title": "", | ||
"framework": "", | ||
"clouds": ["aws"], | ||
"version": "", | ||
"description": "", | ||
"documentation": "can contain markdown", | ||
"children": [ | ||
{ | ||
"title": "", | ||
"description": "", | ||
"documentation": "can contain markdown", | ||
"checks": [], | ||
"children": [] | ||
} | ||
] | ||
} |
@@ -0,0 +1,33 @@ | ||
{ | ||
"name": "", | ||
"title": "", | ||
"result_kinds": ["result kind returned by the query"], | ||
"categories": [ | ||
"insights", | ||
"security", | ||
"compliance", | ||
"cost" | ||
], | ||
"risk": "", | ||
"severity": "critical|high|medium|low|info", | ||
"url": "", | ||
"detect": { | ||
"fix": "is(resource)", | ||
"fix_cmd": "search is(resource) | do_something", | ||
"sql": "select * from table where column = 'value'" | ||
}, | ||
"remediation": { | ||
"action": { | ||
"aws_cli": null, | ||
"fix": null, | ||
"xxx": null | ||
}, | ||
"text": "", | ||
"url": "", | ||
"complexity": "high|medium|low" | ||
}, | ||
"related": [], | ||
"internal_notes": "" | ||
} | ||
|
||
|
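Review bot: The check template shows a bare check object, but the check files added in this commit wrap their checks as `{"provider": "...", "service": "...", "checks": [...]}` and each check additionally carries a `localizations` map keyed by language code; the template omits both, so a contributor following it would produce a file `_from_files` loads but that does not match the shipped format. Add the wrapper and a `"localizations": {"de": {"title": "", "risk": "", "remediation": ""}}` entry to the template, or state in the README how the template maps onto the per-service files. The `"xxx": null` placeholder under `remediation.action` also reads like a leftover rather than a documented slot; either name the intended key or drop it.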
@@ -0,0 +1,35 @@ | ||
{ | ||
"provider": "aws", | ||
"service": "acm", | ||
"checks": [ | ||
{ | ||
"name": "certificate_transparency_logging_enabled", | ||
"title": "Ensure ACM Certificate Transparency Is Enabled to Enhance Website Security and Detect Unauthorized SSL/TLS Certificates", | ||
"result_kinds": [ | ||
"aws_acm_certificate" | ||
], | ||
"categories": [ | ||
"security", | ||
"compliance" | ||
], | ||
"risk": "Without ACM certificate transparency, the risk of unauthorized SSL/TLS certificates going undetected increases, posing a threat to website and infrastructure security.", | ||
"severity": "medium", | ||
"detect": { | ||
"fix": "is(aws_acm_certificate) and type!=IMPORTED and certificate_transparency_logging!=ENABLED" | ||
}, | ||
"remediation": { | ||
"text": "To fix this issue, select the certificate you want to check in ACM. In the certificate details, look for the 'Certificate Transparency Logging' attribute and ensure it is enabled.", | ||
"url": "https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency", | ||
"complexity": "low" | ||
}, | ||
"url": "https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency", | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass die ACM-Zertifikatstransparenz aktiviert ist, um die Sicherheit der Website zu verbessern und nicht autorisierte SSL/TLS-Zertifikate zu erkennen.", | ||
"risk": "Ohne die ACM-Zertifikatstransparenz besteht ein erhöhtes Risiko, dass nicht autorisierte SSL/TLS-Zertifikate unbemerkt bleiben und eine Bedrohung für die Sicherheit der Website und der Infrastruktur darstellen.", | ||
"remediation": "Um dieses Problem zu beheben, wählen Sie das Zertifikat aus, das Sie überprüfen möchten, in ACM aus. In den Zertifikatdetails suchen Sie nach dem Attribut 'Zertifikatstransparenzprotokollierung' und stellen Sie sicher, dass es aktiviert ist." | ||
} | ||
} | ||
} | ||
] | ||
} |
@@ -0,0 +1,120 @@ | ||
{ | ||
"provider": "aws", | ||
"service": "apigateway", | ||
"checks": [ | ||
{ | ||
"name": "authorizers_enabled", | ||
"title": "Ensure API Gateway Is Configured with Authorizers", | ||
"result_kinds": [ | ||
"aws_apigateway_rest_api" | ||
], | ||
"categories": [ | ||
"security", | ||
"compliance" | ||
], | ||
"risk": "Without a defined authorizer, your service could be exposed to unsanctioned use. This lack of control poses a security risk and can lead to unauthorized access and misuse.", | ||
"severity": "medium", | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html", | ||
"detect": { | ||
"fix": "is(aws_apigateway_rest_api) with(empty, --> is(aws_apigateway_authorizer))" | ||
}, | ||
"remediation": { | ||
"text": "Implement an authorizer by adding an Amazon Cognito user pool or attaching an AWS Lambda function. This will provide controlled access for users interacting with your API.", | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html", | ||
"complexity": "high" | ||
}, | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass das API Gateway mit Authorizern konfiguriert ist", | ||
"risk": "Ohne definierten Authorizer könnte Ihr Service unautorisierten Zugriffen ausgesetzt sein. Diese mangelnde Kontrolle stellt ein Sicherheitsrisiko dar und kann zu unbefugtem Zugriff und Missbrauch führen.", | ||
"remediation": "Implementieren Sie einen Authorizer, indem Sie einen Amazon Cognito Benutzerpool hinzufügen oder eine AWS Lambda Funktion anhängen. Dadurch wird kontrollierter Zugriff für Benutzer ermöglicht, die mit Ihrer API interagieren." | ||
} | ||
} | ||
}, | ||
{ | ||
"name": "client_certificate_enabled", | ||
"title": "Ensure That Client Certificate Is Enabled on API Gateway for Backend Endpoint Access", | ||
"result_kinds": [ | ||
"aws_apigateway_stage" | ||
], | ||
"categories": [ | ||
"security", | ||
"compliance" | ||
], | ||
"risk": "Without client certificate enforcement, potential 'man-in-the-middle' attacks can occur, jeopardizing data integrity and confidentiality. Unsecured API calls may also be intercepted, leading to unauthorized data access.", | ||
"severity": "medium", | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-mutual-tls.html", | ||
"detect": { | ||
"fix": "is(aws_apigateway_stage) and stage_client_certificate_id==null <-[2]- is(aws_apigateway_rest_api)" | ||
}, | ||
"remediation": { | ||
"text": "Enable the client certificate and implement mutual TLS for secure data transit. Mutual TLS is highly recommended for B2B applications, adhering to norms such as Open Banking. Amazon API Gateway provides integral mutual TLS authentication at no additional cost.", | ||
"url": "https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/", | ||
"complexity": "high" | ||
}, | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass das Clientzertifikat für Backend-Endpunktzugriff in der API Gateway aktiviert ist", | ||
"risk": "Ohne Durchsetzung des Clientzertifikats können potenzielle 'Man-in-the-Middle'-Angriffe auftreten, bei denen die Integrität und Vertraulichkeit von Daten gefährdet werden. Nicht gesicherte API-Aufrufe können ebenfalls abgefangen werden, was zu unbefugtem Datenzugriff führt.", | ||
"remediation": "Aktivieren Sie das Clientzertifikat und implementieren Sie Mutual TLS für sicheren Datentransit. Mutual TLS wird für B2B-Anwendungen dringend empfohlen und entspricht Normen wie Open Banking. Amazon API Gateway bietet eine integrierte Mutual TLS-Authentifizierung ohne zusätzliche Kosten." | ||
} | ||
} | ||
}, | ||
{ | ||
"name": "logging_enabled", | ||
"title": "Ensure API Gateway Stages Have Logging Enabled", | ||
"result_kinds": [ | ||
"aws_apigateway_stage" | ||
], | ||
"categories": [ | ||
"compliance" | ||
], | ||
"risk": "Without enabling logging, you compromise on the visibility and traceability of your service usage, potentially missing crucial operational insights, security vulnerabilities, and debugging information.", | ||
"severity": "medium", | ||
"detect": { | ||
"fix": "is(aws_apigateway_stage) and stage_method_settings!={}" | ||
}, | ||
"remediation": { | ||
"text": "To remediate, ensure you enable monitoring in all parts of your AWS solution. Particularly, ensure CloudTrail is active for logging API Gateway actions, which can offer insights like the nature of requests, originating IP address, the executor of the request, and more.", | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html", | ||
"complexity": "low" | ||
}, | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/logging-and-monitoring.html", | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass API Gateway-Stufen das Logging aktiviert haben", | ||
"risk": "Wenn das Logging nicht aktiviert ist, beeinträchtigen Sie die Sichtbarkeit und Nachverfolgbarkeit der Nutzung Ihres Dienstes. Dadurch können wesentliche betriebliche Erkenntnisse, Sicherheitsschwachstellen und Debugging-Informationen übersehen werden.", | ||
"remediation": "Um das Problem zu beheben, stellen Sie sicher, dass Sie die Überwachung in allen Teilen Ihrer AWS-Lösung aktivieren. Stellen Sie insbesondere sicher, dass CloudTrail für das Protokollieren von API Gateway-Aktionen aktiviert ist. Dadurch erhalten Sie Einblicke wie die Art der Anfragen, die IP-Adresse des Ursprungs, den Ausführer der Anfrage und mehr." | ||
} | ||
} | ||
}, | ||
{ | ||
"name": "waf_acl_attached", | ||
"title": "Ensure API Gateway Has a WAF ACL Attached", | ||
"result_kinds": [ | ||
"aws_apigateway_stage" | ||
], | ||
"categories": [ | ||
"security" | ||
], | ||
"risk": "Without a WAF ACL, API Gateway could be exposed to common web threats such as SQL injection and XSS attacks. These could compromise security, affect availability and performance, and consume excessive resources.", | ||
"severity": "medium", | ||
"detect": { | ||
"fix": "is(aws_apigateway_stage) and stage_web_acl_arn==null" | ||
}, | ||
"remediation": { | ||
"text": "Mitigate this risk by using AWS WAF to protect your API Gateway from threats. AWS WAF can block these common web attacks, safeguarding both service performance and security.", | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html", | ||
"complexity": "medium" | ||
}, | ||
"url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html", | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass API Gateway einen WAF ACL angehängt hat.", | ||
"risk": "Ohne einen WAF ACL kann API Gateway gängigen Web-Bedrohungen wie SQL-Injektionen und XSS-Angriffen ausgesetzt sein. Diese könnten die Sicherheit beeinträchtigen, die Verfügbarkeit und Leistung beeinträchtigen und übermäßige Ressourcen verbrauchen.", | ||
"remediation": "Verringern Sie dieses Risiko, indem Sie AWS WAF verwenden, um Ihr API Gateway vor Bedrohungen zu schützen. AWS WAF kann diese gängigen Web-Angriffe blockieren und sowohl die Leistung als auch die Sicherheit des Dienstes schützen." | ||
} | ||
} | ||
} | ||
] | ||
} |
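Review bot: The `logging_enabled` detect query `is(aws_apigateway_stage) and stage_method_settings!={}` appears inverted for a check titled "Ensure API Gateway Stages Have Logging Enabled": a detect query should match the failing resources, and this one matches stages that do have method settings configured while passing stages with none. If that reading is right, the condition should be `stage_method_settings=={}`, or better a predicate on the logging level inside the settings, which the page does not show. The remediation text for the same check talks about enabling CloudTrail, which records control-plane API calls and does not turn on stage execution logging; it should direct the reader to the stage's CloudWatch logging settings, consistent with the `logging-and-monitoring.html` URL already given.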
@@ -0,0 +1,34 @@ | ||
{ | ||
"provider": "aws", | ||
"service": "autoscaling", | ||
"checks": [ | ||
{ | ||
"name": "launch_template_public_ip_disabled", | ||
"title": "Ensure Auto-Scaling Launch Templates Do Not Automatically Assign Public IP Addresses", | ||
"result_kinds": [ | ||
"aws_autoscaling_group" | ||
], | ||
"categories": [ | ||
"security", | ||
"compliance" | ||
], | ||
"risk": "Auto-assigning public IP addresses in Auto Scaling launch templates can lead to unintended public exposure of EC2 instances. This increases the risk of malicious activities such as brute force attacks, data breaches, or unauthorized access, compromising instance security and data integrity.", | ||
"severity": "medium", | ||
"detect": { | ||
"fix": "is(aws_autoscaling_group) with (any, --> is(aws_ec2_launch_template) and launch_template_data.network_interfaces[*].associate_public_ip_address==true)" | ||
}, | ||
"remediation": { | ||
"text": "To fix the issue, modify the Auto Scaling launch template. Set 'AssociatePublicIpAddress' to false for all network interfaces in the launch template. Additionally, ensure instances are launched in private subnets where public access is not required.", | ||
"url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#launch-template-network", | ||
"complexity": "low" | ||
}, | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass Auto Scaling Launch-Vorlagen keine öffentlichen IP-Adressen automatisch zuweisen", | ||
"risk": "Die automatische Zuweisung öffentlicher IP-Adressen in Auto Scaling Launch-Vorlagen kann zu unbeabsichtigter öffentlicher Zugänglichkeit von EC2-Instanzen führen. Dadurch steigt das Risiko von bösartigen Aktivitäten wie Brute-Force-Angriffen, Datenschutzverletzungen oder unberechtigtem Zugriff, was die Sicherheit und Datenintegrität der Instanz gefährdet.", | ||
"remediation": "Um das Problem zu beheben, ändern Sie die Auto Scaling Launch-Vorlage. Setzen Sie 'AssociatePublicIpAddress' für alle Netzwerkschnittstellen in der Launch-Vorlage auf false. Stellen Sie außerdem sicher, dass Instanzen in privaten Subnetzen gestartet werden, wo kein öffentlicher Zugriff erforderlich ist." | ||
} | ||
} | ||
} | ||
] | ||
} |
@@ -0,0 +1,34 @@ | ||
{ | ||
"provider": "aws", | ||
"service": "cloudformation", | ||
"checks": [ | ||
{ | ||
"name": "no_secrets_in_output", | ||
"title": "Ensure There Are No Secrets in CloudFormation Outputs", | ||
"result_kinds": [ | ||
"aws_cloudformation_stack" | ||
], | ||
"categories": [ | ||
"security", | ||
"compliance" | ||
], | ||
"risk": "Using secrets hardcoded into CloudFormation outputs can enable malware and bad actors to gain unauthorized access to other services, leading to potential data breaches and compromised infrastructure.", | ||
"severity": "critical", | ||
"detect": { | ||
"fix_cmd": "search is(aws_cloudformation_stack) | detect-secrets --path stack_outputs --with-secrets" | ||
}, | ||
"remediation": { | ||
"text": "To fix this issue, avoid including secrets in CloudFormation outputs. Instead, use the AWS Secrets Manager service to securely store and retrieve passwords and other sensitive information.", | ||
"url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html", | ||
"complexity": "low" | ||
}, | ||
"localizations": { | ||
"de": { | ||
"title": "Stellen Sie sicher, dass in den CloudFormation-Ausgaben keine Geheimnisse enthalten sind", | ||
"risk": "Die Verwendung von in CloudFormation-Ausgaben fest codierten Geheimnissen kann Malware und bösartigen Akteuren ermöglichen, unbefugten Zugriff auf andere Dienste zu erlangen, was zu potenziellen Datenschutzverletzungen und beeinträchtigter Infrastruktur führen kann.", | ||
"remediation": "Um dieses Problem zu beheben, vermeiden Sie die Verwendung von Geheimnissen in den CloudFormation-Ausgaben. Verwenden Sie stattdessen den AWS Secrets Manager-Dienst, um Passwörter und andere sensitive Informationen sicher zu speichern und abzurufen." | ||
} | ||
} | ||
} | ||
] | ||
} |
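Review bot: The `fix_cmd` for `no_secrets_in_output` passes `--with-secrets` to `detect-secrets`, which, if the flag does what its name suggests, includes the matched secret values in the finding, so every compliance report or export built from this check's results would carry the plaintext secrets the check exists to flag. Unless a downstream consumer needs the values, drop the flag (`search is(aws_cloudformation_stack) | detect-secrets --path stack_outputs`) or record in `internal_notes` why they must be surfaced and how the results are protected. This is also the only check in the commit that uses `fix_cmd` instead of a `fix` query; a one-line `internal_notes` entry explaining why a search query cannot express it would help the next maintainer.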