From 9c9aac3adfd9ec368c50c9421711c85d572c2163 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Lukas=20L=C3=B6sche?= Date: Tue, 5 Mar 2024 17:31:02 +0100 Subject: [PATCH] Initial commit --- .gitignore | 35 + MANIFEST.in | 2 + README.md | 2 + fixcompliance/__init__.py | 53 + .../data/benchmark/aws/aws_cis_1_5.json | 521 +++++++ .../data/benchmark/aws/aws_cis_2_0.json | 514 ++++++ ...architected_framework_security_pillar.json | 615 ++++++++ fixcompliance/data/benchmark/aws/waf_notes.md | 5 + fixcompliance/data/benchmark_template.json | 17 + fixcompliance/data/check_template.json | 33 + fixcompliance/data/checks/aws/aws_acm.json | 35 + .../data/checks/aws/aws_apigateway.json | 120 ++ .../data/checks/aws/aws_autoscaling.json | 34 + .../data/checks/aws/aws_cloudformation.json | 34 + .../data/checks/aws/aws_cloudfront.json | 65 + .../data/checks/aws/aws_cloudtrail.json | 737 +++++++++ .../data/checks/aws/aws_cloudwatch.json | 91 ++ fixcompliance/data/checks/aws/aws_config.json | 62 + fixcompliance/data/checks/aws/aws_dms.json | 31 + .../data/checks/aws/aws_dynamodb.json | 35 + fixcompliance/data/checks/aws/aws_ec2.json | 1380 +++++++++++++++++ fixcompliance/data/checks/aws/aws_ecr.json | 93 ++ fixcompliance/data/checks/aws/aws_ecs.json | 175 +++ fixcompliance/data/checks/aws/aws_efs.json | 65 + fixcompliance/data/checks/aws/aws_eks.json | 92 ++ fixcompliance/data/checks/aws/aws_elb.json | 146 ++ .../data/checks/aws/aws_glacier.json | 34 + fixcompliance/data/checks/aws/aws_iam.json | 946 +++++++++++ fixcompliance/data/checks/aws/aws_kms.json | 93 ++ fixcompliance/data/checks/aws/aws_lambda.json | 185 +++ .../data/checks/aws/aws_opensearch.json | 173 +++ .../data/checks/aws/aws_organizations.json | 35 + fixcompliance/data/checks/aws/aws_rds.json | 152 ++ .../data/checks/aws/aws_redshift.json | 93 ++ .../data/checks/aws/aws_route53.json | 35 + fixcompliance/data/checks/aws/aws_s3.json | 242 +++ .../data/checks/aws/aws_sagemaker.json | 266 ++++ .../data/checks/aws/aws_secretsmanager.json | 125 ++ fixcompliance/data/checks/aws/aws_sns.json | 35 + 
fixcompliance/data/checks/aws/aws_sqs.json | 35 + fixcompliance/data/checks/aws/aws_ssm.json | 126 ++ fixcompliance/data/checks/aws/aws_wafv2.json | 35 + pyproject.toml | 46 + setup.cfg | 7 + test/test_from_files.py | 13 + tox.ini | 26 + 46 files changed, 7694 insertions(+) create mode 100644 .gitignore create mode 100644 MANIFEST.in create mode 100644 README.md create mode 100644 fixcompliance/__init__.py create mode 100644 fixcompliance/data/benchmark/aws/aws_cis_1_5.json create mode 100644 fixcompliance/data/benchmark/aws/aws_cis_2_0.json create mode 100644 fixcompliance/data/benchmark/aws/aws_well_architected_framework_security_pillar.json create mode 100644 fixcompliance/data/benchmark/aws/waf_notes.md create mode 100644 fixcompliance/data/benchmark_template.json create mode 100644 fixcompliance/data/check_template.json create mode 100644 fixcompliance/data/checks/aws/aws_acm.json create mode 100644 fixcompliance/data/checks/aws/aws_apigateway.json create mode 100644 fixcompliance/data/checks/aws/aws_autoscaling.json create mode 100644 fixcompliance/data/checks/aws/aws_cloudformation.json create mode 100644 fixcompliance/data/checks/aws/aws_cloudfront.json create mode 100644 fixcompliance/data/checks/aws/aws_cloudtrail.json create mode 100644 fixcompliance/data/checks/aws/aws_cloudwatch.json create mode 100644 fixcompliance/data/checks/aws/aws_config.json create mode 100644 fixcompliance/data/checks/aws/aws_dms.json create mode 100644 fixcompliance/data/checks/aws/aws_dynamodb.json create mode 100644 fixcompliance/data/checks/aws/aws_ec2.json create mode 100644 fixcompliance/data/checks/aws/aws_ecr.json create mode 100644 fixcompliance/data/checks/aws/aws_ecs.json create mode 100644 fixcompliance/data/checks/aws/aws_efs.json create mode 100644 fixcompliance/data/checks/aws/aws_eks.json create mode 100644 fixcompliance/data/checks/aws/aws_elb.json create mode 100644 fixcompliance/data/checks/aws/aws_glacier.json create mode 100644 
fixcompliance/data/checks/aws/aws_iam.json
create mode 100644 fixcompliance/data/checks/aws/aws_kms.json
create mode 100644 fixcompliance/data/checks/aws/aws_lambda.json
create mode 100644 fixcompliance/data/checks/aws/aws_opensearch.json
create mode 100644 fixcompliance/data/checks/aws/aws_organizations.json
create mode 100644 fixcompliance/data/checks/aws/aws_rds.json
create mode 100644 fixcompliance/data/checks/aws/aws_redshift.json
create mode 100644 fixcompliance/data/checks/aws/aws_route53.json
create mode 100644 fixcompliance/data/checks/aws/aws_s3.json
create mode 100644 fixcompliance/data/checks/aws/aws_sagemaker.json
create mode 100644 fixcompliance/data/checks/aws/aws_secretsmanager.json
create mode 100644 fixcompliance/data/checks/aws/aws_sns.json
create mode 100644 fixcompliance/data/checks/aws/aws_sqs.json
create mode 100644 fixcompliance/data/checks/aws/aws_ssm.json
create mode 100644 fixcompliance/data/checks/aws/aws_wafv2.json
create mode 100644 pyproject.toml
create mode 100644 setup.cfg
create mode 100644 test/test_from_files.py
create mode 100644 tox.ini
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d9f2b93
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,35 @@
+__pycache__
+this
+.idea/
+tmp/
+runner.env
+artifacts/
+*~
+*backups
+.cache
+docker-tag
+.tox/
+.*.swp
+*.egg-info
+wheelhouse/
+test/build/*
+PASSED
+FAILED
+test/.vagrant/*
+.pytest_cache
+.eggs/
+venv*
+/config/
+*.code-workspace
+*/build/
+docs/_build/
+.DS_Store
+.coverage
+.dccache
+fixshell/backup_*
+fixcore/tools/Assets
+out/
+*.iml
+**/.hypothesis/
+.sandbox/*
+.env
diff --git a/MANIFEST.in b/MANIFEST.in
new file mode 100644
index 0000000..2997791
--- /dev/null
+++ b/MANIFEST.in
@@ -0,0 +1,2 @@
+include README.md
+recursive-include fixcompliance/data *
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..007ff16
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# `fixcompliance`
+Fix Inventory Compliance Benchmarks and Checks
diff --git a/fixcompliance/__init__.py b/fixcompliance/__init__.py
new file mode 100644
index 0000000..fe7eeea
--- /dev/null
+++ b/fixcompliance/__init__.py
@@ -0,0 +1,53 @@
+import os
+import json
+import time
+import threading
+from typing import Any, Dict
+from pkg_resources import resource_filename
+
+__version__ = "0.4.1"
+
+Json = Dict[str, Any]
+CACHE_TIMEOUT = 3600
+_cache = {}
+_cache_lock = threading.Lock()
+
+
+def benchmarks_from_files() -> Dict[str, Json]:
+ return _from_files("data/benchmark", add_id=True)
+
+
+def checks_from_files() -> Dict[str, Json]:
+ return _from_files("data/checks", add_id=False)
+
+
+def _from_files(json_path: str, add_id: bool = False) -> dict[str, Json]:
+ static_path = os.path.abspath(resource_filename(__package__, json_path))
+ result = {}
+ if os.path.exists(static_path):
+ for provider in (d.path for d in os.scandir(static_path) if d.is_dir()):
+ for path in (d.path for d in os.scandir(provider) if d.is_file() and d.name.endswith(".json")):
+ item_id = os.path.basename(path).rsplit(".", maxsplit=1)[0]
+ item = cached_json_loads(path)
+ if add_id:
+ item["id"] = item_id
+ result[item_id] = item
+ return result
+
+
+def cached_json_loads(file_path: str) -> Json:
+ global _cache
+ now = time.time()
+ mtime = os.path.getmtime(file_path)
+
+ cache_entry = _cache.get(file_path)
+ if cache_entry and cache_entry["mtime"] == mtime and now - cache_entry["cached"] < CACHE_TIMEOUT:
+ return cache_entry["content"]
+ else:
+ with open(file_path, "rt", encoding="utf-8") as f:
+ content = json.load(f)
+ with _cache_lock:
+ cache_entry = _cache.get(file_path)
+ if not (cache_entry and cache_entry["mtime"] == mtime and now - cache_entry["cached"] < CACHE_TIMEOUT):
+ _cache[file_path] = {"content": content, "mtime": mtime, "cached": now}
+ return content
diff --git a/fixcompliance/data/benchmark/aws/aws_cis_1_5.json b/fixcompliance/data/benchmark/aws/aws_cis_1_5.json
new file mode 100644
index 0000000..b4b3c6d
--- /dev/null
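Review bot: `_from_files` mutates and hands out the same dict object that `cached_json_loads` keeps in the process-wide `_cache` (`item["id"] = item_id`, then `result[item_id] = item`), so any caller that edits a returned benchmark or check silently rewrites what every later call receives for up to `CACHE_TIMEOUT` seconds; copy before exposing it, e.g. `item = dict(cached_json_loads(path))` in `_from_files`, or `return copy.deepcopy(...)` on both exit paths of `cached_json_loads` (which needs an `import copy`). Relatedly, `result[item_id]` keys by bare filename across all provider directories, so `aws/x.json` and a second `<provider>/x.json` would overwrite each other with no error; raising `ValueError` on a duplicate id, or keying by provider and name, would surface that. The `global _cache` statement is unnecessary because `_cache` is only mutated in place, never rebound, and `_from_files` annotates its return as `dict[str, Json]` while its two callers use `Dict[str, Json]`, so pick one spelling. `pkg_resources.resource_filename` is deprecated; `importlib.resources.files(__package__) / json_path` is the stdlib replacement and avoids importing setuptools at runtime.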
+++ b/fixcompliance/data/benchmark/aws/aws_cis_1_5.json 
@@ -0,0 +1,521 @@ +{ + "title": "AWS CIS 1.5", + "framework": "CIS", + "clouds": ["aws"], + "version": "1.5", + "description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.", + "children": [ + { + "title": "Section 1: Access Management", + "description": "This section contains recommendations for configuring identity and access management related options.", + "children": [ + { + "title": "1.1 Maintain current contact details", + "description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.", + "checks": [ + "aws_iam_account_maintain_current_contact_details" + ] + }, + { + "title": "1.2 Ensure security contact information is registered", + "description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.", + "checks": [ + "aws_iam_account_security_contact_information_is_registered" + ] + }, + { + "title": "1.3 Ensure security questions are registered in the AWS account", + "description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.", + "checks": [ + "aws_iam_account_security_questions_are_registered_in_the_aws_account" + ] + }, + { + "title": "1.4 Ensure no 'root' user account access key exists", + "description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. 
It is recommended that all access keys associated with the 'root' user account be removed.", + "checks": [ + "aws_iam_no_root_access_key" + ] + }, + { + "title": "1.5 Ensure MFA is enabled for the 'root' user account", + "description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.", + "checks": [ + "aws_iam_root_mfa_enabled" + ] + }, + { + "title": "1.6 Ensure hardware MFA is enabled for the 'root' user account", + "description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA.", + "checks": [ + "aws_iam_root_hardware_mfa_enabled" + ] + }, + { + "title": "1.7 Eliminate use of the 'root' user for administrative and daily tasks", + "description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.", + "checks": [ + "aws_iam_avoid_root_usage" + ] + }, + { + "title": "1.8 Ensure IAM password policy requires minimum length of 14 or greater", + "description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. 
It is recommended that the password policy require a minimum password length 14.", + "checks": [ + "aws_iam_password_policy_minimum_length_14" + ] + }, + { + "title": "1.9 Ensure IAM password policy prevents password reuse", + "description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.", + "checks": [ + "aws_iam_password_policy_reuse_24" + ] + }, + { + "title": "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password", + "description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.", + "checks": [ + "aws_iam_user_mfa_enabled_console_access" + ] + }, + { + "title": "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password", + "description": "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require.", + "checks": [ + "aws_iam_user_uses_access_keys_console_access" + ] + }, + { + "title": "1.12 Ensure credentials unused for 45 days or greater are disabled", + "description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. 
It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.", + "checks": [ + "aws_iam_disable_old_credentials" + ] + }, + { + "title": "1.13 Ensure there is only one active access key available for any single IAM user", + "description": "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).", + "checks": [ + "aws_iam_user_has_two_active_access_keys" + ] + }, + { + "title": "1.14 Ensure access keys are rotated every 90 days or less", + "description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.", + "checks": [ + "aws_iam_rotate_access_keys_after_90_days" + ] + }, + { + "title": "1.15 Ensure IAM Users Receive Permissions Only Through Groups", + "description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.", + "checks": [ + "aws_iam_policy_attached_only_to_group_or_roles" + ] + }, + { + "title": "1.16 Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached", + "description": "IAM policies are the means by which privileges are granted to users, groups, or roles. 
It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.", + "checks": [ + "aws_iam_policy_with_administrative_privileges_not_in_use" + ] + }, + { + "title": "1.17 Ensure a support role has been created to manage incidents with AWS Support", + "description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.", + "checks": [ + "aws_iam_support_role_exists" + ] + }, + { + "title": "1.18 Ensure IAM instance roles are used for AWS resource access from instances", + "description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.", + "checks": [ + "aws_ec2_instance_profile_attached" + ] + }, + { + "title": "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed", + "description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. 
Additionally, you cannot manage your certificates from the IAM Console.", + "checks": [ + "aws_iam_expired_server_certificates" + ] + }, + { + "title": "1.20 Ensure that IAM Access analyzer is enabled for all regions", + "description": "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.", + "checks": [ + "aws_iam_access_analyzer_enabled" + ] + }, + { + "title": "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments", + "description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. 
Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.", + "checks": [ + "aws_iam_check_saml_providers_sts" + ] + } + ] + }, + { + "title": "Section 2: Storage", + "description": "This section contains recommendations for configuring AWS Storage.", + "children": [ + { + "title": "2.1 Simple Storage Service (S3)", + "description": "This section contains recommendations for configuring AWS Simple Storage Service (S3) Buckets.", + "children": [ + { + "title": "2.1.1 Ensure all S3 buckets employ encryption-at-rest", + "description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.", + "checks": [ + "aws_s3_bucket_default_encryption" + ] + }, + { + "title": "2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests", + "description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.", + "checks": [ + "aws_s3_bucket_secure_transport_policy" + ] + }, + { + "title": "2.1.3 Ensure MFA Delete is enabled on S3 buckets", + "description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.", + "checks": [ + "aws_s3_bucket_no_mfa_delete" + ] + }, + { + "title": "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required", + "description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. 
Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.", + "checks": [ + "aws_s3_macie_is_enabled" + ] + }, + { + "title": "2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'", + "description": "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.", + "checks": [ + "aws_s3_account_level_public_access_blocks" + ] + } + ] + }, + { + "title": "2.2 Elastic Compute Cloud (EC2)", + "description": "This section contains recommendations for configuring AWS Elastic Compute Cloud (EC2).", + "children": [ + { + "title": "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions", + "description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.", + "checks": [ + "aws_ec2_volume_not_encrypted" + ] + } + ] + }, + { + "title": "2.3 Relational Database Service (RDS)", + "description": "This section contains recommendations for configuring AWS Relational Database Services (RDS).", + "children": [ + { + "title": "2.3.1 Ensure that encryption is enabled for RDS Instances", + "description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. 
After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.", + "checks": [ + "aws_rds_storage_encrypted" + ] + }, + { + "title": "2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances", + "description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.", + "checks": [ + "aws_rds_auto_minor_version_upgrade" + ] + }, + { + "title": "2.3.3 Ensure that public access is not given to RDS Instance", + "description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.", + "checks": [ + "aws_rds_no_public_access" + ] + } + ] + }, + { + "title": "2.4 Elastic File System (EFS)", + "description": "This section contains recommendations for configuring AWS Elastic File System (EFS).", + "children": [ + { + "title": "2.4.1 Ensure that encryption is enabled for EFS file systems", + "description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).", + "checks": [ + "aws_efs_storage_encrypted" + ] + } + ] + } + ] + }, + { + "title": "Section 3: Logging", + "description": "This section contains recommendations for configuring AWS logging features.", + "children": [ + { + "title": "3.1 Ensure CloudTrail is enabled in all regions", + "description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. 
The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).", + "checks": [ + "aws_cloudtrail_logging_in_all_regions_enabled" + ] + }, + { + "title": "3.2 Ensure CloudTrail log file validation is enabled", + "description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.", + "checks": [ + "aws_cloudtrail_log_file_validation_enabled" + ] + }, + { + "title": "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible", + "description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.", + "checks": [ + "aws_cloudtrail_logs_s3_bucket_is_not_publicly_accessible" + ] + }, + { + "title": "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs", + "description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. 
In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.", + "checks": [ + "aws_cloudtrail_no_logging_enabled", + "aws_cloudtrail_no_recent_log_event" + ] + }, + { + "title": "3.5 Ensure AWS Config is enabled in all regions", + "description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.", + "checks": [ + "aws_config_enabled_in_all_regions" + ] + }, + { + "title": "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket", + "description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.", + "checks": [ + "aws_cloudtrail_s3_bucket_logging_enabled" + ] + }, + { + "title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs", + "description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. 
AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.", + "checks": [ + "aws_cloudtrail_uses_encryption_at_rest" + ] + }, + { + "title": "3.8 Ensure rotation for customer created symmetric CMKs is enabled", + "description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.", + "checks": [ + "aws_kms_key_rotation_enabled" + ] + }, + { + "title": "3.9 Ensure VPC flow logging is enabled in all VPCs", + "description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.", + "checks": [ + "aws_ec2_vpc_flow_logs_enabled" + ] + }, + { + "title": "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket", + "description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. 
By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
+ "checks": [
+ "aws_cloudtrail_s3_data_events_write_enabled"
+ ]
+ },
+ {
+ "title": "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket",
+ "description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
+ "checks": [
+ "aws_cloudtrail_s3_data_events_read_enabled"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "Section 4: Monitoring",
+ "description": "This section contains recommendations for configuring AWS to assist with monitoring and responding to account activities.",
+ "children": [
+ {
+ "title": "4.1 Ensure a log metric filter and alarm exist for unauthorized API calls",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_unauthorized_api_calls"
+ ]
+ },
+ {
+ "title": "4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_console_login_no_mfa"
+ ]
+ },
+ {
+ "title": "4.3 Ensure a log metric filter and alarm exist for usage of 'root' account",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_root_account_usage"
+ ]
+ },
+ {
+ "title": "4.4 Ensure a log metric filter and alarm exist for IAM policy changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_iam_policy_changes"
+ ]
+ },
+ {
+ "title": "4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_cloud_trail_configuration_changes"
+ ]
+ },
+ {
+ "title": "4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_authentication_failures"
+ ]
+ },
+ {
+ "title": "4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_kms_key_deletion"
+ ]
+ },
+ {
+ "title": "4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_s3_bucket_policy_changes"
+ ]
+ },
+ {
+ "title": "4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_config_configuration_changes"
+ ]
+ },
+ {
+ "title": "4.10 Ensure a log metric filter and alarm exist for security group changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_security_group_changes"
+ ]
+ },
+ {
+ "title": "4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_network_acl_changes"
+ ]
+ },
+ {
+ "title": "4.12 Ensure a log metric filter and alarm exist for changes to network gateways",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_network_gateway_changes"
+ ]
+ },
+ {
+ "title": "4.13 Ensure a log metric filter and alarm exist for route table changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. It is recommended that a metric filter and alarm be established for changes to route tables.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_route_table_changes"
+ ]
+ },
+ {
+ "title": "4.14 Ensure a log metric filter and alarm exist for VPC changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_vpc_changes"
+ ]
+ },
+ {
+ "title": "4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_aws_org_changes"
+ ]
+ },
+ {
+ "title": "4.16 Ensure AWS Security Hub is enabled",
+ "description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. You can also enable integrations with AWS partner security products.",
+ "checks": [
+ "aws_cloudtrail_security_hub_enabled"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "Section 5: Networking",
+ "description": "This section contains recommendations for configuring security-related aspects of AWS Virtual Private Cloud (VPC).",
+ "children": [
+ {
+ "title": "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports",
+ "description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.",
+ "checks": [
+ "aws_ec2_allow_ingress_any_port_ipv4",
+ "aws_ec2_allow_ingress_any_port_ipv6",
+ "aws_ec2_allow_ingress_ssh_port_22_ipv4",
+ "aws_ec2_allow_ingress_ssh_port_22_ipv6",
+ "aws_ec2_allow_ingress_rdp_port_3389_ipv4",
+ "aws_ec2_allow_ingress_rdp_port_3389_ipv6"
+ ]
+ },
+ {
+ "title": "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports",
+ "description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.",
+ "checks": [
+ "aws_ec2_allow_ingress_from_internet_to_any_port_ipv4",
+ "aws_ec2_allow_ingress_from_internet_to_ssh_port_22_ipv4",
+ "aws_ec2_allow_ingress_from_internet_to_rdp_port_3389_ipv4"
+ ]
+ },
+ {
+ "title": "5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports",
+ "description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.",
+ "checks": [
+ "aws_ec2_allow_ingress_from_internet_to_any_port_ipv6",
+ "aws_ec2_allow_ingress_from_internet_to_ssh_port_22_ipv6",
+ "aws_ec2_allow_ingress_from_internet_to_rdp_port_3389_ipv6"
+ ]
+ },
+ {
+ "title": "5.4 Ensure the default security group of every VPC restricts all traffic",
+ "description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.",
+ "checks": [
+ "aws_ec2_default_restrict_traffic"
+ ]
+ },
+ {
+ "title": "5.5 Ensure routing tables for VPC peering are \"least access\"",
+ "description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.",
+ "checks": [
+ "aws_ec2_routing_tables_with_least_privilege"
+ ]
+ },
+ {
+ "title": "5.6 Ensure that EC2 Metadata Service only allows IMDSv2",
+ "description": "When enabling the Metadata Service on AWS EC2 instances, users have the option of using either Instance Metadata Service Version 1 (IMDSv1; a request/response method) or Instance Metadata Service Version 2 (IMDSv2; a session-oriented method).",
+ "checks": [
+ "aws_ec2_instance_uses_imdsv2"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/fixcompliance/data/benchmark/aws/aws_cis_2_0.json b/fixcompliance/data/benchmark/aws/aws_cis_2_0.json
new file mode 100644
index 0000000..670e15e
--- /dev/null
+++ b/fixcompliance/data/benchmark/aws/aws_cis_2_0.json
@@ -0,0 +1,514 @@
+{
+ "title": "AWS CIS 2.0",
+ "framework": "CIS",
+ "clouds": ["aws"],
+ "version": "2.0",
+ "description": "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.",
+ "children": [
+ {
+ "title": "Section 1: Access Management",
+ "description": "This section contains recommendations for configuring identity and access management related options.",
+ "children": [
+ {
+ "title": "1.1 Maintain current contact details",
+ "description": "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.",
+ "checks": [
+ "aws_iam_account_maintain_current_contact_details"
+ ]
+ },
+ {
+ "title": "1.2 Ensure security contact information is registered",
+ "description": "AWS provides customers with the option of specifying the contact information for account's security team. It is recommended that this information be provided.",
+ "checks": [
+ "aws_iam_account_security_contact_information_is_registered"
+ ]
+ },
+ {
+ "title": "1.3 Ensure security questions are registered in the AWS account",
+ "description": "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established.",
+ "checks": [
+ "aws_iam_account_security_questions_are_registered_in_the_aws_account"
+ ]
+ },
+ {
+ "title": "1.4 Ensure no 'root' user account access key exists",
+ "description": "The 'root' user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the 'root' user account be removed.",
+ "checks": [
+ "aws_iam_no_root_access_key"
+ ]
+ },
+ {
+ "title": "1.5 Ensure MFA is enabled for the 'root' user account",
+ "description": "The 'root' user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device.",
+ "checks": [
+ "aws_iam_root_mfa_enabled"
+ ]
+ },
+ {
+ "title": "1.6 Ensure hardware MFA is enabled for the 'root' user account",
+ "description": "The 'root' user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA.",
+ "checks": [
+ "aws_iam_root_hardware_mfa_enabled"
+ ]
+ },
+ {
+ "title": "1.7 Eliminate use of the 'root' user for administrative and daily tasks",
+ "description": "With the creation of an AWS account, a 'root user' is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks.",
+ "checks": [
+ "aws_iam_avoid_root_usage"
+ ]
+ },
+ {
+ "title": "1.8 Ensure IAM password policy requires minimum length of 14 or greater",
+ "description": "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14.",
+ "checks": [
+ "aws_iam_password_policy_minimum_length_14"
+ ]
+ },
+ {
+ "title": "1.9 Ensure IAM password policy prevents password reuse",
+ "description": "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords.",
+ "checks": [
+ "aws_iam_password_policy_reuse_24"
+ ]
+ },
+ {
+ "title": "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password",
+ "description": "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.",
+ "checks": [
+ "aws_iam_user_mfa_enabled_console_access"
+ ]
+ },
+ {
+ "title": "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password",
+ "description": "AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM User credentials you have to determine what type of access they require.",
+ "checks": [
+ "aws_iam_user_uses_access_keys_console_access"
+ ]
+ },
+ {
+ "title": "1.12 Ensure credentials unused for 45 days or greater are disabled",
+ "description": "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 45 or greater days be deactivated or removed.",
+ "checks": [
+ "aws_iam_disable_old_credentials"
+ ]
+ },
+ {
+ "title": "1.13 Ensure there is only one active access key available for any single IAM user",
+ "description": "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).",
+ "checks": [
+ "aws_iam_user_has_two_active_access_keys"
+ ]
+ },
+ {
+ "title": "1.14 Ensure access keys are rotated every 90 days or less",
+ "description": "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated.",
+ "checks": [
+ "aws_iam_rotate_access_keys_after_90_days"
+ ]
+ },
+ {
+ "title": "1.15 Ensure IAM Users Receive Permissions Only Through Groups",
+ "description": "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended.",
+ "checks": [
+ "aws_iam_policy_attached_only_to_group_or_roles"
+ ]
+ },
+ {
+ "title": "1.16 Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached",
+ "description": "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges.",
+ "checks": [
+ "aws_iam_policy_with_administrative_privileges_not_in_use"
+ ]
+ },
+ {
+ "title": "1.17 Ensure a support role has been created to manage incidents with AWS Support",
+ "description": "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support.",
+ "checks": [
+ "aws_iam_support_role_exists"
+ ]
+ },
+ {
+ "title": "1.18 Ensure IAM instance roles are used for AWS resource access from instances",
+ "description": "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources.",
+ "checks": [
+ "aws_ec2_instance_profile_attached"
+ ]
+ },
+ {
+ "title": "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed",
+ "description": "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console.",
+ "checks": [
+ "aws_iam_expired_server_certificates"
+ ]
+ },
+ {
+ "title": "1.20 Ensure that IAM Access analyzer is enabled for all regions",
+ "description": "Enable IAM Access analyzer for IAM policies about all resources in each region. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access. Access Analyzer analyzes only policies that are applied to resources in the same AWS Region.",
+ "checks": [
+ "aws_iam_access_analyzer_enabled"
+ ]
+ },
+ {
+ "title": "1.21 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments",
+ "description": "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations.",
+ "checks": [
+ "aws_iam_check_saml_providers_sts"
+ ]
+ },
+ {
+ "title": "1.22 Ensure access to AWSCloudShellFullAccess is restricted",
+ "description": "AWS CloudShell is a convenient way of running CLI commands against AWS services. A managed IAM policy ('AWSCloudShellFullAccess') provides full access to CloudShell, which allows file upload and download capability between a user's local system and the CloudShell environment. Within the CloudShell environment a user has sudo permissions, and can access the internet. So it is feasible to install file transfer software (for example) and move data from CloudShell to external internet servers.",
+ "checks": [
+ "aws_iam_check_cloudshell_access_restricted"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "Section 2: Storage",
+ "description": "This section contains recommendations for configuring AWS Storage.",
+ "children": [
+ {
+ "title": "2.1 Simple Storage Service (S3)",
+ "description": "This section contains recommendations for configuring AWS Simple Storage Service (S3) Buckets.",
+ "children": [
+ {
+ "title": "2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests",
+ "description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
+ "checks": [
+ "aws_s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "title": "2.1.3 Ensure MFA Delete is enabled on S3 buckets",
+ "description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
+ "checks": [
+ "aws_s3_bucket_no_mfa_delete"
+ ]
+ },
+ {
+ "title": "2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required",
+ "description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
+ "checks": [
+ "aws_s3_macie_is_enabled"
+ ]
+ },
+ {
+ "title": "2.1.5 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'",
+ "description": "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
+ "checks": [
+ "aws_s3_account_level_public_access_blocks"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "2.2 Elastic Compute Cloud (EC2)",
+ "description": "This section contains recommendations for configuring AWS Elastic Compute Cloud (EC2).",
+ "children": [
+ {
+ "title": "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions",
+ "description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
+ "checks": [
+ "aws_ec2_volume_not_encrypted"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "2.3 Relational Database Service (RDS)",
+ "description": "This section contains recommendations for configuring AWS Relational Database Services (RDS).",
+ "children": [
+ {
+ "title": "2.3.1 Ensure that encryption is enabled for RDS Instances",
+ "description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
+ "checks": [
+ "aws_rds_storage_encrypted"
+ ]
+ },
+ {
+ "title": "2.3.2 Ensure Auto Minor Version Upgrade feature is Enabled for RDS Instances",
+ "description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
+ "checks": [
+ "aws_rds_auto_minor_version_upgrade"
+ ]
+ },
+ {
+ "title": "2.3.3 Ensure that public access is not given to RDS Instance",
+ "description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
+ "checks": [
+ "aws_rds_no_public_access"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "2.4 Elastic File System (EFS)",
+ "description": "This section contains recommendations for configuring AWS Elastic File System (EFS).",
+ "children": [
+ {
+ "title": "2.4.1 Ensure that encryption is enabled for EFS file systems",
+ "description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
+ "checks": [
+ "aws_efs_storage_encrypted"
+ ]
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "title": "Section 3: Logging",
+ "description": "This section contains recommendations for configuring AWS logging features.",
+ "children": [
+ {
+ "title": "3.1 Ensure CloudTrail is enabled in all regions",
+ "description": "AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail provides a history of AWS API calls for an account, including API calls made via the Management Console, SDKs, command line tools, and higher-level AWS services (such as CloudFormation).",
+ "checks": [
+ "aws_cloudtrail_logging_in_all_regions_enabled"
+ ]
+ },
+ {
+ "title": "3.2 Ensure CloudTrail log file validation is enabled",
+ "description": "CloudTrail log file validation creates a digitally signed digest file containing a hash of each log that CloudTrail writes to S3. These digest files can be used to determine whether a log file was changed, deleted, or unchanged after CloudTrail delivered the log. It is recommended that file validation be enabled on all CloudTrails.",
+ "checks": [
+ "aws_cloudtrail_log_file_validation_enabled"
+ ]
+ },
+ {
+ "title": "3.3 Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible",
+ "description": "CloudTrail logs a record of every API call made in your AWS account. These logs file are stored in an S3 bucket. It is recommended that the bucket policy or access control list (ACL) applied to the S3 bucket that CloudTrail logs to prevent public access to the CloudTrail logs.",
+ "checks": [
+ "aws_cloudtrail_logs_s3_bucket_is_not_publicly_accessible"
+ ]
+ },
+ {
+ "title": "3.4 Ensure CloudTrail trails are integrated with CloudWatch Logs",
+ "description": "AWS CloudTrail is a web service that records AWS API calls made in a given AWS account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs within a specified S3 bucket for long term analysis, realtime analysis can be performed by configuring CloudTrail to send logs to CloudWatch Logs. For a trail that is enabled in all regions in an account, CloudTrail sends log files from all those regions to a CloudWatch Logs log group. It is recommended that CloudTrail logs be sent to CloudWatch Logs.",
+ "checks": [
+ "aws_cloudtrail_no_logging_enabled",
+ "aws_cloudtrail_no_recent_log_event"
+ ]
+ },
+ {
+ "title": "3.5 Ensure AWS Config is enabled in all regions",
+ "description": "AWS Config is a web service that performs configuration management of supported AWS resources within your account and delivers log files to you. The recorded information includes the configuration item (AWS resource), relationships between configuration items (AWS resources), any configuration changes between resources. It is recommended AWS Config be enabled in all regions.",
+ "checks": [
+ "aws_config_enabled_in_all_regions"
+ ]
+ },
+ {
+ "title": "3.6 Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket",
+ "description": "S3 Bucket Access Logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. It is recommended that bucket access logging be enabled on the CloudTrail S3 bucket.",
+ "checks": [
+ "aws_cloudtrail_s3_bucket_logging_enabled"
+ ]
+ },
+ {
+ "title": "3.7 Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
+ "description": "AWS CloudTrail is a web service that records AWS API calls for an account and makes those logs available to users and resources in accordance with IAM policies. AWS Key Management Service (KMS) is a managed service that helps create and control the encryption keys used to encrypt account data, and uses Hardware Security Modules (HSMs) to protect the security of encryption keys. CloudTrail logs can be configured to leverage server side encryption (SSE) and KMS customer created master keys (CMK) to further protect CloudTrail logs. It is recommended that CloudTrail be configured to use SSE-KMS.",
+ "checks": [
+ "aws_cloudtrail_uses_encryption_at_rest"
+ ]
+ },
+ {
+ "title": "3.8 Ensure rotation for customer created symmetric CMKs is enabled",
+ "description": "AWS Key Management Service (KMS) allows customers to rotate the backing key which is key material stored within the KMS which is tied to the key ID of the Customer Created customer master key (CMK). It is the backing key that is used to perform cryptographic operations such as encryption and decryption. Automated key rotation currently retains all prior backing keys so that decryption of encrypted data can take place transparently. It is recommended that CMK key rotation be enabled for symmetric keys. Key rotation can not be enabled for any asymmetric CMK.",
+ "checks": [
+ "aws_kms_key_rotation_enabled"
+ ]
+ },
+ {
+ "title": "3.9 Ensure VPC flow logging is enabled in all VPCs",
+ "description": "VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. After you've created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. It is recommended that VPC Flow Logs be enabled for packet \"Rejects\" for VPCs.",
+ "checks": [
+ "aws_ec2_vpc_flow_logs_enabled"
+ ]
+ },
+ {
+ "title": "3.10 Ensure that Object-level logging for write events is enabled for S3 bucket",
+ "description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
+ "checks": [
+ "aws_cloudtrail_s3_data_events_write_enabled"
+ ]
+ },
+ {
+ "title": "3.11 Ensure that Object-level logging for read events is enabled for S3 bucket",
+ "description": "S3 object-level API operations such as GetObject, DeleteObject, and PutObject are called data events. By default, CloudTrail trails don't log data events and so it is recommended to enable Object-level logging for S3 buckets.",
+ "checks": [
+ "aws_cloudtrail_s3_data_events_read_enabled"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "Section 4: Monitoring",
+ "description": "This section contains recommendations for configuring AWS to assist with monitoring and responding to account activities.",
+ "children": [
+ {
+ "title": "4.1 Ensure a log metric filter and alarm exist for unauthorized API calls",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for unauthorized API calls.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_unauthorized_api_calls"
+ ]
+ },
+ {
+ "title": "4.2 Ensure a log metric filter and alarm exist for Management Console sign-in without MFA",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for console logins that are not protected by multi-factor authentication (MFA).",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_console_login_no_mfa"
+ ]
+ },
+ {
+ "title": "4.3 Ensure a log metric filter and alarm exist for usage of 'root' account",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for root login attempts.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_root_account_usage"
+ ]
+ },
+ {
+ "title": "4.4 Ensure a log metric filter and alarm exist for IAM policy changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established changes made to Identity and Access Management (IAM) policies.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_iam_policy_changes"
+ ]
+ },
+ {
+ "title": "4.5 Ensure a log metric filter and alarm exist for CloudTrail configuration changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_cloud_trail_configuration_changes"
+ ]
+ },
+ {
+ "title": "4.6 Ensure a log metric filter and alarm exist for AWS Management Console authentication failures",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for failed console authentication attempts.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_authentication_failures"
+ ]
+ },
+ {
+ "title": "4.7 Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for customer created CMKs which have changed state to disabled or scheduled deletion.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_kms_key_deletion"
+ ]
+ },
+ {
+ "title": "4.8 Ensure a log metric filter and alarm exist for S3 bucket policy changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for changes to S3 bucket policies.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_s3_bucket_policy_changes"
+ ]
+ },
+ {
+ "title": "4.9 Ensure a log metric filter and alarm exist for AWS Config configuration changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for detecting changes to CloudTrail's configurations.",
+ "checks": [
+ "aws_cloudtrail_log_metric_filters_config_configuration_changes"
+ ]
+ },
+ {
+ "title": "4.10 Ensure a log metric filter and alarm exist for security group changes",
+ "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. 
Security Groups are a stateful packet filter that controls ingress and egress traffic within a VPC. It is recommended that a metric filter and alarm be established for detecting changes to Security Groups.", + "checks": [ + "aws_cloudtrail_log_metric_filters_security_group_changes" + ] + }, + { + "title": "4.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)", + "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets within a VPC. It is recommended that a metric filter and alarm be established for changes made to NACLs.", + "checks": [ + "aws_cloudtrail_log_metric_filters_network_acl_changes" + ] + }, + { + "title": "4.12 Ensure a log metric filter and alarm exist for changes to network gateways", + "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Network gateways are required to send/receive traffic to a destination outside of a VPC. It is recommended that a metric filter and alarm be established for changes to network gateways.", + "checks": [ + "aws_cloudtrail_log_metric_filters_network_gateway_changes" + ] + }, + { + "title": "4.13 Ensure a log metric filter and alarm exist for route table changes", + "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. Routing tables are used to route network traffic between subnets and to network gateways. 
It is recommended that a metric filter and alarm be established for changes to route tables.", + "checks": [ + "aws_cloudtrail_log_metric_filters_route_table_changes" + ] + }, + { + "title": "4.14 Ensure a log metric filter and alarm exist for VPC changes", + "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is possible to have more than 1 VPC within an account, in addition it is also possible to create a peer connection between 2 VPCs enabling network traffic to route between VPCs. It is recommended that a metric filter and alarm be established for changes made to VPCs.", + "checks": [ + "aws_cloudtrail_log_metric_filters_vpc_changes" + ] + }, + { + "title": "4.15 Ensure a log metric filter and alarm exists for AWS Organizations changes", + "description": "Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms. It is recommended that a metric filter and alarm be established for AWS Organizations changes made in the master AWS Account.", + "checks": [ + "aws_cloudtrail_log_metric_filters_aws_org_changes" + ] + }, + { + "title": "4.16 Ensure AWS Security Hub is enabled", + "description": "Security Hub collects security data from across AWS accounts, services, and supported third-party partner products and helps you analyze your security trends and identify the highest priority security issues. When you enable Security Hub, it begins to consume, aggregate, organize, and prioritize findings from AWS services that you have enabled, such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie. 
You can also enable integrations with AWS partner security products.", + "checks": [ + "aws_cloudtrail_security_hub_enabled" + ] + } + ] + }, + { + "title": "Section 5: Networking", + "description": "This section contains recommendations for configuring security-related aspects of AWS Virtual Private Cloud (VPC).", + "children": [ + { + "title": "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports", + "description": "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.", + "checks": [ + "aws_ec2_allow_ingress_any_port_ipv4", + "aws_ec2_allow_ingress_any_port_ipv6", + "aws_ec2_allow_ingress_ssh_port_22_ipv4", + "aws_ec2_allow_ingress_ssh_port_22_ipv6", + "aws_ec2_allow_ingress_rdp_port_3389_ipv4", + "aws_ec2_allow_ingress_rdp_port_3389_ipv6" + ] + }, + { + "title": "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports", + "description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.", + "checks": [ + "aws_ec2_allow_ingress_from_internet_to_any_port_ipv4", + "aws_ec2_allow_ingress_from_internet_to_ssh_port_22_ipv4", + "aws_ec2_allow_ingress_from_internet_to_rdp_port_3389_ipv4" + ] + }, + { + "title": "5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports", + "description": "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. 
It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.",
+ "checks": [
+ "aws_ec2_allow_ingress_from_internet_to_any_port_ipv6",
+ "aws_ec2_allow_ingress_from_internet_to_ssh_port_22_ipv6",
+ "aws_ec2_allow_ingress_from_internet_to_rdp_port_3389_ipv6"
+ ]
+ },
+ {
+ "title": "5.4 Ensure the default security group of every VPC restricts all traffic",
+ "description": "A VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group. Security groups provide stateful filtering of ingress/egress network traffic to AWS resources. It is recommended that the default security group restrict all traffic.",
+ "checks": [
+ "aws_ec2_default_restrict_traffic"
+ ]
+ },
+ {
+ "title": "5.5 Ensure routing tables for VPC peering are \"least access\"",
+ "description": "Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.",
+ "checks": [
+ "aws_ec2_routing_tables_with_least_privilege"
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/fixcompliance/data/benchmark/aws/aws_well_architected_framework_security_pillar.json b/fixcompliance/data/benchmark/aws/aws_well_architected_framework_security_pillar.json
new file mode 100644
index 0000000..986480f
--- /dev/null
+++ b/fixcompliance/data/benchmark/aws/aws_well_architected_framework_security_pillar.json
@@ -0,0 +1,615 @@
+{
+ "title": "AWS Well-Architected Framework Security Pillar",
+ "framework": "WAF",
+ "clouds": ["aws"],
+ "version": "1.0",
+ "description": "The AWS Well-Architected Framework describes key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, managing user permissions, and establishing controls to detect security events.",
+ "children": [
+ {
+ "title": "Security",
+ "description": "The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, managing user permissions, and establishing controls to detect security events.",
+ "children": [
+ {
+ "title": "SEC01 How do you securely operate your workload?",
+ "description": "To operate your workload securely, you must apply overarching best practices to every area of security. Take requirements and processes that you have defined in operational excellence at an organizational and workload level, and apply them to all areas. Staying up to date with AWS and industry recommendations and threat intelligence helps you evolve your threat model and control objectives. Automating security processes, testing, and validation allow you to scale your security operations.",
+ "children": [
+ {
+ "title": "SEC01-BP01 Separate workloads using accounts",
+ "description": "Establish common guardrails and isolation between environments (such as production, development, and test) and workloads through a multi-account strategy. 
Account-level separation is strongly recommended, as it provides a strong isolation boundary for security, billing, and access.", + "checks": [ + "aws_organizations_account_part_of_organizations" + ] + }, + { + "title": "SEC01-BP02 Secure account root user and properties", + "description": "The root user is the most privileged user in an AWS account, with full administrative access to all resources within the account, and in some cases cannot be constrained by security policies. Disabling programmatic access to the root user, establishing appropriate controls for the root user, and avoiding routine use of the root user helps reduce the risk of inadvertent exposure of the root credentials and subsequent compromise of the cloud environment.", + "checks": [ + "aws_iam_root_hardware_mfa_enabled", + "aws_iam_root_mfa_enabled", + "aws_iam_no_root_access_key" + ] + }, + { + "title": "SEC01-BP03 Identify and validate control objectives", + "description": "Based on your compliance requirements and risks identified from your threat model, derive and validate the control objectives and controls that you need to apply to your workload. Ongoing validation of control objectives and controls help you measure the effectiveness of risk mitigation.", + "checks": [] + }, + { + "title": "SEC01-BP04 Keep up-to-date with security threats", + "description": "To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. 
The Common Vulnerabilities and Exposures (CVE) List list contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.", + "checks": [] + }, + { + "title": "SEC01-BP05 Identify and validate control objectives", + "description": "To help you define and implement appropriate controls, recognize attack vectors by staying up to date with the latest security threats. Consume AWS Managed Services to make it easier to receive notification of unexpected or unusual behavior in your AWS accounts. Investigate using AWS Partner tools or third-party threat information feeds as part of your security information flow. The Common Vulnerabilities and Exposures (CVE) List list contains publicly disclosed cyber security vulnerabilities that you can use to stay up to date.", + "checks": [] + }, + { + "title": "SEC01-BP06 Automate testing and validation of security controls in pipelines", + "description": "Establish secure baselines and templates for security mechanisms that are tested and validated as part of your build, pipelines, and processes. Use tools and automation to test and validate all security controls continuously.", + "checks": [ + "aws_ec2_instance_profile_attached", + "aws_ec2_instance_managed_by_ssm", + "aws_ecr_image_scan_on_push" + ] + }, + { + "title": "SEC01-BP07 Identify threats and prioritize mitigations using a threat model", + "description": "Perform threat modeling to identify and maintain an up-to-date register of potential threats and associated mitigations for your workload. Prioritize your threats and adapt your security control mitigations to prevent, detect, and respond. 
Revisit and maintain this in the context of your workload, and the evolving security landscape.", + "checks": [] + }, + { + "title": "SEC01-BP08 Evaluate and implement new security services and features regularly", + "description": "Evaluate and implement security services and features from AWS and AWS Partners that allow you to evolve the security posture of your workload. The AWS Security Blog highlights new AWS services and features, implementation guides, and general security guidance.", + "checks": [ + "aws_config_enabled_in_all_regions", + "aws_config_remediation_enabled" + ] + } + ] + }, + { + "title": "SEC02 How do you manage identities for people and machines?", + "description": "There are two types of identities you need to manage when approaching operating secure AWS workloads. Understanding the type of identity you need to manage and grant access helps you ensure the right identities have access to the right resources under the right conditions. Human Identities: Your administrators, developers, operators, and end users require an identity to access your AWS environments and applications. These are members of your organization, or external users with whom you collaborate, and who interact with your AWS resources via a web browser, client application, or interactive command-line tools. Machine Identities: Your service applications, operational tools, and workloads require an identity to make requests to AWS services - for example, to read data. These identities include machines running in your AWS environment such as Amazon EC2 instances or AWS Lambda functions. You may also manage machine identities for external parties who need access. 
Additionally, you may also have machines outside of AWS that need access to your AWS environment.", + "children": [ + { + "title": "SEC02-BP01 Use strong sign-in mechanisms", + "description": "Sign-ins (authentication using sign-in credentials) can present risks when not using mechanisms like multi-factor authentication (MFA), especially in situations where sign-in credentials have been inadvertently disclosed or are easily guessed. Use strong sign-in mechanisms to reduce these risks by requiring MFA and strong password policies.", + "checks": [ + "aws_ec2_instance_profile_attached", + "aws_iam_avoid_root_usage", + "aws_iam_no_root_access_key", + "aws_iam_password_policy_lowercase", + "aws_iam_password_policy_minimum_length_14", + "aws_iam_password_policy_number", + "aws_iam_password_policy_reuse_24", + "aws_iam_password_policy_symbol", + "aws_iam_password_policy_uppercase", + "aws_iam_root_mfa_enabled", + "aws_iam_user_hardware_mfa_enabled", + "aws_iam_user_has_two_active_access_keys", + "aws_iam_user_mfa_enabled_console_access", + "aws_iam_user_uses_access_keys_console_access", + "aws_opensearch_domain_uses_cognito_authentication", + "aws_sagemaker_notebook_root_access" + ] + }, + { + "title": "SEC02-BP02 Use temporary credentials", + "description": "When doing any type of authentication, it’s best to use temporary credentials instead of long-term credentials to reduce or eliminate risks, such as credentials being inadvertently disclosed, shared, or stolen.", + "checks": [ + "aws_iam_disable_old_credentials", + "aws_iam_rotate_access_keys_after_90_days", + "aws_iam_unused_access_keys", + "aws_iam_user_has_two_active_access_keys", + "aws_secretsmanager_secret_not_used_90d", + "aws_secretsmanager_secret_not_changed_90d", + "aws_secretsmanager_secret_not_used_90d", + "aws_secretsmanager_secret_rotated_as_scheduled", + "aws_secretsmanager_secret_rotation_enabled" + ] + }, + { + "title": "SEC02-BP03 Store and use secrets securely", + "description": "A workload 
requires an automated capability to prove its identity to databases, resources, and third-party services. This is accomplished using secret access credentials, such as API access keys, passwords, and OAuth tokens. Using a purpose-built service to store, manage, and rotate these credentials helps reduce the likelihood that those credentials become compromised.", + "checks": [ + "aws_cloudformation_no_secrets_in_output", + "aws_ec2_no_secrets_in_instance_user_data", + "aws_ec2_no_secrets_in_launch_template_user_data", + "aws_ecs_no_secrets_in_task_definition_env", + "aws_lambda_no_secrets_in_variables", + "aws_ssm_no_secrets_in_content" + ] + }, + { + "title": "SEC02-BP04 Rely on a centralized identity provider", + "description": "For workforce identities, rely on an identity provider that enables you to manage identities in a centralized place. This makes it easier to manage access across multiple applications and services, because you are creating, managing, and revoking access from a single location. For example, if someone leaves your organization, you can revoke access for all applications and services (including AWS) from one location. This reduces the need for multiple credentials and provides an opportunity to integrate with existing human resources (HR) processes. For federation with individual AWS accounts, you can use centralized identities for AWS with a SAML 2.0-based provider with AWS Identity and Access Management. You can use any provider— whether hosted by you in AWS, external to AWS, or supplied by the AWS Partner—that is compatible with the SAML 2.0 protocol. You can use federation between your AWS account and your chosen provider to grant a user or application access to call AWS API operations by using a SAML assertion to get temporary security credentials. Web-based single sign-on is also supported, allowing users to sign in to the AWS Management Console from your sign in website. 
For federation to multiple accounts in your AWS Organizations, you can configure your identity source in AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center), and specify where your users and groups are stored. Once configured, your identity provider is your source of truth, and information can be synchronized using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. You can then look up users or groups and grant them IAM Identity Center access to AWS accounts, cloud applications, or both. IAM Identity Center integrates with AWS Organizations, which enables you to configure your identity provider once and then grant access to existing and new accounts managed in your organization. IAM Identity Center provides you with a default store, which you can use to manage your users and groups. If you choose to use the IAM Identity Center store, create your users and groups and assign their level of access to your AWS accounts and applications, keeping in mind the best practice of least privilege. Alternatively, you can choose to Connect to Your External Identity Provider using SAML 2.0, or Connect to Your Microsoft AD Directory using AWS Directory Service. Once configured, you can sign into the AWS Management Console, or the AWS mobile app, by authenticating through your central identity provider. For managing end-users or consumers of your workloads, such as a mobile app, you can use Amazon Cognito. It provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with sign-in credentials, or through a third party, such as Amazon, Apple, Facebook, or Google.", + "checks": [ + ] + }, + { + "title": "SEC02-BP05 Audit and rotate credentials periodically", + "description": "Audit and rotate credentials periodically to limit how long the credentials can be used to access your resources. 
Long-term credentials create many risks, and these risks can be reduced by rotating long-term credentials regularly.", + "checks": [ + "aws_iam_rotate_access_keys_after_90_days", + "aws_kms_key_rotation_enabled", + "aws_secretsmanager_secret_rotation_enabled" + ] + }, + { + "title": "SEC02-BP06 Audit and rotate credentials periodically", + "description": "As the number of users you manage grows, you will need to determine ways to organize them so that you can manage them at scale. Place users with common security requirements in groups defined by your identity provider, and put mechanisms in place to ensure that user attributes that may be used for access control (for example, department or location) are correct and updated. Use these groups and attributes to control access, rather than individual users. This allows you to manage access centrally by changing a user's group membership or attributes once with a permission set, rather than updating many individual policies when a user's access needs change. You can use AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) to manage user groups and attributes. IAM Identity Center supports most commonly used attributes whether they are entered manually during user creation or automatically provisioned using a synchronization engine, such as defined in the System for Cross-Domain Identity Management (SCIM) specification.", + "checks": [ + "aws_iam_policy_attached_only_to_group_or_roles" + ] + } + ] + }, + { + "title": "SEC03 How do you manage permissions for people and machines?", + "description": "Manage permissions to control access to people and machine identities that require access to AWS and your workload. Permissions control who can access what, and under what conditions.", + "children": [ + { + "title": "SEC03-BP01 Define access requirements", + "description": "Each component or resource of your workload needs to be accessed by administrators, end users, or other components. 
Have a clear definition of who or what should have access to each component, choose the appropriate identity type and method of authentication and authorization.", + "checks": [ + "aws_ec2_instance_uses_imdsv2", + "aws_ec2_instance_profile_attached", + "aws_cloudwatch_cross_account_sharing_enabled", + "aws_ecs_host_mode_not_privileged_nor_root" + ] + }, + { + "title": "SEC03-BP02 Grant least privilege access", + "description": "It's a best practice to grant only the access that identities require to perform specific actions on specific resources under specific conditions. Use group and identity attributes to dynamically set permissions at scale, rather than defining permissions for individual users. Users should only have the permissions required to do their job. Users should only be given access to production environments to perform a specific task within a limited time period, and access should be revoked once that task is complete. Permissions should be revoked when no longer needed, including when a user moves onto a different project or job function. Administrator privileges should be given only to a small group of trusted administrators. Permissions should be reviewed regularly to avoid permission creep. Machine or system accounts should be given the smallest set of permissions needed to complete their tasks.", + "checks": [ + "aws_ec2_instance_profile_attached", + "aws_ecs_writable_root_filesystem_in_ecs_tasks", + "aws_iam_group_inline_policy_no_star_star", + "aws_iam_policy_with_administrative_privileges_not_in_use", + "aws_iam_role_inline_policy_no_star_star", + "aws_iam_user_inline_policy_no_star_star", + "aws_opensearch_domain_does_not_use_internal_user_database" + ] + }, + { + "title": "SEC03-BP03 Establish emergency access process", + "description": "A process that allows emergency access to your workload in the unlikely event of an automated process or pipeline issue. 
This will help you rely on least privilege access, but ensure users can obtain the right level of access when they require it. For example, establish a process for administrators to verify and approve their request, such as an emergency AWS cross-account role for access, or a specific process for administrators to follow to validate and approve an emergency request.", + "checks": [ + "aws_iam_account_maintain_current_contact_details", + "aws_iam_account_security_contact_information_is_registered", + "aws_iam_account_security_questions_are_registered_in_the_aws_account" + ] + }, + { + "title": "SEC03-BP04 Reduce permissions continuously", + "description": "As your teams determine what access is required, remove unneeded permissions and establish review processes to achieve least privilege permissions. Continually monitor and remove unused identities and permissions for both human and machine access. Permission policies should adhere to the least privilege principle. As job duties and roles become better defined, your permission policies need to be reviewed to remove unnecessary permissions. This approach lessens the scope of impact should credentials be inadvertently exposed or otherwise accessed without authorization.", + "checks": [ + "aws_iam_policy_with_administrative_privileges_not_in_use" + ] + }, + { + "title": "SEC03-BP05 Define permission guardrails for your organization", + "description": "Establish common controls that restrict access to all identities in your organization. 
For example, you can restrict access to specific AWS Regions, or prevent your operators from deleting common resources, such as an IAM role used for your central security team.", + "checks": [ + "aws_iam_disable_old_credentials", + "aws_iam_unused_access_keys", + "aws_organizations_account_part_of_organizations" + ] + }, + { + "title": "SEC03-BP06 Manage access based on lifecycle", + "description": "Integrate access controls with operator and application lifecycle and your centralized federation provider. For example, remove a user's access when they leave the organization or change roles. AWS RAM, access to shared resources is automatically granted or revoked as accounts are moved in and out of the Organization or Organization Unit with which they are shared. This helps ensure that resources are only shared with the accounts that you intend.", + "checks": [ + "aws_cloudwatch_log_group_retention_days_at_least_365", + "aws_dms_public_ip_address", + "aws_ec2_unused_elastic_ip", + "aws_ecr_repository_lifecycle_policy_enabled", + "aws_elb_alb_has_no_listeners", + "aws_elb_elb_has_no_listeners", + "aws_iam_password_policy_expire_90", + "aws_iam_rotate_access_keys_after_90_days", + "aws_iam_unused_access_keys" + ] + }, + { + "title": "SEC03-BP07 Analyze public and cross-account access", + "description": "Continually monitor findings that highlight public and cross-account access. Reduce public access and cross-account access to only the specific resources that require this access. Know which of your AWS resources are shared and with whom. 
Continually monitor and audit your shared resources to verify they are shared with only authorized principals.", + "checks": [ + "aws_autoscaling_launch_template_public_ip_disabled", + "aws_cloudtrail_logs_s3_bucket_is_not_publicly_accessible", + "aws_dms_public_ip_address", + "aws_ec2_image_public", + "aws_ec2_instance_in_vpc", + "aws_ec2_public_ip_address", + "aws_ec2_snapshot_encrypted", + "aws_ec2_volume_not_encrypted", + "aws_ec2_wide_open_ipv4_security_group", + "aws_ecr_repository_prohibit_public_access", + "aws_efs_not_publicly_accessible", + "aws_eks_cluster_endpoint_restrict_public_access", + "aws_glacier_vaults_policy_public_access", + "aws_kms_cmk_policy_prohibit_public_access", + "aws_lambda_cors_policy", + "aws_lambda_function_in_vpc", + "aws_lambda_function_restrict_public_access", + "aws_opensearch_domain_is_not_publicly_accessible", + "aws_redshift_cluster_publicly_accessible", + "aws_rds_no_public_access", + "aws_rds_snapshot_not_public", + "aws_sagemaker_notebook_with_direct_internet_access", + "aws_s3_account_level_public_access_blocks", + "aws_s3_bucket_policy_public_write_access", + "aws_s3_public_bucket", + "aws_secretsmanager_secret_not_used_90d", + "aws_ssm_document_is_shared" + ] + }, + { + "title": "SEC03-BP08 Share resources securely within your organization", + "description": "As the number of workloads grows, you might need to share access to resources in those workloads or provision the resources multiple times across multiple accounts. You might have constructs to compartmentalize your environment, such as having development, testing, and production environments. However, having separation constructs does not limit you from being able to share securely. 
By sharing components that overlap, you can reduce operational overhead and allow for a consistent experience without guessing what you might have missed while creating the same resource multiple times.",
+ "checks": [
+ "aws_dms_public_ip_address",
+ "aws_ec2_instance_in_vpc",
+ "aws_lambda_function_in_vpc",
+ "aws_lambda_publicly_accessible_permissions",
+ "aws_opensearch_domain_is_not_publicly_accessible",
+ "aws_sagemaker_notebook_with_direct_internet_access",
+ "aws_secretsmanager_secret_not_used_90d",
+ "aws_ssm_no_secrets_in_content"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "SEC04 How do you detect and investigate security events?",
+ "description": "Capture and analyze events from logs and metrics to gain visibility. Take action on security events and potential threats to help secure your workload.",
+ "children": [
+ {
+ "title": "SEC04-BP01 Configure service and application logging",
+ "description": "Retain security event logs from services and applications. This is a fundamental principle of security for audit, investigations, and operational use cases, and a common security requirement driven by governance, risk, and compliance (GRC) standards, policies, and procedures.An organization should be able to reliably and consistently retrieve security event logs from AWS services and applications in a timely manner when required to fulfill an internal process or obligation, such as a security incident response. 
Consider centralizing logs for better operational results.",
+ "checks": [
+ "aws_apigateway_logging_enabled",
+ "aws_cloudfront_distribution_logging_enabled",
+ "aws_cloudtrail_log_file_validation_enabled",
+ "aws_cloudtrail_no_logging_enabled",
+ "aws_cloudtrail_lambda_logging_enabled",
+ "aws_cloudtrail_s3_data_events_read_enabled",
+ "aws_cloudtrail_s3_data_events_write_enabled",
+ "aws_acm_certificate_transparency_logging_enabled",
+ "aws_ec2_vpc_flow_logs_enabled",
+ "aws_eks_cluster_control_plane_audit_logging_enabled",
+ "aws_elb_logging_enabled",
+ "aws_opensearch_audit_logs_enabled",
+ "aws_rds_db_instance_cloudwatch_logs_enabled",
+ "aws_redshift_cluster_audit_logging_enabled",
+ "aws_route53_zone_query_logging_enabled",
+ "aws_s3_bucket_object_logging_enabled"
+ ]
+ },
+ {
+ "title": "SEC04-BP02 Analyze logs, findings, and metrics centrally",
+ "description": "Security operations teams rely on the collection of logs and the use of search tools to discover potential events of interest, which might indicate unauthorized activity or unintentional change. However, simply analyzing collected data and manually processing information is insufficient to keep up with the volume of information flowing from complex architectures. Analysis and reporting alone don’t facilitate the assignment of the right resources to work an event in a timely fashion.",
+ "checks": [
+ "aws_cloudtrail_logging_in_all_regions_enabled",
+ "aws_rds_db_instance_cloudwatch_logs_enabled",
+ "aws_ec2_vpc_flow_logs_enabled",
+ "aws_wafv2_web_acl_logging_enabled",
+ "aws_cloudtrail_logging_in_all_regions_enabled",
+ "aws_redshift_cluster_audit_logging_enabled",
+ "aws_config_enabled_in_all_regions"
+ ]
+ },
+ {
+ "title": "SEC04-BP03 Automate response to events",
+ "description": "Using automation to investigate and remediate events reduces human effort and error, and allows you to scale investigation capabilities. Regular reviews will help you tune automation tools, and continuously iterate. 
In AWS, investigating events of interest and information on potentially unexpected changes into an automated workflow can be achieved using Amazon EventBridge. This service provides a scalable rules engine designed to broker both native AWS event formats (such as AWS CloudTrail events), as well as custom events you can generate from your application. Amazon GuardDuty also allows you to route events to a workflow system for those building incident response systems (AWS Step Functions), or to a central Security Account, or to a bucket for further analysis.",
+ "checks": [
+ "aws_cloudtrail_logging_in_all_regions_enabled",
+ "aws_cloudtrail_logging_in_all_regions_enabled",
+ "aws_ec2_vpc_flow_logs_enabled",
+ "aws_elb_logging_enabled",
+ "aws_rds_db_instance_cloudwatch_logs_enabled",
+ "aws_redshift_cluster_audit_logging_enabled",
+ "aws_wafv2_web_acl_logging_enabled"
+ ]
+ },
+ {
+ "title": "SEC04-BP04 Implement actionable security events",
+ "description": "Create alerts that are sent to and can be actioned by your team. Ensure that alerts include relevant information for the team to take action. For each detective mechanism you have, you should also have a process, in the form of a runbook or playbook, to investigate. For example, when you enable Amazon GuardDuty, it generates different findings. 
You should have a runbook entry for each finding type, for example, if a trojan is discovered, your runbook has simple instructions that instruct someone to investigate and remediate.",
+ "checks": []
+ }
+ ]
+ },
+ {
+ "title": "SEC05 How do you protect your network resources?",
+ "description": "Any workload that has some form of network connectivity, whether it's the internet or a private network, requires multiple layers of defense to help protect from external and internal network-based threats.",
+ "children": [
+ {
+ "title": "SEC05-BP01 Create network layers",
+ "description": "Group components that share sensitivity requirements into layers to minimize the potential scope of impact of unauthorized access. For example, a database cluster in a virtual private cloud (VPC) with no need for internet access should be placed in subnets with no route to or from the internet. Traffic should only flow from the adjacent next least sensitive resource. Consider a web application sitting behind a load balancer. Your database should not be accessible directly from the load balancer. Only the business logic or web server should have direct access to your database.",
+ "checks": [
+ "aws_apigateway_waf_acl_attached",
+ "aws_cloudfront_distribution_waf_enabled",
+ "aws_ec2_instance_in_vpc",
+ "aws_eks_cluster_endpoint_restrict_public_access",
+ "aws_lambda_publicly_accessible_permissions",
+ "aws_opensearch_domain_is_not_publicly_accessible",
+ "aws_sagemaker_model_isolation_enabled",
+ "aws_sagemaker_model_vpc_settings_enabled",
+ "aws_sagemaker_notebook_vpc_settings_enabled",
+ "aws_sagemaker_training_job_vpc_settings_enabled",
+ "aws_elb_waf_enabled"
+ ]
+ },
+ {
+ "title": "SEC05-BP02 Control traffic at all layers",
+ "description": "When architecting your network topology, you should examine the connectivity requirements of each component. 
For example, if a component requires internet accessibility (inbound and outbound), connectivity to VPCs, edge services, and external data centers. A VPC allows you to define your network topology that spans an AWS Region with a private IPv4 address range that you set, or an IPv6 address range AWS selects. You should apply multiple controls with a defense in depth approach for both inbound and outbound traffic, including the use of security groups (stateful inspection firewall), Network ACLs, subnets, and route tables. Within a VPC, you can create subnets in an Availability Zone. Each subnet can have an associated route table that defines routing rules for managing the paths that traffic takes within the subnet. You can define an internet routable subnet by having a route that goes to an internet or NAT gateway attached to the VPC, or through another VPC.",
+ "checks": [
+ "aws_apigateway_authorizers_enabled",
+ "aws_dms_public_ip_address",
+ "aws_ec2_default_restrict_traffic",
+ "aws_ec2_public_ip_address",
+ "aws_ec2_snapshot_encrypted",
+ "aws_ec2_subnet_auto_assign_public_ip_disabled",
+ "aws_s3_account_level_public_access_blocks",
+ "aws_s3_bucket_no_mfa_delete",
+ "aws_sagemaker_notebook_with_direct_internet_access"
+ ]
+ },
+ {
+ "title": "SEC05-BP03 Automate network protection",
+ "description": "Automate protection mechanisms to provide a self-defending network based on threat intelligence and anomaly detection. For example, intrusion detection and prevention tools that can adapt to current threats and reduce their impact. 
A web application firewall is an example of where you can automate network protection, for example, by using the AWS WAF Security Automations solution to automatically block requests originating from IP addresses associated with known threat actors.",
+ "checks": [
+ "aws_ec2_allow_ingress_from_internet_to_any_port",
+ "aws_ec2_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+ "aws_ec2_allow_ingress_from_internet_to_ssh_port_22",
+ "aws_ec2_allow_ingress_from_internet_to_ftp_port_20_21",
+ "aws_ec2_allow_ingress_from_internet_to_rdp_port_3389",
+ "aws_ec2_allow_ingress_from_internet_to_port_mongodb_27017_27018",
+ "aws_ec2_allow_ingress_from_internet_to_cassandra_ports",
+ "aws_ec2_allow_ingress_from_internet_to_kibana_ports",
+ "aws_ec2_allow_ingress_from_internet_to_kafka_ports",
+ "aws_ec2_allow_ingress_from_internet_to_memcached_ports",
+ "aws_ec2_allow_ingress_from_internet_to_mysql_ports",
+ "aws_ec2_allow_ingress_from_internet_to_oracledb",
+ "aws_ec2_allow_ingress_from_internet_to_postgresql_ports",
+ "aws_ec2_allow_ingress_from_internet_to_redis_ports",
+ "aws_ec2_allow_ingress_from_internet_to_sql_server_ports",
+ "aws_ec2_allow_ingress_from_internet_to_telnet_ports",
+ "aws_ec2_default_restrict_traffic",
+ "aws_dms_public_ip_address",
+ "aws_ec2_subnet_auto_assign_public_ip_disabled",
+ "aws_elb_waf_enabled",
+ "aws_apigateway_waf_acl_attached"
+ ]
+ },
+ {
+ "title": "SEC05-BP04 Implement inspection and protection",
+ "description": "Inspect and filter your traffic at each layer. You can inspect your VPC configurations for potential unintended access using VPC Network Access Analyzer. You can specify your network access requirements and identify potential network paths that do not meet them. For components transacting over HTTP-based protocols, a web application firewall can help protect from common attacks. 
AWS WAF is a web application firewall that lets you monitor and block HTTP(s) requests that match your configurable rules that are forwarded to an Amazon API Gateway API, Amazon CloudFront, or an Application Load Balancer. To get started with AWS WAF, you can use AWS Managed Rules in combination with your own, or use existing partner integrations.",
+ "checks": [
+ "aws_iam_guardduty_enabled",
+ "aws_ec2_vpc_flow_logs_enabled",
+ "aws_apigateway_authorizers_enabled"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "SEC06 How do you protect your compute resources?",
+ "description": "Compute resources in your workload require multiple layers of defense to help protect from external and internal threats. Compute resources include EC2 instances, containers, AWS Lambda functions, database services, IoT devices, and more.",
+ "children": [
+ {
+ "title": "SEC06-BP01 Perform vulnerability management",
+ "description": "Frequently scan and patch for vulnerabilities in your code, dependencies, and in your infrastructure to help protect against new threats. Create and maintain a vulnerability management program. Regularly scan and patch resources such as Amazon EC2 instances, Amazon Elastic Container Service (Amazon ECS) containers, and Amazon Elastic Kubernetes Service (Amazon EKS) workloads. Configure maintenance windows for AWS managed resources, such as Amazon Relational Database Service (Amazon RDS) databases. Use static code scanning to inspect application source code for common issues. 
Consider web application penetration testing if your organization has the requisite skills or can hire outside assistance.",
+ "checks": [
+ "aws_cloudtrail_log_file_validation_enabled",
+ "aws_cloudtrail_logging_in_all_regions_enabled",
+ "aws_ec2_instance_uses_imdsv2",
+ "aws_ec2_internet_facing_with_instance_profile",
+ "aws_opensearch_update_available",
+ "aws_rds_auto_minor_version_upgrade",
+ "aws_redshift_version_upgrade_enabled",
+ "aws_ssm_managed_instance_compliance_patch_compliant",
+ "aws_ssm_resource_non_compliant"
+ ]
+ },
+ {
+ "title": "SEC06-BP02 Reduce attack surface",
+ "description": "Reduce your exposure to unintended access by hardening operating systems and minimizing the components, libraries, and externally consumable services in use. Start by reducing unused components, whether they are operating system packages or applications, for Amazon Elastic Compute Cloud (Amazon EC2)-based workloads, or external software modules in your code, for all workloads. You can find many hardening and security configuration guides for common operating systems and server software. For example, you can start with the Center for Internet Security and iterate.",
+ "checks": [
+ "aws_ecr_image_scan_on_push",
+ "aws_ecs_ecs_cluster_container_insights_enabled",
+ "aws_ecs_ecs_service_fargate_using_latest_platform_version",
+ "aws_lambda_function_in_vpc",
+ "aws_lambda_publicly_accessible_permissions"
+ ]
+ },
+ {
+ "title": "SEC06-BP03 Implement managed services",
+ "description": "Implement services that manage resources, such as Amazon Relational Database Service (Amazon RDS), AWS Lambda, and Amazon Elastic Container Service (Amazon ECS), to reduce your security maintenance tasks as part of the shared responsibility model. For example, Amazon RDS helps you set up, operate, and scale a relational database, automates administration tasks such as hardware provisioning, database setup, patching, and backups. 
This means you have more free time to focus on securing your application in other ways described in the AWS Well-Architected Framework. Lambda lets you run code without provisioning or managing servers, so you only need to focus on the connectivity, invocation, and security at the code level–not the infrastructure or operating system.",
+ "checks": []
+ },
+ {
+ "title": "SEC06-BP04 Automate compute protection",
+ "description": "Automate your protective compute mechanisms including vulnerability management, reduction in attack surface, and management of resources. The automation will help you invest time in securing other aspects of your workload, and reduce the risk of human error.",
+ "checks": [
+ "aws_ec2_instance_profile_attached",
+ "aws_ec2_instance_stopped_since_30d",
+ "aws_ec2_internet_facing_with_instance_profile",
+ "aws_ec2_instance_managed_by_ssm"
+ ]
+ },
+ {
+ "title": "SEC06-BP05 Enable people to perform actions at a distance",
+ "description": "Removing the ability for interactive access reduces the risk of human error, and the potential for manual configuration or management. For example, use a change management workflow to deploy Amazon Elastic Compute Cloud (Amazon EC2) instances using infrastructure-as-code, then manage Amazon EC2 instances using tools such as AWS Systems Manager instead of allowing direct access or through a bastion host. AWS Systems Manager can automate a variety of maintenance and deployment tasks, using features including automation workflows, documents (playbooks), and the run command. 
AWS CloudFormation stacks build from pipelines and can automate your infrastructure deployment and management tasks without using the AWS Management Console or APIs directly.",
+ "checks": [
+ "aws_ec2_instance_profile_attached",
+ "aws_ec2_instance_stopped_since_30d",
+ "aws_ec2_internet_facing_with_instance_profile",
+ "aws_ec2_instance_managed_by_ssm"
+ ]
+ },
+ {
+ "title": "SEC06-BP06 Validate software integrity",
+ "description": "Implement mechanisms (for example, code signing) to validate that the software, code and libraries used in the workload are from trusted sources and have not been tampered with. For example, you should verify the code signing certificate of binaries and scripts to confirm the author, and ensure it has not been tampered with since created by the author. AWS Signer can help ensure the trust and integrity of your code by centrally managing the code- signing lifecycle, including signing certification and public and private keys. You can learn how to use advanced patterns and best practices for code signing with AWS Lambda. Additionally, a checksum of software that you download, compared to that of the checksum from the provider, can help ensure it has not been tampered with.",
+ "checks": [
+ "aws_ec2_ebs_volume_unused",
+ "aws_ssm_managed_instance_compliance_patch_compliant",
+ "aws_ec2_instance_managed_by_ssm",
+ "aws_cloudtrail_log_file_validation_enabled"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "SEC08 How do you protect your data at rest?",
+ "description": "Protect your data at rest by implementing multiple controls, to reduce the risk of unauthorized access or mishandling.",
+ "children": [
+ {
+ "title": "SEC08-BP01 Implement secure key management",
+ "description": "By defining an encryption approach that includes the storage, rotation, and access control of keys, you can help provide protection for your content against unauthorized users and against unnecessary exposure to authorized users. 
AWS Key Management Service (AWS KMS) helps you manage encryption keys and integrates with many AWS services. This service provides durable, secure, and redundant storage for your AWS KMS keys. You can define your key aliases as well as key-level policies. The policies help you define key administrators as well as key users. Additionally, AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily generate and use your own encryption keys in the AWS Cloud. It helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.",
+ "checks": [
+ "aws_kms_key_not_pending_deletion"
+ ]
+ },
+ {
+ "title": "SEC08-BP02 Enforce encryption at rest",
+ "description": "You should enforce the use of encryption for data at rest. Encryption maintains the confidentiality of sensitive data in the event of unauthorized access or accidental disclosure. Private data should be encrypted by default when at rest. Encryption helps maintain confidentiality of the data and provides an additional layer of protection against intentional or inadvertent data disclosure or exfiltration. Data that is encrypted cannot be read or accessed without first unencrypting the data. 
Any data stored unencrypted should be inventoried and controlled.",
+ "checks": [
+ "aws_cloudtrail_uses_encryption_at_rest",
+ "aws_cloudwatch_log_group_encryption_at_rest_enabled",
+ "aws_dynamodb_table_kms_encryption_enabled",
+ "aws_ec2_volume_not_encrypted",
+ "aws_efs_storage_encrypted",
+ "aws_eks_cluster_encryption_enabled",
+ "aws_opensearch_encryption_at_rest_enabled",
+ "aws_rds_snapshot_not_public",
+ "aws_rds_storage_encrypted",
+ "aws_sagemaker_notebook_encryption_enabled",
+ "aws_sagemaker_training_job_encryption_enabled",
+ "aws_sagemaker_training_job_volume_encryption_enabled",
+ "aws_sqs_server_side_encryption_enabled"
+ ]
+ },
+ {
+ "title": "SEC08-BP03 Automate data at rest protection",
+ "description": "Use automated tools to validate and enforce data at rest controls continuously, for example, verify that there are only encrypted storage resources. You can automate validation that all EBS volumes are encrypted using AWS Config Rules. AWS Security Hub can also verify several different controls through automated checks against security standards. Additionally, your AWS Config Rules can automatically remediate noncompliant resources.",
+ "checks": [
+ "aws_s3_bucket_default_encryption",
+ "aws_sagemaker_notebook_encryption_enabled"
+ ]
+ },
+ {
+ "title": "SEC08-BP04 Enforce access control",
+ "description": "To help protect your data at rest, enforce access control using mechanisms, such as isolation and versioning, and apply the principle of least privilege. Prevent the granting of public access to your data. Verify that only authorized users can access data on a need-to-know basis. Protect your data with regular backups and versioning to prevent against intentional or inadvertent modification or deletion of data. 
Isolate critical data from other data to protect its confidentiality and data integrity.",
+ "checks": [
+ "aws_s3_bucket_no_mfa_delete",
+ "aws_sns_encryption_at_rest_enabled",
+ "aws_organizations_account_part_of_organizations"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "SEC09 How do you protect your data in transit?",
+ "description": "Protect your data in transit by implementing multiple controls to reduce the risk of unauthorized access or loss.",
+ "children": [
+ {
+ "title": "SEC09-BP01 Implement secure key and certificate management",
+ "description": "Store encryption keys and certificates securely and rotate them at appropriate time intervals with strict access control. The best way to accomplish this is to use a managed service, such as AWS Certificate Manager (ACM). It lets you easily provision, manage, and deploy public and private Transport Layer Security (TLS) certificates for use with AWS services and your internal connected resources. TLS certificates are used to secure network communications and establish the identity of websites over the internet as well as resources on private networks. ACM integrates with AWS resources, such as Elastic Load Balancers (ELBs), AWS distributions, and APIs on API Gateway, also handling automatic certificate renewals. If you use ACM to deploy a private root CA, both certificates and private keys can be provided by it for use in Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and so on.",
+ "checks": [
+ "aws_elb_uses_ssl_certificate"
+ ]
+ },
+ {
+ "title": "SEC09-BP02 Enforce encryption in transit",
+ "description": "Enforce your defined encryption requirements based on your organization's policies, regulatory obligations and standards to help meet organizational, legal, and compliance requirements. Only use protocols with encryption when transmitting sensitive data outside of your virtual private cloud (VPC). Encryption helps maintain data confidentiality even when the data transits untrusted networks. 
All data should be encrypted in transit using secure TLS protocols and cipher suites. Network traffic between your resources and the internet must be encrypted to mitigate unauthorized access to the data. Network traffic solely within your internal AWS environment should be encrypted using TLS wherever possible.",
+ "checks": [
+ "aws_cloudtrail_uses_encryption_at_rest",
+ "aws_s3_bucket_default_encryption",
+ "aws_apigateway_client_certificate_enabled",
+ "aws_rds_storage_encrypted",
+ "aws_elb_uses_ssl_certificate",
+ "aws_s3_bucket_secure_transport_policy"
+ ]
+ },
+ {
+ "title": "SEC09-BP03 Automate detection of unintended data access",
+ "description": "Use tools such as Amazon GuardDuty to automatically detect suspicious activity or attempts to move data outside of defined boundaries. For example, GuardDuty can detect Amazon Simple Storage Service (Amazon S3) read activity that is unusual with the Exfiltration:S3/AnomalousBehavior finding. In addition to GuardDuty, Amazon VPC Flow Logs, which capture network traffic information, can be used with Amazon EventBridge to detect connections, both successful and denied. Amazon S3 Access Analyzer can help assess what data is accessible to who in your Amazon S3 buckets.",
+ "checks": [
+ "aws_iam_guardduty_enabled"
+ ]
+ },
+ {
+ "title": "SEC09-BP04 Authenticate network communications",
+ "description": "Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec. Using network protocols that support authentication, allows for trust to be established between the parties. This adds to the encryption used in the protocol to reduce the risk of communications being altered or intercepted. 
Common protocols that implement authentication include Transport Layer Security (TLS), which is used in many AWS services, and IPsec, which is used in AWS Virtual Private Network (AWS VPN).",
+ "checks": [
+ "aws_elb_uses_ssl_certificate",
+ "aws_ec2_vpc_flow_logs_enabled"
+ ]
+ }
+ ]
+ },
+ {
+ "title": "SEC10 How do you anticipate, respond to, and recover from incidents?",
+ "description": "Preparation is critical to timely and effective investigation, response to, and recovery from security incidents to help minimize disruption to your organization.",
+ "children": [
+ {
+ "title": "SEC10-BP01 Identify key personnel and external resources",
+ "description": "Identify internal and external personnel, resources, and legal obligations that would help your organization respond to an incident. When you define your approach to incident response in the cloud, in unison with other teams (such as your legal counsel, leadership, business stakeholders, AWS Support Services, and others), you must identify key personnel, stakeholders, and relevant contacts. To reduce dependency and decrease response time, make sure that your team, specialist security teams, and responders are educated about the services that you use and have opportunities to practice hands-on.",
+ "checks": [
+ "aws_iam_account_maintain_current_contact_details",
+ "aws_iam_account_security_contact_information_is_registered",
+ "aws_iam_account_security_questions_are_registered_in_the_aws_account",
+ "aws_iam_support_role_exists"
+ ]
+ },
+ {
+ "title": "SEC10-BP02 Develop incident management plans",
+ "description": "Create plans to help you respond to, communicate during, and recover from an incident. For example, you can start an incident response plan with the most likely scenarios for your workload and organization. 
Include how you would communicate and escalate both internally and externally.",
+ "checks": []
+ },
+ {
+ "title": "SEC10-BP03 Prepare forensic capabilities",
+ "description": "It's important for your incident responders to understand when and how the forensic investigation fits into your response plan. Your organization should define what evidence is collected and what tools are used in the process. Identify and prepare forensic investigation capabilities that are suitable, including external specialists, tools, and automation. A key decision that you should make upfront is if you will collect data from a live system. Some data, such as the contents of volatile memory or active network connections, will be lost if the system is powered off or rebooted.Your response team can combine tools, such as AWS Systems Manager, Amazon EventBridge, and AWS Lambda, to automatically run forensic tools within an operating system and VPC traffic mirroring to obtain a network packet capture, to gather non-persistent evidence. Conduct other activities, such as log analysis or analyzing disk images, in a dedicated security account with customized forensic workstations and tools accessible to your responders.Routinely ship relevant logs to a data store that provides high durability and integrity. Responders should have access to those logs. AWS offers several tools that can make log investigation easier, such as Amazon Athena, Amazon OpenSearch Service (OpenSearch Service), and Amazon CloudWatch Logs Insights. Additionally, preserve evidence securely using Amazon Simple Storage Service (Amazon S3) Object Lock. This service follows the WORM (write-once- read-many) model and prevents objects from being deleted or overwritten for a defined period. 
As forensic investigation techniques require specialist training, you might need to engage external specialists.",
+ "checks": []
+ },
+ {
+ "title": "SEC10-BP04",
+ "description": "",
+ "checks": []
+ },
+ {
+ "title": "SEC10-BP05 Pre-provision access",
+ "description": "Verify that incident responders have the correct access pre-provisioned in AWS to reduce the time needed for investigation through to recovery.Common anti-patterns:Using the root account for incident response.Altering existing accounts.Manipulating IAM permissions directly when providing just-in-time privilege elevation.",
+ "checks": []
+ },
+ {
+ "title": "SEC10-BP06 Pre-deploy tools",
+ "description": "Ensure that security personnel have the right tools pre-deployed into AWS to reduce the time for investigation through to recovery.To automate security engineering and operations functions, you can use a comprehensive set of APIs and tools from AWS. You can fully automate identity management, network security, data protection, and monitoring capabilities and deliver them using popular software development methods that you already have in place. When you build security automation, your system can monitor, review, and initiate a response, rather than having people monitor your security position and manually react to events. An effective way to automatically provide searchable and relevant log data across AWS services to your incident responders is to enable Amazon Detective.If your incident response teams continue to respond to alerts in the same way, they risk alert fatigue. Over time, the team can become desensitized to alerts and can either make mistakes handling ordinary situations or miss unusual alerts. Automation helps avoid alert fatigue by using functions that process the repetitive and ordinary alerts, leaving humans to handle the sensitive and unique incidents. 
Integrating anomaly detection systems, such as Amazon GuardDuty, AWS CloudTrail Insights, and Amazon CloudWatch Anomaly Detection, can reduce the burden of common threshold-based alerts.You can improve manual processes by programmatically automating steps in the process. After you define the remediation pattern to an event, you can decompose that pattern into actionable logic, and write the code to perform that logic. Responders can then execute that code to remediate the issue. Over time, you can automate more and more steps, and ultimately automatically handle whole classes of common incidents.For tools that execute within the operating system of your Amazon Elastic Compute Cloud (Amazon EC2) instance, you should evaluate using the AWS Systems Manager Run Command, which enables you to remotely and securely administrate instances using an agent that you install on your Amazon EC2 instance operating system. It requires the Systems Manager Agent (SSM Agent), which is installed by default on many Amazon Machine Images (AMIs). Be aware, though, that once an instance has been compromised, no responses from tools or agents running on it should be considered trustworthy.",
+ "checks": []
+ },
+ {
+ "title": "SEC10-BP07 Run game days",
+ "description": "Game days, also known as simulations or exercises, are internal events that provide a structured opportunity to practice your incident management plans and procedures during a realistic scenario. These events should exercise responders using the same tools and techniques that would be used in a real-world scenario - even mimicking real-world environments. Game days are fundamentally about being prepared and iteratively improving your response capabilities. 
Some of the reasons you might find value in performing game day activities include:Validating readinessDeveloping confidence – learning from simulations and training staffFollowing compliance or contractual obligationsGenerating artifacts for accreditationBeing agile – incremental improvementBecoming faster and improving toolsRefining communication and escalationDeveloping comfort with the rare and the unexpectedFor these reasons, the value derived from participating in a simulation activity increases an organization's effectiveness during stressful events. Developing a simulation activity that is both realistic and beneficial can be a difficult exercise. Although testing your procedures or automation that handles well-understood events has certain advantages, it is just as valuable to participate in creative Security Incident Response Simulations (SIRS) activities to test yourself against the unexpected and continuously improve.Create custom simulations tailored to your environment, team, and tools. Find an issue and design your simulation around it. This could be something like a leaked credential, a server communicating with unwanted systems, or a misconfiguration that results in unauthorized exposure. Identify engineers who are familiar with your organization to create the scenario and another group to participate. The scenario should be realistic and challenging enough to be valuable. It should include the opportunity to get hands on with logging, notifications, escalations, and executing runbooks or automation. During the simulation, your responders should exercise their technical and organizational skills, and leaders should be involved to build their incident management skills. 
At the end of the simulation, celebrate the efforts of the team and look for ways to iterate, repeat, and expand into further simulations.AWS has created Incident Response Runbook templates that you can use not only to prepare your response efforts, but also as a basis for a simulation. When planning, a simulation can be broken into five phases.Evidence gathering: In this phase, a team will get alerts through various means, such as an internal ticketing system, alerts from monitoring tooling, anonymous tips, or even public news. Teams then start to review infrastructure and application logs to determine the source of the compromise. This step should also involve internal escalations and incident leadership. Once identified, teams move on to containing the incidentContain the incident: Teams will have determined there has been an incident and established the source of the compromise. Teams now should take action to contain it, for example, by disabling compromised credentials, isolating a compute resource, or revoking a role's permission.Eradicate the incident: Now that they've contained the incident, teams will work towards mitigating any vulnerabilities in applications or infrastructure configurations that were susceptible to the compromise. 
This could include rotating all credentials used for a workload, modifying Access Control Lists (ACLs) or changing network configurations.",
+ "checks": []
+ }
+ ]
+ },
+ {
+ "title": "SEC11 How do you incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle?",
+ "description": "Preparation is critical to timely and effective investigation, response to, and recovery from security incidents to help minimize disruption to your organization.",
+ "children": [
+ {
+ "title": "SEC11-BP01 Identify key personnel and external resources",
+ "description": "Training people, testing using automation, understanding dependencies, and validating the security properties of tools and applications help to reduce the likelihood of security issues in production workloads.",
+ "checks": [
+ "aws_ecr_image_scan_on_push"
+ ]
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
diff --git a/fixcompliance/data/benchmark/aws/waf_notes.md b/fixcompliance/data/benchmark/aws/waf_notes.md
new file mode 100644
index 0000000..429fe29
--- /dev/null
+++ b/fixcompliance/data/benchmark/aws/waf_notes.md
@@ -0,0 +1,5 @@
+
+- SEC02-BP06: check all custom permissions if they allow privilege escalation
+ e.g. iam:*, (iam:PassRole and ec2:RunInstances), (iam:PassRole and lambda:CreateFunction and lambda:InvokeFunction)
+- SEC03-BP07: SQS queue and SNS topic not publicly accessible check is missing (policy)
+- SEC04-BP04: Cloudwatch: ensure alerts for log metric filters are configured
diff --git a/fixcompliance/data/benchmark_template.json b/fixcompliance/data/benchmark_template.json
new file mode 100644
index 0000000..de7f1ba
--- /dev/null
+++ b/fixcompliance/data/benchmark_template.json
@@ -0,0 +1,17 @@
+{
+ "title": "",
+ "framework": "",
+ "clouds": ["aws"],
+ "version": "",
+ "description": "",
+ "documentation": "can contain markdown",
+ "children": [
+ {
+ "title": "",
+ "description": "",
+ "documentation": "can contain markdown",
+ "checks": [],
+ "children": []
+ }
+ ]
+}
diff --git a/fixcompliance/data/check_template.json b/fixcompliance/data/check_template.json
new file mode 100644
index 0000000..e4ae577
--- /dev/null
+++ b/fixcompliance/data/check_template.json
@@ -0,0 +1,33 @@
+{
+ "name": "",
+ "title": "",
+ "result_kinds": ["result kind returned by the query"],
+ "categories": [
+ "insights",
+ "security",
+ "compliance",
+ "cost"
+ ],
+ "risk": "",
+ "severity": "critical|high|medium|low|info",
+ "url": "",
+ "detect": {
+ "fix": "is(resource)",
+ "fix_cmd": "search is(resource) | do_something",
+ "sql": "select * from table where column = 'value'"
+ },
+ "remediation": {
+ "action": {
+ "aws_cli": null,
+ "fix": null,
+ "xxx": null
+ },
+ "text": "",
+ "url": "",
+ "complexity": "high|medium|low"
+ },
+ "related": [],
+ "internal_notes": ""
+}
+
+
diff --git a/fixcompliance/data/checks/aws/aws_acm.json b/fixcompliance/data/checks/aws/aws_acm.json
new file mode 100644
index 0000000..f98f8b9
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_acm.json
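Review bot: The check template does not list `localizations` or `default_values`, although every check file in this commit carries a `localizations.de` block and cloudtrail's `no_recent_log_event` reads `last_log_event_threshold` from `default_values` to fill the `{{last_log_event_threshold.ago}}` placeholder in its query. An author starting from this template gets no hint that a threshold referenced in `detect.fix` has to be declared, or that translated strings are expected. Adding `"default_values": {},` and `"localizations": {},` next to `related` would document both conventions in the one place authors copy from.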
@@ -0,0 +1,35 @@
+{
+ "provider": "aws",
+ "service": "acm",
+ "checks": [
+ {
+ "name": "certificate_transparency_logging_enabled",
+ "title": "Ensure ACM Certificate Transparency Is Enabled to Enhance Website Security and Detect Unauthorized SSL/TLS Certificates",
+ "result_kinds": [
+ "aws_acm_certificate"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without ACM certificate transparency, the risk of unauthorized SSL/TLS certificates going undetected increases, posing a threat to website and infrastructure security.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_acm_certificate) and type!=IMPORTED and certificate_transparency_logging!=ENABLED"
+ },
+ "remediation": {
+ "text": "To fix this issue, select the certificate you want to check in ACM. In the certificate details, look for the 'Certificate Transparency Logging' attribute and ensure it is enabled.",
+ "url": "https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/acm/latest/userguide/acm-bestpractices.html#best-practices-transparency",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die ACM-Zertifikatstransparenz aktiviert ist, um die Sicherheit der Website zu verbessern und nicht autorisierte SSL/TLS-Zertifikate zu erkennen.",
+ "risk": "Ohne die ACM-Zertifikatstransparenz besteht ein erhöhtes Risiko, dass nicht autorisierte SSL/TLS-Zertifikate unbemerkt bleiben und eine Bedrohung für die Sicherheit der Website und der Infrastruktur darstellen.",
+ "remediation": "Um dieses Problem zu beheben, wählen Sie das Zertifikat aus, das Sie überprüfen möchten, in ACM aus. In den Zertifikatdetails suchen Sie nach dem Attribut 'Zertifikatstransparenzprotokollierung' und stellen Sie sicher, dass es aktiviert ist."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_apigateway.json b/fixcompliance/data/checks/aws/aws_apigateway.json
new file mode 100644
index 0000000..28dafc0
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_apigateway.json
@@ -0,0 +1,120 @@
+{
+ "provider": "aws",
+ "service": "apigateway",
+ "checks": [
+ {
+ "name": "authorizers_enabled",
+ "title": "Ensure API Gateway Is Configured with Authorizers",
+ "result_kinds": [
+ "aws_apigateway_rest_api"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without a defined authorizer, your service could be exposed to unsanctioned use. This lack of control poses a security risk and can lead to unauthorized access and misuse.",
+ "severity": "medium",
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html",
+ "detect": {
+ "fix": "is(aws_apigateway_rest_api) with(empty, --> is(aws_apigateway_authorizer))"
+ },
+ "remediation": {
+ "text": "Implement an authorizer by adding an Amazon Cognito user pool or attaching an AWS Lambda function. This will provide controlled access for users interacting with your API.",
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html",
+ "complexity": "high"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass das API Gateway mit Authorizern konfiguriert ist",
+ "risk": "Ohne definierten Authorizer könnte Ihr Service unautorisierten Zugriffen ausgesetzt sein. Diese mangelnde Kontrolle stellt ein Sicherheitsrisiko dar und kann zu unbefugtem Zugriff und Missbrauch führen.",
+ "remediation": "Implementieren Sie einen Authorizer, indem Sie einen Amazon Cognito Benutzerpool hinzufügen oder eine AWS Lambda Funktion anhängen. Dadurch wird kontrollierter Zugriff für Benutzer ermöglicht, die mit Ihrer API interagieren."
+ }
+ }
+ },
+ {
+ "name": "client_certificate_enabled",
+ "title": "Ensure That Client Certificate Is Enabled on API Gateway for Backend Endpoint Access",
+ "result_kinds": [
+ "aws_apigateway_stage"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without client certificate enforcement, potential 'man-in-the-middle' attacks can occur, jeopardizing data integrity and confidentiality. Unsecured API calls may also be intercepted, leading to unauthorized data access.",
+ "severity": "medium",
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-mutual-tls.html",
+ "detect": {
+ "fix": "is(aws_apigateway_stage) and stage_client_certificate_id==null <-[2]- is(aws_apigateway_rest_api)"
+ },
+ "remediation": {
+ "text": "Enable the client certificate and implement mutual TLS for secure data transit. Mutual TLS is highly recommended for B2B applications, adhering to norms such as Open Banking. Amazon API Gateway provides integral mutual TLS authentication at no additional cost.",
+ "url": "https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/",
+ "complexity": "high"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass das Clientzertifikat für Backend-Endpunktzugriff in der API Gateway aktiviert ist",
+ "risk": "Ohne Durchsetzung des Clientzertifikats können potenzielle 'Man-in-the-Middle'-Angriffe auftreten, bei denen die Integrität und Vertraulichkeit von Daten gefährdet werden. Nicht gesicherte API-Aufrufe können ebenfalls abgefangen werden, was zu unbefugtem Datenzugriff führt.",
+ "remediation": "Aktivieren Sie das Clientzertifikat und implementieren Sie Mutual TLS für sicheren Datentransit. Mutual TLS wird für B2B-Anwendungen dringend empfohlen und entspricht Normen wie Open Banking. Amazon API Gateway bietet eine integrierte Mutual TLS-Authentifizierung ohne zusätzliche Kosten."
+ }
+ }
+ },
+ {
+ "name": "logging_enabled",
+ "title": "Ensure API Gateway Stages Have Logging Enabled",
+ "result_kinds": [
+ "aws_apigateway_stage"
+ ],
+ "categories": [
+ "compliance"
+ ],
+ "risk": "Without enabling logging, you compromise on the visibility and traceability of your service usage, potentially missing crucial operational insights, security vulnerabilities, and debugging information.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_apigateway_stage) and stage_method_settings!={}"
+ },
+ "remediation": {
+ "text": "To remediate, ensure you enable monitoring in all parts of your AWS solution. Particularly, ensure CloudTrail is active for logging API Gateway actions, which can offer insights like the nature of requests, originating IP address, the executor of the request, and more.",
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/security-monitoring.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/logging-and-monitoring.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass API Gateway-Stufen das Logging aktiviert haben",
+ "risk": "Wenn das Logging nicht aktiviert ist, beeinträchtigen Sie die Sichtbarkeit und Nachverfolgbarkeit der Nutzung Ihres Dienstes. Dadurch können wesentliche betriebliche Erkenntnisse, Sicherheitsschwachstellen und Debugging-Informationen übersehen werden.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass Sie die Überwachung in allen Teilen Ihrer AWS-Lösung aktivieren. Stellen Sie insbesondere sicher, dass CloudTrail für das Protokollieren von API Gateway-Aktionen aktiviert ist. Dadurch erhalten Sie Einblicke wie die Art der Anfragen, die IP-Adresse des Ursprungs, den Ausführer der Anfrage und mehr."
+ }
+ }
+ },
+ {
+ "name": "waf_acl_attached",
+ "title": "Ensure API Gateway Has a WAF ACL Attached",
+ "result_kinds": [
+ "aws_apigateway_stage"
+ ],
+ "categories": [
+ "security"
+ ],
+ "risk": "Without a WAF ACL, API Gateway could be exposed to common web threats such as SQL injection and XSS attacks. These could compromise security, affect availability and performance, and consume excessive resources.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_apigateway_stage) and stage_web_acl_arn==null"
+ },
+ "remediation": {
+ "text": "Mitigate this risk by using AWS WAF to protect your API Gateway from threats. AWS WAF can block these common web attacks, safeguarding both service performance and security.",
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-aws-waf.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass API Gateway einen WAF ACL angehängt hat.",
+ "risk": "Ohne einen WAF ACL kann API Gateway gängigen Web-Bedrohungen wie SQL-Injektionen und XSS-Angriffen ausgesetzt sein. Diese könnten die Sicherheit beeinträchtigen, die Verfügbarkeit und Leistung beeinträchtigen und übermäßige Ressourcen verbrauchen.",
+ "remediation": "Verringern Sie dieses Risiko, indem Sie AWS WAF verwenden, um Ihr API Gateway vor Bedrohungen zu schützen. AWS WAF kann diese gängigen Web-Angriffe blockieren und sowohl die Leistung als auch die Sicherheit des Dienstes schützen."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_autoscaling.json b/fixcompliance/data/checks/aws/aws_autoscaling.json
new file mode 100644
index 0000000..5d5e2ac
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_autoscaling.json
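Review bot: The `logging_enabled` detection `is(aws_apigateway_stage) and stage_method_settings!={}` reads as inverted for a check titled "Ensure API Gateway Stages Have Logging Enabled": a stage with no method settings at all, which is the state in which no execution logging has been configured, passes, while every stage that has any settings is reported. If the model mirrors the per-stage method settings of the API, the flagged condition should be the empty case, e.g. `stage_method_settings=={}`, or better a test on the logging level inside those settings; I cannot confirm the field shape from the hunk. The remediation text for that check points users at CloudTrail, which records control-plane calls to API Gateway rather than the stage execution/access logs the title asks for, so following it does not clear the finding. Relatedly, `client_certificate_enabled` detects a missing stage client certificate (gateway-to-backend authentication, as its title says) while its remediation and URL describe mutual TLS on the caller side, which is a different control and should get its own check or a corrected remediation.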
@@ -0,0 +1,34 @@
+{
+ "provider": "aws",
+ "service": "autoscaling",
+ "checks": [
+ {
+ "name": "launch_template_public_ip_disabled",
+ "title": "Ensure Auto-Scaling Launch Templates Do Not Automatically Assign Public IP Addresses",
+ "result_kinds": [
+ "aws_autoscaling_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Auto-assigning public IP addresses in Auto Scaling launch templates can lead to unintended public exposure of EC2 instances. This increases the risk of malicious activities such as brute force attacks, data breaches, or unauthorized access, compromising instance security and data integrity.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_autoscaling_group) with (any, --> is(aws_ec2_launch_template) and launch_template_data.network_interfaces[*].associate_public_ip_address==true)"
+ },
+ "remediation": {
+ "text": "To fix the issue, modify the Auto Scaling launch template. Set 'AssociatePublicIpAddress' to false for all network interfaces in the launch template. Additionally, ensure instances are launched in private subnets where public access is not required.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#launch-template-network",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Auto Scaling Launch-Vorlagen keine öffentlichen IP-Adressen automatisch zuweisen",
+ "risk": "Die automatische Zuweisung öffentlicher IP-Adressen in Auto Scaling Launch-Vorlagen kann zu unbeabsichtigter öffentlicher Zugänglichkeit von EC2-Instanzen führen. Dadurch steigt das Risiko von bösartigen Aktivitäten wie Brute-Force-Angriffen, Datenschutzverletzungen oder unberechtigtem Zugriff, was die Sicherheit und Datenintegrität der Instanz gefährdet.",
+ "remediation": "Um das Problem zu beheben, ändern Sie die Auto Scaling Launch-Vorlage. Setzen Sie 'AssociatePublicIpAddress' für alle Netzwerkschnittstellen in der Launch-Vorlage auf false. 
Stellen Sie außerdem sicher, dass Instanzen in privaten Subnetzen gestartet werden, wo kein öffentlicher Zugriff erforderlich ist."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_cloudformation.json b/fixcompliance/data/checks/aws/aws_cloudformation.json
new file mode 100644
index 0000000..3c67b20
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_cloudformation.json
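Review bot: The detection only follows `--> is(aws_ec2_launch_template)`, so an Auto Scaling group that still uses a launch configuration is never evaluated although a launch configuration can also request a public IP; if the model has a kind for launch configurations the query should cover it with an `or` branch, otherwise the title and `risk` should say explicitly that only launch-template-based groups are assessed. The remediation mentions private subnets, but neither subnet auto-assignment nor the template's default interface is inspected here, so a group can pass this check and still receive public addresses from its subnet — worth one sentence in `risk` or `internal_notes` so operators do not read a pass as "no public exposure". Minor: `with (any, ...)` has a space before the parenthesis where every other query in this commit writes `with(`.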
@@ -0,0 +1,34 @@
+{
+ "provider": "aws",
+ "service": "cloudformation",
+ "checks": [
+ {
+ "name": "no_secrets_in_output",
+ "title": "Ensure There Are No Secrets in CloudFormation Outputs",
+ "result_kinds": [
+ "aws_cloudformation_stack"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Using secrets hardcoded into CloudFormation outputs can enable malware and bad actors to gain unauthorized access to other services, leading to potential data breaches and compromised infrastructure.",
+ "severity": "critical",
+ "detect": {
+ "fix_cmd": "search is(aws_cloudformation_stack) | detect-secrets --path stack_outputs --with-secrets"
+ },
+ "remediation": {
+ "text": "To fix this issue, avoid including secrets in CloudFormation outputs. Instead, use the AWS Secrets Manager service to securely store and retrieve passwords and other sensitive information.",
+ "url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass in den CloudFormation-Ausgaben keine Geheimnisse enthalten sind",
+ "risk": "Die Verwendung von in CloudFormation-Ausgaben fest codierten Geheimnissen kann Malware und bösartigen Akteuren ermöglichen, unbefugten Zugriff auf andere Dienste zu erlangen, was zu potenziellen Datenschutzverletzungen und beeinträchtigter Infrastruktur führen kann.",
+ "remediation": "Um dieses Problem zu beheben, vermeiden Sie die Verwendung von Geheimnissen in den CloudFormation-Ausgaben. Verwenden Sie stattdessen den AWS Secrets Manager-Dienst, um Passwörter und andere sensitive Informationen sicher zu speichern und abzurufen."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_cloudfront.json b/fixcompliance/data/checks/aws/aws_cloudfront.json
new file mode 100644
index 0000000..10ceea0
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_cloudfront.json
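Review bot: `detect` here carries only a `fix_cmd` and no `fix` query, so a consumer that evaluates the `fix` key — the form every other check in this commit uses — will silently skip this critical-severity check; if `fix_cmd`-only checks are supported that is fine, but the template presents `fix`, `fix_cmd` and `sql` side by side and nothing on the page says which one is authoritative or how they are combined. The check also lacks the top-level `url` that the template and the acm and apigateway checks provide. A short `internal_notes` entry stating that this check depends on the `detect-secrets` command being available in the search pipeline, and that `stack_outputs` is the only attribute scanned, would tell operators why it may produce no result and what it does not cover.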
@@ -0,0 +1,65 @@
+{
+ "provider": "aws",
+ "service": "cloudfront",
+ "checks": [
+ {
+ "name": "distribution_logging_enabled",
+ "title": "Ensure That Logging Is Enabled for Every CloudFront Distribution",
+ "result_kinds": [
+ "aws_cloudfront_distribution"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable logging in CloudFront distributions may result in a lack of visibility into access patterns, hindering the detection and investigation of potential security threats. This can also lead to non-compliance with security best practices and regulatory requirements.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloudfront_distribution) and distribution_config.logging==null"
+ },
+ "remediation": {
+ "text": "To fix this issue, you can enable logging for your CloudFront distribution either through the AWS CLI or the management console.",
+ "url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LoggingIngesting.html",
+ "action": {
+ "aws_cli": "aws cloudfront update-distribution --id YOUR_DISTRIBUTION_ID --logging-config '{\"enabled\":true,\"bucket\":\"YOUR_S3_BUCKET\",\"prefix\":\"LOG_PREFIX\"}'"
+ },
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Protokollierung für jede CloudFront-Distribution aktiviert ist",
+ "risk": "Das Nichtaktivieren der Protokollierung in CloudFront-Distributionen kann zu fehlender Transparenz bei Zugriffsmustern führen, was die Erkennung und Untersuchung potenzieller Sicherheitsbedrohungen behindert. Dies kann auch zu Nichteinhaltung von Sicherheitsstandards und gesetzlichen Anforderungen führen.",
+ "remediation": "Um dieses Problem zu beheben, können Sie die Protokollierung für Ihre CloudFront-Distribution entweder über die AWS CLI oder die Managementkonsole aktivieren."
+ }
+ }
+ },
+ {
+ "name": "distribution_waf_enabled",
+ "title": "Ensure That a Web Application Firewall (WAF) Is Associated with CloudFront Distribution",
+ "result_kinds": [
+ "aws_cloudfront_distribution"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not associating a Web Application Firewall (WAF) with CloudFront Distribution can leave your distributions vulnerable to internet attacks such as DDoS.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloudfront_distribution) and distribution_config.web_acl_id in [null, \"\"]"
+ },
+ "remediation": {
+ "text": "To fix this issue, associate your CloudFront Distributions with a Web ACL. This will provide an additional layer of security.",
+ "url": "https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass ein Web Application Firewall (WAF) mit CloudFront Distribution verknüpft ist",
+ "risk": "Wenn Sie keine Web Application Firewall (WAF) mit CloudFront Distribution verknüpfen, können Ihre Verteilungen anfällig für Internetangriffe wie DDoS sein.",
+ "remediation": "Um dieses Problem zu beheben, verknüpfen Sie Ihre CloudFront-Distributionen mit einer Web ACL. Dadurch wird eine zusätzliche Sicherheitsebene bereitgestellt."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_cloudtrail.json b/fixcompliance/data/checks/aws/aws_cloudtrail.json
new file mode 100644
index 0000000..63876e0
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_cloudtrail.json
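Review bot: `distribution_config.logging==null` in `distribution_logging_enabled` misses a distribution whose logging block is present but switched off; the remediation's own CLI payload shows the config carrying an `enabled` flag, so the condition should cover that case too, along the lines of `distribution_config.logging==null or distribution_config.logging.enabled==false` (field name to be confirmed against the model). The `aws_cli` action is also unlikely to run as written: as far as I know `aws cloudfront update-distribution` takes the complete `--distribution-config` together with the current `--if-match` ETag and has no `--logging-config` option, so the snippet should either become a get/edit/update sequence or be dropped in favour of the console instructions already given in `text`. The `distribution_waf_enabled` query handles both `null` and `""` for `web_acl_id`, which is the right shape; the logging check above would benefit from the same care.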
@@ -0,0 +1,737 @@
+{
+ "provider": "aws",
+ "service": "cloudtrail",
+ "checks": [
+ {
+ "name": "logging_in_all_regions_enabled",
+ "title": "Ensure CloudTrail is Enabled and Set Up for Logging in All Regions",
+ "result_kinds": [
+ "aws_region"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If CloudTrail is not enabled and set up for logging in all regions, critical information about API calls will not be recorded and delivered. This includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_region) with(empty, -[0:1]-> is(aws_cloud_trail) and trail_status.is_logging==true)"
+ },
+ "remediation": {
+ "text": "To fix this issue, ensure there is one trail in every region with logging enabled. Additionally, consider using multi-account/multi-region trails for your organization to enhance logging capabilities.",
+ "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrailconcepts.html#cloudtrail-concepts-management-events",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass CloudTrail aktiviert ist und in allen Regionen für die Protokollierung eingerichtet ist",
+ "risk": "Wenn CloudTrail nicht aktiviert und für die Protokollierung in allen Regionen eingerichtet ist, werden wichtige Informationen über API-Aufrufe nicht aufgezeichnet und übermittelt. Dies umfasst die Identität des API-Aufrufers, die Zeit des API-Aufrufs, die Quell-IP-Adresse des API-Aufrufers, die Anforderungsparameter und die von dem AWS-Dienst zurückgegebenen Antwortelemente.",
+ "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass in jeder Region ein Trail mit aktivierter Protokollierung vorhanden ist. 
Erwägen Sie außerdem die Verwendung von Multi-Konto/Multi-Region-Trails für Ihre Organisation, um die Protokollierungsfunktionen zu verbessern."
+ }
+ }
+ },
+ {
+ "name": "log_file_validation_enabled",
+ "title": "Ensure CloudTrail Log File Validation is Enabled",
+ "result_kinds": [
+ "aws_cloud_trail"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Enabling log file validation provides additional integrity checking of CloudTrail logs. Failure to enable log file validation increases the risk of undetected tampering or unauthorized access to sensitive logs.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloud_trail) and trail_status.is_logging==true and trail_log_file_validation_enabled==false"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that the LogFileValidationEnabled parameter is set to true for each CloudTrail trail. This can be done through the AWS Management Console or by using the AWS CLI.",
+ "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-filevalidation-enabling.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Validierung der CloudTrail-Protokolldatei aktiviert ist",
+ "risk": "Das Aktivieren der Protokollvalidierung bietet zusätzliche Integritätsprüfungen für CloudTrail-Protokolle. Wenn die Protokollvalidierung nicht aktiviert ist, erhöht sich das Risiko einer unbemerkten Manipulation oder unbefugten Zugriffs auf sensible Protokolle.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass der Parameter LogFileValidationEnabled für jeden CloudTrail-Trail auf true gesetzt ist. Dies kann über die AWS Management Console oder mithilfe der AWS CLI erfolgen."
+ }
+ }
+ },
+ {
+ "name": "logs_s3_bucket_is_not_publicly_accessible",
+ "title": "Ensure That the S3 Bucket for CloudTrail Logs Is Not Publicly Accessible",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing public access to CloudTrail log content may expose sensitive information and provide potential attackers with valuable insights into the account's vulnerabilities and configuration weaknesses.",
+ "severity": "critical",
+ "detect": {
+ "fix": "is(aws_cloud_trail) and trail_status.is_logging==true --> is(aws_s3_bucket) and bucket_public_access_block_configuration.{block_public_acls!=true or ignore_public_acls!=true or block_public_policy!=true or restrict_public_buckets!=true} or bucket_acl.grants[*].{permission in [READ, READ_ACP] and grantee.uri==\"http://acs.amazonaws.com/groups/global/AllUsers\"}"
+ },
+ "remediation": {
+ "text": "To fix the issue, carefully analyze the Bucket policy and ensure that appropriate permissions are set. Specifically, make sure that the AllUsers principal and the AuthenticatedUsers principal are not granted any privileges.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der S3-Bucket für CloudTrail-Logs nicht öffentlich zugänglich ist",
+ "risk": "Die Zulassung öffentlichen Zugriffs auf den Inhalt von CloudTrail-Logs kann sensible Informationen offenlegen und potenziellen Angreifern wertvolle Einblicke in die Schwachstellen und Konfigurationsprobleme des Kontos ermöglichen.",
+ "remediation": "Um das Problem zu beheben, analysieren Sie die Bucket-Richtlinie sorgfältig und stellen Sie sicher, dass die entsprechenden Berechtigungen festgelegt sind. Stellen Sie insbesondere sicher, dass dem AllUsers-Principal und dem AuthenticatedUsers-Principal keine Privilegien gewährt werden."
+ }
+ }
+ },
+ {
+ "name": "no_logging_enabled",
+ "title": "Ensure CloudTrail Has Logging Enabled",
+ "result_kinds": [
+ "aws_cloud_trail"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not enabling logging for CloudTrail prevents real-time and historic activity logging based on user, API, resource, and IP address. This also eliminates the opportunity to establish alarms and notifications for anomalous or sensitive account activity.",
+ "severity": "low",
+ "detect": {
+ "fix": "is(aws_cloud_trail) and trail_status.is_logging==false"
+ },
+ "remediation": {
+ "text": "Ensure the trails in CloudTrail have the 'CloudWatchLogsLogGroupArn' property set to a valid ARN.",
+ "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass CloudTrail die Protokollierung aktiviert hat",
+ "risk": "Die Nichtaktivierung der Protokollierung für CloudTrail verhindert das protokollieren von Echtzeit- und historischen Aktivitäten basierend auf Benutzer, API, Ressourcen und IP-Adresse. Dadurch entfällt auch die Möglichkeit, Alarme und Benachrichtigungen für anomale oder sensible Kontobewegungen einzurichten.",
+ "remediation": "Stellen Sie sicher, dass die Trails in CloudTrail die Eigenschaft 'CloudWatchLogsLogGroupArn' auf einen gültigen ARN festgelegt haben."
+ }
+ }
+ },
+ {
+ "name": "no_recent_log_event",
+ "title": "Ensure CloudTrail Has Recent Log Events",
+ "result_kinds": [
+ "aws_cloud_trail"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If the issue is not solved, there will be no log events in CloudTrail for the configured duration, which hinders real-time and historic activity logging and prevents the establishment of alarms and notifications for anomalous or sensitive account activity.",
+ "severity": "low",
+ "detect": {
+ "fix": "is(aws_cloud_trail) and trail_status.is_logging==true and trail_status.latest_delivery_attempt_succeeded<{{last_log_event_threshold.ago}}"
+ },
+ "default_values": {
+ "last_log_event_threshold": "1d"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that the trails in CloudTrail have a valid ARN set in the CloudWatchLogsLogGroupArn property.",
+ "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass CloudTrail aktuelle Protokollereignisse hat",
+ "risk": "Wenn das Problem nicht gelöst wird, wird es keine Protokollereignisse in CloudTrail für den konfigurierten Zeitraum geben, was die Echtzeit- und historische Aktivitätsprotokollierung beeinträchtigt und die Einrichtung von Alarmen und Benachrichtigungen für anormale oder sensible Kontenaktivitäten verhindert.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass die Trails in CloudTrail eine gültige ARN im CloudWatchLogsLogGroupArn-Attribut haben."
+ }
+ }
+ },
+ {
+ "name": "s3_bucket_logging_enabled",
+ "title": "Ensure S3 Bucket Access Logging Is Enabled on the CloudTrail S3 Bucket",
+ "result_kinds": [
+ "aws_cloud_trail"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable S3 bucket access logging on the CloudTrail S3 bucket can result in security breaches, hindered access audits, and limited understanding of Amazon S3 bill.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloud_trail) --> is(aws_s3_bucket) and bucket_logging.target_bucket==null"
+ },
+ "remediation": {
+ "text": "To fix this issue, ensure that S3 buckets have Logging enabled. If you are using CloudTrail data events, you can consider this finding a false positive.",
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/security-best-practices.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass das Protokollieren des Zugriffs auf S3-Buckets auf dem CloudTrail S3-Bucket aktiviert ist",
+ "risk": "Das Versäumnis, das Protokollieren des Zugriffs auf S3-Buckets auf dem CloudTrail S3-Bucket zu aktivieren, kann zu Sicherheitsverletzungen, eingeschränkten Zugriffsprüfungen und begrenztem Verständnis der Amazon S3-Rechnung führen.",
+ "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass S3-Buckets die Protokollierung aktiviert haben. Wenn Sie CloudTrail-Datenvorgänge verwenden, können Sie diesen Befund als Fehlalarm betrachten."
+ }
+ }
+ },
+ {
+ "name": "uses_encryption_at_rest",
+ "title": "Ensure CloudTrail Logs Are Encrypted at Rest Using AWS KMS Keys",
+ "result_kinds": [
+ "aws_cloud_trail"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "By default, CloudTrail log files are encrypted using Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). 
However, using AWS KMS keys (SSE-KMS) provides a more secure and directly manageable encryption method, ensuring the confidentiality of the log files.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloud_trail) and trail_kms_key_id==null"
+ },
+ "remediation": {
+ "text": "To fix this issue, you should enable server-side encryption with AWS KMS (SSE-KMS) for your CloudTrail log files. This allows you to create and manage your own encryption keys, assign permissions, and provides enhanced security. Follow the instructions in the AWS documentation to enable SSE-KMS for your CloudTrail logs.",
+ "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass CloudTrail-Protokolle bei Ruheverschlüsselung mit AWS KMS-Schlüsseln verschlüsselt werden",
+ "risk": "Standardmäßig werden CloudTrail-Protokolldateien mit Amazon-Server-seitiger Verschlüsselung und S3-verwalteten Verschlüsselungsschlüsseln (SSE-S3) verschlüsselt. Die Verwendung von AWS KMS-Schlüsseln (SSE-KMS) bietet jedoch eine sicherere und direkt verwaltbare Verschlüsselungsmethode, um die Vertraulichkeit der Protokolldateien zu gewährleisten.",
+ "remediation": "Um dieses Problem zu beheben, sollten Sie die serverseitige Verschlüsselung mit AWS KMS (SSE-KMS) für Ihre CloudTrail-Protokolldateien aktivieren. Dadurch können Sie Ihre eigenen Verschlüsselungsschlüssel erstellen und verwalten, Berechtigungen zuweisen und eine erhöhte Sicherheit gewährleisten. Befolgen Sie die Anweisungen in der AWS-Dokumentation, um SSE-KMS für Ihre CloudTrail-Protokolle zu aktivieren."
+ }
+ }
+ },
+ {
+ "name": "s3_data_events_write_enabled",
+ "title": "Ensure S3 Buckets Have Object-Level Logging for Write Events Enabled in CloudTrail",
+ "result_kinds": [
+ "aws_region"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If Object-level logging is not enabled, monitoring of service use and threat analysis is not possible.",
+ "severity": "low",
+ "detect": {
+ "fix": "is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and (trail_event_selectors.event_selectors[*].{read_write_type in [All, WriteOnly] and data_resources[*].type=\"AWS::S3::Object\"} or trail_event_selectors.advanced_event_selectors[*].field_selectors[*].{selector_field==\"resources.type\" and equals[*]=\"AWS::S3::Object\"}))"
+ },
+ "remediation": {
+ "text": "Enable Object-level logging for write events in CloudTrail. Create an S3 lifecycle policy. Define use cases, metrics, and automated responses where applicable.",
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass S3-Buckets in CloudTrail eine protokollierte Objektebene für Schreibereignisse aktiviert haben",
+ "risk": "Wenn die protokollierte Objektebene nicht aktiviert ist, ist eine Überwachung der Nutzung des Dienstes und eine Bedrohungsanalyse nicht möglich.",
+ "remediation": "Aktivieren Sie die protokollierte Objektebene für Schreibereignisse in CloudTrail. Erstellen Sie eine S3-Lifecycle-Policy. Definieren Sie Anwendungsfälle, Metriken und automatisierte Reaktionen, wo anwendbar."
+ } + } + }, + { + "name": "s3_data_events_read_enabled", + "title": "Ensure S3 Buckets Have Object-Level Logging for Read Events Enabled in CloudTrail", + "result_kinds": [ + "aws_region" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If Object-level logging for read events is not enabled in CloudTrail, monitoring of service use and threat analysis is not possible.", + "severity": "low", + "detect": { + "fix": "is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and (trail_event_selectors.event_selectors[*].{read_write_type in [All, ReadOnly] and data_resources[*].type=\"AWS::S3::Object\"} or trail_event_selectors.advanced_event_selectors[*].field_selectors[*].{selector_field==\"resources.type\" and equals[*]=\"AWS::S3::Object\"}))" + }, + "remediation": { + "text": "Enable Object-level logging for read events. Create an S3 lifecycle policy. Define use cases, metrics, and automated responses where applicable.", + "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass S3-Buckets in CloudTrail eine objektbezogene Protokollierung für Leseereignisse aktiviert haben", + "risk": "Wenn in CloudTrail keine objektbezogene Protokollierung für Leseereignisse aktiviert ist, ist die Überwachung der Service-Nutzung und Bedrohungsanalyse nicht möglich.", + "remediation": "Aktivieren Sie eine objektbezogene Protokollierung für Leseereignisse. Erstellen Sie eine S3-Lifecycle-Richtlinie. Definieren Sie Anwendungsfälle, Metriken und automatisierte Reaktionen, wo dies zutreffend ist." 
+ } + } + }, + { + "name": "lambda_logging_enabled", + "title": "Ensure Lambda Function Invocations Are Logged via CloudTrail", + "result_kinds": [ + "aws_region" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If logs are not enabled, it will not be possible to monitor service use and perform threat analysis.", + "severity": "low", + "detect": { + "fix": "is(aws_region) with(empty, --> is(aws_cloud_trail) and trail_has_custom_event_selectors=true and (trail_event_selectors.event_selectors[*].{data_resources[*].type=\"AWS::Lambda::Function\"} or trail_event_selectors.advanced_event_selectors[*].field_selectors[*].{selector_field==\"resources.type\" and equals[*]=\"AWS::Lambda::Function\"}))" + }, + "remediation": { + "text": "To fix this issue, enable logging and create an S3 lifecycle policy. Make sure to define use cases, metrics, and automated responses as applicable.", + "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Lambda-Funktionsaufrufe über CloudTrail protokolliert werden", + "risk": "Wenn das Protokollieren von Logs nicht aktiviert ist, können Nutzung des Dienstes und Bedrohungsanalysen nicht überwacht werden.", + "remediation": "Um dieses Problem zu beheben, aktivieren Sie das Protokollieren und erstellen Sie eine S3-Lifecycle-Richtlinie. Stellen Sie sicher, dass Anwendungsfälle, Metriken und automatisierte Reaktionen gegebenenfalls definiert sind." 
+ } + } + }, + { + "name": "log_metric_filters_unauthorized_api_calls", + "title": "Ensure That a Log Metric Filter and Alarm Are in Place for Unauthorized API Calls", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If the issue is not solved, there is a risk of application errors going undetected and malicious activity not being detected in a timely manner.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\$\\.errorCode\\s*=\\s*\\\"\\*UnauthorizedOperation\\\".+\\$\\.errorCode\\s*=\\s*\\\"AccessDenied\\*\\\".+\\$\\.sourceIPAddress\\s*!=\\s*\\\"delivery.logs.amazonaws.com\\\".+\\$\\.eventName\\s*!=\\s*\\\"HeadBucket\\\"\"))" + }, + "remediation": { + "text": "To fix the issue, it is recommended to establish a metric filter and alarm for unauthorized API Calls.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Log-Metriksfilter und ein Alarm für nicht autorisierte API-Aufrufe vorhanden sind", + "risk": "Wenn das Problem nicht gelöst wird, besteht das Risiko, dass Anwendungsfehler unentdeckt bleiben und bösartige Aktivitäten nicht rechtzeitig erkannt werden.", + "remediation": "Um das Problem zu beheben, wird empfohlen, einen Metriksfilter und Alarm für nicht autorisierte API-Aufrufe einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_console_login_no_mfa", + "title": "Ensure a Log Metric Filter and Alarm Exist for Management Console Sign-In Without MFA", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity. It is essential to detect Management Console sign-in without MFA to prevent unauthorized access.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\(\\s*\\$\\.eventName\\s*=\\s*\\\"ConsoleLogin\\\"\\)\\s+&&\\s+\\(\\s*\\$.additionalEventData\\.MFAUsed\\s*!=\\s*\\\"Yes\\\"\"))" + }, + "remediation": { + "text": "It is recommended that a metric filter and alarm be established for Console sign-ins without MFA. Follow the instructions in the AWS documentation to create a metric filter and alarm.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokoll-Metriksfilter und ein Alarm für die Anmeldung in der Management Console ohne MFA vorhanden sind.", + "risk": "Das Überwachen nicht autorisierter API-Aufrufe hilft dabei, Anwendungsfehler aufzudecken und die Zeit zur Erkennung bösartiger Aktivitäten zu verkürzen. Es ist unerlässlich, Anmeldungen in der Management Console ohne MFA zu erkennen, um unbefugten Zugriff zu verhindern.", + "remediation": "Es wird empfohlen, einen Metriksfilter und Alarm für Anmeldungen in der Konsole ohne MFA einzurichten. Befolgen Sie die Anweisungen in der AWS-Dokumentation, um einen Metriksfilter und Alarm zu erstellen." 
+ } + } + }, + { + "name": "log_metric_filters_root_account_usage", + "title": "Ensure a Log Metric Filter and Alarm Exist for Usage of the Root Account", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to monitor unauthorized API calls may result in delayed detection of application errors and malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with (empty, --> is(aws_cloudwatch_log_group) with (any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.userIdentity\\.type\\s*=\\s*\\\"Root\\\".+\\$\\.userIdentity\\.invokedBy NOT EXISTS.+\\$\\.eventType\\s*!=\\s*\\\"AwsServiceEvent\\\"\"))" + }, + "remediation": { + "text": "To ensure proper monitoring of unauthorized API calls, it is highly recommended to establish a metric filter and alarm for usage of the root account.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikfilter und ein Alarm für die Nutzung des Root-Kontos vorhanden sind", + "risk": "Die fehlende Überwachung nicht autorisierter API-Aufrufe kann zu verzögerter Erkennung von Anwendungsfehlern und bösartigen Aktivitäten führen.", + "remediation": "Um eine ordnungsgemäße Überwachung nicht autorisierter API-Aufrufe sicherzustellen, wird dringend empfohlen, einen Metrikfilter und einen Alarm für die Nutzung des Root-Kontos einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_iam_policy_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for IAM Policy Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to monitor unauthorized API calls may result in undetected application errors and delays in identifying malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*DeleteGroupPolicy.+\\$\\.eventName\\s*=\\s*DeleteRolePolicy.+\\$\\.eventName\\s*=\\s*DeleteUserPolicy.+\\$\\.eventName\\s*=\\s*PutGroupPolicy.+\\$\\.eventName\\s*=\\s*PutRolePolicy.+\\$\\.eventName\\s*=\\s*PutUserPolicy.+\\$\\.eventName\\s*=\\s*CreatePolicy.+\\$\\.eventName\\s*=\\s*DeletePolicy.+\\$\\.eventName\\s*=\\s*CreatePolicyVersion.+\\$\\.eventName\\s*=\\s*DeletePolicyVersion.+\\$\\.eventName\\s*=\\s*AttachRolePolicy.+\\$\\.eventName\\s*=\\s*DetachRolePolicy.+\\$\\.eventName\\s*=\\s*AttachUserPolicy.+\\$\\.eventName\\s*=\\s*DetachUserPolicy.+\\$\\.eventName\\s*=\\s*AttachGroupPolicy.+\\$\\.eventName\\s*=\\s*DetachGroupPolicy\\\"))\\s*\\$\\.userIdentity\\.type\\s*=\\s*\\\"Root\\\".+\\$\\.userIdentity\\.invokedBy NOT EXISTS.+\\$\\.eventType\\s*!=\\s*\\\"AwsServiceEvent\\\"\"))" + }, + "remediation": { + "text": "To address this issue, establish a metric filter and alarm for IAM policy changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikfilter und Alarm für IAM-Richtlinienänderungen vorhanden sind", + "risk": "Das Versäumnis, unbefugte API-Aufrufe zu überwachen, kann zu unentdeckten Anwendungsfehlern und Verzögerungen bei 
der Identifizierung von bösartigen Aktivitäten führen.", + "remediation": "Um dieses Problem zu beheben, richten Sie einen Metrikfilter und Alarm für IAM-Richtlinienänderungen ein." + } + } + }, + { + "name": "log_metric_filters_cloud_trail_configuration_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for CloudTrail Configuration Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*CreateTrail.+\\$\\.eventName\\s*=\\s*UpdateTrail.+\\$\\.eventName\\s*=\\s*DeleteTrail.+\\$\\.eventName\\s*=\\s*StartLogging.+\\$\\.eventName\\s*=\\s*StopLogging\"))" + }, + "remediation": { + "text": "It is recommended to establish a metric filter and alarm for CloudTrail configuration changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokoll-Metrikfilter und ein Alarm für Änderungen an der CloudTrail-Konfiguration vorhanden sind", + "risk": "Die Überwachung nicht autorisierter API-Aufrufe hilft dabei, Anwendungsfehler aufzudecken und kann die Zeit zur Erkennung böswilliger Aktivitäten verkürzen.", + "remediation": "Es wird empfohlen, einen Metrikfilter und einen Alarm für Änderungen an der CloudTrail-Konfiguration einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_authentication_failures", + "title": "Ensure a Log Metric Filter and Alarm Exist for AWS Management Console Authentication Failures", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls helps reveal application errors and reduces time to detect malicious activity", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*ConsoleLogin.+\\$\\.errorMessage\\s*=\\s*\\\"Failed authentication\\\"))\\s*\\$\\.eventName\\s*=\\s*CreateTrail.+\\$\\.eventName\\s*=\\s*UpdateTrail.+\\$\\.eventName\\s*=\\s*DeleteTrail.+\\$\\.eventName\\s*=\\s*StartLogging.+\\$\\.eventName\\s*=\\s*StopLogging\"))" + }, + "remediation": { + "text": "Establish a metric filter and alarm for AWS Management Console authentication failures", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokoll-Metrikenfilter und ein Alarm für AWS Management Console Authentifizierungsfehler vorhanden sind", + "risk": "Die Überwachung unauthorisierter API-Aufrufe hilft, Anwendungsfehler aufzudecken und die Erkennungszeit für bösartige Aktivitäten zu reduzieren.", + "remediation": "Richten Sie einen Metrikenfilter und einen Alarm für AWS Management Console Authentifizierungsfehler ein" + } + } + }, + { + "name": "log_metric_filters_kms_key_deletion", + "title": "Ensure a Log Metric Filter and Alarm Exist for Disabling or Scheduled Deletion of Customer-Created KMS CMKs", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API 
calls will help reveal application errors and reduce time to detect malicious activity. This ensures that any unauthorized actions related to customer-created KMS CMKs can be detected promptly.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventSource\\s*=\\s*kms.amazonaws.com.+\\$\\.eventName\\s*=\\s*DisableKey.+\\$\\.eventName\\s*=\\s*ScheduleKeyDeletion\"))" + }, + "remediation": { + "text": "To ensure security, it is recommended to establish a metric filter and alarm for disabling or scheduled deletion of customer-created KMS CMKs.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikfilter und ein Alarm existieren, um das Deaktivieren oder geplante Löschen von vom Kunden erstellten KMS CMKs zu überwachen.", + "risk": "Durch die Überwachung nicht autorisierter API-Aufrufe werden Anwendungsfehler aufgedeckt und die Zeit zur Erkennung bösartiger Aktivitäten reduziert. Dadurch können unbefugte Aktionen im Zusammenhang mit vom Kunden erstellten KMS CMKs rechtzeitig erkannt werden.", + "remediation": "Um die Sicherheit zu gewährleisten, wird empfohlen, einen Metrikfilter und einen Alarm für das Deaktivieren oder geplante Löschen von vom Kunden erstellten KMS CMKs einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_s3_bucket_policy_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for S3 Bucket Policy Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and reduce time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventSource\\s*=\\s*s3.amazonaws.com.+\\$\\.eventName\\s*=\\s*PutBucketAcl.+\\$\\.eventName\\s*=\\s*PutBucketPolicy.+\\$\\.eventName\\s*=\\s*PutBucketCors.+\\$\\.eventName\\s*=\\s*PutBucketLifecycle.+\\$\\.eventName\\s*=\\s*PutBucketReplication.+\\$\\.eventName\\s*=\\s*DeleteBucketPolicy.+\\$\\.eventName\\s*=\\s*DeleteBucketCors.+\\$\\.eventName\\s*=\\s*DeleteBucketLifecycle.+\\$\\.eventName\\s*=\\s*DeleteBucketReplication\"))" + }, + "remediation": { + "text": "It is recommended to establish a metric filter and alarm for S3 bucket policy changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokoll-Metrikenfilter und ein Alarm für Änderungen an S3-Bucket-Richtlinien vorhanden sind", + "risk": "Die Überwachung unberechtigter API-Aufrufe hilft dabei, Anwendungsfehler aufzudecken und die Erkennungszeit für bösartige Aktivitäten zu verkürzen.", + "remediation": "Es wird empfohlen, einen Metrikenfilter und Alarm für Änderungen an S3-Bucket-Richtlinien einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_config_configuration_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for AWS Config Configuration Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized Configuration API calls helps reveal application errors and may reduce the time taken to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventSource\\s*=\\s*config.amazonaws.com.+\\$\\.eventName\\s*=\\s*StopConfigurationRecorder.+\\$\\.eventName\\s*=\\s*DeleteDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutDeliveryChannel.+\\$\\.eventName\\s*=\\s*PutConfigurationRecorder\"))" + }, + "remediation": { + "text": "To mitigate this issue, it is recommended to establish a metric filter and alarm for AWS Config configuration changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikfilter und ein Alarm für AWS Config Konfigurationsänderungen vorhanden sind.", + "risk": "Die Überwachung nicht autorisierter Konfigurations-API-Aufrufe hilft, Anwendungsfehler aufzudecken und die Zeit zur Erkennung bösartiger Aktivitäten zu verkürzen.", + "remediation": "Um dieses Problem zu beheben, wird empfohlen, einen Metrikfilter und einen Alarm für AWS Config Konfigurationsänderungen einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_security_group_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for Security Group Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and reduce time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*AuthorizeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupIngress.+\\$\\.eventName\\s*=\\s*RevokeSecurityGroupEgress.+\\$\\.eventName\\s*=\\s*CreateSecurityGroup.+\\$\\.eventName\\s*=\\s*DeleteSecurityGroup\"))" + }, + "remediation": { + "text": "It is recommended to establish a metric filter and alarm for security group changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass eine Protokoll-Metrikenfilterung und ein Alarm für Sicherheitsgruppenänderungen existieren.", + "risk": "Die Überwachung unauthorisierter API-Aufrufe hilft, Anwendungsfehler aufzudecken und die Zeit zur Erkennung von bösartigen Aktivitäten zu verkürzen.", + "remediation": "Es wird empfohlen, eine Metrikenfilterung und einen Alarm für Sicherheitsgruppenänderungen einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_network_acl_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for Changes to Network Access Control Lists (NACL)", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and reduce the time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*CreateNetworkAcl.+\\$\\.eventName\\s*=\\s*CreateNetworkAclEntry.+\\$\\.eventName\\s*=\\s*DeleteNetworkAcl.+\\$\\.eventName\\s*=\\s*DeleteNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclEntry.+\\$\\.eventName\\s*=\\s*ReplaceNetworkAclAssociation\"))" + }, + "remediation": { + "text": "To ensure proper monitoring of Network ACL changes, it is recommended to establish a metric filter and alarm.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokoll-Metrikenfilter und eine Alarmierung für Änderungen an Network Access Control Lists (NACL) vorhanden ist", + "risk": "Die Überwachung unberechtigter API-Aufrufe hilft bei der Aufdeckung von Anwendungsfehlern und verringert die Zeit, die zum Erkennen bösartiger Aktivitäten benötigt wird.", + "remediation": "Um eine ordnungsgemäße Überwachung von Netzwerk-ACL-Änderungen sicherzustellen, wird empfohlen, einen Metrikenfilter und eine Alarmierung einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_network_gateway_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for Changes to Network Gateways", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls helps reveal application errors and reduces time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*CreateCustomerGateway.+\\$\\.eventName\\s*=\\s*DeleteCustomerGateway.+\\$\\.eventName\\s*=\\s*AttachInternetGateway.+\\$\\.eventName\\s*=\\s*CreateInternetGateway.+\\$\\.eventName\\s*=\\s*DeleteInternetGateway.+\\$\\.eventName\\s*=\\s*DetachInternetGateway\"))" + }, + "remediation": { + "text": "Establish a metric filter and alarm for network gateway changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikenfilter und eine Alarmierung für Änderungen an Netzwerk-Gateways vorhanden sind", + "risk": "Die Überwachung unbefugter API-Aufrufe hilft bei der Aufdeckung von Anwendungsfehlern und verringert die Zeit zur Erkennung bösartiger Aktivitäten.", + "remediation": "Richten Sie einen Metrikenfilter und eine Alarmierung für Änderungen an Netzwerk-Gateways ein." 
+ } + } + }, + { + "name": "log_metric_filters_route_table_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for Route Table Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls can help identify application errors and facilitate the detection of malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*CreateRoute.+\\$\\.eventName\\s*=\\s*CreateRouteTable.+\\$\\.eventName\\s*=\\s*ReplaceRoute.+\\$\\.eventName\\s*=\\s*ReplaceRouteTableAssociation.+\\$\\.eventName\\s*=\\s*DeleteRouteTable.+\\$\\.eventName\\s*=\\s*DeleteRoute.+\\$\\.eventName\\s*=\\s*DisassociateRouteTable\"))" + }, + "remediation": { + "text": "To address this issue, it is recommended to establish a metric filter and alarm for route table changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikfilter und eine Alarmierung für Änderungen an der Routentabelle vorhanden sind.", + "risk": "Die Überwachung nicht autorisierter API-Aufrufe kann dazu beitragen, Anwendungsfehler zu identifizieren und die Erkennung von bösartigen Aktivitäten zu ermöglichen.", + "remediation": "Um dieses Problem zu beheben, wird empfohlen, einen Metrikfilter und eine Alarmierung für Änderungen an der Routentabelle einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_vpc_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for VPC Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and reduce the time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventName\\s*=\\s*CreateVpc.+\\$\\.eventName\\s*=\\s*DeleteVpc.+\\$\\.eventName\\s*=\\s*ModifyVpcAttribute.+\\$\\.eventName\\s*=\\s*AcceptVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*CreateVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*DeleteVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*RejectVpcPeeringConnection.+\\$\\.eventName\\s*=\\s*AttachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DetachClassicLinkVpc.+\\$\\.eventName\\s*=\\s*DisableVpcClassicLink.+\\$\\.eventName\\s*=\\s*EnableVpcClassicLink\"))" + }, + "remediation": { + "text": "To address this issue, it is recommended to establish a metric filter and alarm for VPC changes.", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrik-Filter und ein Alarm für VPC-Änderungen vorhanden sind", + "risk": "Die Überwachung nicht autorisierter API-Aufrufe hilft bei der Aufdeckung von Anwendungsfehlern und reduziert die Zeit zur Erkennung von bösartigen Aktivitäten.", + "remediation": "Um dieses Problem zu beheben, wird empfohlen, einen Metrikfilter und Alarm für VPC-Änderungen einzurichten." 
+ } + } + }, + { + "name": "log_metric_filters_aws_org_changes", + "title": "Ensure a Log Metric Filter and Alarm Exist for AWS Organizations Changes", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity.", + "severity": "medium", + "detect": { + "fix": "is(aws_cloud_trail) and trail_is_multi_region_trail=true and trail_status.is_logging=true with(empty, --> is(aws_cloudwatch_log_group) with(any, --> is(aws_cloudwatch_metric_filter) and filter_pattern~\"\\s*\\$\\.eventSource\\s*=\\s*organizations.amazonaws.com.+\\$\\.eventName\\s*=\\s*\\\"AcceptHandshake\\\".+\\$\\.eventName\\s*=\\s*\\\"AttachPolicy\\\".+\\$\\.eventName\\s*=\\s*\\\"CreateAccount\\\".+\\$\\.eventName\\s*=\\s*\\\"CreateOrganizationalUnit\\\".+\\$\\.eventName\\s*=\\s*\\\"CreatePolicy\\\".+\\$\\.eventName\\s*=\\s*\\\"DeclineHandshake\\\".+\\$\\.eventName\\s*=\\s*\\\"DeleteOrganization\\\".+\\$\\.eventName\\s*=\\s*\\\"DeleteOrganizationalUnit\\\".+\\$\\.eventName\\s*=\\s*\\\"DeletePolicy\\\".+\\$\\.eventName\\s*=\\s*\\\"DetachPolicy\\\".+\\$\\.eventName\\s*=\\s*\\\"DisablePolicyType\\\".+\\$\\.eventName\\s*=\\s*\\\"EnablePolicyType\\\".+\\$\\.eventName\\s*=\\s*\\\"InviteAccountToOrganization\\\".+\\$\\.eventName\\s*=\\s*\\\"LeaveOrganization\\\".+\\$\\.eventName\\s*=\\s*\\\"MoveAccount\\\".+\\$\\.eventName\\s*=\\s*\\\"RemoveAccountFromOrganization\\\".+\\$\\.eventName\\s*=\\s*\\\"UpdatePolicy\\\".+\\$\\.eventName\\s*=\\s*\\\"UpdateOrganizationalUnit\\\"\"))" + }, + "remediation": { + "text": "Create a metric filter and alarm for AWS organization changes", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging_data_events_with_cloudtrail.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass ein Protokollmetrikfilter und ein Alarm für AWS-Organisationsänderungen 
vorhanden sind", + "risk": "Das Überwachen nicht autorisierter API-Aufrufe hilft dabei, Anwendungsfehler aufzudecken und die Zeit zur Erkennung von bösartigen Aktivitäten zu verkürzen.", + "remediation": "Erstellen Sie einen Metrikfilter und eine Alarmierung für AWS-Organisationsänderungen" + } + } + }, + { + "name": "security_hub_enabled", + "title": "Ensure Security Hub and Its Standard Subscriptions Are Enabled", + "result_kinds": [ + "aws_cloud_trail" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If Security Hub is not enabled, security teams will lack a comprehensive view of security alerts and posture across AWS accounts.", + "severity": "medium", + "detect": { + "manual": "Check if Security Hub is enabled in all regions you operate by running the command: aws securityhub get-enabled-standards" + }, + "remediation": { + "text": "Remember that Security Hub is regional, so enabling or disabling a security standard only affects the current region or the specified region. Follow the steps in the documentation to enable or disable standards in Security Hub.", + "url": "https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-enable-disable.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Security Hub und seine Standard-Abonnements aktiviert sind", + "risk": "Wenn Security Hub nicht aktiviert ist, werden Sicherheitsteams keine umfassende Übersicht über Sicherheitswarnungen und den Sicherheitsstatus in AWS-Konten haben.", + "remediation": "Beachten Sie, dass Security Hub regional ist, daher wirkt sich das Aktivieren oder Deaktivieren eines Sicherheitsstandards nur auf die aktuelle Region oder die angegebene Region aus. Befolgen Sie die Schritte in der Dokumentation, um Standards in Security Hub zu aktivieren oder zu deaktivieren." + } + } + } + ] +} 
diff --git a/fixcompliance/data/checks/aws/aws_cloudwatch.json b/fixcompliance/data/checks/aws/aws_cloudwatch.json
new file mode 100644
index 0000000..982fcf0
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_cloudwatch.json
@@ -0,0 +1,91 @@
+{
+ "provider": "aws",
+ "service": "cloudwatch",
+ "checks": [
+ {
+ "name": "cross_account_sharing_enabled",
+ "title": "Ensure Cross-Account Sharing is Configured for CloudWatch Logs",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If cross-account sharing for CloudWatch logs is not enabled, it complicates security monitoring and compliance auditing across diverse AWS accounts. This may lead to increased risk of undetected security incidents and failure to meet compliance standards.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_account) with(empty, -[1:2]-> is(aws_iam_role) and name=\"CloudWatch-CrossAccountSharingRole\")"
+ },
+ "remediation": {
+ "text": "Navigate to Settings in the CloudWatch Console. Then, under 'Configure', select 'share data' and provide the ID of the monitoring account. This sets up cross-account sharing for CloudWatch logs.",
+ "url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Cross-Account-Freigabe für CloudWatch-Logs konfiguriert ist",
+ "risk": "Wenn die Cross-Account-Freigabe für CloudWatch-Logs nicht aktiviert ist, erschwert dies die Überwachung der Sicherheit und die Prüfung der Einhaltung von Vorschriften in verschiedenen AWS-Konten. Dies kann zu erhöhtem Risiko nicht erkannter Sicherheitsvorfälle und Nichteinhaltung von Standards führen.",
+ "remediation": "Gehen Sie zur CloudWatch Console auf die Einstellungen. Wählen Sie dann unter 'Konfigurieren' 'Daten freigeben' und geben Sie die ID des Überwachungskontos ein. Dadurch wird die Cross-Account-Freigabe für CloudWatch-Logs eingerichtet."
+ }
+ }
+ },
+ {
+ "name": "log_group_encryption_at_rest_enabled",
+ "title": "Ensure AWS KMS is Protecting CloudWatch Log Groups",
+ "result_kinds": [
+ "aws_cloudwatch_log_group"
+ ],
+ "categories": [
+ "retention"
+ ],
+ "risk": "Not using customer-managed KMS for encryption can compromise the confidentiality of the CloudWatch log group data. Neglecting encryption controls can result in unauthorized access and potential data loss.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloudwatch_log_group) with(empty, --> is(aws_kms_key))"
+ },
+ "remediation": {
+ "text": "To address this, associate your CloudWatch Log Group with a KMS Key. Ensure that the specified KMS Key is used for encrypting all ingested data for the log group. Implementing this association is essential for CloudWatch Logs to decrypt the data when requested.",
+ "url": "https://docs.aws.amazon.com/cli/latest/reference/logs/associate-kms-key.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass AWS KMS CloudWatch Log-Gruppen schützt",
+ "risk": "Die Verwendung von nicht kundenverwalteter KMS-Verschlüsselung kann die Vertraulichkeit der Daten in der CloudWatch Log-Gruppe gefährden. Die Vernachlässigung von Verschlüsselungskontrollen kann zu unbefugtem Zugriff und potenziellem Datenverlust führen.",
+ "remediation": "Um dies zu beheben, verknüpfen Sie Ihre CloudWatch Log-Gruppe mit einem KMS-Schlüssel. Stellen Sie sicher, dass der angegebene KMS-Schlüssel zur Verschlüsselung aller eingespeisten Daten für die Log-Gruppe verwendet wird. Die Implementierung dieser Verknüpfung ist für CloudWatch-Logs unerlässlich, um die Daten auf Anforderung zu entschlüsseln."
+ }
+ }
+ },
+ {
+ "name": "log_group_retention_days_at_least_365",
+ "title": "Ensure that CloudWatch Log Groups Retain Data for at Least 365 Days",
+ "result_kinds": [
+ "aws_cloudwatch_log_group"
+ ],
+ "categories": [
+ "retention"
+ ],
+ "risk": "Failure to retain CloudWatch Logs for at least 365 days can result in non-compliance with regulatory requirements for long-term log storage. Additionally, it could hamper forensic analysis and retrospective detection of long-term security breach patterns.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_cloudwatch_log_group) and group_retention_in_days<{{log_group_retention_days}}"
+ },
+ "default_values": {
+ "log_group_retention_days": "365d"
+ },
+ "remediation": {
+ "text": "Apply a log retention policy of at least 365 days to CloudWatch Log Groups. This ensures the continuity of logs and traces to aid in security analysis and regulatory obligations.",
+ "url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass CloudWatch Log-Gruppen Daten für mindestens 365 Tage aufbewahren",
+ "risk": "Das Nichtvorhandensein einer Datenbewahrung von CloudWatch-Logs für mindestens 365 Tage kann zu Nichteinhaltung von Vorschriften für die langfristige Speicherung von Logs führen. Außerdem kann es die forensische Analyse und rückwirkende Erkennung von Sicherheitsverletzungen mit Langzeitmuster beeinträchtigen.",
+ "remediation": "Legen Sie eine Protokollbewahrungspolitik von mindestens 365 Tagen für CloudWatch-Log-Gruppen fest. Dadurch wird die Fortführung von Protokollen und Traces sichergestellt, um bei Sicherheitsanalysen und regulatorischen Verpflichtungen zu helfen."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_config.json b/fixcompliance/data/checks/aws/aws_config.json
new file mode 100644
index 0000000..f2c0062
--- /dev/null
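Review bot: In `log_group_retention_days_at_least_365`, the default `"log_group_retention_days": "365d"` is a duration string, while the field it is compared against, `group_retention_in_days`, is by its name a plain day count, so the `<` in the detect query either compares an integer with a string or relies on the query engine parsing duration literals — if it does not, the default should be `365`. Log groups with "never expire" retention presumably carry no `group_retention_in_days` value at all; it is worth confirming how a missing value compares and noting the intended outcome in the check, since those groups are the ones that most obviously satisfy the control. `log_group_encryption_at_rest_enabled` is categorised only as `retention` although it is an encryption control, and its risk text speaks of customer-managed keys while the query only requires any edge to an `aws_kms_key`; `"categories": ["security", "compliance"]` would match every other check in these files. The cross-account check keys on the literal role name `CloudWatch-CrossAccountSharingRole`, which is the console's default rather than a requirement, so accounts that set up sharing under another role name would be reported as non-compliant.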
+++ b/fixcompliance/data/checks/aws/aws_config.json
@@ -0,0 +1,62 @@
+{
+ "provider": "aws",
+ "service": "config",
+ "checks": [
+ {
+ "name": "enabled_in_all_regions",
+ "title": "Ensure AWS Config Is Enabled in All Regions",
+ "result_kinds": [
+ "aws_region"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable AWS Config in all regions may result in the inability to capture the AWS configuration item history, leading to a lack of security analysis, resource change tracking, and compliance auditing.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_region) with(empty, --> is(aws_config_recorder) and recorder_status.recording=true and recorder_group.all_supported=true and recorder_status.last_status=SUCCESS)"
+ },
+ "remediation": {
+ "text": "To address this issue, it is recommended to enable AWS Config in all regions to ensure proper security analysis, resource change tracking, and compliance auditing.",
+ "url": "https://aws.amazon.com/blogs/mt/aws-config-best-practices/",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass AWS Config in allen Regionen aktiviert ist.",
+ "risk": "Die Unterlassung, AWS Config in allen Regionen zu aktivieren, kann dazu führen, dass die AWS-Konfigurationsverlaufseinträge nicht erfasst werden können. Dies führt zu einem Mangel an Sicherheitsanalyse, Ressourcenänderungsnachverfolgung und Compliance-Prüfungen.",
+ "remediation": "Um dieses Problem zu beheben, wird empfohlen, AWS Config in allen Regionen zu aktivieren, um eine ordnungsgemäße Sicherheitsanalyse, Ressourcenänderungsnachverfolgung und Compliance-Prüfung sicherzustellen."
+ }
+ }
+ },
+ {
+ "name": "remediation_enabled",
+ "title": "Ensure AWS Config Remediation Is Enabled",
+ "result_kinds": [
+ "aws_region"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to implement AWS Config remediation (manual or automatic through System Manager) configurations can lead to noncompliant resources not being remediated, leaving potential vulnerabilities in the AWS cloud infrastructure.",
+ "severity": "medium",
+ "detect": {
+ "manual": "AWS Config allows for the remediation of noncompliant resources evaluated by AWS Config Rules. Remediation is applied through AWS Systems Manager Automation documents, defining the actions to be performed on noncompliant AWS resources."
+ },
+ "remediation": {
+ "text": "To remediate the issue, manual configuration can be done with user-defined reviews, or automatic remediation can be set up using AWS Config.",
+ "url": "https://docs.aws.amazon.com/config/latest/developerguide/remediation.html#setup-manualremediation",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Sicherstellen, dass die AWS Config Behebung aktiviert ist",
+ "risk": "Das Versäumen, AWS Config-Behebungskonfigurationen (manuell oder automatisch über System Manager) zu implementieren, kann dazu führen, dass nicht konforme Ressourcen nicht behoben werden und potenzielle Sicherheitslücken in der AWS Cloud-Infrastruktur hinterlassen.",
+ "remediation": "Um das Problem zu beheben, kann manuelle Konfiguration mit benutzerdefinierten Überprüfungen durchgeführt werden oder automatische Behebung mithilfe von AWS Config eingerichtet werden."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_dms.json b/fixcompliance/data/checks/aws/aws_dms.json
new file mode 100644
index 0000000..d91ba59
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_dms.json
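Review bot: The `enabled_in_all_regions` query verifies `recorder_status.recording=true`, `recorder_group.all_supported=true` and a successful `last_status`, but not whether the recording group includes global resource types (IAM users, groups and policies are only captured when at least one region's recorder does) and not whether a delivery channel exists — a recorder without a delivery channel produces no durable configuration history, and the CIS benchmarks shipped in this repo require both. If the collector exposes the recording group's global-resources flag and the delivery channel, extending the query is the right fix; otherwise the gap should at least be stated, e.g. `"internal_notes": "Does not verify include_global_resource_types or the presence of a delivery channel."`. The `remediation_enabled` check is manual and its `manual` text describes what remediation is rather than what to verify; a sentence naming the state to confirm (which rules have a remediation action configured) would make it actionable. The German title of the first check ends with a full stop while the English title and the other localisations do not.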
@@ -0,0 +1,31 @@
+{
+ "provider": "aws",
+ "service": "dms",
+ "checks": [
+ {
+ "name": "public_ip_address",
+ "title": "Ensure EC2 Instances for Database Migration Service (DMS) Are Not Accessible via Public IP",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [],
+ "risk": "Exposing an EC2 instance directly to the internet increases the attack surface and poses a high risk of compromise. In the context of DMS Replication instances, this can have significant compliance and security implications.",
+ "severity": "medium",
+ "detect": {
+ "manual": "Go to AWS DMS and select replication instances."
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that replication instances are created in private subnets and do not have a public IP.",
+ "url": "https://docs.aws.amazon.com/dms/latest/userguide/CHAP_ReplicationInstance.PublicPrivate.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass EC2-Instanzen für den Database Migration Service (DMS) nicht über eine öffentliche IP-Adresse erreichbar sind",
+ "risk": "Das direkte Bereitstellen einer EC2-Instanz im Internet erhöht die Angriffsfläche und birgt ein hohes Risiko für Kompromittierung. Im Zusammenhang mit DMS-Replikationsinstanzen kann dies erhebliche Auswirkungen auf die Compliance und Sicherheit haben.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass Replication Instances in privaten Subnetzen erstellt werden und keine öffentliche IP-Adresse haben."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_dynamodb.json b/fixcompliance/data/checks/aws/aws_dynamodb.json
new file mode 100644
index 0000000..2cab7b2
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_dynamodb.json
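Review bot: `public_ip_address` declares `"result_kinds": ["aws_ec2_instance"]`, but the check is about DMS replication instances, which are DMS resources and not EC2 instances in the AWS API, so any finding would be attributed to the wrong resource kind — and if a `fix` query on `aws_ec2_instance` is later added here it would flag every public EC2 instance, duplicating `ec2/public_ip_address` from the EC2 check file. `"categories": []` is the only empty category list in these files; `["security", "compliance"]` matches the risk text and keeps benchmark filtering by category consistent. The `manual` text only says where to click; stating what to verify (`"manual": "In AWS DMS, open Replication instances and confirm each instance has 'Publicly accessible' disabled and sits in a private subnet."`) would make the manual check reproducible. The risk text calls the exposure a high risk of compromise while `"severity": "medium"`; one of the two should be aligned with the other.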
@@ -0,0 +1,35 @@
+{
+ "provider": "aws",
+ "service": "dynamodb",
+ "checks": [
+ {
+ "name": "table_kms_encryption_enabled",
+ "title": "Ensure DynamoDB Table is Configured with KMS CMK Encryption",
+ "result_kinds": [
+ "aws_dynamodb_table"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without encryption at rest using KMS CMK, your sensitive user data stored in DynamoDB is at risk. This failure to protect data complexity and operational burden can result in breaches or loss of confidential data.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_dynamodb_table) and dynamodb_sse_description.sse_type!=KMS"
+ },
+ "remediation": {
+ "text": "To fix this issue, create a new table specifying a KMS CMK encryption key, or, for an existing table, update the configuration to include a KMS CMK encryption key using the AWS Management Console.",
+ "url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/encryption.tutorial.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die DynamoDB-Tabelle mit der KMS CMK-Verschlüsselung konfiguriert ist",
+ "risk": "Ohne die Verschlüsselung von Daten mit KMS CMK sind Ihre sensiblen Benutzerdaten, die in DynamoDB gespeichert sind, gefährdet. Diese mangelnde Schutzkomplexität und Betriebslast kann zu Sicherheitsverletzungen oder Verlust vertraulicher Daten führen.",
+ "remediation": "Um dieses Problem zu beheben, erstellen Sie eine neue Tabelle und geben Sie einen KMS CMK-Verschlüsselungsschlüssel an. Für eine bestehende Tabelle aktualisieren Sie die Konfiguration, um einen KMS CMK-Verschlüsselungsschlüssel mit der AWS Management Console einzuschließen."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_ec2.json b/fixcompliance/data/checks/aws/aws_ec2.json
new file mode 100644
index 0000000..2e14c63
--- /dev/null
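Review bot: The title and risk text promise a customer-managed key (KMS CMK), but `dynamodb_sse_description.sse_type!=KMS` only separates KMS from the AWS-owned default: a table encrypted with the AWS-managed `aws/dynamodb` key also reports an SSE type of KMS and passes this check. Verifying a customer-managed key means following the table's KMS key reference to the key itself and checking who manages it — the graph edge to `aws_kms_key` used by the CloudWatch log-group check looks like the route — or the title should be softened to what the query actually tests. Tables on the AWS-owned key carry no SSE description at all, so the query's result for a missing `dynamodb_sse_description` should be confirmed; if a comparison against an absent field does not evaluate to true, exactly the non-compliant tables are skipped. The risk sentence "This failure to protect data complexity and operational burden can result in breaches" does not parse; something like "Failing to protect this data can result in breaches or loss of confidential data." reads as intended.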
+++ b/fixcompliance/data/checks/aws/aws_ec2.json
@@ -0,0 +1,1380 @@
+{
+ "provider": "aws",
+ "service": "ec2",
+ "checks": [
+ {
+ "name": "snapshot_encrypted",
+ "title": "Ensure That EBS Snapshots Are Encrypted",
+ "result_kinds": [
+ "aws_ec2_snapshot"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not encrypting EBS snapshots poses a significant security risk by potentially exposing sensitive data to unauthorized access, as unencrypted snapshots can be easily read if intercepted or accessed by unintended parties.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_snapshot) and encrypted=false"
+ },
+ "remediation": {
+ "text": "You can enforce snapshot encryption by using AWS Key Management Service (AWS KMS) keys.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass EBS-Snapshots verschlüsselt sind",
+ "risk": "Das Nichtverschlüsseln von EBS-Snapshots stellt ein erhebliches Sicherheitsrisiko dar, da sensible Daten bei unbefugtem Zugriff oder Abfangen leicht eingesehen werden können, wenn die Snapshots unverschlüsselt sind.",
+ "remediation": "Sie können die Snapshot-Verschlüsselung durch die Verwendung von AWS Key Management Service (AWS KMS)-Schlüsseln erzwingen."
+ }
+ }
+ },
+ {
+ "name": "unused_elastic_ip",
+ "title": "Ensure There Are No Unassigned Elastic IPs in Your AWS Environment",
+ "result_kinds": [
+ "aws_ec2_elastic_ip"
+ ],
+ "categories": [
+ "cost"
+ ],
+ "risk": "Unused Elastic IPs can lead to unnecessary expenses. 
Non-utilized resources can artificially inflate costs and contribute to inefficient resource management.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_elastic_ip) with(empty, <-- is(aws_ec2_instance, aws_ec2_network_interface))"
+ },
+ "remediation": {
+ "text": "Review all Elastic IPs within your AWS environment. Confirm they are appropriately associated with running AWS instances or network interfaces. Release any unused Elastic IPs.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass es in Ihrer AWS-Umgebung keine nicht zugewiesenen elastischen IP-Adressen gibt",
+ "risk": "Nicht verwendete elastische IP-Adressen können zu unnötigen Kosten führen. Nicht genutzte Ressourcen können Kosten künstlich erhöhen und zu einer ineffizienten Ressourcenverwaltung beitragen.",
+ "remediation": "Überprüfen Sie alle elastischen IP-Adressen in Ihrer AWS-Umgebung. Stellen Sie sicher, dass sie ordnungsgemäß mit laufenden AWS-Instanzen oder Netzwerkschnittstellen verbunden sind. Geben Sie nicht verwendete elastische IP-Adressen frei."
+ }
+ }
+ },
+ {
+ "name": "instance_in_vpc",
+ "title": "Ensure All EC2 Instances Operate Within a VPC Instead of EC2-Classic",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Using deprecated EC2-Classic could impose significant security and compliance risks as it no longer receives updates or support from AWS. Operational stability could also be compromised.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and instance_subnet_id==null"
+ },
+ "remediation": {
+ "text": "To mitigate the risk, replace EC2 instances deployed in EC2-Classic with ones operating within a VPC. 
This shift will enhance your security posture and align you with AWS's current practices.",
+ "url": "https://aws.amazon.com/blogs/aws/ec2-classic-is-retiring-heres-how-to-prepare/",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Introduction.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass alle EC2-Instanzen innerhalb eines VPCs anstelle von EC2-Classic betrieben werden",
+ "risk": "Die Verwendung des veralteten EC2-Classic kann erhebliche Sicherheits- und Compliance-Risiken mit sich bringen, da es keine Updates oder Unterstützung von AWS mehr erhält. Auch die operative Stabilität könnte beeinträchtigt werden.",
+ "remediation": "Um das Risiko zu minimieren, ersetzen Sie EC2-Instanzen, die in EC2-Classic bereitgestellt sind, durch solche, die innerhalb eines VPCs betrieben werden. Diese Umstellung verbessert Ihre Sicherheitsposition und entspricht den aktuellen Praktiken von AWS."
+ }
+ }
+ },
+ {
+ "name": "internet_facing_with_instance_profile",
+ "title": "Ensure No Internet-Facing EC2 Instances with Instance Profiles Attached Exist",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Having a public EC2 instance increases the attack surface and exposes the server to potential threats. If an Instance Profile is attached to these instances, it could potentially provide access keys to unauthorized users.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and instance_public_ip_address!=null and instance_iam_instance_profile!=null"
+ },
+ "remediation": {
+ "text": "Ensure Elastic IPs are not unassigned and that EC2 instances are not unnecessarily exposed to the Internet. 
Compartmentalize AWS services to limit exposure and mitigate risk.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html",
+ "complexity": "high"
+ },
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/associate-elastic-ip-ec2/",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine öffentlich zugänglichen EC2-Instanzen mit angehängten Instanzprofilen vorhanden sind",
+ "risk": "Eine öffentliche EC2-Instanz erhöht die Angriffsfläche und setzt den Server potenziellen Bedrohungen aus. Wenn einem Solchen Instanzprofil angehängt ist, könnten unbefugte Benutzer potenziell Zugriffsschlüssel erhalten.",
+ "remediation": "Stellen Sie sicher, dass Elastic IPs nicht nicht zugewiesen sind und dass EC2-Instanzen nicht unnötig dem Internet ausgesetzt sind. Segmentieren Sie AWS-Services, um die Exposition zu begrenzen und Risiken zu minimieren."
+ }
+ }
+ },
+ {
+ "name": "old_instances",
+ "title": "Ensure EC2 Instances Are Not Older Than Specific Days",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Retaining old instances within your AWS account may heighten the risk of unsecured, outdated software. This could subsequently cause vulnerabilities, leading to potential data breaches or attacks.",
+ "severity": "low",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and instance_status=running and age>{{old_instance_age}}"
+ },
+ "default_values": {
+ "old_instance_age": "180d"
+ },
+ "remediation": {
+ "text": "Ensure all software running on the instance is up-to-date and patched. 
Evaluate the necessity of each instance and decommission those that are obsolete or unused.",
+ "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/viewing-patch-compliance-results.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass EC2-Instanzen nicht älter als eine bestimmte Anzahl von Tagen sind.",
+ "risk": "Das Beibehalten alter Instanzen in Ihrem AWS-Konto kann das Risiko von ungesichertem, veraltetem Software erhöhen. Dies kann anschließend zu Schwachstellen führen, die zu potenziellen Datenverletzungen oder Angriffen führen können.",
+ "remediation": "Stellen Sie sicher, dass alle auf der Instanz ausgeführte Software auf dem neuesten Stand und gepatcht ist. Bewertung der Notwendigkeit jeder Instanz und Außerbetriebnahme derjenigen, die veraltet oder nicht verwendet werden."
+ }
+ }
+ },
+ {
+ "name": "instance_profile_attached",
+ "title": "Ensure AWS Resource Access from Instances Is Carried Out Using IAM Instance Roles",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Utilising hard-coded AWS keys for resource access exposes your infrastructure to potential security risks. If these cloud-embedded credentials are compromised, unauthorized access could be gained from outside the AWS environment resulting in data breaches or infrastructure tampering.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and instance_iam_instance_profile=null"
+ },
+ "remediation": {
+ "text": "Ensure your AWS instances access resources using IAM roles. 
Create and attach these roles as necessary to each corresponding EC2 instance, thereby displacing any hard-coded credentials.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der Zugriff auf AWS-Ressourcen von Instanzen mit IAM-Instanzrollen durchgeführt wird",
+ "risk": "Die Verwendung von fest codierten AWS-Schlüsseln für den Ressourcenzugriff setzt Ihre Infrastruktur potenziellen Sicherheitsrisiken aus. Wenn diese in der Cloud eingebetteten Anmeldeinformationen kompromittiert werden, kann von außerhalb der AWS-Umgebung unbefugter Zugriff erfolgen, was zu Datenverstößen oder Eingriffen in die Infrastruktur führen kann.",
+ "remediation": "Stellen Sie sicher, dass Ihre AWS-Instanzen auf Ressourcen mit IAM-Rollen zugreifen. Erstellen und fügen Sie bei Bedarf diese Rollen zu jeder entsprechenden EC2-Instanz hinzu, um fest codierte Anmeldeinformationen zu ersetzen."
+ }
+ }
+ },
+ {
+ "name": "public_ip_address",
+ "title": "Ensure EC2 Instances Are Not Using Public IPs",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Having EC2 instances openly exposed to the internet significantly increases the risk of cyber attacks and potential security breaches, thereby compromising data integrity.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and instance_status==running and instance_public_ip_address!=null"
+ },
+ "remediation": {
+ "text": "To mitigate this issue, employ an Application Load Balancer (ALB) as an intermediary and apply a Web Application Firewall (WAF) Access Control List (ACL) to effectively filter access.",
+ "url": "https://aws.amazon.com/blogs/aws/aws-web-application-firewall-waf-for-application-load-balancers/",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass EC2-Instanzen keine öffentlichen IP-Adressen verwenden",
+ "risk": "Wenn EC2-Instanzen offen im Internet exponiert sind, erhöht sich das Risiko von Cyberangriffen und potenziellen Sicherheitsverletzungen erheblich, was die Integrität der Daten beeinträchtigen kann.",
+ "remediation": "Um dieses Problem zu beheben, verwenden Sie einen Application Load Balancer (ALB) als Zwischeninstanz und wenden Sie eine Web Application Firewall (WAF) Access Control List (ACL) an, um den Zugriff effektiv zu filtern."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_any_port_ipv4",
+ "title": "Ensure No Network ACLs Allow Ingress from 0.0.0.0/0 to Every Port",
+ "result_kinds": [
+ "aws_ec2_network_acl"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Our Network ACLs currently allow unsolicited traffic from any IP (0.0.0.0/0) to any port. 
This presents a security risk including network vulnerability to exploits and unauthorized access to sensitive data.",
+ "severity": "high",
+ "detect": {
+ "fix_cmd": "search is(aws_ec2_network_acl) and acl_entries[*].{(egress=false and cidr_block=\"0.0.0.0/0\" and rule_action=allow and protocol=-1) } | jq --no-rewrite 'if (( [.reported.acl_entries[]? | contains({egress:false, cidr_block:\"0.0.0.0/0\", protocol:\"-1\", rule_action:\"deny\"}) ] | any | not ) or ((.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | select(.protocol==\"-1\") |select(.cidr_block==\"0.0.0.0/0\") | select(.rule_action==\"allow\") | .rule_number) < (.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | select(.protocol==\"-1\") | select(.cidr_block==\"0.0.0.0/0\") | select(.rule_action==\"deny\") | .rule_number ))) then [.] else [] end' | flatten"
+ },
+ "remediation": {
+ "text": "Implement a strict security policy. Scan and revise overly permissive network ACLs regularly. Make sure to limit ingress ports by narrowing their definitions to only the minimum required.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "internal_notes": "The acl entries have to be interpreted in order. idea: if (no_deny_entry or (deny_entry_number > allow_entry_number)) then alert",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Netzwerk-ACLs keinen Zugriff von 0.0.0.0/0 auf beliebige Ports zulassen.",
+ "risk": "Unsere Netzwerk-ACLs erlauben derzeit unerwünschten Datenverkehr von jeder IP (0.0.0.0/0) auf beliebige Ports. Dies stellt ein Sicherheitsrisiko dar, einschließlich Netzwerk-Schwachstellen für Angriffe und unbefugten Zugriff auf sensible Daten.",
+ "remediation": "Implementieren Sie eine strikte Sicherheitsrichtlinie. 
Überprüfen Sie regelmäßig übermäßig großzügige Netzwerk-ACLs und passen Sie sie an. Stellen Sie sicher, dass Ingress-Ports eingeschränkt sind und nur das Minimum an erforderlichen Ports zulassen."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_any_port_ipv6",
+ "title": "Ensure That Network ACLs Do Not Permit Ingress from ::/0 to Every Port",
+ "result_kinds": [
+ "aws_ec2_network_acl"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Leaving network ACLs open can expose sensitive ports to vulnerabilities, as any user or malware can scan for these ports, bypass the perimeter firewall, and access your VPC. This poses an imminent threat to security and data confidentiality.",
+ "severity": "high",
+ "detect": {
+ "fix_cmd": "search is(aws_ec2_network_acl) and acl_entries[*].{(egress=false and ipv6_cidr_block=\"::/0\" and rule_action=allow and protocol=-1) } | jq --no-rewrite 'if (( [.reported.acl_entries[]? | contains({egress:false, ipv6_cidr_block:\"::/0\", protocol:\"-1\", rule_action:\"deny\"}) ] | any | not ) or ((.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | select(.protocol==\"-1\") |select(.ipv6_cidr_block==\"::/0\") | select(.rule_action==\"allow\") | .rule_number) < (.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | select(.protocol==\"-1\") | select(.ipv6_cidr_block==\"::/0\") | select(.rule_action==\"deny\") | .rule_number ))) then [.] else [] end' | flatten"
+ },
+ "remediation": {
+ "text": "To resolve this issue, apply the Zero Trust approach. Continuously scan and modify network ACLs that are unrestricted or overly permissive. Ensure that you limit the definition to the minimum ports required, and regularly update your protocols as part of best practices.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "internal_notes": "The acl entries must be interpreted in sequence. 
idea: if (no_deny_entry or (deny_entry_number > allow_entry_number)) then alert",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Netzwerk-ACLs kein Ingress von ::/0 zu einem beliebigen Port erlauben.",
+ "risk": "Das Offenlassen von Netzwerk-ACLs kann empfindliche Ports für Schwachstellen freilegen, da jeder Benutzer oder Malware nach diesen Ports scannen, die Perimeter-Firewall umgehen und auf Ihre VPC zugreifen kann. Dies stellt eine unmittelbare Bedrohung für die Sicherheit und Vertraulichkeit von Daten dar.",
+ "remediation": "Um dieses Problem zu beheben, wenden Sie den Zero-Trust-Ansatz an. Scannen und ändern Sie kontinuierlich Netzwerk-ACLs, die uneingeschränkt oder übermäßig freizügig sind. Stellen Sie sicher, dass Sie die Definition auf die erforderlichen Mindest-Ports beschränken und aktualisieren Sie regelmäßig Ihre Protokolle im Rahmen bewährter Verfahren."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_ssh_port_22_ipv4",
+ "title": "Ensure Network ACLs Do Not Allow Ingress from 0.0.0.0/0 to SSH Port 22",
+ "result_kinds": [
+ "aws_ec2_network_acl"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Leaving Network ACLs open can expose sensitive ports to external threats. Anyone with VPC access, including potential cyber-attackers and malware, can exploit this to gain unauthorized access to instances, risking data breach and system compromise.",
+ "severity": "high",
+ "detect": {
+ "fix_cmd": "search is(aws_ec2_network_acl) and acl_entries[*].{(egress=false and cidr_block=\"0.0.0.0/0\" and rule_action=allow and (protocol=-1 or (port_range.from_range<22 and port_range.to_range>22)))} | jq --no-rewrite 'if (( [.reported.acl_entries[]? | if .protocol==\"-1\" then . else (. 
| select(.port_range.from_range<22) | select(.port_range.to_range>=22)) end | contains({egress:false, cidr_block:\"0.0.0.0/0\", rule_action:\"deny\"}) ] | any | not ) or ((.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=22) | select(.port_range.to_range>=22) ) end | select(.cidr_block==\"0.0.0.0/0\") | select(.rule_action==\"allow\") | .rule_number) < (.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=22) | select(.port_range.to_range>=22) ) end | select(.cidr_block==\"0.0.0.0/0\") | select(.rule_action==\"deny\") | .rule_number))) then [.] else [] end' | flatten"
+ },
+ "remediation": {
+ "text": "Adopt a Zero Trust approach. Regularly scan your Network ACLs for unrestricted or overly permissive access and remediate immediately. Be sure to limit your ACLs to only the minimum necessary ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "internal_notes": "The ACL entries need to be processed in order. An alert should be triggered if there's no deny entry or if the deny entry number is greater than the allow entry number.",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/vpc-restrict-ingress-traffic/",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Netzwerk-ACLs keinen Ingress vom IP-Bereich 0.0.0.0/0 zum SSH-Port 22 erlauben",
+ "risk": "Offene Netzwerk-ACLs können sensible Ports externen Bedrohungen aussetzen. Jeder mit VPC-Zugriff, einschließlich potenzieller Cyber-Angreifer und Malware, kann dies ausnutzen, um unbefugten Zugriff auf Instanzen zu erlangen und ein Datenleck und eine Kompromittierung des Systems zu riskieren.",
+ "remediation": "Verfolgen Sie einen Zero-Trust-Ansatz. 
Überprüfen Sie regelmäßig Ihre Netzwerk-ACLs auf uneingeschränkten oder übermäßig berechtigten Zugriff und beheben Sie dies sofort. Stellen Sie sicher, dass Sie Ihre ACLs auf nur die erforderlichen Ports beschränken." + } + } + }, + { + "name": "allow_ingress_ssh_port_22_ipv6", + "title": "Ensure No Network ACLs Allow Ingress from ::/0 to SSH Port 22", + "result_kinds": [ + "aws_ec2_network_acl" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Leaving network ACLs open can inadvertently give any user or malware with VPC access the ability to scan sensitive ports and access instances, making your infrastructure more susceptible to malicious activities.", + "severity": "high", + "detect": { + "fix_cmd": "search is(aws_ec2_network_acl) and acl_entries[*].{(egress=false and ipv6_cidr_block=\"::/0\" and rule_action=allow and (protocol=-1 or (port_range.from_range<22 and port_range.to_range>22)))} | jq --no-rewrite 'if (( [.reported.acl_entries[]? | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<22) | select(.port_range.to_range>=22)) end | contains({egress:false, ipv6_cidr_block:\"::/0\", rule_action:\"deny\"}) ] | any | not ) or ((.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=22) | select(.port_range.to_range>=22) ) end | select(.ipv6_cidr_block==\"::/0\") | select(.rule_action==\"allow\") | .rule_number) < (.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=22) | select(.port_range.to_range>=22) ) end | select(.ipv6_cidr_block==\"::/0\") | select(.rule_action==\"deny\") | .rule_number))) then [.] else [] end' | flatten" + }, + "remediation": { + "text": "Consider implementing the Zero Trust approach. Consistently scan and remediate unrestricted or overly permissive network ACLs. 
As a best practice, limit traffic to minimum necessary ports.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "internal_notes": "Pay attention to ACL entries interpretation sequence: if there's no deny entry or if the deny_entry_number is greater than the allow_entry_number, an alert should be issued.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ACLs.html", + "localizations": { + "de": { + "title": "Sicherstellen, dass kein Netzwerk-ACL Eingänge von ::/0 zum SSH-Port 22 erlaubt", + "risk": "Offene Netzwerk-ACLs können unbeabsichtigt jedem Benutzer oder Schadsoftware mit VPC-Zugriff die Möglichkeit geben, sensible Ports zu scannen und auf Instanzen zuzugreifen, wodurch Ihre Infrastruktur anfälliger für bösartige Aktivitäten wird.", + "remediation": "Erwägen Sie die Implementierung des Zero Trust-Ansatzes. Scannen und beheben Sie konsequent unbeschränkte oder übermäßig erlaubende Netzwerk-ACLs. Als bewährte Methode begrenzen Sie den Datenverkehr auf die notwendigen Ports." + } + } + }, + { + "name": "allow_ingress_rdp_port_3389_ipv4", + "title": "Ensure That Network ACLs Do Not Allow Ingress from 0.0.0.0/0 to Microsoft RDP Port 3389", + "result_kinds": [ + "aws_ec2_network_acl" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Allowing network ACLs to remain open exposes your system to threats such as external attack probes scanning for vulnerable, well-known ports. This could lead to unauthorized access to instances within your VPC, even with a perimeter firewall in place.", + "severity": "high", + "detect": { + "fix_cmd": "search is(aws_ec2_network_acl) and acl_entries[*].{(egress=false and cidr_block=\"0.0.0.0/0\" and rule_action=allow and (protocol=-1 or (port_range.from_range<3389 and port_range.to_range>3389)))} | jq --no-rewrite 'if (( [.reported.acl_entries[]? | if .protocol==\"-1\" then . else (. 
| select(.port_range.from_range<3389) | select(.port_range.to_range>=3389)) end | contains({egress:false, cidr_block:\"0.0.0.0/0\", rule_action:\"deny\"}) ] | any | not ) or ((.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=3389) | select(.port_range.to_range>=3389) ) end | select(.cidr_block==\"0.0.0.0/0\") | select(.rule_action==\"allow\") | .rule_number) < (.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=3389) | select(.port_range.to_range>=3389) ) end | select(.cidr_block==\"0.0.0.0/0\") | select(.rule_action==\"deny\") | .rule_number))) then [.] else [] end' | flatten" + }, + "remediation": { + "text": "Adopt a Zero Trust security model. Regularly scan and update ACLs to curtail unrestricted or overly permissive entries. Aim to narrow down ports to the bare minimum required for your operations.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "internal_notes": "The acl entries have to be interpreted in order. idea: if (no_deny_entry or (deny_entry_number > allow_entry_number)) then alert", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/controlling-access.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Netzwerk ACLs keine Eingänge von 0.0.0.0/0 auf den Microsoft RDP-Port 3389 zulassen", + "risk": "Durch das Offenlassen von Netzwerk ACLs wird Ihr System Bedrohungen ausgesetzt, wie zum Beispiel externe Angriffssonden, die nach verwundbaren, bekannten Ports scannen. Dies kann unberechtigten Zugriff auf Instanzen in Ihrem VPC ermöglichen, selbst wenn eine Perimeter-Firewall vorhanden ist.", + "remediation": "Übernehmen Sie ein Sicherheitsmodell mit Null Vertrauen. 
Scannen und aktualisieren Sie regelmäßig ACLs, um uneingeschränkte oder zu weitreichende Einträge einzuschränken. Streben Sie danach, die Anzahl der Ports auf das absolute Minimum zu reduzieren, das für Ihre Operationen erforderlich ist." + } + } + }, + { + "name": "allow_ingress_rdp_port_3389_ipv6", + "title": "Ensure That Network ACLs Do Not Permit Inbound Traffic from ::/0 to Microsoft RDP Port 3389", + "result_kinds": [ + "aws_ec2_network_acl" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Leaving network ACLs open can expose well-known and sensitive ports to unauthorized users or malicious software. This can lead to potential intrusions, even if a perimeter firewall already exists.", + "severity": "high", + "detect": { + "fix_cmd": "search is(aws_ec2_network_acl) and acl_entries[*].{(egress=false and ipv6_cidr_block=\"::/0\" and rule_action=allow and (protocol=-1 or (port_range.from_range<3389 and port_range.to_range>3389)))} | jq --no-rewrite 'if (( [.reported.acl_entries[]? | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<3389) | select(.port_range.to_range>=3389)) end | contains({egress:false, ipv6_cidr_block:\"::/0\", rule_action:\"deny\"}) ] | any | not ) or ((.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=3389) | select(.port_range.to_range>=3389) ) end | select(.ipv6_cidr_block==\"::/0\") | select(.rule_action==\"allow\") | .rule_number) < (.reported.acl_entries | sort_by(.rule_number) | .[]? | select(.egress==false) | if .protocol==\"-1\" then . else (. | select(.port_range.from_range<=3389) | select(.port_range.to_range>=3389) ) end | select(.ipv6_cidr_block==\"::/0\") | select(.rule_action==\"deny\") | .rule_number))) then [.] else [] end' | flatten" + }, + "remediation": { + "text": "Adopt the Zero Trust security model. Regularly scan for and amend overly permissive or unrestricted network ACLs. 
Limit access to the minimum ports needed to perform necessary functions.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "internal_notes": "ACL entries must be interpreted in sequential order. The alert triggers if there is no deny entry or if the deny entry number is greater than the allow entry number.", + "url": "https://aws.amazon.com/premiumsupport/knowledge-center/network-acl-nacl-ec2/", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Netzwerk-ACLs den eingehenden Datenverkehr von ::/0 zum Microsoft RDP-Anschluss 3389 nicht zulassen", + "risk": "Das Offenlassen von Netzwerk-ACLs kann bekannte und sensible Ports für unbefugte Benutzer oder bösartige Software freigeben. Dies kann zu potenziellen Eindringlingen führen, selbst wenn eine Perimeter-Firewall bereits vorhanden ist.", + "remediation": "Übernehmen Sie das Sicherheitsmodell des Zero Trust. Überprüfen Sie regelmäßig, ob zu großzügige oder uneingeschränkte Netzwerk-ACLs vorliegen, und beheben Sie diese. Begrenzen Sie den Zugriff auf die minimal benötigten Ports, um erforderliche Funktionen durchzuführen." + } + } + }, + { + "name": "allow_ingress_from_internet_to_any_port", + "title": "Ensure No Security Groups Permit Ingress from 0.0.0.0/0 or ::/0 to Every Port", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Inadequate configuration of Security Groups can significantly expand the attack surface, leaving vital resources vulnerable to unauthorized access and potential network intrusion.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{ip_protocol=\"-1\" and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Embrace the Zero Trust model. Consistently audit and rectify unrestricted or too lenient network Access Control Lists (ACLs). 
Ensure to define the minimum required ports with access to minimize potential breaches.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf jeden Port erlauben.", + "risk": "Eine unzureichende Konfiguration der Sicherheitsgruppen kann die Angriffsfläche erheblich erweitern und wichtige Ressourcen anfällig für unbefugten Zugriff und potenzielle Netzwerkeindringungen machen.", + "remediation": "Befolgen Sie das Zero-Trust-Modell. Überprüfen Sie konsequent und korrigieren Sie uneingeschränkte oder zu nachlässige Netzwerk-Zugriffssteuerungslisten (ACLs). Stellen Sie sicher, dass nur die minimal erforderlichen Ports Zugriff haben, um potenzielle Sicherheitslücken zu minimieren." + } + } + }, + { + "name": "allow_ingress_from_internet_to_any_port_ipv4", + "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 to Every Port", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "An improperly configured security group can lead to exposure of all ports to the internet, vastly expanding the attack surface. Such positions can result in significant system vulnerability and potential breaches.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{ip_protocol=\"-1\" and ip_ranges[*].cidr_ip=\"0.0.0.0/0\"}" + }, + "remediation": { + "text": "Adopt a Zero Trust network model. Implement regular scans and remediations for unrestricted or overly permissive network ACLs, and restrict ingress to minimum necessary ports. 
For outbound traffic, use whitelist approach to limit the exposed interfaces.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 auf beliebige Ports erlauben.", + "risk": "Eine fehlerhaft konfigurierte Sicherheitsgruppe kann dazu führen, dass alle Ports für das Internet freigegeben werden, was die Angriffsfläche erheblich erweitert. Solche Positionen können zu erheblichen Systemrisiken und potenziellen Verstößen führen.", + "remediation": "Etablieren Sie ein Netzwerkmodell ohne Vertrauen (Zero-Trust). Führen Sie regelmäßige Scans und Maßnahmen zur Behebung von uneingeschränkten oder zu weitreichenden Netzwerk-ACLs durch und beschränken Sie den Zugriff auf die minimal erforderlichen Ports. Für ausgehenden Traffic verwenden Sie einen Whitelist-Ansatz, um die freigegebenen Schnittstellen zu begrenzen." + } + } + }, + { + "name": "allow_ingress_from_internet_to_any_port_ipv6", + "title": "Ensure No Security Groups Are Allowing Ingress from ::/0 to Every Port in Your VPC", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "A misconfigured security group, specifically allowing traffic from all IPv6 addresses (::/0) to any port, significantly widens your attack surface. This can lead to increased vulnerabilities, unwarranted access or potential data breaches.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{ip_protocol=\"-1\" and ipv6_ranges[*].cidr_ipv6=\"::/0\"}" + }, + "remediation": { + "text": "Adapt a Zero Trust approach. Start by regularly auditing your security groups for overly permissive rules. 
Limit the traffic to the minimum required ports and restrict ingress from specific IP addresses or ranges.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen Ingress vom ::/0 zu einem beliebigen Port in Ihrem VPC zulassen.", + "risk": "Eine fehlerhaft konfigurierte Sicherheitsgruppe, die speziell den Datenverkehr von allen IPv6-Adressen (::/0) zu jedem Port erlaubt, erweitert erheblich Ihre Angriffsfläche. Dies kann zu erhöhten Sicherheitslücken, unberechtigtem Zugriff oder potenziellen Datenlecks führen.", + "remediation": "Passen Sie den Zero Trust-Ansatz an. Beginnen Sie damit, Ihre Sicherheitsgruppen regelmäßig auf zu weitreichende Regeln zu überprüfen. Begrenzen Sie den Datenverkehr auf die minimal erforderlichen Ports und beschränken Sie den Ingress auf spezifische IP-Adressen oder Bereiche." + } + } + }, + { + "name": "allow_ingress_from_internet_to_port_mongodb_27017_27018", + "title": "Ensure No Security Groups Permit Ingress from 0.0.0.0/0 or ::/0 to MongoDB Ports 27017 and 27018", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Improper configuration of Security groups can significantly increase the attack surface, potentially leading to unauthorized data access or system breaches.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=27017 and to_port<=27017 and ip_protocol=tcp) or (from_port>=27018 and to_port<=27018 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Adopt a Zero Trust model. Regularly scan and rectify unrestricted or overly broad network acls. 
Best practice recommends defining the minimal necessary ports.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf die MongoDB-Ports 27017 und 27018 erlauben.", + "risk": "Die fehlerhafte Konfiguration von Sicherheitsgruppen kann die Angriffsfläche erheblich erhöhen und möglicherweise zu unberechtigtem Datenzugriff oder Systemverletzungen führen.", + "remediation": "Verwenden Sie das Zero-Trust-Modell. Scannen Sie regelmäßig und beheben Sie uneingeschränkte oder zu weitreichende Netzwerk-ACLs. Bewährte Praxis empfiehlt, die minimal benötigten Ports zu definieren." + } + } + }, + { + "name": "allow_ingress_from_internet_to_ssh_port_22", + "title": "Ensure No Security Groups Permit Ingress from 0.0.0.0/0 or ::/0 to SSH Port 22", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to properly configure Security groups expands the attack surface, exposing the infrastructure to higher risk of intrusion and cyber attacks.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=22 and to_port<=22 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Adhere to Zero Trust principles. Establish routine scanning and remediation of unrestricted or excessively permissive network acls. 
Ensure only the necessary minimum ports are open to fulfill operational requirements.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Appendix_NACLs.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf den SSH-Port 22 erlauben.", + "risk": "Fehlerhafte Konfiguration von Sicherheitsgruppen erweitert die Angriffsfläche und erhöht das Risiko von Eindringlingen und Cyberangriffen.", + "remediation": "Befolgen Sie die Prinzipien des Zero Trust. Führen Sie regelmäßige Scans und die Behebung von uneingeschränkten oder übermäßig freizügigen Netzwerk-ACLs durch. Stellen Sie sicher, dass nur die notwendigen Mindestports geöffnet sind, um die betrieblichen Anforderungen zu erfüllen." + } + } + }, + { + "name": "allow_ingress_from_internet_to_ssh_port_22_ipv4", + "title": "Ensure No Security Groups Permit Unrestricted Ingress from 0.0.0.0/0 to SSH Port 22", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "The risk of system breaches is heightened if security groups are not correctly configured. Failures in these configurations inevitably expand the attack surface, increasing vulnerability to cyber threats.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=22 and to_port<=22 and ip_protocol=tcp)) and ip_ranges[*].cidr_ip=\"0.0.0.0/0\"}" + }, + "remediation": { + "text": "Adoption of the Zero Trust strategy is imperative. Initiate a systematic scan to detect and remediate unrestricted or excessively permissive network acls. 
As a best practice, limit the definition to the minimum ports required to significantly boost security.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen einen uneingeschränkten Zugriff von 0.0.0.0/0 auf den SSH-Port 22 erlauben.", + "risk": "Das Risiko von Systemeindringen erhöht sich, wenn Sicherheitsgruppen nicht korrekt konfiguriert sind. Fehler in diesen Konfigurationen erweitern zwangsläufig die Angriffsfläche und erhöhen die Anfälligkeit für Cyberbedrohungen.", + "remediation": "Die Einführung der Zero-Trust-Strategie ist unerlässlich. Führen Sie systematische Scans durch, um netzwerkweite Zugriffssteuerungslisten ohne Beschränkungen oder mit übermäßig hohen Berechtigungen zu erkennen und zu beheben. Als bewährte Praxis beschränken Sie die Definition auf die minimal erforderlichen Ports, um die Sicherheit erheblich zu verbessern." + } + } + }, + { + "name": "allow_ingress_from_internet_to_ssh_port_22_ipv6", + "title": "Ensure No Security Groups Allow Ingress from ::/0 to SSH Port 22 via IPv6", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Insecure configuration can potentially expose the system to unauthorized access and attacks from any location, risking infrastructure security and data compromise.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=22 and to_port<=22 and ip_protocol=tcp)) and ipv6_ranges[*].cidr_ipv6=\"::/0\"}" + }, + "remediation": { + "text": "Adhere to the principles of 'Zero Trust'. Limit allowed ingress by specifying trusted CIDRs, and revoking unnecessary privileges. 
Refine security groups to minimize exposure by only allowing required ports.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen Ingress von ::/0 zum SSH-Port 22 über IPV6 erlauben.", + "risk": "Eine unsichere Konfiguration kann das System potenziell unautorisiertem Zugriff und Angriffen aus jedem Ort aussetzen, wodurch die Sicherheit der Infrastruktur und die Kompromittierung von Daten gefährdet werden.", + "remediation": "Befolgen Sie die Grundsätze des 'Zero Trust'. Begrenzen Sie den erlaubten Ingress, indem Sie vertrauenswürdige CIDRs festlegen und unnötige Berechtigungen widerrufen. Verfeinern Sie Sicherheitsgruppen, um die Exposition zu minimieren, indem Sie nur erforderliche Ports zulassen." + } + } + }, + { + "name": "allow_ingress_from_internet_to_ftp_port_20_21", + "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to FTP Ports 20 or 21", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Non-restrictive security group configurations can cause an increase in the attack surface for cyberthreats. This can potentially lead to unauthorized access, data breaches, and other security incidents.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=20 and to_port<=20 and ip_protocol=tcp) or (from_port>=21 and to_port<=21 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Adopt a Zero Trust security strategy. Conduct regular audits to identify and restrict any overly permissive network access control lists (ACLs). 
Strive to minimize the number of necessary ports and impose strict access rules for each.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#AddRemoveRule", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Internetzugriff von 0.0.0.0/0 oder ::/0 auf FTP-Ports 20 oder 21 ermöglichen.", + "risk": "Nicht restriktive Sicherheitsgruppeneinstellungen können die Angriffsfläche für Cyberrisiken erhöhen. Dies kann zu unbefugtem Zugriff, Datenverletzungen und anderen Sicherheitsvorfällen führen.", + "remediation": "Verfolgen Sie eine Sicherheitsstrategie des Zero Trust. Führen Sie regelmäßige Überprüfungen durch, um jeglichen übermäßig freizügigen Netzwerkzugriff einzuschränken. Streben Sie an, die Anzahl der erforderlichen Ports zu minimieren und strenge Zugriffsregeln für jeden Port festzulegen." + } + } + }, + { + "name": "allow_ingress_from_internet_to_rdp_port_3389", + "title": "Ensure That Security Groups Do Not Permit Ingress from 0.0.0.0/0 or ::/0 to Port 3389", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Improper configuration of security groups leading to permitting ingress from 0.0.0.0/0 and ::/0 to port 3389 can significantly increase the attack surface by potentially exposing resources to irrelevant or malicious traffic.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=3389 and to_port<=3389 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Adopt a Zero Trust Approach and ensure that security groups are properly configured to restrict unnecessary ingress. 
Implement processes to frequently scan and remediate any unrestricted or overly permissive network ACLs. Best practice is to restrict ingress to the least number of ports necessary.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://aws.amazon.com/premiumsupport/knowledge-center/security-group-rules-conflict/", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Sicherheitsgruppen keinen Ingress vom 0.0.0.0/0 oder ::/0 auf Port 3389 erlauben.", + "risk": "Eine fehlerhafte Konfiguration von Sicherheitsgruppen, die Ingress vom 0.0.0.0/0 und ::/0 auf Port 3389 ermöglicht, kann die Angriffsfläche erheblich erhöhen, indem potenziell irrelevanter oder bösartiger Traffic freigegeben wird.", + "remediation": "Verfolgen Sie einen Zero-Trust-Ansatz und stellen Sie sicher, dass Sicherheitsgruppen ordnungsgemäß konfiguriert sind, um unnötigen Ingress einzuschränken. Implementieren Sie Prozesse, um ungeeignete oder übermäßig großzügige Netzwerk-ACLs regelmäßig zu überprüfen und zu beheben. Es empfiehlt sich, Ingress auf die kleinste Anzahl von erforderlichen Ports zu beschränken." + } + } + }, + { + "name": "allow_ingress_from_internet_to_rdp_port_3389_ipv4", + "title": "Ensure Security Groups Do Not Allow Ingress from 0.0.0.0/0 to TCP Port 3389", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "An improperly configured Security Group, allowing open ingress to port 3389, increases the attack surface making your cloud infrastructure more vulnerable to potential security threats or breaches.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=3389 and to_port<=3389 and ip_protocol=tcp)) and ip_ranges[*].cidr_ip=\"0.0.0.0/0\"}" + }, + "remediation": { + "text": "Adopt the Zero Trust model. 
Regularly scan and make necessary amendments to eliminate unrestricted or overly permissive network ACLs. Minimise the attack surface by defining the exact ports required, rather than leaving ports unnecessarily open.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Security Groups keinen Zugriff von 0.0.0.0/0 auf den TCP-Port 3389 erlauben.", + "risk": "Eine fehlerhaft konfigurierte Security Group, die offenen Zugriff auf den Port 3389 erlaubt, erhöht die Angriffsfläche und macht Ihre Cloud-Infrastruktur anfälliger für potenzielle Sicherheitsbedrohungen oder Angriffe.", + "remediation": "Übernehmen Sie das Zero Trust-Modell. Scannen Sie regelmäßig und nehmen Sie erforderliche Änderungen vor, um uneingeschränkte oder übermäßig zugriffsberechtigte Netzwerk-ACLs zu beseitigen. Minimieren Sie die Angriffsfläche, indem Sie die genauen Ports definieren, die benötigt werden, anstatt Ports unnötig offen zu lassen." + } + } + }, + { + "name": "allow_ingress_from_internet_to_rdp_port_3389_ipv6", + "title": "Ensure No Security Groups Permit Ingress from ::/0 to Port 3389", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Unsecured security group configurations could potentially enlarge the attack surface, making your cloud infrastructure more vulnerable to malicious attacks and unauthorised access attempts.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=3389 and to_port<=3389 and ip_protocol=tcp)) and ipv6_ranges[*].cidr_ipv6=\"::/0\"}" + }, + "remediation": { + "text": "Adhere to the principles of Zero Trust approach. Conduct regular scans and fix any unrestricted or overly permissive network ACLs. 
Narrow down the rules to include only the necessary ports, thereby minimising potential risks.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von ::/0 auf Port 3389 gestatten.", + "risk": "Unsichere Sicherheitsgruppeneinstellungen könnten die Angriffsfläche vergrößern und Ihre Cloud-Infrastruktur anfälliger für bösartige Angriffe und unbefugte Zugriffsversuche machen.", + "remediation": "Halten Sie sich an die Prinzipien des Zero-Trust-Ansatzes. Führen Sie regelmäßige Scans durch und beheben Sie alle nicht eingeschränkten oder zu weit geöffneten Netzwerk-ACLs. Beschränken Sie die Regeln auf die notwendigen Ports, um potenzielle Risiken zu minimieren." + } + } + }, + { + "name": "allow_ingress_from_internet_to_cassandra_ports", + "title": "Ensure Ingress to Cassandra Ports 7199, 9160 and 8888 Is Not Allowed from 0.0.0.0/0 or ::/0", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Inappropriate configuration of security groups can significantly increase the attack surface. Publicly exposed Cassandra ports can open a vector for potential cyber-attacks that may compromise data integrity.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=9160 and to_port<=9160 and ip_protocol=tcp) or (from_port>=8888 and to_port<=8888 and ip_protocol=tcp) or (from_port>=7199 and to_port<=7199 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Implement Zero Trust networking model. Regularly scan and remediate unrestricted or overly permissive network access control lists (ACLs). 
It's a best practice to minimize the attack surface by restricting ports to the bare minimum required for functioning.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass der Zugriff auf die Cassandra-Ports 7199, 9160 und 8888 von 0.0.0.0/0 oder ::/0 nicht erlaubt ist", + "risk": "Eine unangemessene Konfiguration der Sicherheitsgruppen kann die Angriffsfläche erheblich vergrößern. Öffentlich zugängliche Cassandra-Ports können einen Angriffsvektor darstellen, der die Integrität der Daten gefährden kann.", + "remediation": "Implementieren Sie das Zero-Trust-Netzwerkmodell. Scannen und beheben Sie regelmäßig uneingeschränkte oder übermäßig zugängliche Netzwerkzugriffssteuerungslisten (Access Control Lists, ACLs). Es ist bewährte Praxis, die Angriffsfläche zu minimieren, indem Sie die Ports auf das absolute Minimum beschränken, das für den reibungslosen Betrieb erforderlich ist." 
+ } + } + }, + { + "name": "allow_ingress_from_internet_to_kibana_ports", + "title": "Ensure Security Groups Disallow Ingress from 0.0.0.0/0 or ::/0 to Elasticsearch/Kibana Ports", + "result_kinds": [ + "aws_ec2_security_group" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Unregulated ingress into Elasticsearch/Kibana ports increases attack surface, leading to potential unauthorized access and data breaches, which directly undermines system security and compliance.", + "severity": "high", + "detect": { + "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=9200 and to_port<=9200 and ip_protocol=tcp) or (from_port>=9300 and to_port<=9300 and ip_protocol=tcp) or (from_port>=5601 and to_port<=5601 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}" + }, + "remediation": { + "text": "Implement the Zero Trust model. Ensure frequent scanning and remediation of insecure or overly permissive network ACLs. It is recommended to limit the scope to the minimum necessary ports.", + "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Security Groups den Eingriff von 0.0.0.0/0 oder ::/0 in die Elasticsearch/Kibana-Ports untersagen", + "risk": "Ein ungeregelter Eingriff in die Elasticsearch/Kibana-Ports erhöht die Angriffsfläche und führt zu potenziell unbefugtem Zugriff und Datenverletzungen, was die Systemsecurity und Compliance unmittelbar untergräbt.", + "remediation": "Implementieren Sie das Zero Trust-Modell. Stellen Sie eine regelmäßige Überprüfung und Behebung unsicherer oder übermäßig freizügiger Netzwerk-ACLs sicher. Es wird empfohlen, den Umfang auf die minimal notwendigen Ports zu beschränken." 
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_kafka_ports",
+ "title": "Ensure That Security Groups Restrict Ingress from 0.0.0.0/0 or ::/0 to Kafka Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "A lack of properly configured security groups broadens your attack surface. This increases the risk of unauthorized access to your AWS infrastructure and data breaches.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=9092 and to_port<=9092 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "Leverage the Zero Trust approach. Initiate a process to regularly scan and patch unrestricted or overly permissive network access control lists (ACLs). Best practice dictates narrowing the definition to the minimum required ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf Kafka-Ports einschränken.",
+ "risk": "Ein Mangel an ordnungsgemäß konfigurierten Sicherheitsgruppen erhöht Ihre Angriffsfläche. Dadurch steigt das Risiko unbefugten Zugriffs auf Ihre AWS-Infrastruktur und Datenverletzungen.",
+ "remediation": "Nutzen Sie den Zero-Trust-Ansatz. Initiieren Sie regelmäßige Scans und Patching von uneingeschränkten oder übermäßig großzügigen Netzwerkzugriffskontrolllisten (ACLs). Die bewährte Praxis besteht darin, die Definition auf die erforderlichen Mindestports zu beschränken."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_memcached_ports",
+ "title": "Ensure Security Groups Do Not Permit Ingress from 0.0.0.0/0 or ::/0 to Memcached Ports 11211",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing unrestricted access to Memcached ports increases the risk of unauthorized data access and potential DDoS attacks. Ensuring proper configurations is fundamental for defending the AWS infrastructure.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=11211 and to_port<=11211 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "Security groups should be refined to disregard traffic from 0.0.0.0/0 or ::/0 to Memcached ports. Embrace a Zero Trust approach and impose stricter network ACLs that only allow minimum required port access as part of a routine scanning and remediation process.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#VPCSecurityGroups",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Sicherheitsgruppen keinen Zugriff von 0.0.0.0/0 oder ::/0 auf Memcached Ports 11211 erlauben.",
+ "risk": "Die Erlaubnis eines unbeschränkten Zugriffs auf Memcached Ports erhöht das Risiko eines unberechtigten Datenzugriffs und potenzieller DDoS-Angriffe. Eine ordnungsgemäße Konfiguration ist entscheidend für die Verteidigung der AWS-Infrastruktur.",
+ "remediation": "Sicherheitsgruppen sollten so angepasst werden, dass der Datenverkehr von 0.0.0.0/0 oder ::/0 zu Memcached Ports blockiert wird. Verfolgen Sie einen Zero Trust Ansatz und setzen Sie strengere Netzwerk-ACLs ein, die nur den minimal erforderlichen Portzugriff erlauben. 
Dies sollte Teil eines regelmäßigen Scanning- und Remediation-Prozesses sein."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_mysql_ports",
+ "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to MySQL Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If security groups are not properly configured, the attack surface is increased. This allows unauthorized access to MySQL ports, potentially compromising sensitive data and affecting the availability of the service.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=3306 and to_port<=3306 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "To fix this issue, implement a Zero Trust approach by applying the principle of least privilege. Create explicit security group rules that only allow necessary inbound traffic to MySQL ports. Regularly scan and remediate any unrestricted or overly permissive network ACLs. Refer to the AWS documentation for recommended best practices.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacls-recommendations",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf MySQL-Ports erlauben",
+ "risk": "Wenn Sicherheitsgruppen nicht ordnungsgemäß konfiguriert sind, wird die Angriffsfläche erhöht. Dadurch wird unbefugter Zugriff auf MySQL-Ports ermöglicht, was potenziell sensible Daten gefährdet und die Verfügbarkeit des Dienstes beeinträchtigt.",
+ "remediation": "Um dieses Problem zu beheben, implementieren Sie einen Ansatz des 'Zero Trust', indem Sie das Prinzip des geringsten Privilegs anwenden. 
Erstellen Sie explizite Sicherheitsgruppenregeln, die nur den erforderlichen eingehenden Datenverkehr zu MySQL-Ports zulassen. Scannen und beheben Sie regelmäßig alle uneingeschränkten oder übermäßig freizügigen Netzwerk-ACLs. Lesen Sie die AWS-Dokumentation für empfohlene bewährte Verfahren."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_oracledb",
+ "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to OracleDB Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Improperly configured security groups increase the attack surface, making the infrastructure vulnerable.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=1521 and to_port<=1521 and ip_protocol=tcp) or (from_port>=2483 and to_port<=2483 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "To fix this issue, it is recommended to apply a Zero Trust approach, implement a process for scanning and remediating unrestricted or overly permissive network ACLs. It is also advised to narrow the definition for the minimum required ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den eingehenden Verkehr von 0.0.0.0/0 oder ::/0 zu den OracleDB-Ports erlauben",
+ "risk": "Fehlkonfigurierte Sicherheitsgruppen erhöhen die Angriffsfläche und machen die Infrastruktur anfällig.",
+ "remediation": "Um dieses Problem zu beheben, wird empfohlen, einen Zero-Trust-Ansatz anzuwenden, einen Prozess zur Überprüfung und Behebung von uneingeschränkten oder übermäßig unberechtigten Netzwerk-ACLs zu implementieren. 
Es wird außerdem empfohlen, die Definition für die minimal erforderlichen Ports einzuschränken."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_postgresql_ports",
+ "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to PostgreSQL Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing ingress from 0.0.0.0/0 or ::/0 to PostgreSQL ports increases the attack surface and can expose sensitive data.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=5432 and to_port<=5432 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "Implement a Zero Trust approach by scanning and remediating unrestricted or overly permissive network ACLs. Apply recommended best practices by narrowing the definition for the minimum required ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Eingriff von 0.0.0.0/0 oder ::/0 auf PostgreSQL-Ports erlauben.",
+ "risk": "Das Zulassen von Eingriffen von 0.0.0.0/0 oder ::/0 auf PostgreSQL-Ports erhöht die Angriffsfläche und kann sensible Daten preisgeben.",
+ "remediation": "Implementieren Sie einen Zero-Trust-Ansatz durch Scannen und Beheben von uneingeschränkten oder übermäßig genehmigten Netzwerk-ACLs. Wenden Sie empfohlene bewährte Methoden an, indem Sie die Definition für die erforderlichen Mindestports einschränken."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_redis_ports",
+ "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to Redis Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If security groups are not properly configured, the attack surface is increased. Unauthorized access from the internet can lead to data breaches and security incidents.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=6379 and to_port<=6379 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "Apply a Zero Trust approach to security. Implement a process to scan and remediate unrestricted or overly permissive network ACLs. It is recommended to define specific rules and narrow down the allowed ingress IP ranges to minimize the attack surface.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf Redis-Ports ermöglichen",
+ "risk": "Wenn Sicherheitsgruppen nicht ordnungsgemäß konfiguriert sind, erhöht sich die Angriffsfläche. Nicht autorisierter Zugriff aus dem Internet kann zu Datenverstößen und Sicherheitsvorfällen führen.",
+ "remediation": "Wenden Sie einen Zero-Trust-Ansatz für die Sicherheit an. Implementieren Sie einen Prozess zur Überprüfung und Behebung von uneingeschränkten oder übermäßig freizügigen Netzwerk-ACLs. Es wird empfohlen, spezifische Regeln festzulegen und die erlaubten Eingangs-IP-Bereiche einzugrenzen, um die Angriffsfläche zu minimieren."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_sql_server_ports",
+ "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to SQL Server Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If security groups are not properly configured, the attack surface is significantly increased.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=1433 and to_port<=1433 and ip_protocol=tcp) or (from_port>=1434 and to_port<=1434 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "Implement a Zero Trust approach. Scan and remediate unrestricted or overly permissive network ACLs. It is recommended to narrow the definition for the minimum required ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf SQL Server-Ports erlauben.",
+ "risk": "Wenn Sicherheitsgruppen nicht ordnungsgemäß konfiguriert sind, wird die Angriffsfläche erheblich erhöht.",
+ "remediation": "Implementieren Sie einen Zero Trust-Ansatz. Scannen und beheben Sie unbeschränkte oder übermäßig weitreichende Netzwerk-ACLs. Es wird empfohlen, die Definition für die erforderlichen Mindestports zu reduzieren."
+ }
+ }
+ },
+ {
+ "name": "allow_ingress_from_internet_to_telnet_ports",
+ "title": "Ensure No Security Groups Allow Ingress from 0.0.0.0/0 or ::/0 to Telnet Ports",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failing to properly configure security groups increases the attack surface.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].{(ip_protocol=-1 or (from_port>=23 and to_port<=23 and ip_protocol=tcp)) and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")}"
+ },
+ "remediation": {
+ "text": "To fix this issue, apply a Zero Trust approach by implementing a process to scan and remediate unrestricted or overly permissive network ACLs. It is recommended to narrow the definition for the minimum required ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Sicherheitsgruppen den Zugriff von 0.0.0.0/0 oder ::/0 auf Telnet-Ports erlauben",
+ "risk": "Eine falsche Konfiguration von Sicherheitsgruppen erhöht die Angriffsfläche.",
+ "remediation": "Um das Problem zu beheben, verwenden Sie einen Zero-Trust-Ansatz, indem Sie einen Prozess implementieren, um nicht eingeschränkte oder zu großzügige Netzwerk-ACLs zu überprüfen und zu beheben. Es wird empfohlen, die Definition der erforderlichen Mindest-Ports zu verengen."
+ }
+ }
+ },
+ {
+ "name": "wide_open_ipv4_security_group",
+ "title": "Ensure Security Group Is Properly Configured to Reduce Attack Surface",
+ "result_kinds": [
+ "aws_ec2_security_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Improperly configured security groups increase the attack surface, making the AWS cloud infrastructure vulnerable.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and group_ip_permissions[*].ip_ranges[*].{cidr_ip!=\"0.0.0.0/0\" and cidr_ip!~\"^(10\\.|^172\\.(1[6-9]|2[0-9]|3[0-1])\\.|^192\\.168\\.)\" and cidr_ip!~\"/(2[4-9]|[3][0-2])$\"}"
+ },
+ "remediation": {
+ "text": "To fix the issue, implement a Zero Trust approach and establish a process to regularly scan and remediate unrestricted or overly permissive network access control lists. It is recommended to narrow the definition of the minimum required ports.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "localizations": {
+ "de": {
+ "title": "Sicherheitsgruppe korrekt konfigurieren, um die Angriffsfläche zu reduzieren.",
+ "risk": "Falsch konfigurierte Sicherheitsgruppen erhöhen die Angriffsfläche und machen die AWS Cloud-Infrastruktur anfällig.",
+ "remediation": "Um das Problem zu beheben, implementieren Sie einen Zero-Trust-Ansatz und etablieren Sie einen Prozess, um uneingeschränkte oder übermäßig freizügige Netzwerkzugriffskontrolllisten regelmäßig zu überprüfen und zu beheben. Es wird empfohlen, die Definition der erforderlichen Ports zu verengen."
+ }
+ }
+ },
+ {
+ "name": "default_restrict_traffic",
+ "title": "Ensure That the Default Security Group of Every VPC Restricts All Traffic",
+ "result_kinds": [
+ "aws_vpc"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Leaving security groups open allows any user or malware with VPC access to scan for well-known and sensitive ports, potentially gaining unrestricted access to instances.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ec2_security_group) and name=\"default\" and group_ip_permissions[*].{ip_protocol=\"-1\" and (ip_ranges[*].cidr_ip=\"0.0.0.0/0\" or ipv6_ranges[*].cidr_ipv6=\"::/0\")} <-- is(aws_vpc)"
+ },
+ "remediation": {
+ "text": "To address this issue, apply a Zero Trust approach and implement a process to regularly scan and remediate any unrestricted or overly permissive network ACLs. It is recommended to narrow the definition for the minimum ports required.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Standard-Sicherheitsgruppe jeder VPC den gesamten Datenverkehr einschränkt",
+ "risk": "Das Offenlassen von Sicherheitsgruppen ermöglicht es jedem Benutzer oder Schadprogramm mit VPC-Zugriff, bekannte und sensible Ports zu scannen und möglicherweise uneingeschränkten Zugriff auf Instanzen zu erhalten.",
+ "remediation": "Um dieses Problem zu beheben, wenden Sie einen Zero-Trust-Ansatz an und implementieren Sie einen Prozess, um regelmäßig nicht eingeschränkte oder zu weitreichende Netzwerk-ACLs zu scannen und zu beheben. Es wird empfohlen, die Definition für die erforderlichen Mindestports einzugrenzen."
+ }
+ }
+ },
+ {
+ "name": "routing_tables_with_least_privilege",
+ "title": "Ensure VPC Peering Routing Tables Have Least Access",
+ "result_kinds": [
+ "aws_vpc"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "By being highly selective in peering routing tables, the impact of a breach can be minimized as resources outside of these routes will be inaccessible to the peered VPC.",
+ "severity": "medium",
+ "detect": {
+ "fix_cmd": "search is(aws_vpc_peering_connection) {/vpc: <-- is(aws_vpc), /route_tables[]: <-- is(aws_vpc) --> is(aws_ec2_route_table)} | jq --no-rewrite 'if [.route_tables[]?.reported.route_table_routes[]? | select(.origin!=\"CreateRouteTable\") | (.destination_cidr_block==\"0.0.0.0/0\") or (.destination_cidr_block==.reported.connection_accepter_vpc_info.cidr_block) or (.destination_cidr_block==.reported.connection_requester_vpc_info.cidr_block)] | any then [.vpc] else [] end' | flatten"
+ },
+ "remediation": {
+ "text": "To fix this issue, review the routing tables of the peered VPCs and determine whether they route all subnets of each VPC and whether such routing is necessary for the intended purposes of peering the VPCs.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/peering/peering-configurations-partial-access.html",
+ "complexity": "high"
+ },
+ "internal_notes": "Load peering connections and merge VPC and route tables. 
Then check if any route table CIDR is set to 0.0.0.0/0 or the same as the requester or accepter CIDR.",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass VPC-Peering-Routing-Tabellen den geringsten Zugriff haben.",
+ "risk": "Durch eine hohe Selektivität bei den Peering-Routing-Tabellen kann der Schaden eines Sicherheitsverstoßes minimiert werden, da Ressourcen außerhalb dieser Routen für das gepeerte VPC nicht zugänglich sind.",
+ "remediation": "Um dieses Problem zu beheben, überprüfen Sie die Routing-Tabellen der gepeerten VPCs und prüfen Sie, ob sie alle Subnetze jedes VPC routen und ob eine solche Weiterleitung für den beabsichtigten Zweck des Peering der VPCs erforderlich ist."
+ }
+ }
+ },
+ {
+ "name": "volume_not_encrypted",
+ "title": "Ensure All EBS Volumes Are Encrypted",
+ "result_kinds": [
+ "aws_ec2_volume"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to encrypt EBS volumes may lead to unauthorized access or theft of data.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_volume) and volume_encrypted=false"
+ },
+ "remediation": {
+ "text": "To fix the issue, encrypt all EBS volumes and enable encryption by default. You can enforce encryption of new EBS volumes and snapshot copies in your AWS account. Amazon EBS automatically encrypts volumes created when launching an instance and copying from an unencrypted snapshot.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass alle EBS-Volumes verschlüsselt sind.",
+ "risk": "Das Fehlen der Verschlüsselung von EBS-Volumes kann zu unbefugtem Zugriff oder Diebstahl von Daten führen.",
+ "remediation": "Um das Problem zu beheben, verschlüsseln Sie alle EBS-Volumes und aktivieren Sie die standardmäßige Verschlüsselung. 
Sie können die Verschlüsselung neuer EBS-Volumes und Snapshot-Kopien in Ihrem AWS-Konto erzwingen. Amazon EBS verschlüsselt automatisch Volumes, die beim Start einer Instanz erstellt werden, sowie Kopien von unverschlüsselten Snapshots."
+ }
+ }
+ },
+ {
+ "name": "vpc_flow_logs_enabled",
+ "title": "Ensure VPC Flow Logging Is Enabled in All VPCs",
+ "result_kinds": [
+ "aws_vpc"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable VPC Flow Logs may result in a lack of visibility into network traffic, making it difficult to detect and respond to anomalous activity, compromising security measures.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_vpc) with(empty, --> is(aws_ec2_flow_log))"
+ },
+ "remediation": {
+ "text": "To fix this issue, it is recommended to enable VPC Flow Logs for packet rejects in all VPCs.",
+ "url": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass VPC-Flussprotokollierung in allen VPCs aktiviert ist",
+ "risk": "Das Nichtaktivieren von VPC-Flussprotokollen kann zu einer fehlenden Sichtbarkeit des Netzwerkverkehrs führen, was die Erkennung und Reaktion auf abweichende Aktivitäten erschwert und die Sicherheitsmaßnahmen gefährdet.",
+ "remediation": "Um dieses Problem zu beheben, wird empfohlen, die VPC-Flussprotokollierung für verworfene Pakete in allen VPCs zu aktivieren."
+ }
+ }
+ },
+ {
+ "name": "instance_uses_imdsv2",
+ "title": "Ensure EC2 Metadata Service Is Configured to Only Allow IMDSv2",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing Version 1 of the service may open EC2 instances to Server-Side Request Forgery (SSRF) attacks, putting the instances at risk. 
It is recommended to utilize Version 2 for better instance security.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and not instance_metadata_options.{(http_endpoint=enabled and http_tokens=required) or http_endpoint=disabled}"
+ },
+ "remediation": {
+ "text": "To fix the issue, login to the AWS Management Console and open the Amazon EC2 console using the link: https://console.aws.amazon.com/ec2/. Then, navigate to the Instances menu and select Instances. For each instance, choose Actions > Modify instance metadata options. If the Instance metadata service is enabled, set IMDSv2 to Required.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html",
+ "action": {
+ "aws_cli": "aws ec2 modify-instance-metadata-options --instance-id --http-tokens required"
+ },
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-metadata-transition-to-version-2.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der EC2-Metadatendienst nur IMDSv2 zulässt.",
+ "risk": "Die Zulassung von Version 1 des Dienstes kann EC2-Instanzen anfällig für Server-seitige Request Forgery (SSRF)-Angriffe machen und die Instanzen gefährden. Es wird empfohlen, Version 2 für eine bessere Instanzsicherheit zu nutzen.",
+ "remediation": "Um das Problem zu beheben, melden Sie sich in der AWS Management Console an und öffnen Sie die Amazon EC2 Console über den Link: https://console.aws.amazon.com/ec2/. Navigieren Sie dann zum Menü 'Instances' und wählen Sie 'Instances' aus. Wählen Sie für jede Instanz 'Actions > Modify instance metadata options'. Wenn der Instanzdienst für Metadaten aktiviert ist, setzen Sie IMDSv2 auf 'Erforderlich'."
+ }
+ }
+ },
+ {
+ "name": "instance_stopped_since_30d",
+ "title": "Ensure That Stopped EC2 Instances Are Terminated Within 30 Days",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Instances that are stopped have a tendency to be forgotten and can pose a security risk. It is important to terminate instances that are not in use to mitigate this risk.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) and instance_status==stopped and mtime>{{stopped_instance_age}}"
+ },
+ "default_values": {
+ "stopped_instance_age": "30d"
+ },
+ "remediation": {
+ "text": "To fix this issue, terminate any EC2 instance that has been shutdown for more than 30 days. Make sure to create backups of the instances that are still required for future use.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass gestoppte EC2-Instanzen innerhalb von 30 Tagen beendet werden",
+ "risk": "Instanzen, die gestoppt sind, haben die Tendenz, vergessen zu werden und stellen ein Sicherheitsrisiko dar. Es ist wichtig, Instanzen, die nicht in Gebrauch sind, zu beenden, um dieses Risiko zu mindern.",
+ "remediation": "Um dieses Problem zu beheben, beenden Sie alle EC2-Instanzen, die seit mehr als 30 Tagen heruntergefahren sind. Stellen Sie sicher, Backups von den Instanzen zu erstellen, die für zukünftigen Gebrauch noch benötigt werden."
+ }
+ }
+ },
+ {
+ "name": "ebs_volume_unused",
+ "title": "Ensure There Are No Unused EBS Volumes on the AWS Account",
+ "result_kinds": [
+ "aws_ec2_volume"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If not solved, unused EBS volumes pose a security risk by containing previously stored data, violating compliance requirements. 
It is essential to dispose of them properly.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_volume) and last_access>7d and volume_attachments==[]"
+ },
+ "remediation": {
+ "text": "To fix the issue, navigate to the EC2 Dashboard, select the unused volumes, go to the action tab, and click on \"delete volumes\".",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass auf dem AWS-Konto keine ungenutzten EBS-Volumes vorhanden sind",
+ "risk": "Wenn nicht behoben, stellen ungenutzte EBS-Volumes ein Sicherheitsrisiko dar, da sie zuvor gespeicherte Daten enthalten und gegen Compliance-Anforderungen verstoßen. Es ist unerlässlich, sie ordnungsgemäß zu entsorgen.",
+ "remediation": "Um das Problem zu beheben, navigieren Sie zur EC2-Dashboard, wählen Sie die ungenutzten Volumes aus, gehen Sie zum Aktions-Tab und klicken Sie auf 'Volumes löschen'."
+ }
+ }
+ },
+ {
+ "name": "instance_managed_by_ssm",
+ "title": "Ensure EC2 Instances Are Managed by AWS Systems Manager",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If EC2 instances are not managed by AWS Systems Manager, there is a risk of misconfigured or non-compliant instances, leading to potential security vulnerabilities.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_instance) with(empty, <-- is(aws_ssm_instance))"
+ },
+ "remediation": {
+ "text": "To fix this issue, verify if the EC2 instances are managed by AWS Systems Manager and apply Systems Manager Prerequisites.",
+ "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/managed_instances.html",
+ "localizations": {
+ "de": {
+ "title": "Stelle sicher, dass EC2-Instanzen von AWS Systems Manager verwaltet 
werden",
+ "risk": "Wenn EC2-Instanzen nicht von AWS Systems Manager verwaltet werden, besteht ein Risiko von fehlerhaft konfigurierten oder nicht konformen Instanzen, die potenzielle Sicherheitsrisiken mit sich bringen.",
+ "remediation": "Um dieses Problem zu beheben, überprüfen Sie, ob die EC2-Instanzen von AWS Systems Manager verwaltet werden und wenden Sie die Systems Manager-Voraussetzungen an."
+ }
+ }
+ },
+ {
+ "name": "image_public",
+ "title": "Ensure EC2 AMIs Are Not Publicly Accessible",
+ "result_kinds": [
+ "aws_ec2_image"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Publicly accessible AMIs can be used by anyone with an AWS account to launch EC2 instances, potentially exposing sensitive data contained in the AMIs.",
+ "severity": "critical",
+ "detect": {
+ "fix": "search is(aws_ec2_image) and public==true"
+ },
+ "remediation": {
+ "text": "To prevent unauthorized access, ensure that your EC2 AMIs are not set as public or available in the Community AMIs.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/cancel-sharing-an-AMI.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass EC2-AMIs nicht öffentlich zugänglich sind.",
+ "risk": "Öffentlich zugängliche AMIs können von jedem mit einem AWS-Konto verwendet werden, um EC2-Instanzen zu starten und potenziell sensible Daten, die in den AMIs enthalten sind, offenzulegen.",
+ "remediation": "Um unbefugten Zugriff zu verhindern, stellen Sie sicher, dass Ihre EC2-AMIs nicht als öffentlich zugänglich oder in den Community-AMIs verfügbar sind."
+ }
+ }
+ },
+ {
+ "name": "no_secrets_in_instance_user_data",
+ "title": "Ensure There Are No Secrets in EC2 User Data",
+ "result_kinds": [
+ "aws_ec2_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Adding secrets in userdata can compromise security as these scripts can be viewed by anyone. Secrets hardcoded into instance user data can be used by malware and bad actors to gain lateral access to other services.",
+ "severity": "medium",
+ "detect": {
+ "fix_cmd": "search is(aws_ec2_instance) and instance_user_data!=null | detect-secrets --path instance_user_data --with-secrets"
+ },
+ "remediation": {
+ "text": "Always ensure that User data picks up secrets from a managed service like Parameter Store or Secrets Manager, rather than having it hardcoded in the actual script.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass sich keine Geheimnisse in der EC2-Benutzerdaten befinden.",
+ "risk": "Das Hinzufügen von Geheimnissen in Benutzerdaten kann die Sicherheit beeinträchtigen, da diese Skripts von jedem angesehen werden können. In Benutzerdaten fest codierte Geheimnisse können von Malware und böswilligen Akteuren verwendet werden, um seitlichen Zugriff auf andere Dienste zu erlangen.",
+ "remediation": "Stellen Sie immer sicher, dass die Benutzerdaten Geheimnisse aus einem verwalteten Dienst wie dem Parameter Store oder Secrets Manager abrufen, anstatt sie im tatsächlichen Skript fest zu codieren."
+ }
+ }
+ },
+ {
+ "name": "no_secrets_in_launch_template_user_data",
+ "title": "Ensure There Are No Secrets in EC2 Launch Template User Data",
+ "result_kinds": [
+ "aws_ec2_launch_template"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If secrets are added to the EC2 Launch Template User Data, it can compromise security as these scripts can be viewed by anyone. Hackers and malware can exploit these secrets to gain unauthorized access to other services.",
+ "severity": "medium",
+ "detect": {
+ "fix_cmd": "search is(aws_ec2_launch_template) and launch_template_data.user_data!=null | detect-secrets --path launch_template_data.user_data --with-secrets"
+ },
+ "remediation": {
+ "text": "To fix this issue, always ensure that User Data retrieves secrets from a managed service like AWS Systems Manager Parameter Store or AWS Secrets Manager, instead of hardcoding them in the user data script.",
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html#user-data-best-practices",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass in der EC2-Startvorlage keine Geheimnisse in den Benutzerdaten enthalten sind",
+ "risk": "Wenn Geheimnisse zu den Benutzerdaten der EC2-Startvorlage hinzugefügt werden, kann dies die Sicherheit beeinträchtigen, da diese Skripte von jedem eingesehen werden können. Hacker und Malware können diese Geheimnisse ausnutzen, um unbefugten Zugriff auf andere Dienste zu erlangen.",
+ "remediation": "Um dieses Problem zu beheben, stellen Sie immer sicher, dass die Benutzerdaten Geheimnisse aus einem verwalteten Dienst wie dem AWS Systems Manager-Parameter Store oder dem AWS Secrets Manager abrufen, anstatt sie im Benutzerdatenskript fest zu codieren."
+ }
+ }
+ },
+ {
+ "name": "subnet_auto_assign_public_ip_disabled",
+ "title": "Ensure Subnets Have Auto-Assign Public IP Disabled to Prevent Accidental Public Access",
+ "result_kinds": [
+ "aws_ec2_subnet"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Disabling auto-assign public IP in subnets is crucial for security as it reduces the exposure of instances to the public internet, minimizing the risk of external attacks. This setting helps control the network accessibility of EC2 instances and maintain a secure environment within the VPC.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ec2_subnet) and subnet_map_public_ip_on_launch=true"
+ },
+ "remediation": {
+ "text": "To fix this issue, select the subnet, click 'Actions', then 'Modify auto-assign IP settings', uncheck 'Auto-assign IPv4', and save.",
+ "url": "https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Subnetze Auto-Assign Public IP deaktiviert haben, um versehentlichen öffentlichen Zugriff zu verhindern",
+ "risk": "Die Deaktivierung von Auto-Assign Public IP in Subnetzen ist für die Sicherheit entscheidend, da sie die Exposition von Instanzen gegenüber dem öffentlichen Internet verringert und das Risiko externer Angriffe minimiert. Diese Einstellung hilft dabei, die Netzwerkzugänglichkeit von EC2-Instanzen zu kontrollieren und eine sichere Umgebung im VPC aufrechtzuerhalten.",
+ "remediation": "Um dieses Problem zu beheben, wählen Sie das Subnetz aus, klicken Sie auf 'Aktionen', dann auf 'Auto-Assign IP-Einstellungen ändern', deaktivieren Sie 'Auto-Assign IPv4' und speichern Sie."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_ecr.json b/fixcompliance/data/checks/aws/aws_ecr.json
new file mode 100644
index 0000000..df52b3f
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_ecr.json
@@ -0,0 +1,93 @@
+{
+ "provider": "aws",
+ "service": "ecr",
+ "checks": [
+ {
+ "name": "image_scan_on_push",
+ "title": "Ensure ECR Image Scan on Push is Enabled",
+ "result_kinds": [
+ "aws_ecr_repository"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without enabling ECR image scanning, software vulnerabilities in container images may go undetected, increasing the risk of potential security incidents. ECR image scanning provides a list of scan findings based on the Common Vulnerabilities and Exposures (CVEs) database from the open-source Clair project.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ecr_repository) and image_scan_on_push = false"
+ },
+ "remediation": {
+ "text": "To fix this issue, enable ECR image scanning and review the scan findings for information about the security of the container images being deployed.",
+ "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die ECR-Bildscan beim Pushen aktiviert ist",
+ "risk": "Ohne die Aktivierung des ECR-Bildscans beim Pushen können Software-Schwachstellen in Container-Bildern unentdeckt bleiben. Dadurch steigt das Risiko potenzieller Sicherheitsvorfälle. Der ECR-Bildscan liefert eine Liste von Scan-Ergebnissen, die auf der Common Vulnerabilities and Exposures (CVEs) Datenbank des Open-Source-Projekts Clair basieren.",
+ "remediation": "Um dieses Problem zu beheben, aktivieren Sie den ECR-Bildscan und überprüfen Sie die Scan-Ergebnisse, um Informationen zur Sicherheit der bereitgestellten Container-Bilder zu erhalten."
+ }
+ }
+ },
+ {
+ "name": "repository_prohibit_public_access",
+ "title": "Ensure ECR Repositories Are Not Publicly Accessible to Mitigate Security Risks, Prevent Unauthorized Access, and Maintain Control Over Container Image Distribution",
+ "result_kinds": [
+ "aws_ecr_repository"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to secure ECR repositories can lead to unauthorized access to code bases and application artifacts, posing serious security risks.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ecr_repository) and repository_visibility==public"
+ },
+ "remediation": {
+ "text": "To fix the issue, delete any public repositories in ECR and redeploy them as private.",
+ "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/repository-create.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass ECR-Repositories nicht öffentlich zugänglich sind, um Sicherheitsrisiken zu minimieren, unbefugten Zugriff zu verhindern und die Kontrolle über die Verteilung von Container-Images zu behalten.",
+ "risk": "Die Nichtsicherung von ECR-Repositories kann zu unbefugtem Zugriff auf Code-Basen und Anwendungsartefakte führen und ernsthafte Sicherheitsrisiken darstellen.",
+ "remediation": "Um das Problem zu beheben, löschen Sie alle öffentlichen Repositories in ECR und erstellen Sie sie erneut als private."
+ }
+ }
+ },
+ {
+ "name": "repository_lifecycle_policy_enabled",
+ "title": "Ensure ECR Repositories Have Lifecycle Policies Enabled",
+ "result_kinds": [
+ "aws_ecr_repository"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If lifecycle policies are not enabled for Amazon ECR repositories, there is a risk of retaining a large number of images, which can result in unnecessary costs.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ecr_repository) and lifecycle_policy!=null"
+ },
+ "remediation": {
+ "text": "To fix this issue, open the Amazon ECR console and create a lifecycle policy for each repository.",
+ "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Amazon ECR-Repositories Lebenszyklusrichtlinien aktiviert haben",
+ "risk": "Wenn für Amazon ECR-Repositories keine Lebenszyklusrichtlinien aktiviert sind, besteht das Risiko, dass eine große Anzahl von Abbildern aufbewahrt wird, was zu unnötigen Kosten führen kann.",
+ "remediation": "Um dieses Problem zu beheben, öffnen Sie die Amazon ECR-Konsole und erstellen Sie für jedes Repository eine Lebenszyklusrichtlinie."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_ecs.json b/fixcompliance/data/checks/aws/aws_ecs.json
new file mode 100644
index 0000000..a01d340
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_ecs.json
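Review bot: The `repository_lifecycle_policy_enabled` detect query is inverted: `lifecycle_policy!=null` matches repositories that already have a lifecycle policy, so the repositories the title says to catch (those without one) pass and the compliant ones are reported as findings. It should read `"fix": "is(aws_ecr_repository) and lifecycle_policy==null"`. Separately, `image_scan_on_push = false` in the first check uses a single `=` while the other queries in this file use `==`; if the search grammar accepts both forms, aligning on `==` avoids a reader mistaking it for a typo.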
@@ -0,0 +1,175 @@
+{
+ "provider": "aws",
+ "service": "ecs",
+ "checks": [
+ {
+ "name": "no_secrets_in_task_definition_env",
+ "title": "Ensure There Are No Secrets in ECS Task Definition Environment Variables",
+ "result_kinds": [
+ "aws_ecs_task_definition"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Using hard-coded passwords increases the risk of password guessing. Malicious users may gain unauthorized access through the compromised account.",
+ "severity": "high",
+ "detect": {
+ "fix_cmd": "search is(aws_ecs_task_definition) and container_definitions[*].{environment_files[*].value != null or environment[*].value!=None} | detect-secrets --path container_definitions[*].environment_files[*].value container_definitions[*].environment[*].value --with-secrets"
+ },
+ "remediation": {
+ "text": "To securely provide credentials to containers, use AWS Secrets Manager or Parameter Store instead of hard-coding the secrets in the code or passing them through environment variables. Note that task definition revisions containing plaintext secrets cannot be deleted. AWS is planning to implement a feature to address this in 2023, so it is recommended to rotate plaintext secrets while moving them to Secrets Manager or Parameter Store.",
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/specifying-sensitive-data.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass in der Umgebungsvariablen der ECS Task-Definition keine Secrets enthalten sind",
+ "risk": "Die Verwendung von fest codierten Passwörtern erhöht das Risiko von Passwortraten. Bösartige Benutzer können durch das kompromittierte Konto unbefugten Zugriff erlangen.",
+ "remediation": "Verwenden Sie zur sicheren Bereitstellung von Anmeldeinformationen an Container AWS Secrets Manager oder Parameter Store anstelle einer Festcodierung der Secrets im Code oder einer Übermittlung über Umgebungsvariablen. 
Beachten Sie, dass Task-Definitionen, die Klartext-Secrets enthalten, nicht gelöscht werden können. AWS plant, ab 2023 eine Funktion zur Behebung dieses Problems zu implementieren. Es wird empfohlen, Klartext-Secrets beim Transfer zu Secrets Manager oder Parameter Store zu rotieren."
+ }
+ }
+ },
+ {
+ "name": "host_mode_not_privileged_nor_root",
+ "title": "Ensure There Are No Task Definitions with Containers in Host Mode Running as Root or with Privileged Access",
+ "result_kinds": [
+ "aws_ecs_task_definition"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Running an ECS Task Definition with a container in host networking mode, either with privileged access or as the root user, grants extensive control over the host system. This configuration increases the risk of security breaches, as it could allow malicious actors, if they compromise the container, to access or compromise not only the host machine but also other containers running on it.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_ecs_task_definition) and network_mode==host and container_definitions[*].{privileged==true or user==root}"
+ },
+ "remediation": {
+ "text": "To fix the issue, revise the ECS Task Definition to disable privileged mode and avoid running containers as the root user, especially in host networking mode. Use least-privileged user accounts within containers and limit network access where possible. Ensure that containers have only the permissions they need to operate, and review IAM roles and policies for necessary restrictions. For existing task definitions that require significant permissions, assess and implement security best practices to minimize potential attack surfaces. 
AWS documentation provides guidelines for securing ECS tasks and containers.",
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass keine Task-Definitionen mit Containern im host-Modus als Root-Benutzer oder mit privilegiertem Zugriff ausgeführt werden",
+ "risk": "Die Ausführung einer ECS Task-Definition mit einem Container im Host-Netzwerkmodus, entweder mit privilegiertem Zugriff oder als Root-Benutzer, gewährt umfassende Kontrolle über das Host-System. Diese Konfiguration erhöht das Risiko von Sicherheitsverletzungen, da sie bösartigen Akteuren, wenn sie den Container kompromittieren, den Zugriff oder die Kompromittierung nicht nur der Host-Maschine, sondern auch anderer darauf laufender Container ermöglichen könnte.",
+ "remediation": "Um das Problem zu beheben, überprüfen Sie die ECS Task-Definition, um den privilegierten Modus zu deaktivieren und Container nicht als Root-Benutzer, insbesondere im Host-Netzwerkmodus, auszuführen. Verwenden Sie Benutzerkonten mit möglichst wenigen Rechten in den Containern und beschränken Sie die Netzwerkzugriffe, wo immer möglich. Stellen Sie sicher, dass Container nur die Berechtigungen haben, die zum Betrieb erforderlich sind, und überprüfen Sie IAM-Rollen und -Policies auf notwendige Einschränkungen. Für bestehende Task-Definitionen, die umfangreiche Berechtigungen erfordern, sollten Sicherheitsbest Practices bewertet und implementiert werden, um potenzielle Angriffsflächen zu minimieren. Die AWS-Dokumentation enthält Richtlinien zur Absicherung von ECS-Aufgaben und Containern."
+ }
+ }
+ },
+ {
+ "name": "writable_root_filesystem_in_ecs_tasks",
+ "title": "Ensure ECS Task Definitions Have Read-Only Root Filesystems",
+ "result_kinds": [
+ "aws_ecs_task_definition"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing writable root filesystems in ECS task definitions can pose a significant security risk. If a container is compromised, attackers can manipulate system files, install malicious software, and perform unauthorized activities.",
+ "severity": "medium",
+ "detect": {
+ "fix": "search is(aws_ecs_task_definition) and container_definitions[*].readonly_root_filesystem!=true"
+ },
+ "remediation": {
+ "text": "To fix this issue, modify ECS task definitions and set 'readonly_root_filesystem' to 'true' for each container. This ensures that containers operate with a read-only root filesystem, enhancing security by preventing unauthorized changes to system files. If necessary, use attached volumes for directories that require write access. For more information, refer to the [AWS documentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions) on configuring container definitions in ECS task definitions.",
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass ECS-Task-Definitionen über schreibgeschützte Stammdateisysteme verfügen",
+ "risk": "Die Verwendung von beschreibbaren Stammdateisystemen in ECS-Task-Definitionen kann ein erhebliches Sicherheitsrisiko darstellen. Wenn ein Container kompromittiert wird, können Angreifer Systemdateien manipulieren, bösartige Software installieren und unbefugte Aktivitäten durchführen.",
+ "remediation": "Um dieses Problem zu beheben, passen Sie die ECS-Task-Definitionen an und setzen Sie für jeden Container 'readonly_root_filesystem' auf 'true'. 
Dadurch wird sichergestellt, dass Container mit einem schreibgeschützten Stammdateisystem arbeiten und die Sicherheit verbessert wird, indem unbefugte Änderungen an Systemdateien verhindert werden. Verwenden Sie bei Bedarf angehängte Volumes für Verzeichnisse, die Schreibzugriff erfordern. Weitere Informationen finden Sie in der [AWS-Dokumentation](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definitions) zur Konfiguration von Container-Definitionen in ECS-Task-Definitionen."
+ }
+ }
+ },
+ {
+ "name": "ecs_cluster_container_insights_enabled",
+ "title": "Ensure Container Insights Is Enabled for Improved Visibility and Monitoring of Container-Based Applications in Amazon ECS",
+ "result_kinds": [
+ "aws_ecs_task_definition"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not enabling Container Insights could result in reduced visibility of anomalies, delayed threat responses, potential compliance violations, and unchecked resource usage in containerized applications.",
+ "severity": "medium",
+ "detect": {
+ "manual": "Go to the AWS ECS console, select Account settings."
+ },
+ "remediation": {
+ "text": "To enable Container Insights, check the box for default opt-in at the bottom of the AWS ECS console page.",
+ "url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/deploy-container-insights-ECS-cluster.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Container Insights aktiviert ist, um die Sichtbarkeit und Überwachung von anwendungsbasierten Containern in Amazon ECS zu verbessern.",
+ "risk": "Die Nichtaktivierung von Container Insights kann zu einer reduzierten Sichtbarkeit von Anomalien, verzögerten Bedrohungsreaktionen, potenziellen Compliance-Verstößen und einer unkontrollierten Ressourcennutzung in containerisierten Anwendungen führen.",
+ "remediation": "Um Container Insights zu aktivieren, aktivieren Sie das Kontrollkästchen für die standardmäßige Zustimmung am unteren Rand der AWS ECS-Konsole-Seite."
+ }
+ }
+ },
+ {
+ "name": "ecs_task_definition_logging_enabled",
+ "title": "Ensure All ECS Task Definitions Have Logging Enabled to Cloudwatch",
+ "result_kinds": [
+ "aws_ecs_task_definition"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not enabling ECS task definition logging increases the risk of missing critical information about application behavior, making it harder to diagnose issues, track security incidents, or audit system activities for compliance purposes.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_ecs_task_definition) and container_definitions[*].log_configuration.log_driver==null"
+ },
+ "remediation": {
+ "text": "Update the task definition to include logging with an appropriate CloudWatch log group. 
Also, ensure that the task has appropriate permissions to push logs to CloudWatch from IAM.",
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/firelens-example-taskdefs.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/using_firelens.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass alle ECS Task-Definitionen zur Cloudwatch geloggt werden",
+ "risk": "Das Nichtaktivieren der ECS Task-Definition-Protokollierung erhöht das Risiko, wichtige Informationen über das Verhalten der Anwendung zu verpassen. Dadurch wird es schwieriger, Probleme zu diagnostizieren, Sicherheitsvorfälle zu verfolgen oder Systemaktivitäten für Compliance-Zwecke zu überprüfen.",
+ "remediation": "Aktualisieren Sie die Task-Definition, um das Protokollieren mit einer geeigneten CloudWatch-Log-Gruppe einzuschließen. Stellen Sie außerdem sicher, dass die Aufgabe die entsprechenden Berechtigungen besitzt, um Protokolle von IAM aus in CloudWatch zu übertragen."
+ }
+ }
+ },
+ {
+ "name": "ecs_service_fargate_using_latest_platform_version",
+ "title": "Ensure That ECS Fargate Services Are Using the Latest Platform Version to Take Advantage of the Latest Patch and Vulnerability Management",
+ "result_kinds": [],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not using the latest platform version for an ECS service can lead to exposure to vulnerabilities, missing out on security patches, and lacking the latest security features. 
This can potentially compromise the security of your containerized applications and data.",
+ "severity": "medium",
+ "detect": {
+ "manual": "Go to AWS ECS -> Click ECS Cluster and then Tasks"
+ },
+ "remediation": {
+ "text": "To fix this issue, update the task definition for Fargate to use the latest platform version.",
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/platform_versions.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass ECS Fargate-Services die neueste Plattformversion verwenden, um von den neuesten Patches und Schwachstellenverwaltungen zu profitieren",
+ "risk": "Die Verwendung der neuesten Plattformversion für einen ECS-Dienst kann zu Sicherheitslücken führen, da Sicherheitspatches und aktuelle Sicherheitsfunktionen fehlen können. Dadurch könnte die Sicherheit Ihrer containerisierten Anwendungen und Daten beeinträchtigt werden.",
+ "remediation": "Um dieses Problem zu beheben, aktualisieren Sie die Task-Definition für Fargate, um die neueste Plattformversion zu verwenden."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_efs.json b/fixcompliance/data/checks/aws/aws_efs.json
new file mode 100644
index 0000000..d5f9f8b
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_efs.json
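Review bot: `host_mode_not_privileged_nor_root` tests `user==root`, but a container definition with no `user` set runs as root by default, and values such as `0`, `0:0` or `root:root` are root as well; all of these pass the check as written. Unless the collector normalises the absent field, the predicate should also treat a null `user` and the numeric UID as findings, e.g. `container_definitions[*].{privileged==true or user in [null, root, 0]}` — confirm how the search grammar quotes string members in a list. In the same hunk, `no_secrets_in_task_definition_env` mixes `!= null` and `!=None` in one expression; if `None` is not a literal of the query language it is compared as a plain string and the second branch never matches. `ecs_cluster_container_insights_enabled` also lists `aws_ecs_task_definition` as its result kind although Container Insights is a cluster-level setting, so the cluster resource kind, if the collector has one, is the right subject.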
@@ -0,0 +1,65 @@
+{
+ "provider": "aws",
+ "service": "efs",
+ "checks": [
+ {
+ "name": "storage_encrypted",
+ "title": "Ensure EFS File Systems Encrypt Sensitive Data at Rest",
+ "result_kinds": [
+ "aws_efs_file_system"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If EFS file systems are not encrypted at rest, sensitive data may be exposed to bad actors, leading to potential data breaches and compliance violations.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_efs_file_system) and volume_encrypted==false"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure encryption at rest is enabled for EFS file systems. Encryption at rest can only be enabled during the file system creation.",
+ "url": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/efs/latest/ug/encryption-at-rest.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass EFS-Dateisysteme sensitive Daten in Ruhe verschlüsseln",
+ "risk": "Wenn EFS-Dateisysteme nicht in Ruhe verschlüsselt sind, können sensible Daten für böswillige Akteure zugänglich sein, was zu potenziellen Datenverstößen und Verletzungen der Compliance führen kann.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass die Verschlüsselung in Ruhe für EFS-Dateisysteme aktiviert ist. Die Verschlüsselung in Ruhe kann nur während der Erstellung des Dateisystems aktiviert werden."
+ }
+ }
+ },
+ {
+ "name": "not_publicly_accessible",
+ "title": "Ensure Restrict Public Access in EFS File System Policies",
+ "result_kinds": [
+ "aws_efs_file_system"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing public access to Elastic File System (EFS) could lead to unauthorized data exposure or data breaches. 
Publicly accessible EFS file systems are at risk of exposing sensitive information, making them potential targets for malicious actors.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_efs_file_system) and file_system_policy==null"
+ },
+ "remediation": {
+ "text": "Modify the EFS file system's resource policy to restrict public access. Ensure that the policy does not include a principal set to '*', which would grant access to any user. Instead, define specific principals or use AWS IAM to manage access securely. Review the AWS documentation for guidance on creating and managing EFS access policies to safeguard your file systems effectively.",
+ "url": "https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html",
+ "complexity": "medium"
+ },
+ "internal_note": "Evaluate the statement in the file_system_policy to determine if it is publicly accessible.",
+ "url": "https://docs.aws.amazon.com/efs/latest/ug/access-control-block-public-access.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der öffentliche Zugriff in EFS-Dateisystemrichtlinien eingeschränkt ist",
+ "risk": "Die Zulassung öffentlichen Zugriffs auf das Elastic File System (EFS) kann zu unbefugter Datenexposition oder Datenverletzungen führen. Öffentlich zugängliche EFS-Dateisysteme sind gefährdet und können sensible Informationen preisgeben, was sie zu potenziellen Zielen für bösartige Akteure macht.",
+ "remediation": "Ändern Sie die Ressourcenrichtlinie des EFS-Dateisystems, um den öffentlichen Zugriff einzuschränken. Stellen Sie sicher, dass die Richtlinie keinen Prinzipal enthält, der auf '*' gesetzt ist, was jedem Benutzer Zugriff gewähren würde. Definieren Sie stattdessen spezifische Prinzipale oder verwenden Sie AWS IAM, um den Zugriff sicher zu verwalten. Konsultieren Sie die AWS-Dokumentation für Anleitungen zur Erstellung und Verwaltung von EFS-Zugriffsrichtlinien, um Ihre Dateisysteme effektiv abzusichern."
+ }
+ }
+ }
+ ]
+}
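Review bot: `not_publicly_accessible` detects only `file_system_policy==null`, so a file system whose attached policy grants access to a `*` principal — the exact condition the title and remediation text describe — is never flagged, while the `internal_note` in the same object acknowledges the policy statements still need evaluating. As written the check reports the absence of a policy, not public access, and a clean result will be read as "no public access" by consumers of the benchmark. Either retitle the check to match what it tests, or extend the detect to inspect the policy's principals and conditions once the collector exposes them; in the meantime the `internal_note` should state explicitly that the query is a placeholder.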
diff --git a/fixcompliance/data/checks/aws/aws_eks.json b/fixcompliance/data/checks/aws/aws_eks.json
new file mode 100644
index 0000000..0c58237
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_eks.json
@@ -0,0 +1,92 @@
+{
+ "provider": "aws",
+ "service": "eks",
+ "checks": [
+ {
+ "name": "cluster_endpoint_restrict_public_access",
+ "title": "Ensure That Public Access to EKS Cluster Endpoint Is Restricted",
+ "result_kinds": [
+ "aws_eks_cluster"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If EKS cluster endpoint is publicly accessible, it exposes the cluster to potential security risks as it is reachable from the public internet. This could lead to unauthorized access or data breaches.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_eks_cluster) and cluster_resources_vpc_config.endpoint_public_access==true"
+ },
+ "remediation": {
+ "text": "Restrict the EKS cluster's public access by adjusting the security group settings. Implement network policies that enforce secure access controls and restrict inbound traffic. You can also choose to disable public access entirely or limit the IP addresses that can access your API server from the internet.",
+ "url": "https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html",
+ "complexity": "low"
+ },
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/eks-api-server-unauthorized-error/",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der öffentliche Zugriff auf den EKS Cluster Endpoint eingeschränkt ist",
+ "risk": "Wenn der EKS Cluster Endpoint öffentlich erreichbar ist, birgt dies potenzielle Sicherheitsrisiken, da er über das öffentliche Internet erreichbar ist. Dies kann zu unbefugtem Zugriff oder Datenverletzungen führen.",
+ "remediation": "Schränken Sie den öffentlichen Zugriff auf den EKS Cluster ein, indem Sie die Sicherheitseinstellungen der Sicherheitsgruppe anpassen. Implementieren Sie Netzwerkrichtlinien, die sichere Zugriffskontrollen durchsetzen und eingehenden Datenverkehr beschränken. 
Sie können auch wählen, den öffentlichen Zugriff vollständig zu deaktivieren oder die IP-Adressen zu beschränken, die auf Ihren API-Server aus dem Internet zugreifen können."
+ }
+ }
+ },
+ {
+ "name": "cluster_control_plane_audit_logging_enabled",
+ "title": "Ensure Control Planes for EKS Clusters Are Configured with Audit Logging to Maintain Security Forensics and Audit Compliance",
+ "result_kinds": [
+ "aws_eks_cluster"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without audit logging, potentially suspicious activities within the cluster could go unnoticed, leaving the system vulnerable to internal and external threats. It could also make it challenging to meet audit and compliance requirements.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_eks_cluster) and cluster_logging.cluster_logging[*].enabled = false"
+ },
+ "remediation": {
+ "text": "Navigate to the 'Logging' tab of your EKS cluster in the AWS console to change settings. Select 'Edit' and enable or adjust control plane logging. Remember to save any change.",
+ "url": "https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/eks/latest/userguide/cluster-logging.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Steuerungsebenen für EKS-Cluster mit Audit-Logging konfiguriert sind, um Sicherheitsforensik und Audit-Konformität zu gewährleisten",
+ "risk": "Ohne Audit-Logging könnten potenziell verdächtige Aktivitäten innerhalb des Clusters unbemerkt bleiben und das System anfällig für interne und externe Bedrohungen machen. Es könnte auch schwierig sein, Audit- und Compliance-Anforderungen zu erfüllen.",
+ "remediation": "Navigieren Sie zur 'Logging'-Registerkarte Ihres EKS-Clusters in der AWS-Konsole, um die Einstellungen zu ändern. Wählen Sie 'Bearbeiten' aus und aktivieren oder stellen Sie das Steuerungs-Logging ein. 
Vergessen Sie nicht, jede Änderung zu speichern."
+ }
+ }
+ },
+ {
+ "name": "cluster_encryption_enabled",
+ "title": "Ensure Kubernetes Secrets Are Encrypted Using AWS KMS Customer Master Keys (CMKs)",
+ "result_kinds": [
+ "aws_eks_cluster"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without envelope encryption, sensitive data may be exposed within your applications, leading to potential security breaches. This measure is crucial to a comprehensive defence-in-depth security strategy.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_eks_cluster) and cluster_encryption_config in [null, []]"
+ },
+ "remediation": {
+ "text": "Create a Customer Master Key (CMK) in AWS Key Management Service (KMS). Then, while creating a new Amazon EKS cluster, provide this CMK's Amazon Resource Name (ARN).",
+ "url": "https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Kubernetes Secrets mit AWS KMS Customer Master Keys (CMKs) verschlüsselt sind",
+ "risk": "Ohne Umschlagverschlüsselung können sensible Daten in Ihren Anwendungen offengelegt werden, was zu potenziellen Sicherheitsverletzungen führen kann. Diese Maßnahme ist entscheidend für eine umfassende Verteidigung-in-Depth-Sicherheitsstrategie.",
+ "remediation": "Erstellen Sie einen Customer Master Key (CMK) im AWS Key Management Service (KMS). Geben Sie dann beim Erstellen eines neuen Amazon EKS-Clusters den Amazon Resource Name (ARN) dieses CMKs an."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_elb.json b/fixcompliance/data/checks/aws/aws_elb.json
new file mode 100644
index 0000000..18be891
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_elb.json
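Review bot: `cluster_control_plane_audit_logging_enabled` uses `cluster_logging.cluster_logging[*].enabled = false`, which, if the array predicate behaves like the other `[*]` queries in this commit, matches only clusters that carry a logging entry explicitly set to false; a cluster where control-plane logging was never configured (missing or empty `cluster_logging`) yields no match and passes, which is the case the check most needs to catch. It also fires on any disabled log type rather than on the `audit` type named in the title, so a cluster with audit logging on but, say, scheduler logging off is reported. A predicate that targets the audit type and treats an absent configuration as a finding would match the title; verify the field layout against the collected `aws_eks_cluster` model before changing it. Separately, `cluster_endpoint_restrict_public_access` flags every cluster with `endpoint_public_access==true` even when the public access CIDR list limits the source ranges, although the remediation text presents that as an accepted fix.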
@@ -0,0 +1,146 @@
+{
+ "provider": "aws",
+ "service": "elb",
+ "checks": [
+ {
+ "name": "alb_has_no_listeners",
+ "title": "Ensure That Elastic Load Balancers V2 Have Listeners Configured",
+ "result_kinds": [
+ "aws_alb"
+ ],
+ "categories": [
+ "unused"
+ ],
+ "risk": "If no listeners are configured for an Application Load Balancer, it will not be able to receive traffic from clients and route requests to registered targets.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_alb) and alb_listener in [null, []]"
+ },
+ "remediation": {
+ "text": "To fix this issue, add listeners to the Elastic Load Balancers V2.",
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Elastic Load Balancers V2 konfigurierte Listener haben.",
+ "risk": "Wenn keine Listener für einen Application Load Balancer konfiguriert sind, kann er keinen Datenverkehr von Clients empfangen und Anfragen an registrierte Ziele weiterleiten.",
+ "remediation": "Um dieses Problem zu beheben, fügen Sie Listener zu den Elastic Load Balancers V2 hinzu."
+ }
+ }
+ },
+ {
+ "name": "elb_has_no_listeners",
+ "title": "Ensure Elastic Load Balancers Have Listeners",
+ "result_kinds": [
+ "aws_elb"
+ ],
+ "categories": [
+ "unused"
+ ],
+ "risk": "Without listeners, Elastic Load Balancers cannot receive traffic from clients and cannot route requests to registered targets.",
+ "severity": "medium",
+ "detect": {
+ "fix": "search is(aws_elb) and listener in [null, []]"
+ },
+ "remediation": {
+ "text": "Add listeners to Elastic Load Balancers to allow them to receive and route traffic.",
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Elastic Load Balancers Zuhörer haben.",
+ "risk": "Ohne Zuhörer können Elastic Load Balancers keinen Datenverkehr von Clients empfangen und Anfragen nicht an registrierte Ziele weiterleiten.",
+ "remediation": "Fügen Sie Elastic Load Balancers Zuhörer hinzu, um ihnen den Empfang und die Weiterleitung von Datenverkehr zu ermöglichen."
+ }
+ }
+ },
+ {
+ "name": "logging_enabled",
+ "title": "Ensure That Logging Is Enabled for Application Load Balancers",
+ "result_kinds": [
+ "aws_elb"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without enabling logging for Application load balancers, there is a risk of limited visibility into security risks, reduced threat detection, and inability to measure performance metrics.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_elb) and elb_attributes.access_log.enabled==false"
+ },
+ "remediation": {
+ "text": "To enable logging for Application load balancers, go to the Attributes tab, find the Access logs section, click the Edit button, enable access logs, provide the necessary information such as the S3 bucket and prefix, and save the changes.",
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/enable-access-logging.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Protokollierung für Application Load Balancers aktiviert ist",
+ "risk": "Ohne die Aktivierung der Protokollierung für Application Load Balancers besteht die Gefahr einer begrenzten Sichtbarkeit von Sicherheitsrisiken, einer verringerten Bedrohungserkennung und der Unfähigkeit, Leistungsmetriken zu messen.",
+ "remediation": "Um die Protokollierung für Application Load Balancers zu aktivieren, gehen Sie zum Abschnitt 'Attribute', suchen Sie den Bereich 'Zugriffsprotokolle' und klicken Sie auf die Schaltfläche 'Bearbeiten'. Aktivieren Sie die Zugriffsprotokolle und geben Sie die erforderlichen Informationen wie den S3-Bucket und den Präfix ein und speichern Sie die Änderungen."
+ }
+ }
+ },
+ {
+ "name": "uses_ssl_certificate",
+ "title": "Ensure Load Balancer Uses SSL Certificate for Port 443",
+ "result_kinds": [
+ "aws_elb"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not having a valid SSL certificate for an open port 443 can result in security risks such as exposure of sensitive information, vulnerability to multiple attacks, and loss of customer trust.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_elb) and elb_listener_descriptions[*].{listener.protocol in [HTTPS, SSL] and listener.ssl_certificate_id==null}"
+ },
+ "remediation": {
+ "text": "To fix the issue, go to the load balancer settings, click on 'View/edit rules' for port 443, and associate a valid SSL certificate.",
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der Lastenausgleicher ein SSL-Zertifikat für den Port 443 verwendet",
+ "risk": "Das Fehlen eines gültigen SSL-Zertifikats für einen offenen Port 443 kann zu Sicherheitsrisiken führen, wie z. B. der Offenlegung sensibler Informationen, der Anfälligkeit für verschiedene Angriffe und dem Verlust des Vertrauens der Kunden.",
+ "remediation": "Um das Problem zu beheben, gehen Sie zu den Einstellungen des Lastenausgleichers, klicken Sie auf 'Regeln anzeigen/bearbeiten' für Port 443 und verknüpfen Sie ein gültiges SSL-Zertifikat."
+ }
+ }
+ },
+ {
+ "name": "waf_enabled",
+ "title": "Ensure That Application Load Balancer Has Web Application Firewall (WAF) Enabled for Enhanced Security",
+ "result_kinds": [
+ "aws_alb"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Enabling WAF on an Application Load Balancer provides a layer of protection against common web exploits and attacks. It filters, monitors, and blocks harmful traffic before reaching applications, enhancing overall security.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_alb) with (empty, <-- is(aws_waf_web_acl))"
+ },
+ "remediation": {
+ "text": "Open the AWS WAF & Shield console, and go to 'Web ACLs'. Create or select an existing Web ACL for the Load Balancer.",
+ "url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der Application Load Balancer die Web Application Firewall (WAF) für eine verbesserte Sicherheit aktiviert hat",
+ "risk": "Die Aktivierung von WAF auf einem Application Load Balancer bietet eine Schutzschicht gegen häufige Web-Exploits und Angriffe. Es filtert, überwacht und blockiert schädlichen Datenverkehr, bevor er die Anwendungen erreicht und somit die Gesamtsicherheit verbessert.",
+ "remediation": "Öffnen Sie die AWS WAF & Shield-Konsole und gehen Sie zu 'Web ACLs'. Erstellen Sie eine neue Web ACL oder wählen Sie eine vorhandene Web ACL für den Load Balancer aus."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_glacier.json b/fixcompliance/data/checks/aws/aws_glacier.json
new file mode 100644
index 0000000..4f53905
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_glacier.json
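Review bot: The `logging_enabled` check's title, risk and remediation text all talk about Application Load Balancers, but its `result_kinds` is `aws_elb` and its detect query is `is(aws_elb) and elb_attributes.access_log.enabled==false`, so only classic ELBs are evaluated and an ALB with access logging switched off (the `aws_alb` kind that `alb_has_no_listeners` and `waf_enabled` key on) is never reported; either retitle this as a classic-ELB check or add a sibling check on `aws_alb` against the corresponding ALB attribute, and consider `!=true` instead of `==false` so an absent attribute is also caught, if the collector can leave it null. Relatedly, `uses_ssl_certificate` only fires on HTTPS/SSL listeners whose `ssl_certificate_id` is null, which as far as I know the classic ELB API does not let you create, while a plaintext HTTP/TCP listener on port 443 — the case the title and risk text actually warn about — passes; a query along the lines of `listener.protocol in [HTTP, TCP] and listener.load_balancer_port==443` (field name to be confirmed against the resource model) would match the stated intent, and its remediation URL should point at the classic-ELB listener docs rather than the ALB ones. Lastly, the `elb_has_no_listeners` detect string starts with a stray `search ` prefix that no other check in this file carries, so it should be `is(aws_elb) and listener in [null, []]`.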
@@ -0,0 +1,34 @@
+{
+ "provider": "aws",
+ "service": "glacier",
+ "checks": [
+ {
+ "name": "vaults_policy_public_access",
+ "title": "Ensure S3 Glacier Vaults Have Policies That Restrict Access to Authorized Users",
+ "result_kinds": [
+ "aws_glacier_vault"
+ ],
+ "categories": [
+ "security"
+ ],
+ "risk": "If the issue is not resolved, S3 Glacier vaults accessible to everyone could lead to unauthorized access and exposure of sensitive data to potential malicious attackers.",
+ "severity": "critical",
+ "detect": {
+ "fix": "is(aws_glacier_vault) and glacier_access_policy.Statement[*].{Effect==Allow and (Principal==\"*\" or Principal.AWS=\"*\" or Principal.CanonicalUser=\"*\")}"
+ },
+ "remediation": {
+ "text": "To rectify the problem, ensure that the vault policy does not grant access to unauthorized users. Follow the guidelines provided in the AWS documentation to set up proper access controls for S3 Glacier vaults.",
+ "url": "https://docs.aws.amazon.com/amazonglacier/latest/dev/access-control-overview.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/dev/amazon-s3-glacier.html",
+ "localizations": {
+ "de": {
+ "title": "Sorgen Sie dafür, dass S3 Glacier-Tresore Richtlinien haben, die den Zugriff auf autorisierte Benutzer beschränken.",
+ "risk": "Wenn das Problem nicht behoben wird, können S3 Glacier-Tresore, die für jeden zugänglich sind, zu unbefugtem Zugriff und Offenlegung sensibler Daten für potenziell bösartige Angreifer führen.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass die Tresor-Richtlinie keinen Zugriff für nicht autorisierte Benutzer gewährt. Befolgen Sie die Richtlinien in der AWS-Dokumentation, um angemessene Zugriffskontrollen für S3 Glacier-Tresore einzurichten."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_iam.json b/fixcompliance/data/checks/aws/aws_iam.json
new file mode 100644
index 0000000..aa2adcc
--- /dev/null
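Review bot: The detect query in `vaults_policy_public_access` only matches a scalar wildcard principal (`Principal.AWS=\"*\"`), so a statement written in the equally valid list form (`"Principal": {"AWS": ["*"]}`) grants the same anonymous access but is never reported by a check rated critical; if the query language allows it, something like `Principal.AWS[*]==\"*\"` (the `[*]` traversal is already used on `Statement` here and on `access_keys` elsewhere in this patch), or normalising the principal to a list in the collector, would close that gap. The same expression mixes `==` and `=` for equality, which is confusing even if the engine accepts both. A statement with `Effect: Allow` and a `*` principal but a restrictive `Condition` (for example on `aws:SourceVpce` or a source account) is flagged exactly like a fully public vault; that may be the intended conservative behaviour, but the risk text should say the check does not evaluate conditions. The informational `url` points at an S3 developer-guide page rather than the Glacier access-control guide already used for remediation.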
+++ b/fixcompliance/data/checks/aws/aws_iam.json 
@@ -0,0 +1,946 @@ +{ + "provider": "aws", + "service": "iam", + "checks": [ + { + "name": "account_maintain_current_contact_details", + "title": "Ensure Contact Details for AWS Accounts Are Current and Mapped to Multiple Individuals in Your Organization", + "result_kinds": [ + "aws_account" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to maintain current contact email and telephone details for AWS accounts can result in security breaches. If AWS observes prohibited or suspicious behavior from an account and is unable to contact the account owner, it may take proactive measures such as throttling traffic, causing impaired service to and from the account.", + "severity": "medium", + "detect": { + "manual": "To check and update contact information, login to the AWS Console. Choose your account name on the top right of the window -> My Account -> Contact Information." + }, + "remediation": { + "text": "To maintain current contact details, access the Billing and Cost Management console and complete the necessary information.", + "url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Kontaktinformationen für AWS-Konten aktuell sind und mehreren Personen in Ihrer Organisation zugeordnet sind", + "risk": "Das Versäumnis, aktuelle Kontakt-E-Mail- und Telefoninformationen für AWS-Konten aufrechtzuerhalten, kann zu Sicherheitsverletzungen führen. 
Wenn AWS unzulässiges oder verdächtiges Verhalten von einem Konto feststellt und keinen Kontakt zum Kontoinhaber herstellen kann, kann es proaktive Maßnahmen ergreifen, wie beispielsweise die Drosselung des Datenverkehrs, was zu einer beeinträchtigten Servicequalität für das Konto führt.", + "remediation": "Um die aktuellen Kontaktinformationen aufrechtzuerhalten, greifen Sie auf die Billing and Cost Management Console zu und vervollständigen Sie die erforderlichen Informationen." + } + } + }, + { + "name": "account_security_contact_information_is_registered", + "title": "Ensure Security Contact Information Is Registered", + "result_kinds": [ + "aws_account" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to provide security contact information in AWS account settings could result in missed security advisories. Registering security-specific contact information will ensure that security advisories sent by AWS reach the appropriate team in your organization, enhancing your ability to respond effectively.", + "severity": "medium", + "detect": { + "manual": "To check, login to the AWS Console, click on your account name on the top right of the window, go to My Account, and navigate to the Alternate Contacts section. Check if the Security Section is completed." + }, + "remediation": { + "text": "To fix this issue, go to the My Account section in the AWS Console, and complete the alternate contacts, specifically the Security Section.", + "url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-update-contact.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Sicherheitskontaktinformationen registriert sind", + "risk": "Das Nichtbereitstellen von Sicherheitskontaktinformationen in den AWS-Kontoeinstellungen kann zu versäumten Sicherheitswarnungen führen. 
Durch die Registrierung von sicherheitsspezifischen Kontaktinformationen wird sichergestellt, dass Sicherheitswarnungen von AWS das entsprechende Team in Ihrer Organisation erreichen und somit Ihre Fähigkeit zur effektiven Reaktion verbessern.", + "remediation": "Um dieses Problem zu beheben, gehen Sie zur Sektion 'Mein Konto' in der AWS-Konsole und füllen Sie die alternativen Kontakte aus, insbesondere den Sicherheitsabschnitt." + } + } + }, + { + "name": "account_security_questions_are_registered_in_the_aws_account", + "title": "Ensure Security Questions Are Registered in the AWS Account", + "result_kinds": [ + "aws_account" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to establish security questions in the AWS support portal can lead to limited control and accessibility issues with the root account. In the event of a lost root password or MFA token, the account owner may face difficulties in account recovery and verification.", + "severity": "medium", + "detect": { + "manual": "To check if security questions are registered, login to the AWS Console as the root account. Choose your account name on the top right of the window, go to My Account, and select Configure Security Challenge Questions." + }, + "remediation": { + "text": "To fix this issue, login as the root account and configure Security Questions in My Account.", + "url": "https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-security-challenge.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Sicherstellen, dass Sicherheitsfragen im AWS-Konto registriert sind", + "risk": "Das Versäumnis, Sicherheitsfragen im AWS-Support-Portal festzulegen, kann zu eingeschränkter Kontrolle und Zugänglichkeitsproblemen mit dem Root-Konto führen. 
Im Falle eines verlorenen Root-Passworts oder MFA-Tokens kann der Kontoinhaber Schwierigkeiten bei der Wiederherstellung und Verifizierung des Kontos haben.", + "remediation": "Um dieses Problem zu beheben, melden Sie sich als Root-Konto an und konfigurieren Sie Sicherheitsfragen in Mein Konto." + } + } + }, + { + "name": "no_root_access_key", + "title": "Ensure No Root Account Access Key Exists", + "result_kinds": [ + "aws_root_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Removing the root access keys encourages the creation and use of role-based accounts that are least privileged.", + "severity": "critical", + "detect": { + "fix": "is(aws_root_user) with(any, --> is(access_key))" + }, + "remediation": { + "text": "Ensure the access_key_1_active and access_key_2_active fields in the credential report are set to FALSE. If the access keys are still active, delete them using the IAM console.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass kein Zugangsschlüssel für das Root-Konto vorhanden ist", + "risk": "Das Root-Konto ist der privilegierteste Benutzer in einem AWS-Konto. AWS-Zugangsschlüssel ermöglichen programmgesteuerten Zugriff auf ein bestimmtes AWS-Konto. Es wird empfohlen, alle Zugangsschlüssel, die mit dem Root-Konto verbunden sind, zu entfernen. 
Das Entfernen der Zugangsschlüssel, die mit dem Root-Konto verbunden sind, begrenzt die Angriffsvektoren, über die das Konto kompromittiert werden kann. Durch das Entfernen der Root-Zugangsschlüssel wird die Erstellung und Verwendung rollenbasierter Konten gefördert, die minimalste Berechtigungen haben.", + "remediation": "Stellen Sie sicher, dass die Felder access_key_1_active und access_key_2_active im Credential-Bericht auf FALSE gesetzt sind. Wenn die Zugangsschlüssel immer noch aktiv sind, löschen Sie sie über die IAM-Konsole." + } + } + }, + { + "name": "root_mfa_enabled", + "title": "Ensure MFA Is Enabled for the Root Account", + "result_kinds": [ + "aws_root_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "The root account is the most privileged user in an AWS account. Without MFA, the root account is vulnerable to unauthorized access, increasing the risk of security breaches. Enabling MFA adds an extra layer of protection, ensuring that only authorized individuals can access the account.", + "severity": "critical", + "detect": { + "fix": "is(aws_root_user) and mfa_active!=true" + }, + "remediation": { + "text": "To fix this issue, navigate to the AWS Identity and Access Management (IAM) console, access the Dashboard, and activate MFA on the root account.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_considerations", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass MFA für das Root-Konto aktiviert ist", + "risk": "Das Root-Konto ist der privilegierteste Benutzer in einem AWS-Konto. Ohne MFA ist das Root-Konto anfällig für unbefugten Zugriff, was das Risiko von Sicherheitsverstößen erhöht. 
Die Aktivierung von MFA bietet eine zusätzliche Schutzschicht und stellt sicher, dass nur autorisierte Personen auf das Konto zugreifen können.", + "remediation": "Um dieses Problem zu beheben, navigieren Sie zur AWS Identity and Access Management (IAM) Konsole, greifen Sie auf das Dashboard zu und aktivieren Sie MFA für das Root-Konto." + } + } + }, + { + "name": "root_hardware_mfa_enabled", + "title": "Ensure Hardware MFA Is Enabled for the Root Account", + "result_kinds": [ + "aws_root_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "The root account is the most privileged user in an AWS account. Enabling MFA adds an extra layer of protection by requiring an authentication code from a hardware MFA device along with the user name and password, significantly reducing the risk of unauthorized access to the root account. It is important for Level 2 security to have the root account protected with a hardware MFA device.", + "severity": "low", + "detect": { + "fix": "is(aws_root_user) and mfa_active==true and user_virtual_mfa_devices!=null and user_virtual_mfa_devices!=[]" + }, + "remediation": { + "text": "To enable hardware MFA for the root account, navigate to the IAM console Dashboard and activate MFA.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Hardware-MFA für das Root-Konto aktiviert ist", + "risk": "Das Root-Konto ist der privilegierteste Benutzer in einem AWS-Konto. Durch die Aktivierung der MFA wird eine zusätzliche Sicherheitsebene geschaffen, die neben Benutzername und Passwort auch einen Authentifizierungscode von einem Hardware-MFA-Gerät erfordert. Dies reduziert das Risiko eines unbefugten Zugriffs auf das Root-Konto erheblich. 
Es ist wichtig, dass das Root-Konto auf Sicherheitsstufe 2 mit einem Hardware-MFA-Gerät geschützt ist.", + "remediation": "Um die Hardware-MFA für das Root-Konto zu aktivieren, navigieren Sie zur IAM-Konsolen-Dashboard und aktivieren Sie MFA." + } + } + }, + { + "name": "user_hardware_mfa_enabled", + "title": "Ensure Hardware MFA Is Enabled for All IAM Users", + "result_kinds": [ + "aws_iam_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Not having hardware MFA enabled for IAM users increases the risk of unauthorized access to the AWS account.", + "severity": "low", + "detect": { + "fix": "is(aws_iam_user) and user_virtual_mfa_devices in [null, []]" + }, + "remediation": { + "text": "To fix this issue, enable a hardware MFA device for each IAM user from the AWS Management Console, command line, or IAM API.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Hardware-MFA für alle IAM-Benutzer aktiviert ist", + "risk": "Das Fehlen von aktivierter Hardware-MFA für IAM-Benutzer erhöht das Risiko eines unbefugten Zugriffs auf das AWS-Konto.", + "remediation": "Um dieses Problem zu beheben, aktivieren Sie ein Hardware-MFA-Gerät für jeden IAM-Benutzer über die AWS Management Console, die Befehlszeile oder die IAM API." + } + } + }, + { + "name": "avoid_root_usage", + "title": "Ensure the Avoidance of Root Account Usage", + "result_kinds": [ + "aws_root_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If the issue is not solved, the root account will maintain unrestricted access to all resources in the AWS account. 
It is highly recommended to avoid using this account due to the associated risks.", + "severity": "critical", + "detect": { + "fix": "is(aws_root_user) {access_keys[]: --> is(access_key)} password_last_used>{{last_access_younger_than.ago}} or access_keys[*].reported.access_key_last_used.last_used>{{last_access_younger_than.ago}}" + }, + "default_values": { + "last_access_younger_than": "1d" + }, + "remediation": { + "text": "To fix the issue, follow the remediation instructions provided in the 'Ensure IAM policies are attached only to groups or roles' recommendation.", + "url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html", + "complexity": "low" + }, + "url": "http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Verwendung des Root-Kontos vermieden wird", + "risk": "Wenn das Problem nicht gelöst wird, behält das Root-Konto uneingeschränkten Zugriff auf alle Ressourcen im AWS-Konto. Es wird dringend empfohlen, die Verwendung dieses Kontos aufgrund der damit verbundenen Risiken zu vermeiden.", + "remediation": "Um das Problem zu beheben, befolgen Sie die Anweisungen zur Fehlerbehebung in der Empfehlung 'Stellen Sie sicher, dass IAM-Richtlinien nur Gruppen oder Rollen zugewiesen sind'." + } + } + }, + { + "name": "password_policy_minimum_length_14", + "title": "Ensure IAM Password Policy Requires a Minimum Length of 14 or Greater", + "result_kinds": [ + "aws_account" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to enforce a strong password policy increases the risk of unauthorized access to AWS resources. 
Without a minimum length requirement of 14 or greater, it becomes easier for attackers to crack passwords and gain unauthorized access.", + "severity": "medium", + "detect": { + "fix": "is(aws_account) and minimum_password_length<14" + }, + "remediation": { + "text": "To fix this issue, ensure that the \"Minimum password length\" option is checked under \"Password Policy\" in the AWS Identity and Access Management (IAM) console.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die IAM-Passwortrichtlinie eine Mindestlänge von 14 oder mehr erfordert", + "risk": "Die Nichtdurchsetzung einer starken Passwortrichtlinie erhöht das Risiko eines unbefugten Zugriffs auf AWS-Ressourcen. Ohne eine Mindestlängenanforderung von 14 oder mehr wird es einfacher für Angreifer, Passwörter zu knacken und unbefugten Zugriff zu erlangen.", + "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass die Option \"Mindest-Passwortlänge\" unter \"Passwortrichtlinie\" in der AWS Identity and Access Management (IAM) Konsole aktiviert ist." + } + } + }, + { + "name": "password_policy_reuse_24", + "title": "Ensure IAM Password Policy Prevents Password Reuse: 24 or Greater", + "result_kinds": [ + "aws_account" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to enforce a strong password policy increases the risk of unauthorized access to the AWS account. 
Without preventing password reuse of 24 or greater, weak passwords may be reused, making it easier for attackers to gain access.", + "severity": "medium", + "detect": { + "fix": "is(aws_account) and password_reuse_prevention<24" + }, + "remediation": { + "text": "To fix this issue, ensure that the \"Number of passwords to remember\" in the account password policy is set to 24 or greater.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die IAM-Passwortrichtlinie die Wiederverwendung von Passwörtern verhindert: 24 oder höher", + "risk": "Die Nichtumsetzung einer starken Passwortrichtlinie erhöht das Risiko eines unbefugten Zugriffs auf das AWS-Konto. Ohne die Verhinderung der Wiederverwendung von Passwörtern mit einer Anzahl von 24 oder höher können schwache Passwörter wiederholt verwendet werden, was es Angreifern erleichtert, Zugriff zu erlangen.", + "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass die \"Anzahl der zu merkenden Passwörter\" in der Konten-Passwortrichtlinie auf 24 oder höher festgelegt ist." + } + } + }, + { + "name": "user_mfa_enabled_console_access", + "title": "Ensure Multi-Factor Authentication (MFA) Is Enabled for All IAM Users with Console Passwords", + "result_kinds": [ + "aws_iam_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If MFA is not enabled for IAM users with console passwords, it increases the risk of unauthorized access to AWS resources. Password complexity requirements and password policy enforcement may not be sufficient to protect against password reuse. 
It is recommended to prevent password reuse of 24 or more passwords to enhance security.", + "severity": "high", + "detect": { + "fix": "is(aws_iam_user) and password_enabled==true and mfa_active==false" + }, + "remediation": { + "text": "To fix this issue, enable MFA for the user's account. MFA adds an extra layer of protection beyond just a username and password. It is recommended to use hardware keys instead of virtual MFA for enhanced security.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html", + "complexity": "medium" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Mehr-Faktor-Authentifizierung (MFA) für alle IAM-Benutzer mit Konsolenpasswörtern aktiviert ist.", + "risk": "Wenn die MFA für IAM-Benutzer mit Konsolenpasswörtern nicht aktiviert ist, erhöht sich das Risiko eines unbefugten Zugriffs auf AWS-Ressourcen. Die Anforderungen an die Passwortkomplexität und die Durchsetzung von Passwortrichtlinien sind möglicherweise nicht ausreichend, um sich gegen die Wiederverwendung von Passwörtern zu schützen. Es wird empfohlen, die Wiederverwendung von 24 oder mehr Passwörtern zu verhindern, um die Sicherheit zu erhöhen.", + "remediation": "Um dieses Problem zu beheben, aktivieren Sie MFA für das Benutzerkonto. MFA bietet einen zusätzlichen Schutz über Benutzernamen und Passwort hinaus. Es wird empfohlen, anstelle von virtuellem MFA Hardware-Schlüssel für eine verbesserte Sicherheit zu verwenden." 
+ } + } + }, + { + "name": "user_uses_access_keys_console_access", + "title": "Ensure Access Keys Are Not Created During Initial User Setup for IAM Users with a Console Password", + "result_kinds": [ + "aws_iam_access_key" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If access keys are generated unnecessarily during the initial user setup, it creates unnecessary credentials and management work to audit and rotate these keys. Requiring additional steps after the user's profile is created will indicate intent and ensure that access keys are only created when truly necessary.", + "severity": "medium", + "detect": { + "fix": "is(aws_iam_access_key) and access_key_status==\"Active\" and access_key_last_used.last_used==null and /ancestors.aws_iam_user.reported.password_enabled==true" + }, + "remediation": { + "text": "From the IAM console, generate a credential report and disable any access keys that are not required.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass bei der initialen Benutzereinrichtung für IAM-Benutzer mit einem Konsolenpasswort keine Zugriffsschlüssel erstellt werden", + "risk": "Wenn bei der initialen Benutzereinrichtung unnötigerweise Zugriffsschlüssel generiert werden, entstehen unnötige Anmeldeinformationen und Verwaltungsarbeit, um diese Schlüssel zu überprüfen und zu rotieren. Das Erfordernis weiterer Schritte nach Erstellung des Benutzerprofils deutet auf Absicht hin und stellt sicher, dass Zugriffsschlüssel nur dann erstellt werden, wenn sie wirklich erforderlich sind.", + "remediation": "Generieren Sie über die IAM-Konsole einen Berechtigungsbericht und deaktivieren Sie alle nicht erforderlichen Zugriffsschlüssel." 
+ } + } + }, + { + "name": "disable_old_credentials", + "title": "Ensure Unused Credentials Are Disabled After 45 Days", + "result_kinds": [ + "aws_iam_user" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to disable unused IAM user credentials (passwords and access keys) poses a security risk to your AWS account. This includes credentials of users who have left the organization or no longer require AWS access.", + "severity": "medium", + "detect": { + "fix": "is(aws_iam_user) and password_last_used<{{password_used_since.ago}}" + }, + "default_values": { + "password_used_since": "45d" + }, + "remediation": { + "text": "To fix the issue, generate a credential report from the IAM console and disable unnecessary keys.", + "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass nicht genutzte Anmeldeinformationen nach 45 Tagen deaktiviert werden", + "risk": "Das Versäumnis, nicht genutzte IAM-Benutzeranmeldeinformationen (Passwörter und Zugriffsschlüssel) zu deaktivieren, stellt ein Sicherheitsrisiko für Ihr AWS-Konto dar. Dies betrifft die Anmeldeinformationen von Benutzern, die die Organisation verlassen haben oder keinen AWS-Zugriff mehr benötigen.", + "remediation": "Um das Problem zu beheben, generieren Sie einen Bericht über Anmeldeinformationen in der IAM-Konsole und deaktivieren Sie unnötige Schlüssel." 
+ }
+ }
+ },
+ {
+ "name": "user_has_two_active_access_keys",
+ "title": "Ensure IAM Users Do Not Have Two Active Access Keys",
+ "result_kinds": [
+ "aws_iam_user"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Users should not have two access keys simultaneously, as it increases the risk of key mismanagement and potential unauthorized access; this practice is advised only temporarily during key rotation to ensure seamless access transition.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_user) {access_keys[]: --> is(access_key)} access_keys[0].reported.access_key_status==\"Active\" and access_keys[1].reported.access_key_status==\"Active\""
+ },
+ "remediation": {
+ "text": "To fix the issue, avoid using long-lived access keys and delete the second one after rotation to minimize the risk of compromise.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass IAM-Benutzer nicht über zwei aktive Zugriffsschlüssel verfügen",
+ "risk": "Benutzer sollten nicht gleichzeitig zwei Zugriffsschlüssel besitzen, da dies das Risiko einer fehlerhaften Schlüsselverwaltung und potenziell unbefugten Zugriffs erhöht; diese Praxis wird nur vorübergehend während des Schlüsselwechsels empfohlen, um einen nahtlosen Übergang des Zugriffs zu gewährleisten.",
+ "remediation": "Um das Problem zu beheben, sollten Sie vermeiden, langlebige Zugriffsschlüssel zu verwenden und einen zweiten direkt nach dem Rotieren zu löschen, um das Risiko einer Kompromittierung zu minimieren."
+ }
+ }
+ },
+ {
+ "name": "rotate_access_keys_after_90_days",
+ "title": "Ensure Access Keys Are Rotated Every 90 Days or Less",
+ "result_kinds": [
+ "aws_iam_access_key"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Access keys consist of an access key ID and secret access key which are used to sign programmatic requests that you make to AWS. If access keys are not rotated regularly, it increases the risk of unauthorized access to AWS resources. Regularly rotating access keys helps mitigate the risk of compromised keys.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_access_key) and access_key_last_used.last_rotated<{{last_rotated_max.ago}}"
+ },
+ "default_values": {
+ "last_rotated_max": "90d"
+ },
+ "remediation": {
+ "text": "To fix the issue, check the credential report and ensure that the access_key_X_last_rotated value is less than 90 days ago.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Zugriffsschlüssel alle 90 Tage oder weniger rotiert werden",
+ "risk": "Zugriffsschlüssel bestehen aus einer Zugriffsschlüssel-ID und geheimem Zugriffsschlüssel, die verwendet werden, um programmierte Anfragen zu signieren, die Sie an AWS stellen. Wenn Zugriffsschlüssel nicht regelmäßig rotiert werden, erhöht sich das Risiko eines unbefugten Zugriffs auf AWS-Ressourcen. Durch regelmäßiges Rotieren der Zugriffsschlüssel wird das Risiko von kompromittierten Schlüsseln verringert.",
+ "remediation": "Um das Problem zu beheben, überprüfen Sie den Berechtigungsbericht und stellen Sie sicher, dass der Wert access_key_X_last_rotated weniger als 90 Tage zurück liegt."
+ }
+ }
+ },
+ {
+ "name": "policy_attached_only_to_group_or_roles",
+ "title": "Ensure IAM Policies Are Attached Only to Groups or Roles",
+ "result_kinds": [
+ "aws_iam_user"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are used to grant privileges to users, groups, or roles. It is recommended to apply IAM policies directly to groups and roles rather than users. Assigning privileges at the group or role level reduces access management complexity and minimizes the risk of excessive privileges.",
+ "severity": "low",
+ "detect": {
+ "fix": "is(aws_iam_user) {attached_policy: --> is(aws_iam_policy)} user_policies!=[] or attached_policy!=null"
+ },
+ "remediation": {
+ "text": "To fix the issue, remove any directly attached policy from the user and use groups or roles instead.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass IAM-Richtlinien nur Gruppen oder Rollen zugeordnet sind",
+ "risk": "Standardmäßig haben IAM-Benutzer, Gruppen und Rollen keinen Zugriff auf AWS-Ressourcen. IAM-Richtlinien werden verwendet, um Benutzern, Gruppen oder Rollen Privilegien zuzuweisen. Es wird empfohlen, IAM-Richtlinien direkt Gruppen und Rollen zuzuordnen, anstatt Benutzern. Die Zuweisung von Berechtigungen auf Gruppen- oder Rollenebene reduziert die Komplexität des Zugriffsmanagements und minimiert das Risiko übermäßiger Berechtigungen.",
+ "remediation": "Um das Problem zu beheben, entfernen Sie alle direkt zugeordneten Richtlinien von Benutzern und verwenden Sie stattdessen Gruppen oder Rollen."
+ }
+ }
+ },
+ {
+ "name": "policy_with_administrative_privileges_not_in_use",
+ "title": "Ensure IAM Policies Do Not Grant Full Administrative Privileges",
+ "result_kinds": [
+ "aws_iam_policy"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Granting full administrative privileges through IAM policies exposes resources to potentially unwanted actions. It is recommended to grant least privilege by only providing necessary permissions for users, groups, or roles.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_policy) and policy_document.document.Statement[*].{Effect=Allow and (Action in [\"*\", [\"*\"]] and Resource in [\"*\", [\"*\"]])} and policy_attachment_count>0"
+ },
+ "remediation": {
+ "text": "To mitigate the risk, start with a minimum set of permissions and grant additional permissions as necessary. Regularly review policies to ensure permissions are the minimum required for business activities.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass IAM-Richtlinien keine volle administrative Berechtigung gewähren",
+ "risk": "Indem volle administrative Berechtigungen über IAM-Richtlinien gewährt werden, werden Ressourcen potenziell unerwünschten Aktionen ausgesetzt. Es wird empfohlen, die Minimalberechtigung zu gewähren, indem nur die für Benutzer, Gruppen oder Rollen erforderlichen Berechtigungen erteilt werden.",
+ "remediation": "Um das Risiko zu mindern, beginnen Sie mit einem minimalen Satz von Berechtigungen und gewähren Sie zusätzliche Berechtigungen, wenn erforderlich. Überprüfen Sie regelmäßig die Richtlinien, um sicherzustellen, dass die Berechtigungen für die Geschäftsaktivitäten minimal erforderlich sind."
+ }
+ }
+ },
+ {
+ "name": "user_inline_policy_no_star_star",
+ "title": "Ensure IAM Users Do Not Have Inline Policies Granting Full Administrative Privileges \"*:*\"",
+ "result_kinds": [
+ "aws_iam_user"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Granting full administrative privileges to IAM users increases the risk of unauthorized actions and potential security breaches. It is best practice to grant least privilege, providing users with only the necessary permissions to complete their tasks.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_user) and user_policies[*].policy_document.Statement[*].{Effect=Allow and (Action in [\"*\", [\"*\"]] and Resource in [\"*\", [\"*\"]])}"
+ },
+ "remediation": {
+ "text": "Follow the principle of least privilege by starting with minimal permissions and gradually granting additional permissions as needed. Review and analyze existing policies to ensure they only provide the minimum necessary permissions for business activities.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass IAM-Benutzer keine inline-Richtlinien haben, die volle Administrationsberechtigungen \"*:*\" gewähren.",
+ "risk": "Indem IAM-Benutzern volle Administrationsberechtigungen gewährt werden, erhöht sich das Risiko unbefugter Aktionen und potenzieller Sicherheitsverletzungen. Es ist bewährte Praxis, möglichst geringe Privilegien zu gewähren und den Benutzern nur die für ihre Aufgaben erforderlichen Berechtigungen zur Verfügung zu stellen.",
+ "remediation": "Befolgen Sie das Prinzip des geringsten Privilegs, indem Sie mit minimalen Berechtigungen beginnen und schrittweise zusätzliche Berechtigungen gewähren, wenn sie benötigt werden.
Überprüfen und analysieren Sie vorhandene Richtlinien, um sicherzustellen, dass sie nur die für geschäftliche Aktivitäten erforderlichen minimalen Berechtigungen bieten."
+ }
+ }
+ },
+ {
+ "name": "group_inline_policy_no_star_star",
+ "title": "Ensure Inline Policies for IAM Groups That Grant Full Administrative Privileges Are Not in Use",
+ "result_kinds": [
+ "aws_iam_group"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Granting full \"*:*\" administrative privileges to IAM groups exposes resources to potentially unwanted actions. It is recommended to follow the principle of least privilege and grant only the necessary permissions to perform specific tasks.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_group) and group_policies[*].policy_document.Statement[*].{Effect=Allow and (Action in [\"*\", [\"*\"]] and Resource in [\"*\", [\"*\"]])}"
+ },
+ "remediation": {
+ "text": "To fix this issue, it is more secure to start with a minimum set of permissions and grant additional permissions as necessary. Analyze the existing policies and ensure that the permissions granted are the least required for business activities.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass inline-Richtlinien für IAM-Gruppen, die volle administrative Berechtigungen gewähren, nicht verwendet werden",
+ "risk": "Die Gewährung vollständiger \"*:*\" administrativer Berechtigungen an IAM-Gruppen macht Ressourcen potenziell unerwünschten Aktionen ausgesetzt.
Es wird empfohlen, dem Prinzip des geringsten Privilegs zu folgen und nur die erforderlichen Berechtigungen für bestimmte Aufgaben zu gewähren.",
+ "remediation": "Um dieses Problem zu beheben, ist es sicherer, mit einem Mindestmaß an Berechtigungen zu beginnen und bei Bedarf zusätzliche Berechtigungen zu gewähren. Analysieren Sie die vorhandenen Richtlinien und stellen Sie sicher, dass die gewährten Berechtigungen für Geschäftstätigkeiten minimal erforderlich sind."
+ }
+ }
+ },
+ {
+ "name": "role_inline_policy_no_star_star",
+ "title": "Ensure IAM Roles Do Not Use Inline Policies with Full Administrative Privileges",
+ "result_kinds": [
+ "aws_iam_role"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Granting full administrative privileges through IAM roles increases the risk of unauthorized access to resources. Following least privilege principle is crucial to limit potential unwanted actions and protect resources.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_role) and role_policies[*].policy_document.Statement[*].{Effect=Allow and (Action in [\"*\", [\"*\"]] and Resource in [\"*\", [\"*\"]])}"
+ },
+ "remediation": {
+ "text": "To improve security, start with a minimum set of permissions and gradually grant additional permissions as needed. Review the policies and ensure permissions are restricted to the essential tasks required for business activities.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass IAM-Rollen keine inline-Richtlinien mit vollen administrativen Rechten verwenden.",
+ "risk": "Die Gewährung voller administrativer Rechte über IAM-Rollen erhöht das Risiko unbefugten Zugriffs auf Ressourcen.
Das Befolgen des Prinzips des geringsten Privilegs ist entscheidend, um potenziell unerwünschte Aktionen zu begrenzen und Ressourcen zu schützen.",
+ "remediation": "Um die Sicherheit zu verbessern, beginnen Sie mit einem minimalen Satz von Berechtigungen und gewähren Sie nach Bedarf schrittweise zusätzliche Berechtigungen. Überprüfen Sie die Richtlinien und stellen Sie sicher, dass die Berechtigungen auf die für die Geschäftstätigkeit erforderlichen Aufgaben beschränkt sind."
+ }
+ }
+ },
+ {
+ "name": "support_role_exists",
+ "title": "Ensure a Support Role Has Been Created to Manage Incidents with AWS Support",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without a support role, incident notification and response, as well as technical support and customer services, may be compromised. To mitigate this risk, it is important to create an IAM Role that allows authorized users to manage incidents with AWS Support.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_account) with(empty, -[0:2]-> is(aws_iam_role) and name=AWSServiceRoleForSupport and role_assume_role_policy_document.Statement[*].{Effect=Allow and Principal.Service=support.amazonaws.com and Action=\"sts:AssumeRole\"})"
+ },
+ "remediation": {
+ "text": "To fix this issue, create an IAM role specifically for managing incidents with AWS Support.",
+ "url": "https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/awssupport/latest/user/using-service-linked-roles-sup.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass eine Support-Rolle erstellt wurde, um Vorfälle mit AWS Support zu verwalten",
+ "risk": "Ohne eine Support-Rolle können die Benachrichtigung und Reaktion auf Vorfälle sowie technischer Support und Kundenservice beeinträchtigt werden.
Um dieses Risiko zu mindern, ist es wichtig, eine IAM-Rolle zu erstellen, die autorisierten Benutzern das Verwalten von Vorfällen mit AWS Support ermöglicht.",
+ "remediation": "Um dieses Problem zu beheben, erstellen Sie eine IAM-Rolle, die speziell für das Verwalten von Vorfällen mit AWS Support geeignet ist."
+ }
+ }
+ },
+ {
+ "name": "expired_server_certificates",
+ "title": "Ensure That All Expired SSL/TLS Certificates Are Removed from AWS IAM",
+ "result_kinds": [
+ "aws_iam_server_certificate"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If expired SSL/TLS certificates are not removed, there is a risk of accidentally deploying an invalid certificate to a resource like AWS Elastic Load Balancer (ELB), which can damage the credibility of the application/website.",
+ "severity": "critical",
+ "detect": {
+ "fix": "is(aws_iam_server_certificate) and expires<{{certificate_expiration.from_now}}"
+ },
+ "default_values": {
+ "certificate_expiration": "0d"
+ },
+ "remediation": {
+ "action": {
+ "fix": "search is(aws_iam_server_certificate) and expires<@UTC@ | clean",
+ "aws_cli": "aws iam delete-server-certificate --server-certificate-name {{name}}"
+ },
+ "text": "To fix this issue, delete the expired SSL/TLS certificate from AWS IAM. However, keep in mind that deleting the certificate could have implications for your application if you are using it with services like Elastic Load Balancing or CloudFront.
Make the necessary configurations in these services to ensure no interruption in application functionality.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_server-certs.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass alle abgelaufenen SSL/TLS-Zertifikate aus AWS IAM entfernt werden.",
+ "risk": "Wenn abgelaufene SSL/TLS-Zertifikate nicht entfernt werden, besteht die Gefahr, versehentlich ein ungültiges Zertifikat auf eine Ressource wie den AWS Elastic Load Balancer (ELB) zu deployen, was die Glaubwürdigkeit der Anwendung/Website beeinträchtigen kann.",
+ "remediation": "Um dieses Problem zu beheben, löschen Sie das abgelaufene SSL/TLS-Zertifikat aus AWS IAM. Beachten Sie jedoch, dass das Löschen des Zertifikats Auswirkungen auf Ihre Anwendung haben kann, wenn Sie es mit Diensten wie Elastic Load Balancing oder CloudFront verwenden. Nehmen Sie die erforderlichen Konfigurationen in diesen Diensten vor, um sicherzustellen, dass es zu keiner Unterbrechung der Anwendungsfunktionalität kommt."
+ }
+ }
+ },
+ {
+ "name": "access_analyzer_enabled",
+ "title": "Ensure IAM Access Analyzer Is Enabled",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without IAM Access Analyzer enabled, it becomes difficult to identify resources in your organization and accounts that are shared with external entities. This increases the risk of unintended access to your resources and data, posing a security threat. By using IAM Access Analyzer, you can efficiently analyze resource policies and detect and address potential security risks.",
+ "severity": "low",
+ "detect": {
+ "manual": "Check that IAM Access Analyzer is enabled and that no analyzer produced any findings. Use the commands `aws accessanalyzer list-analyzers` and `aws accessanalyzer list-findings`."
+ },
+ "remediation": {
+ "text": "To mitigate the risk, enable IAM Access Analyzer for all accounts and create an analyzer. Take appropriate action based on the analyzer's recommendations. Enabling IAM Access Analyzer is free of charge and highly beneficial for security purposes.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass IAM Access Analyzer aktiviert ist",
+ "risk": "Ohne aktivierten IAM Access Analyzer wird es schwierig, Ressourcen in Ihrer Organisation und in den Konten zu identifizieren, die mit externen Einheiten geteilt werden. Dadurch besteht ein erhöhtes Risiko für unbeabsichtigten Zugriff auf Ihre Ressourcen und Daten, was eine Sicherheitsbedrohung darstellt. Durch die Verwendung von IAM Access Analyzer können Sie Ressourcenrichtlinien effizient analysieren und potenzielle Sicherheitsrisiken erkennen und beheben.",
+ "remediation": "Um das Risiko zu minimieren, aktivieren Sie IAM Access Analyzer für alle Konten und erstellen Sie einen Analyzer. Ergreifen Sie entsprechende Maßnahmen basierend auf den Empfehlungen des Analyzers. Die Aktivierung von IAM Access Analyzer ist kostenlos und für Sicherheitszwecke äußerst vorteilhaft."
+ }
+ }
+ },
+ {
+ "name": "check_saml_providers_sts",
+ "title": "Ensure SAML Providers Are Used for STS to Prevent the Use of Long-Lived Credentials",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without SAML provider, users with AWS CLI or AWS API access can use IAM static credentials. This increases the risk of unauthorized access and potential misuse of privileges.",
+ "severity": "low",
+ "detect": {
+ "manual": "Check that SAML providers are available by running the command `aws iam list-saml-providers`"
+ },
+ "remediation": {
+ "text": "To mitigate this issue, enable a SAML provider and use temporary security credentials.
Temporary credentials provide the same permissions as long-term credentials but have a limited duration. This helps prevent the unauthorized use of long-lived credentials.",
+ "url": "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html",
+ "complexity": "high"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass SAML-Provider für STS verwendet werden, um die Verwendung von langfristigen Anmeldeinformationen zu vermeiden",
+ "risk": "Ohne SAML-Provider können Benutzer mit AWS CLI- oder AWS API-Zugriff IAM-Statikanmeldeinformationen verwenden. Dadurch steigt das Risiko unbefugten Zugriffs und potenziellen Missbrauchs von Berechtigungen.",
+ "remediation": "Um dieses Problem zu beheben, aktivieren Sie einen SAML-Provider und verwenden Sie temporäre Sicherheitsanmeldeinformationen. Temporäre Anmeldeinformationen bieten die gleichen Berechtigungen wie langfristige Anmeldeinformationen, haben jedoch eine begrenzte Gültigkeitsdauer. Dies hilft, die unbefugte Verwendung von langfristigen Anmeldeinformationen zu verhindern."
+ }
+ }
+ },
+ {
+ "name": "check_cloudshell_access_restricted",
+ "title": "Ensure Access to AWSCloudShellFullAccess Is Restricted",
+ "result_kinds": [
+ "aws_iam_role",
+ "aws_iam_user"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Unrestricted access to the AWSCloudShellFullAccess policy poses a risk of data exfiltration by malicious cloud admins with full permissions to the service. To mitigate this risk, it is recommended to create a more restrictive IAM policy that denies file transfer permissions.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_policy) and name==AWSCloudShellFullAccess <-- is(aws_iam_user, aws_iam_role)"
+ },
+ "remediation": {
+ "text": "To restrict access to the AWSCloudShellFullAccess policy, open the IAM console at https://console.aws.amazon.com/iam/, select Policies in the left pane, search for and select AWSCloudShellFullAccess.
On the Entities attached tab, select and detach each item.",
+ "url": "https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der Zugriff auf AWSCloudShellFullAccess eingeschränkt ist",
+ "risk": "Unbeschränkter Zugriff auf die AWSCloudShellFullAccess-Richtlinie birgt ein Risiko der Datenexfiltration durch bösartige Cloud-Administratoren mit vollen Berechtigungen für den Dienst. Zur Minderung dieses Risikos wird empfohlen, eine restriktivere IAM-Richtlinie zu erstellen, die Dateiübertragungsberechtigungen verweigert.",
+ "remediation": "Um den Zugriff auf die AWSCloudShellFullAccess-Richtlinie einzuschränken, öffnen Sie die IAM-Konsole unter https://console.aws.amazon.com/iam/, wählen Sie in der linken Leiste 'Richtlinien' aus, suchen Sie nach und wählen Sie AWSCloudShellFullAccess aus. Wählen Sie auf der Registerkarte 'Angefügte Entitäten' jedes Element aus und heben Sie die Zuordnung auf."
+ }
+ }
+ },
+ {
+ "name": "password_policy_lowercase",
+ "title": "Ensure IAM Password Policy Requires at Least One Lowercase Letter",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without requiring at least one lowercase letter in the password policy, IAM users may use passwords that lack complexity and are easier to crack.
This increases the risk of unauthorized access and potential data breaches.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_account) and require_lowercase_characters=false"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that the \"Requires at least one lowercase letter\" option is checked under \"Password Policy\" in the AWS IAM console.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die IAM-Passwortrichtlinie mindestens einen Kleinbuchstaben erfordert",
+ "risk": "Ohne die Anforderung mindestens eines Kleinbuchstabens in der Passwortrichtlinie können IAM-Benutzer Passwörter verwenden, die an Komplexität fehlen und leichter zu knacken sind. Dadurch erhöht sich das Risiko eines unbefugten Zugriffs und potenzieller Datenverstöße.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass die Option \"Erfordert mindestens einen Kleinbuchstaben\" unter \"Passwortrichtlinie\" in der AWS IAM-Konsole aktiviert ist."
+ }
+ }
+ },
+ {
+ "name": "password_policy_number",
+ "title": "Ensure IAM Password Policy Requires at Least One Number",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If the issue is not solved, password complexity requirements may not be enforced, allowing weak passwords to be used.
It is recommended to require at least one number in the password policy to enhance security.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_account) and require_numbers=false"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that the \"Requires at least one number\" option is checked under \"Password Policy\".",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die IAM-Passwortrichtlinie mindestens eine Nummer erfordert",
+ "risk": "Wenn das Problem nicht behoben wird, können die Anforderungen an die Passwortkomplexität nicht durchgesetzt werden, was das Verwenden von schwachen Passwörtern ermöglicht. Es wird empfohlen, mindestens eine Nummer in die Passwortrichtlinie aufzunehmen, um die Sicherheit zu verbessern.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass die Option \"Erfordert mindestens eine Nummer\" unter \"Passwortrichtlinie\" aktiviert ist."
+ }
+ }
+ },
+ {
+ "name": "password_policy_symbol",
+ "title": "Ensure IAM Password Policy Requires at Least One Symbol",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enforce password complexity requirements in IAM can result in weak passwords.
It is important to require at least one non-alphanumeric character to ensure stronger password security.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_account) and require_symbols=false"
+ },
+ "remediation": {
+ "text": "To fix the issue, navigate to the \"Password Policy\" section and ensure that the option \"Require at least one non-alphanumeric character\" is checked.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die IAM-Kennwortrichtlinie mindestens ein Symbol erfordert",
+ "risk": "Die Nichtdurchsetzung von Anforderungen an die Kennwortkomplexität in IAM kann zu schwachen Kennwörtern führen. Es ist wichtig, mindestens ein nicht alphanumerisches Zeichen zu verlangen, um eine stärkere Kennwortsicherheit zu gewährleisten.",
+ "remediation": "Um das Problem zu beheben, navigieren Sie zum Abschnitt \"Kennwortrichtlinie\" und stellen Sie sicher, dass die Option \"Mindestens ein nicht alphanumerisches Zeichen erforderlich\" aktiviert ist."
+ }
+ }
+ },
+ {
+ "name": "password_policy_uppercase",
+ "title": "Ensure IAM Password Policy Requires at Least One Uppercase Letter",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "A strong password policy is important for ensuring password complexity.
Without requiring at least one uppercase letter, there is a risk of weak passwords being used, which can lead to potential security breaches.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_account) and require_uppercase_characters=false"
+ },
+ "remediation": {
+ "text": "To fix this issue, go to the AWS Identity and Access Management (IAM) console, navigate to the \"Password Policy\" section, and ensure that \"Require at least one uppercase character\" is checked.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die IAM-Passwortrichtlinie mindestens einen Großbuchstaben erfordert",
+ "risk": "Eine starke Passwortrichtlinie ist wichtig, um die Komplexität von Passwörtern sicherzustellen. Ohne die Anforderung mindestens eines Großbuchstabens besteht das Risiko, dass schwache Passwörter verwendet werden, was zu möglichen Sicherheitsverletzungen führen kann.",
+ "remediation": "Um dieses Problem zu beheben, gehen Sie zur AWS Identity and Access Management (IAM) Konsole, navigieren Sie zum Abschnitt \"Passwortrichtlinie\" und stellen Sie sicher, dass \"Mindestens ein Großbuchstabe erforderlich\" ausgewählt ist."
+ }
+ }
+ },
+ {
+ "name": "unused_access_keys",
+ "title": "Ensure Unused Access Keys Are Removed",
+ "result_kinds": [
+ "aws_iam_access_key"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Unused access keys pose a security risk and should be removed to prevent unauthorized access.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_iam_access_key) and age>{{access_key_too_old_age}} and (last_used==null or last_used<{{access_key_too_old_age.ago}})"
+ },
+ "default_values": {
+ "access_key_too_old_age": "90d"
+ },
+ "remediation": {
+ "text": "To fix this issue, delete any unused access keys from the IAM user.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html",
+ "localizations": {
+ "de": {
+ "title": "Sicherstellen, dass unbenutzte Zugriffsschlüssel entfernt werden",
+ "risk": "Unbenutzte Zugriffsschlüssel stellen ein Sicherheitsrisiko dar und sollten entfernt werden, um unbefugten Zugriff zu verhindern.",
+ "remediation": "Um dieses Problem zu beheben, entfernen Sie alle unbenutzten Zugriffsschlüssel vom IAM-Benutzer."
+ }
+ }
+ },
+ {
+ "name": "password_policy_expire_90",
+ "title": "Ensure Passwords Expire Within 90 Days or Less",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Allowing passwords to remain unchanged for more than 90 days can significantly increase the risk of unauthorized access and security breaches.
Older passwords are more likely to be compromised over time, and longer password lifetimes give malicious actors a wider window of opportunity to exploit stolen or weak credentials.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_account) and (expire_passwords!=true or max_password_age>{{password_age}})"
+ },
+ "default_values": {
+ "password_age": "90d"
+ },
+ "remediation": {
+ "text": "To fix this issue, configure IAM policies to enforce password expiration within 90 days. Ensure the 'expire_passwords' setting is enabled and set 'max_password_age' to 90 days or less. Regularly rotating passwords helps maintain account security by reducing the risk of compromised credentials being used for extended periods.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Passwörter innerhalb von 90 Tagen oder weniger ablaufen",
+ "risk": "Durch das Zulassen von Passwörtern, die länger als 90 Tage unverändert bleiben, kann das Risiko unbefugten Zugriffs und von Sicherheitsverletzungen erheblich steigen. Ältere Passwörter werden im Laufe der Zeit wahrscheinlicher kompromittiert, und eine längere Lebensdauer von Passwörtern gibt bösartigen Akteuren ein größeres Zeitfenster, um gestohlene oder schwache Anmeldedaten auszunutzen.",
+ "remediation": "Um dieses Problem zu beheben, konfigurieren Sie IAM-Richtlinien, um eine Passwortablaufzeit von 90 Tagen festzulegen. Stellen Sie sicher, dass die Einstellung 'expire_passwords' aktiviert ist und 'max_password_age' auf 90 Tage oder weniger gesetzt ist.
Durch regelmäßige Änderung von Passwörtern wird die Sicherheit des Kontos gewährleistet, indem das Risiko von kompromittierten Anmeldedaten, die für längere Zeiträume verwendet werden, verringert wird."
+ }
+ }
+ },
+ {
+ "name": "guardduty_enabled",
+ "title": "Ensure AWS GuardDuty Is Enabled",
+ "result_kinds": [],
+ "categories": [
+ "security"
+ ],
+ "risk": "Not enabling AWS GuardDuty poses potential risks to your AWS account. It is recommended to enable GuardDuty to identify and mitigate these risks effectively.",
+ "severity": "low",
+ "detect": {
+ "manual": "Check if GuardDuty is enabled in the AWS console."
+ },
+ "remediation": {
+ "text": "Enable GuardDuty in the AWS console to benefit from its intelligent threat detection capabilities.",
+ "url": "https://aws.amazon.com/guardduty/",
+ "complexity": "low"
+ },
+ "url": "https://aws.amazon.com/guardduty/",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass AWS GuardDuty aktiviert ist",
+ "risk": "Die Nichtaktivierung von AWS GuardDuty birgt potenzielle Risiken für Ihr AWS-Konto. Es wird empfohlen, GuardDuty zu aktivieren, um diese Risiken effektiv zu erkennen und zu mindern.",
+ "remediation": "Aktivieren Sie GuardDuty in der AWS-Konsole, um von seinen intelligenten Bedrohungserkennungsfunktionen zu profitieren."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_kms.json b/fixcompliance/data/checks/aws/aws_kms.json
new file mode 100644
index 0000000..f8f5345
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_kms.json
@@ -0,0 +1,93 @@ +{ + "provider": "aws", + "service": "kms", + "checks": [ + { + "name": "key_rotation_enabled", + "title": "Ensure That Key Rotation Is Enabled for Customer-Created KMS CMKs", + "result_kinds": [ + "aws_kms_key" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "The extensive reuse of encryption keys is discouraged as it may lead to the use of compromised keys. Without timely rotation, Customer Master Keys (CMKs) are at an increased risk of compromise, resulting in potential data breaches and operational disruptions.", + "severity": "medium", + "detect": { + "fix": "is(aws_kms_key) and kms_key_manager==CUSTOMER and access_key_status=Enabled and kms_key_rotation_enabled=false" + }, + "remediation": { + "text": "For every Customer Master Key (CMK), ensure that the 'Rotate this key every year' option is enabled. Regular rotation reduces the risk of compromise and improves overall system security. Check the key rotation status frequently and apply changes immediately when needed.", + "url": "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html", + "complexity": "medium" + }, + "url": "https://aws.amazon.com/kms/features/key-rotation/", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Schlüsselrotation für benutzerdefinierte KMS CMKs aktiviert ist", + "risk": "Die umfangreiche Wiederverwendung von Verschlüsselungsschlüsseln wird nicht empfohlen, da dies zu kompromittierten Schlüsseln führen kann. Ohne regelmäßige Rotation besteht ein erhöhtes Risiko, dass Customer Master Keys (CMKs) kompromittiert werden, was zu potenziellen Datenverletzungen und Betriebsunterbrechungen führen kann.", + "remediation": "Stellen Sie für jeden Customer Master Key (CMK) sicher, dass die Option Diesen Schlüssel einmal pro Jahr drehen aktiviert ist. Durch regelmäßige Rotation wird das Risiko einer Kompromittierung reduziert und die allgemeine Systemsicherheit verbessert. 
überprüfen Sie den Rotationsstatus des Schlüssels regelmäßig und wenden Sie änderungen sofort an, wenn dies erforderlich ist." + } + } + }, + { + "name": "key_not_pending_deletion", + "title": "Ensure No AWS KMS Keys in Use Are Pending Deletion", + "result_kinds": [ + "aws_kms_key" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "KMS keys marked for deletion cease to function for operations. An operational loss can occur if a key in use is pending deletion, with potential for irrecoverable data loss.", + "severity": "high", + "detect": { + "fix": "is(aws_kms_key) and access_key_status==PendingDeletion with(any, <-- not is(region))" + }, + "remediation": { + "text": "Confirm no keys in use are set with 'Pending deletion' status. If such a key is detected, promptly substitute the key with a new one to avoid disruption of services.", + "url": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass keine AWS KMS-Schlüssel ausstehend gelöscht werden", + "risk": "KMS-Schlüssel, die zur Löschung markiert sind, funktionieren nicht mehr ordnungsgemäß für Operationen. Bei einem Schlüssel, der noch verwendet wird und zur Löschung aussteht, kann ein Betriebsverlust auftreten, der zu unwiederbringlichem Datenverlust führen kann.", + "remediation": "Überprüfen Sie, ob keine verwendeten Schlüssel den Status 'Ausstehende Löschung' haben. Wenn ein solcher Schlüssel erkannt wird, ersetzen Sie ihn umgehend durch einen neuen, um Unterbrechungen von Diensten zu vermeiden." 
+ } + } + }, + { + "name": "cmk_policy_prohibit_public_access", + "title": "Ensure Customer Managed Keys in Use Are Not Publicly Accessible", + "result_kinds": [ + "aws_kms_key" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Maintaining public accessibility of Customer Managed Keys exposes your system to unnecessary security risks by granting external entities potential access. This can compromise the integrity, confidentiality or availability of your services.", + "severity": "medium", + "detect": { + "fix": "is(aws_kms_key) and kms_key_policy.Statement[*].{ Effect==Allow and Principal==\"*\" and Action in [\"*\", \"kms:*\"] and Condition==null}" + }, + "remediation": { + "text": "Modify the access policy of in-use keys to restrict public access. Grant access only to necessary users or roles, adhering to a least-privilege model to uphold security.", + "url": "https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass verwendete benutzerdefinierte Schlüssel nicht öffentlich zugänglich sind", + "risk": "Die Aufrechterhaltung der öffentlichen Zugänglichkeit von benutzerdefinierten Schlüsseln ermöglicht externen Entitäten potenziellen Zugriff und gefährdet somit die Integrität, Vertraulichkeit oder Verfügbarkeit Ihrer Dienste.", + "remediation": "Ändern Sie die Zugriffsrichtlinie der verwendeten Schlüssel, um den öffentlichen Zugriff einzuschränken. Gewähren Sie nur notwendigen Benutzern oder Rollen Zugriff und halten Sie sich dabei an das Modell des minimalen Privilegienlevels, um die Sicherheit zu gewährleisten." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_lambda.json b/fixcompliance/data/checks/aws/aws_lambda.json new file mode 100644 index 0000000..d398d42 --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_lambda.json 
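Review bot: The `cmk_policy_prohibit_public_access` detect only matches `Principal==\"*\"`, but a key policy written as `"Principal": {"AWS": "*"}` grants the same anonymous access and is not flagged; the opensearch and lambda checks in this same commit already test both spellings. Suggest `"fix": "is(aws_kms_key) and kms_key_policy.Statement[*].{Effect==Allow and (Principal==\"*\" or Principal.AWS==\"*\") and Action in [\"*\", \"kms:*\"] and Condition==null}"`. Separately, `key_rotation_enabled` applies to every customer-managed key, while AWS supports automatic rotation only for symmetric encryption keys, so asymmetric and HMAC keys will surface as findings that cannot be remediated as the text describes; if the `aws_kms_key` model exposes the key spec, it belongs in that filter.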
@@ -0,0 +1,185 @@ +{ + "provider": "aws", + "service": "lambda", + "checks": [ + { + "name": "publicly_accessible_permissions", + "title": "Ensure Lambda Functions Avoid Public Resource-Based Policies", + "result_kinds": [ + "aws_lambda_function" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If Lambda functions retain publicly accessible services, they become a potential vector for data breaches, exposing sensitive information to unauthorized use or malicious exploitation.", + "severity": "low", + "url": "https://docs.aws.amazon.com/lambda/latest/dg/logging-using-cloudtrail.html", + "detect": { + "fix": "is(aws_lambda_function) and function_policy.statement[*].{principal~\"*\" or principal.AWS~\"*\" or principal.CanonicalUser~\"*\"}" + }, + "remediation": { + "text": "To address this issue, restrict usage permissions on resource-based policies, strictly granting access on a per-resource basis. Always adhere to the principle of least privilege, allowing only necessary permissions.", + "url": "https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html", + "complexity": "high" + }, + "localizations": { + "de": { + "title": "Sicherstellen, dass Lambda-Funktionen öffentliche, ressourcenbasierte Richtlinien vermeiden", + "risk": "Wenn Lambda-Funktionen öffentlich zugängliche Dienste beibehalten, werden sie zu einem potenziellen Angriffsvektor für Datenverletzungen, bei denen sensible Informationen unbefugt genutzt oder bösartig ausgebeutet werden können.", + "remediation": "Um dieses Problem zu beheben, sollten Sie die Berechtigungen für ressourcenbasierte Richtlinien einschränken und den Zugriff strikt auf Basis von Ressourcen gewähren. Halten Sie sich immer an das Prinzip des geringsten Privilegs und genehmigen Sie nur die notwendigen Berechtigungen." 
+ } + } + }, + { + "name": "function_in_vpc", + "title": "Ensure That AWS Lambda Functions Are Deployed within a VPC and Configured with Appropriate Security Groups for Precise and Compliant Network Access Controls", + "result_kinds": [ + "aws_lambda_function" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Lambda functions without established controls via security groups in a VPC, are vulnerable to unauthorized access. This exposure threatens data security and compliance standards.", + "severity": "medium", + "detect": { + "fix": "is(aws_lambda_function) with (empty, <-- is(aws_vpc))" + }, + "remediation": { + "text": "Modify your Lambda function configuration to deploy within a VPC. This requires setting up necessary security groups and network access controls.", + "url": "https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html", + "complexity": "medium" + }, + "url": "https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass AWS Lambda-Funktionen innerhalb einer VPC bereitgestellt werden und mit geeigneten Sicherheitsgruppen für präzise und konforme Netzwerkzugriffskontrollen konfiguriert sind.", + "risk": "Lambda-Funktionen ohne etablierte Kontrollen über Sicherheitsgruppen in einer VPC sind anfällig für unbefugten Zugriff. Diese Exposition bedroht die Datensicherheit und Konformitätsstandards.", + "remediation": "Ändern Sie die Konfiguration Ihrer Lambda-Funktion, um sie innerhalb einer VPC bereitzustellen. Dies erfordert das Einrichten der erforderlichen Sicherheitsgruppen und Netzwerkzugriffskontrollen." 
+ } + } + }, + { + "name": "cors_policy", + "title": "Ensure Appropriate CORS Configuration for AWS Lambda Functions URL", + "result_kinds": [ + "aws_lambda_function" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Unverified CORS configurations can expose services to malicious attacks and unauthorized access, leading to potential data theft or infrastructure manipulation.", + "severity": "medium", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html", + "detect": { + "fix": "is(aws_lambda_function) and function_url_config.cors.allow_origins ~ \"*\"" + }, + "remediation": { + "action": { + "aws_cli": "aws lambda update-function-url-config --region AWS_REGION --function-name FUNCTION-NAME --auth-type AWS_IAM --cors 'AllowOrigins=https://www.example.com,AllowMethods=*,ExposeHeaders=keep-alive,MaxAge=3600,AllowCredentials=false'" + }, + "text": "Restrict access by updating the CORS policy to allow specific origins only, applying the principle of least privilege to function URLs to reduce potential security threats.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Stellen Sie eine angemessene CORS-Konfiguration für die URL der AWS Lambda-Funktionen sicher.", + "risk": "Nicht verifizierte CORS-Konfigurationen können Dienste Angriffen und unbefugtem Zugriff aussetzen, was zu potenziellem Diebstahl von Daten oder Manipulation der Infrastruktur führen kann.", + "remediation": "Beschränken Sie den Zugriff, indem Sie die CORS-Richtlinie aktualisieren, um nur bestimmte Ursprünge zuzulassen. Verwenden Sie das Prinzip des geringsten Privilegs für Funktions-URLs, um potenzielle Sicherheitsbedrohungen zu verringern." 
+ } + } + }, + { + "name": "function_restrict_public_access", + "title": "Ensure Lambda Functions Are Not Publicly Accessible", + "result_kinds": [ + "aws_lambda_function" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Publicly accessible Lambda functions pose a security threat as they can expose sensitive data and potentially allow unauthorized access to system resources. This could lead to data breaches or system compromise.", + "severity": "high", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html", + "detect": { + "fix": "is(aws_lambda_function) and function_url_config != null and function_url_config.auth_type != AWS_IAM" + }, + "remediation": { + "action": { + "aws_cli": "aws lambda update-function-url-config --region AWS_REGION --function-name FUNCTION-NAME --auth-type AWS_IAM" + }, + "text": "To secure your Lambda functions, update your function URL configuration to use AWS IAM as the authentication type. This will restrict access to permitted entities and applies the 'least privilege' security principle.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html", + "complexity": "high" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Lambda-Funktionen nicht öffentlich zugänglich sind.", + "risk": "Öffentlich zugängliche Lambda-Funktionen stellen eine Sicherheitsbedrohung dar, da sie sensible Daten offenlegen und potenziell unbefugten Zugriff auf Systemressourcen ermöglichen können. Dadurch könnte es zu Datenschutzverletzungen oder Kompromittierungen des Systems kommen.", + "remediation": "Um Ihre Lambda-Funktionen abzusichern, aktualisieren Sie die URL-Konfiguration Ihrer Funktion, um AWS IAM als Authentifizierungstyp zu verwenden. Dadurch wird der Zugriff auf genehmigte Entitäten beschränkt und das Sicherheitsprinzip des 'geringsten Privilegs' angewendet." 
+ } + } + }, + { + "name": "supported_runtime", + "title": "Ensure AWS Lambda Deployments Are Using Supported Runtimes", + "result_kinds": [ + "aws_lambda_function" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Utilizing deprecated runtimes in AWS Lambda functions could introduce severe risk. When deprecated, runtimes may become unsupported and receive no security updates, posing a potential security threat. Additionally, AWS may stop function invocation at any time without notice, causing functionality failures.", + "severity": "medium", + "url": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html", + "detect": { + "fix": "is(aws_lambda_function) and function_runtime in [python3.6, python2.7, dotnetcore2.1, ruby2.5, nodejs10.x, nodejs8.10, nodejs4.3, nodejs6.10, dotnetcore1.0, dotnetcore2.0, nodejs4.3-edge, nodejs]" + }, + "remediation": { + "text": "Upgrade AWS Lambda functions to the latest, supported runtimes. Continually test and facilitate the implementation of new runtimes as they become available, ensuring the highest level of security and performance.", + "url": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass AWS Lambda-Bereitstellungen unterstützte Runtimes verwenden", + "risk": "Die Verwendung veralteter Runtimes in AWS Lambda-Funktionen könnte erhebliche Risiken mit sich bringen. Veraltete Runtimes werden möglicherweise nicht mehr unterstützt und erhalten keine Sicherheitsupdates mehr, was eine potenzielle Sicherheitsbedrohung darstellt. Darüber hinaus kann AWS die Funktionen jederzeit ohne Vorankündigung außer Betrieb setzen, was zu Funktionsausfällen führen kann.", + "remediation": "Aktualisieren Sie AWS Lambda-Funktionen auf die neuesten unterstützten Runtimes. 
Testen und ermöglichen Sie kontinuierlich die Implementierung neuer Runtimes, wenn diese verfügbar werden, um das höchste Maß an Sicherheit und Leistung zu gewährleisten." + } + } + }, + { + "name": "no_secrets_in_variables", + "title": "Ensure Secrets Are Not Stored in AWS Lambda Environment Variables", + "result_kinds": [ + "aws_lambda_function" + ], + "categories": [ + "security" + ], + "risk": "Hard-coded passwords significantly amplify the risks of password guessing and unauthorized access. Consequently, if secrets are stored in the environment variables, they can potentially be exploited by malicious actors.", + "severity": "critical", + "url": "https://docs.aws.amazon.com/lambda/latest/dg/runtime-support-policy.html", + "detect": { + "fix_cmd": "search is(aws_lambda_function) and function_environment.variables not in [null, {}] | detect-secrets --path function_environment.variables --with-secrets" + }, + "remediation": { + "text": "Leverage AWS Secrets Manager to securely provide database credentials to your Lambda functions. This approach eliminates the need to hard-code secrets in your code or the environment variables, thus improving the security of your AWS deployments.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/lambda-functions.html", + "complexity": "medium" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Geheimnisse nicht in AWS Lambda Umgebungsvariablen gespeichert werden", + "risk": "Hardcodierte Passwörter erhöhen signifikant die Risiken von Passwortraten und unbefugtem Zugriff. Wenn Geheimnisse in den Umgebungsvariablen gespeichert sind, können sie potenziell von bösartigen Akteuren ausgenutzt werden.", + "remediation": "Nutzen Sie AWS Secrets Manager, um Datenbankanmeldeinformationen sicher an Ihre Lambda-Funktionen bereitzustellen. 
Dieser Ansatz beseitigt die Notwendigkeit, Geheimnisse im Code oder in den Umgebungsvariablen fest zu kodieren und verbessert somit die Sicherheit Ihrer AWS-Bereitstellungen." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_opensearch.json b/fixcompliance/data/checks/aws/aws_opensearch.json new file mode 100644 index 0000000..c3c161c --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_opensearch.json 
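Review bot: The `supported_runtime` detect (`function_runtime in [python3.6, python2.7, ...]`) is a hard-coded list that was already incomplete at the commit date: nodejs12.x, nodejs14.x, python3.7, ruby2.7, dotnetcore3.1, go1.x and the original java8 and provided runtimes had all reached end of support before March 2024 and are absent, so functions on them pass this check. Because the list ages quickly, consider moving it into `default_values` (e.g. `{{deprecated_runtimes}}`, if templates accept lists) the way the IAM password-age check does, so operators can extend it without editing the check. Also, `publicly_accessible_permissions` never tests the statement's effect, unlike the kms and opensearch checks, so a `Deny` statement with a wildcard principal is reported as public access; prefix the statement filter with `effect==Allow and` (attribute name to be confirmed against the `aws_lambda_function` model, which uses lower-case `principal`). The top-level `url` of `cors_policy`, `function_restrict_public_access` and `no_secrets_in_variables` point at Secrets Manager or runtime-policy pages unrelated to the check and look copy-pasted.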
@@ -0,0 +1,173 @@ +{ + "provider": "aws", + "service": "opensearch", + "checks": [ + { + "name": "domain_does_not_use_internal_user_database", + "title": "Ensure That Amazon OpenSearch Service Domains Do Not Use the Internal User Database", + "result_kinds": [ + "aws_opensearch_domain" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Using the Internal User Database for production environments is risky as it lacks the security benefits of Federated authentication.", + "severity": "medium", + "detect": { + "fix": "is(aws_opensearch_domain) and advanced_security_options.internal_user_database_enabled==true" + }, + "remediation": { + "text": "To fix this issue, remove the users from the internal user database and utilize Cognito for authentication instead.", + "url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Amazon OpenSearch Service-Domänen nicht die interne Benutzerdatenbank verwenden", + "risk": "Die Verwendung der internen Benutzerdatenbank für Produktionsumgebungen ist riskant, da sie die Sicherheitsvorteile der föderierten Authentifizierung nicht bietet.", + "remediation": "Um das Problem zu beheben, entfernen Sie die Benutzer aus der internen Benutzerdatenbank und nutzen Sie stattdessen Cognito zur Authentifizierung.\nWeitere Informationen finden Sie unter: https://docs.aws.amazon.com/opensearch-service/latest/developerguide/fgac.html" + } + } + }, + { + "name": "domain_is_not_publicly_accessible", + "title": "Ensure That Amazon OpenSearch/Elasticsearch Domains Are Not Publicly Accessible or Have Open Policy Access", + "result_kinds": [ + "aws_opensearch_domain" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to address this issue may result in exposing sensitive data to unauthorized 
individuals or malicious actors.", + "severity": "medium", + "detect": { + "fix": "is(aws_opensearch_domain) and access_policies.Statement[*].{Effect==\"Allow\" and (Principal.AWS=\"*\" or Principal=\"*\") and (Condition==null or Condition.IpAddress.`aws:SourceIp`[] in [\"*\", \"0.0.0.0/0\"])}" + }, + "remediation": { + "text": "To resolve this issue, ensure that Amazon OpenSearch/Elasticsearch domains are not set as Public and restrict access through VPC endpoints.", + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html", + "complexity": "medium" + }, + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-vpc.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Amazon OpenSearch/Elasticsearch-Domains nicht öffentlich zugänglich oder mit offenen Zugriffsrichtlinien versehen sind", + "risk": "Das Nichtbeheben dieses Problems kann dazu führen, dass sensible Daten unbefugten Personen oder bösartigen Akteuren zugänglich gemacht werden.", + "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass Amazon OpenSearch/Elasticsearch-Domains nicht öffentlich zugänglich sind und beschränken Sie den Zugriff über VPC-Endpoints." + } + } + }, + { + "name": "domain_uses_cognito_authentication", + "title": "Ensure That Amazon OpenSearch Service Domains Have Amazon Cognito Authentication Enabled", + "result_kinds": [ + "aws_opensearch_domain" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Not using Amazon Cognito authentication leaves the domain vulnerable to unauthorized access and compromises the security of the OpenSearch Service.", + "severity": "medium", + "detect": { + "fix": "is(aws_opensearch_domain) and cognito_options==null" + }, + "remediation": { + "text": "To address this issue, configure Amazon Cognito authentication. 
This helps protect the domain by providing secure user authentication and access control.", + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Amazon OpenSearch Service-Domänen die Amazon Cognito-Authentifizierung aktiviert haben.", + "risk": "Die Nichtverwendung der Amazon Cognito-Authentifizierung macht die Domäne anfällig für unbefugten Zugriff und gefährdet die Sicherheit des OpenSearch Service.", + "remediation": "Um dieses Problem zu beheben, konfigurieren Sie die Amazon Cognito-Authentifizierung. Dadurch wird die Domäne durch sichere Benutzerauthentifizierung und Zugriffskontrolle geschützt." + } + } + }, + { + "name": "audit_logs_enabled", + "title": "Ensure That Amazon OpenSearch Service Domains Have Audit Logs Enabled", + "result_kinds": [ + "aws_opensearch_domain" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If audit logs are not enabled, monitoring of service use and threat analysis is not possible.", + "severity": "low", + "detect": { + "fix": "is(aws_opensearch_domain) and log_publishing_options.AUDIT_LOGS.enabled in [null, false]" + }, + "remediation": { + "text": "Ensure that you enable logging information about Amazon OpenSearch Service operations.", + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html", + "complexity": "medium" + }, + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/audit-logs.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Audit-Logs für Amazon OpenSearch Service-Domains aktiviert sind", + "risk": "Wenn Audit-Logs nicht aktiviert sind, ist die Überwachung der Service-Nutzung und die Bedrohungsanalyse nicht möglich.", + "remediation": "Stellen Sie sicher, 
dass Sie Protokollinformationen über die Amazon OpenSearch Service-Vorgänge aktivieren." + } + } + }, + { + "name": "update_available", + "title": "Ensure That Amazon OpenSearch Service Domains Are Running the Latest Version", + "result_kinds": [ + "aws_opensearch_domain" + ], + "categories": [], + "risk": "Failure to update Amazon Opensearch Service domains to the latest version can leave them vulnerable to security risks and prevent them from benefiting from new features and improvements.", + "severity": "low", + "detect": { + "fix": "is(aws_opensearch_domain) and service_software_options.update_available==true" + }, + "remediation": { + "text": "To ensure that your Amazon OpenSearch Service domains are running the latest version, regularly check the Notifications panel in the console for available updates. You can also receive notifications through Amazon EventBridge. It is recommended to apply the updates promptly to maintain the security and functionality of your domains.", + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-service-software.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Amazon OpenSearch Service-Domänen die neueste Version ausführen.", + "risk": "Wenn Amazon OpenSearch Service-Domänen nicht auf die neueste Version aktualisiert werden, können sie anfällig für Sicherheitsrisiken sein und von neuen Funktionen und Verbesserungen nicht profitieren.", + "remediation": "Um sicherzustellen, dass Ihre Amazon OpenSearch Service-Domänen die neueste Version ausführen, überprüfen Sie regelmäßig das Benachrichtigungsfenster in der Konsole auf verfügbare Updates. Sie können auch Benachrichtigungen über Amazon EventBridge erhalten. Es wird empfohlen, die Updates umgehend anzuwenden, um die Sicherheit und Funktionalität Ihrer Domänen aufrechtzuerhalten." 
+ } + } + }, + { + "name": "encryption_at_rest_enabled", + "title": "Ensure That Encryption at Rest Is Enabled for Amazon OpenSearch Service Domains", + "result_kinds": [ + "aws_opensearch_domain" + ], + "categories": [], + "risk": "Encrypting data at rest is critical to protect sensitive data from unauthorized access.", + "severity": "low", + "detect": { + "fix": "is(aws_opensearch_domain) and encryption_at_rest_options.enabled=false" + }, + "remediation": { + "text": "To fix this issue, enable encryption at rest for your Amazon OpenSearch Service domain using AWS KMS to store and manage your encryption keys and the Advanced Encryption Standard algorithm with 256-bit keys (AES-256) for encryption.", + "url": "https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html", + "complexity": "low" + }, + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Verschlüsselung in Ruhe für Amazon OpenSearch Service-Domänen aktiviert ist", + "risk": "Die Verschlüsselung von Daten in Ruhe ist entscheidend, um sensible Daten vor unbefugtem Zugriff zu schützen.", + "remediation": "Um dieses Problem zu beheben, aktivieren Sie die Verschlüsselung in Ruhe für Ihre Amazon OpenSearch Service-Domäne. Verwenden Sie dazu AWS KMS, um Ihre Verschlüsselungsschlüssel zu speichern und zu verwalten, und den Advanced Encryption Standard-Algorithmus mit 256-Bit-Schlüsseln (AES-256) zur Verschlüsselung." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_organizations.json b/fixcompliance/data/checks/aws/aws_organizations.json new file mode 100644 index 0000000..31dfb80 --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_organizations.json 
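Review bot: `encryption_at_rest_enabled` tests `encryption_at_rest_options.enabled=false`, which misses domains where the options block is absent (null) on the collected resource; `audit_logs_enabled` in the same file already uses `in [null, false]` for this, so `"fix": "is(aws_opensearch_domain) and encryption_at_rest_options.enabled in [null, false]"` would be consistent. The converse applies to `domain_uses_cognito_authentication`, which only matches `cognito_options==null` — if the collector stores the API's CognitoOptions with Enabled=false rather than omitting it, the check never fires, and `cognito_options==null or cognito_options.enabled==false` (attribute name to confirm) covers both cases. Both `update_available` and `encryption_at_rest_enabled` also carry `"categories": []` while every other check here is tagged security/compliance, which looks like an oversight since it excludes them from category-based selection.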
@@ -0,0 +1,35 @@
+{
+ "provider": "aws",
+ "service": "organizations",
+ "checks": [
+ {
+ "name": "account_part_of_organizations",
+ "title": "Ensure AWS Account is Part of an AWS Organization",
+ "result_kinds": [
+ "aws_account"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not being part of an AWS Organization limits centralized management and control over AWS accounts, making it difficult to enforce security policies consistently. It can also result in increased costs due to resource usage inefficiencies and hinder account usage and access tracking.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_account) and is_organization_member=False"
+ },
+ "remediation": {
+ "text": "Create or Join an AWS Organization",
+ "url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass das AWS-Konto Teil einer AWS-Organisation ist",
+ "risk": "Die Nichtzugehörigkeit zu einer AWS-Organisation schränkt die zentralisierte Verwaltung und Kontrolle über AWS-Konten ein, was es schwierig macht, Sicherheitsrichtlinien konsistent durchzusetzen. Dies kann auch zu erhöhten Kosten aufgrund ineffizienter Ressourcennutzung führen und die Kontoverwendung und -zugriffsverfolgung beeinträchtigen.",
+ "remediation": "Erstellen oder Beitritt zu einer AWS-Organisation"
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_rds.json b/fixcompliance/data/checks/aws/aws_rds.json
new file mode 100644
index 0000000..20cf49c
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_rds.json
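Review bot: The detect `is(aws_account) and is_organization_member=False` uses a capitalised boolean literal, while every other check in this commit writes `true`/`false` (e.g. `kms_key_rotation_enabled=false`). If the query parser's boolean literal is case-sensitive, `False` is read as a string and the comparison never matches, so the check silently reports nothing; `"fix": "is(aws_account) and is_organization_member==false"` is the safe form. A unit test that this query compiles and matches a fixture account with the flag unset would catch this class of typo across the check files.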
@@ -0,0 +1,152 @@ +{ + "provider": "aws", + "service": "rds", + "checks": [ + { + "name": "storage_encrypted", + "title": "Ensure That RDS Instances Storage Is Encrypted", + "result_kinds": [ + "aws_rds_instance" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If storage encryption is not enabled, sensitive data stored at rest is unprotected. This poses a serious security risk as unauthorized parties may access or compromise your data.", + "severity": "medium", + "detect": { + "fix": "is(aws_rds_instance) and volume_encrypted==false" + }, + "remediation": { + "text": "You should enable storage encryption for the RDS instances. This provides enhancement to your data security by preventing unauthorized access to the underlying storage. Use industry standard AES-256 encryption algorithm and ensure all logs, backups, and snapshots are included in the encryption.", + "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encrypting.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass der Speicher von RDS-Instanzen verschlüsselt ist.", + "risk": "Wenn die Speicherverschlüsselung nicht aktiviert ist, sind gespeicherte sensible Daten ungeschützt. Dies stellt ein ernsthaftes Sicherheitsrisiko dar, da unbefugte Personen auf Ihre Daten zugreifen oder diese kompromittieren können.", + "remediation": "Sie sollten die Speicherverschlüsselung für die RDS-Instanzen aktivieren. Dies verbessert die Datensicherheit, indem unbefugter Zugriff auf den zugrunde liegenden Speicher verhindert wird. Verwenden Sie den branchenüblichen AES-256-Verschlüsselungsalgorithmus und stellen Sie sicher, dass alle Protokolle, Backups und Snapshots in die Verschlüsselung einbezogen werden." 
+ } + } + }, + { + "name": "auto_minor_version_upgrade", + "title": "Ensure Minor Version Upgrade Is Enabled for RDS Instances", + "result_kinds": [ + "aws_rds_instance" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Disabling Auto Minor Version Upgrade feature exposes the AWS database to potential threats including security vulnerabilities and bugs. Regular updates ensure optimal performance of your system and protects against such threats.", + "severity": "low", + "detect": { + "fix": "is(aws_rds_instance) and rds_auto_minor_version_upgrade==false" + }, + "remediation": { + "text": "To mitigate the risk, activate Auto Minor Version Upgrade feature for all databases and environments. This will ensure that your AWS database system is up-to-date.", + "url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql", + "complexity": "low" + }, + "url": "https://aws.amazon.com/blogs/database/best-practices-for-upgrading-amazon-rds-to-major-and-minor-versions-of-postgresql", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Aktualisierung der Nebenversion für RDS-Instanzen aktiviert ist", + "risk": "Das Deaktivieren der Funktion zur automatischen Aktualisierung der Nebenversion birgt potenzielle Risiken für die AWS-Datenbank, einschließlich Sicherheitslücken und Fehler. Regelmäßige Updates gewährleisten eine optimale Leistung Ihres Systems und schützen vor solchen Bedrohungen.", + "remediation": "Um das Risiko zu mindern, aktivieren Sie die Funktion zur automatischen Aktualisierung der Nebenversion für alle Datenbanken und Umgebungen. Dadurch wird sichergestellt, dass Ihr AWS-Datenbanksystem auf dem neuesten Stand ist." 
+ } + } + }, + { + "name": "db_instance_cloudwatch_logs_enabled", + "title": "Ensure That AWS RDS Instances Have CloudWatch Logs Exports Enabled", + "result_kinds": [ + "aws_rds_instance" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "The absence of CloudWatch Logs exports for RDS instances limits visibility into crucial performance or security metrics, possibly concealing operational issues or threats. It also makes the task of diagnosing problems significantly harder.", + "severity": "medium", + "detect": { + "fix": "is(aws_rds_instance) and rds_enabled_cloudwatch_logs_exports==[]" + }, + "remediation": { + "text": "Navigate to the RDS instance configuration and click 'Modify'. Enable 'Enable CloudWatch Logs exports.' and specify the CloudWatch Logs group for the RDS Instance. Save the changes to implement the new settings.", + "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_LogAccess.Concepts.html#USER_LogAccess.Procedural.Enabling", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Configuring.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass AWS RDS-Instanzen CloudWatch-Protokolle aktiviert haben", + "risk": "Das Fehlen von CloudWatch-Protokollen für RDS-Instanzen begrenzt die Sichtbarkeit wichtiger Leistungs- oder Sicherheitsmetriken, was potenziell betriebliche Probleme oder Bedrohungen verbirgt. Es erschwert auch die Aufgabe der Problembehandlung erheblich.", + "remediation": "Navigieren Sie zur Konfiguration der RDS-Instanz und klicken Sie auf 'Ändern'. Aktivieren Sie 'CloudWatch-Protokollierungen exportieren' und geben Sie die CloudWatch-Protokollgruppe für die RDS-Instanz an. Speichern Sie die Änderungen, um die neuen Einstellungen zu implementieren." 
+ }
+ }
+ },
+ {
+ "name": "no_public_access",
+ "title": "Ensure That All Amazon RDS Instances Are Secured from Public Access",
+ "result_kinds": [
+ "aws_rds_instance"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Granting public access to databases exposes sensitive information, making the system vulnerable to malicious attacks and data breaches.",
+ "severity": "critical",
+ "detect": {
+ "fix": "is(aws_rds_instance) and db_publicly_accessible==true"
+ },
+ "remediation": {
+ "text": "Ensure that each Amazon RDS instance is properly configured to disallow public access. Use options group and DB parameter group settings to enforce this configuration.",
+ "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Configuring.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_RDS_Security.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass alle Amazon RDS-Instanzen vor öffentlichem Zugriff geschützt sind.",
+ "risk": "Das Gewähren öffentlichen Zugriffs auf Datenbanken stellt sensible Informationen bloß und macht das System anfällig für bösartige Angriffe und Datenverstöße.",
+ "remediation": "Stellen Sie sicher, dass jede Amazon RDS-Instanz ordnungsgemäß konfiguriert ist, um öffentlichen Zugriff zu verhindern. Verwenden Sie Optionsgruppen- und DB-Parametergruppeneinstellungen, um diese Konfiguration durchzusetzen."
+ }
+ }
+ },
+ {
+ "name": "snapshot_not_public",
+ "title": "Ensure That Amazon RDS Snapshots Are Not Publicly Available",
+ "result_kinds": [
+ "aws_rds_cluster_snapshot",
+ "aws_rds_snapshot"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If RDS snapshots are publicly available, sensitive data may be exposed, increasing the risk of data breach and non-compliance with data privacy regulations.",
+ "severity": "critical",
+ "detect": {
+ "fix": "is(aws_rds_cluster_snapshot, aws_rds_snapshot) and rds_attributes.restore[*]==\"all\""
+ },
+ "remediation": {
+ "text": "To remediate, disable public availability for all RDS snapshots. Ensure that only necessary and authorized AWS accounts have snapshot sharing permissions.",
+ "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ShareSnapshot.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Amazon RDS-Snapshots nicht öffentlich verfügbar sind",
+ "risk": "Wenn RDS-Snapshots öffentlich verfügbar sind, können sensible Daten offengelegt werden, was das Risiko eines Datenlecks und Verstöße gegen Datenschutzbestimmungen erhöht.",
+ "remediation": "Um das Problem zu beheben, deaktivieren Sie die öffentliche Verfügbarkeit für alle RDS-Snapshots. Stellen Sie sicher, dass nur notwendige und autorisierte AWS-Konten Berechtigungen zum Freigeben von Snapshots haben."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_redshift.json b/fixcompliance/data/checks/aws/aws_redshift.json
new file mode 100644
index 0000000..5184b98
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_redshift.json
@@ -0,0 +1,93 @@
+{
+ "provider": "aws",
+ "service": "redshift",
+ "checks": [
+ {
+ "name": "cluster_audit_logging_enabled",
+ "title": "Ensure Cluster Audit Logging Is Enabled for Optimal Compliance and Incident Investigation",
+ "result_kinds": [
+ "aws_redshift_cluster"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable cluster audit logging in Amazon Redshift could compromise security by not providing a detailed record of database activities. This could affect effective monitoring, incident investigation, and compliance.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_redshift_cluster) and redshift_logging_status.logging_enabled=false"
+ },
+ "remediation": {
+ "text": "To enable audit logging, go to 'Cluster details' tab -> click 'Modify'. Next, under 'Audit logging', enable or adjust the settings as needed, then save the changes.",
+ "url": "https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing-console.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/redshift/latest/mgmt/db-auditing.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Audit-Protokollierung für den Cluster aktiviert ist, um optimale Compliance und Untersuchung von Vorfällen zu gewährleisten",
+ "risk": "Die Nichtaktivierung der Audit-Protokollierung für den Cluster in Amazon Redshift kann die Sicherheit gefährden, indem keine detaillierte Aufzeichnung der Datenbankaktivitäten bereitgestellt wird. Dies kann sich auf die wirksame Überwachung, Untersuchung von Vorfällen und Compliance auswirken.",
+ "remediation": "Um die Audit-Protokollierung zu aktivieren, gehen Sie zum Tab 'Clusterdetails' -> Klicken Sie auf 'Ändern'. Aktivieren oder passen Sie unter 'Audit-Protokollierung' die Einstellungen nach Bedarf an und speichern Sie die Änderungen."
+ }
+ }
+ },
+ {
+ "name": "cluster_publicly_accessible",
+ "title": "Ensure Redshift Clusters Are Not Publicly Accessible",
+ "result_kinds": [
+ "aws_redshift_cluster"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Having Redshift clusters publicly accessible can lead to unauthorized access and potential data breaches. This exposes sensitive data and risks noncompliance with industry regulations.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_redshift_cluster) and redshift_publicly_accessible=true and redshift_endpoint.address!=null"
+ },
+ "remediation": {
+ "text": "Identify all publicly accessible Redshift clusters. For each cluster, review the necessity of public accessibility. If unjustified, revise the settings by disallowing public access to enhance security.",
+ "url": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-console.html#modify-cluster-access",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html",
+ "localizations": {
+ "de": {
+ "title": "Redshift-Cluster dürfen nicht öffentlich erreichbar sein",
+ "risk": "Öffentlich erreichbare Redshift-Cluster können zu unbefugtem Zugriff und potenziellen Datenlecks führen. Dadurch werden sensible Daten offengelegt und es besteht das Risiko der Nichtkonformität mit branchenspezifischen Vorschriften.",
+ "remediation": "Ermitteln Sie alle öffentlich zugänglichen Redshift-Cluster. Überprüfen Sie für jeden Cluster die Notwendigkeit der öffentlichen Erreichbarkeit. Wenn nicht gerechtfertigt, ändern Sie die Einstellungen, um den öffentlichen Zugriff zu untersagen und die Sicherheit zu verbessern."
+ }
+ }
+ },
+ {
+ "name": "version_upgrade_enabled",
+ "title": "Ensure Automatic Upgrades Are Enabled for Redshift Clusters",
+ "result_kinds": [
+ "aws_redshift_cluster"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Disabling automatic upgrades for Redshift clusters exposes them to security vulnerabilities due to outdated versions, potentially leading to data breaches and non-compliance with regulations.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_redshift_cluster) and redshift_allow_version_upgrade=false"
+ },
+ "remediation": {
+ "text": "To mitigate this risk, enable automatic upgrades in the AWS Management Console under the 'Maintenance' tab for each Redshift cluster. This ensures that your Redshift clusters are always operating on the latest, security patch included, version.",
+ "url": "https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html#rs-maintenance-settings",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass automatische Upgrades für Redshift-Cluster aktiviert sind",
+ "risk": "Das Deaktivieren automatischer Upgrades für Redshift-Cluster macht sie anfällig für Sicherheitslücken aufgrund veralteter Versionen und kann zu Datenverstößen und Nichteinhaltung von Vorschriften führen.",
+ "remediation": "Um dieses Risiko zu minimieren, aktivieren Sie automatische Upgrades in der AWS Management Console im 'Maintenance'-Tab für jeden Redshift-Cluster. Dadurch gewährleisten Sie, dass Ihre Redshift-Cluster immer mit der neuesten Version, einschließlich Sicherheitspatches, betrieben werden."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_route53.json b/fixcompliance/data/checks/aws/aws_route53.json
new file mode 100644
index 0000000..fd0065c
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_route53.json
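Review bot: The top-level `url` of `version_upgrade_enabled` points at `managing-clusters-vpc.html`, the same VPC page `cluster_publicly_accessible` links, although this check is about maintenance and version upgrades; the matching reference is already present as its `remediation.url` (`working-with-clusters.html#rs-maintenance-settings`) and should be the check's `url` as well. As a point of style, all three Redshift `detect.fix` expressions compare with a single `=` (`redshift_logging_status.logging_enabled=false`, `redshift_publicly_accessible=true`, `redshift_allow_version_upgrade=false`) whereas the RDS, Route 53 and S3 files in this commit write `==`. If the query language accepts both spellings as equality, the data set should still settle on one form so that reviewers can grep for it; if it does not, these three checks would match nothing and the Redshift clusters would never produce a finding.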
@@ -0,0 +1,35 @@
+{
+ "provider": "aws",
+ "service": "route53",
+ "checks": [
+ {
+ "name": "zone_query_logging_enabled",
+ "title": "Ensure Activation of DNS Query Logging in Route 53 for Enhanced Monitoring and Security",
+ "result_kinds": [
+ "aws_route53_zone"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Not enabling query logging in Route 53 zones can obscure visibility into DNS query traffic, making it difficult to detect unusual patterns or malicious activities. Such a lack of visibility increases the risk of undetected security threats and hampers incident response efforts, potentially leading to prolonged exposure to cyber attacks or misuse.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_route53_zone) and zone_logging_config==null"
+ },
+ "remediation": {
+ "text": "To enable query logging, navigate to the Route 53 console, select the desired hosted zone, and go to the Query logging tab. Click on 'Configure query logging', then choose a log destination (CloudWatch Logs, S3, or Kinesis Data Firehose) and configure the necessary settings. Ensure that the chosen logging service has the necessary permissions to receive logs. Finally, confirm and save your settings to start logging DNS queries.",
+ "url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/query-logs.html",
+ "localizations": {
+ "de": {
+ "title": "Aktivierung der DNS-Abfrageprotokollierung in Route 53 zur Verbesserung der Überwachung und Sicherheit gewährleisten",
+ "risk": "Die Nichtaktivierung der Abfrageprotokollierung in Route 53-Zonen kann die Sichtbarkeit des DNS-Abfrageverkehrs beeinträchtigen und es schwierig machen, ungewöhnliche Muster oder bösartige Aktivitäten zu erkennen. Ein Mangel an Sichtbarkeit erhöht das Risiko unentdeckter Sicherheitsbedrohungen und behindert die Reaktion auf Vorfälle.
Dadurch kann es zu einer längeren Exposition gegenüber Cyberangriffen oder Missbrauch kommen.",
+ "remediation": "Um die Abfrageprotokollierung zu aktivieren, gehen Sie zur Route 53-Konsole, wählen Sie die gewünschte gehostete Zone aus und wechseln Sie zum Tab 'Abfrageprotokollierung'. Klicken Sie auf 'Abfrageprotokollierung konfigurieren' und wählen Sie dann ein Protokollziel (CloudWatch Logs, S3 oder Kinesis Data Firehose) aus und konfigurieren Sie die erforderlichen Einstellungen. Stellen Sie sicher, dass der ausgewählte Protokolldienst die erforderlichen Berechtigungen zum Empfangen von Protokollen hat. Bestätigen und speichern Sie abschließend Ihre Einstellungen, um die Protokollierung der DNS-Abfragen zu starten."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_s3.json b/fixcompliance/data/checks/aws/aws_s3.json
new file mode 100644
index 0000000..4947f92
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_s3.json
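Review bot: The remediation text of `zone_query_logging_enabled` (and its German localization) lists S3 and Kinesis Data Firehose as log destinations, but query logging configured on a hosted zone, which is what `zone_logging_config` on `aws_route53_zone` describes, can only deliver to a CloudWatch Logs log group; S3 and Firehose are destinations of Route 53 Resolver query logging, a separate VPC-scoped feature. The sentence should read `Click on 'Configure query logging', choose the CloudWatch Logs log group that will receive the logs, and grant Route 53 permission to write to it.` Hosted-zone query logging is also only offered for public hosted zones, so `is(aws_route53_zone) and zone_logging_config==null` will report every private hosted zone as a finding that cannot be remediated; if the resource model carries the zone's private-zone flag, the detect expression should exclude private zones.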
@@ -0,0 +1,242 @@
+{
+ "provider": "aws",
+ "service": "s3",
+ "checks": [
+ {
+ "name": "bucket_default_encryption",
+ "title": "Ensure S3 Buckets Have Default Encryption (SSE) Enabled or Use a Bucket Policy to Enforce It",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If the issue is not solved, there is a risk of data-at-rest being unencrypted, which can pose a threat to the confidentiality and integrity of stored objects.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_s3_bucket) and bucket_encryption_rules[*].{sse_algorithm==null}"
+ },
+ "remediation": {
+ "action": {
+ "aws_cli": "aws s3api put-bucket-encryption --bucket {{name}} --server-side-encryption-configuration '{'Rules': [{'ApplyServerSideEncryptionByDefault': {'SSEAlgorithm': 'AES256'}}]}'"
+ },
+ "text": "To fix the issue, ensure that S3 buckets have encryption at rest enabled using default encryption (SSE) or enforcing it through a bucket policy.",
+ "url": "https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass S3-Buckets standardmäßige Verschlüsselung (SSE) aktiviert haben oder erzwingen Sie dies über eine Bucket-Richtlinie",
+ "risk": "Wenn das Problem nicht gelöst wird, besteht die Gefahr, dass Daten im Ruhezustand unverschlüsselt sind, was eine Bedrohung für die Vertraulichkeit und Integrität der gespeicherten Objekte darstellen kann.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass S3-Buckets die Verschlüsselung im Ruhezustand aktiviert haben, indem Sie die standardmäßige Verschlüsselung (SSE) verwenden oder sie über eine Bucket-Richtlinie erzwingen."
+ }
+ }
+ },
+ {
+ "name": "bucket_no_mfa_delete",
+ "title": "Ensure S3 Bucket MFA Delete Is Enabled",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without enabling MFA Delete for an S3 bucket, your security credentials are at risk of being compromised, and unauthorized access may be granted.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_s3_bucket) and bucket_versioning=true and bucket_mfa_delete=false"
+ },
+ "remediation": {
+ "action": {
+ "aws_cli": "aws s3api put-bucket-versioning --bucket {{name}} --versioning-configuration MFADelete=Enabled --mfa 'arn:aws:iam::00000000:mfa/root-account-mfa-device 123456'"
+ },
+ "text": "To enhance the security of your S3 bucket, enable MFA delete. This requires additional authentication when changing the version state of your bucket or deleting an object version, adding an extra layer of security in case your security credentials are compromised or unauthorized access is granted.",
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Sicherstellen, dass MFA Delete für den S3-Bucket aktiviert ist.",
+ "risk": "Ohne die Aktivierung von MFA Delete für einen S3-Bucket sind Ihre Sicherheitsanmeldedaten gefährdet und es besteht die Möglichkeit einer unbefugten Zugriffsgewährung.",
+ "remediation": "Aktivieren Sie MFA Delete für Ihren S3-Bucket, um die Sicherheit zu verbessern. Dadurch ist bei Änderungen des Versionierungsstatus des Buckets oder beim Löschen einer Objektversion eine zusätzliche Authentifizierung erforderlich. Dadurch wird eine zusätzliche Sicherheitsebene hinzugefügt, falls Ihre Sicherheitsanmeldedaten gefährdet sind oder unbefugter Zugriff gewährt wird."
+ }
+ }
+ },
+ {
+ "name": "bucket_secure_transport_policy",
+ "title": "Ensure S3 Buckets Have Secure Transport Policy",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Without enforcing HTTPS on the bucket policy, communication between clients and S3 buckets may use unencrypted HTTP, posing a risk of transmitting sensitive information in clear text over the network or internet.",
+ "severity": "medium",
+ "detect": {
+ "fix_cmd": "search is(aws_s3_bucket) | jq --no-rewrite 'if (.reported.bucket_policy==null) then [.] elif any(.reported.bucket_policy.Statement[]?; .Effect? ==\"Deny\" and (.Action? == \"s3:*\" or .Action? == \"*\") and .Condition?.Bool?.\"aws:SecureTransport\"?==\"false\") then [] else [.] end' | flatten"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that S3 buckets have encryption in transit enabled to enforce secure communication.",
+ "url": "https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/",
+ "complexity": "low"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass S3-Buckets über eine sichere Transportrichtlinie verfügen.",
+ "risk": "Ohne die Durchsetzung von HTTPS in der Bucket-Richtlinie kann die Kommunikation zwischen Clients und S3-Buckets unverschlüsseltes HTTP verwenden. Dies birgt das Risiko, dass sensible Informationen im Klartext über das Netzwerk oder das Internet übertragen werden.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass S3-Buckets die Verschlüsselung während der Übertragung aktiviert haben, um eine sichere Kommunikation durchzusetzen."
+ }
+ }
+ },
+ {
+ "name": "macie_is_enabled",
+ "title": "Ensure Amazon Macie Is Enabled",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If Amazon Macie is not enabled, sensitive data in AWS may be at risk of unauthorized access or exposure.
Amazon Macie provides automated sensitive data discovery and helps protect sensitive data by using machine learning and pattern matching.",
+ "severity": "medium",
+ "detect": {
+ "manual": "Check if Amazon Macie is enabled."
+ },
+ "remediation": {
+ "text": "To fix this issue, enable Amazon Macie in the AWS Management Console and create appropriate jobs to discover and protect sensitive data.",
+ "url": "https://aws.amazon.com/macie/getting-started/",
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass Amazon Macie aktiviert ist",
+ "risk": "Wenn Amazon Macie nicht aktiviert ist, kann sensibler Datenbestand in AWS einem unbefugten Zugriff oder einer Offenlegung ausgesetzt sein. Amazon Macie bietet automatisierte Erkennung sensibler Daten und schützt diese durch den Einsatz von maschinellem Lernen und Mustererkennung.",
+ "remediation": "Um dieses Problem zu beheben, aktivieren Sie Amazon Macie in der AWS Management Console und erstellen Sie entsprechende Aufträge zur Erkennung und zum Schutz sensibler Daten."
+ }
+ }
+ },
+ {
+ "name": "bucket_policy_public_write_access",
+ "title": "Ensure S3 Buckets Do Not Have Policies That Allow Public Write Access",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "If the issue is not solved, non-intended users can put objects in a given bucket, leading to unauthorized data modifications or leaks.",
+ "severity": "critical",
+ "detect": {
+ "fix": "is(aws_s3_bucket) and bucket_policy!=null and bucket_public_access_block_configuration.restrict_public_buckets==false"
+ },
+ "remediation": {
+ "text": "To fix the issue, ensure that a proper bucket policy is in place with the principle of least privilege applied.",
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html",
+ "complexity": "medium"
+ },
+ "url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html",
+ "localizations": {
+ "de": {
+ "title": "Sicherstellen, dass S3 Buckets keine Richtlinien haben, die öffentlichen Schreibzugriff erlauben.",
+ "risk": "Wenn das Problem nicht behoben wird, können nicht beabsichtigte Benutzer Objekte in einen bestimmten Bucket ablegen, was zu unbefugten Datenänderungen oder Lecks führen kann.",
+ "remediation": "Um das Problem zu beheben, stellen Sie sicher, dass eine angemessene Bucket-Richtlinie mit dem Prinzip des geringsten Privilegs vorhanden ist."
+ }
+ }
+ },
+ {
+ "name": "account_level_public_access_blocks",
+ "title": "Ensure S3 Account Level Public Access Block Is Enabled",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable the S3 Account Level Public Access Block may lead to potential unauthorized access to sensitive data stored in S3 buckets.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_s3_bucket) {account_setting: <-[0:]- is(aws_account) --> is(aws_s3_account_settings)} (bucket_public_access_block_configuration.block_public_acls==false and account_setting.reported.bucket_public_access_block_configuration.block_public_acls==false) or (bucket_public_access_block_configuration.ignore_public_acls==false and account_setting.reported.bucket_public_access_block_configuration.ignore_public_acls==false) or (bucket_public_access_block_configuration.block_public_policy==false and account_setting.reported.bucket_public_access_block_configuration.block_public_policy==false) or (bucket_public_access_block_configuration.restrict_public_buckets==false and account_setting.reported.bucket_public_access_block_configuration.restrict_public_buckets==false)"
+ },
+ "remediation": {
+ "text": "To fix this issue, ensure you enable Public Access Block at the account level to prevent the exposure of your data stored in S3.
Follow the instructions in the AWS documentation.",
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
+ "action": {
+ "aws_cli": "aws s3control put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true --account-id {{account_id}}"
+ },
+ "complexity": "medium"
+ },
+ "localizations": {
+ "de": {
+ "title": "Sicherstellen, dass der S3 Account Level Public Access Block aktiviert ist",
+ "risk": "Das Versäumnis, den S3 Account Level Public Access Block zu aktivieren, kann zu potenziell unbefugtem Zugriff auf sensible Daten führen, die in S3 Buckets gespeichert sind.",
+ "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass Sie den Public Access Block auf Kontenebene aktivieren, um die Offenlegung Ihrer in S3 gespeicherten Daten zu verhindern. Befolgen Sie die Anweisungen in der AWS-Dokumentation."
+ }
+ }
+ },
+ {
+ "name": "public_bucket",
+ "title": "Ensure S3 Buckets Are Not Made Public",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to secure S3 buckets can lead to unauthorized access and potential security breaches in operations.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_s3_bucket) and bucket_public_access_block_configuration.{block_public_acls!=true or ignore_public_acls!=true or block_public_policy!=true or restrict_public_buckets!=true} or bucket_acl.grants[*].{permission in [READ, READ_ACP] and grantee.uri==\"http://acs.amazonaws.com/groups/global/AllUsers\"}"
+ },
+ "remediation": {
+ "text": "To fix this issue, update the S3 bucket configurations to disable public settings and ensure bucket policies do not grant all permissions.",
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
+ "complexity": "medium"
+ },
+ "url":
"https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html",
+ "localizations": {
+ "de": {
+ "title": "Stelle sicher, dass S3-Buckets nicht öffentlich zugänglich sind",
+ "risk": "Die fehlende Absicherung von S3-Buckets kann unberechtigten Zugriff ermöglichen und potenzielle Sicherheitsverstöße in den Betriebsabläufen verursachen.",
+ "remediation": "Um dieses Problem zu beheben, aktualisiere die Konfiguration des S3-Buckets, um öffentliche Einstellungen zu deaktivieren und sicherzustellen, dass Bucket-Richtlinien keine umfassenden Berechtigungen gewähren."
+ }
+ }
+ },
+ {
+ "name": "bucket_object_logging_enabled",
+ "title": "Ensure S3 Bucket Object Logging Is Enabled to Aid in Identifying Security Breaches with AWS S3",
+ "result_kinds": [
+ "aws_s3_bucket"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Enabling S3 bucket object logging is crucial for security and compliance, as it provides audit trails for access and modifications to objects, aiding in identifying unauthorized access or data breaches.",
+ "severity": "high",
+ "detect": {
+ "fix": "is(aws_s3_bucket) and bucket_logging==null"
+ },
+ "remediation": {
+ "text": "To fix the issue, select 'Edit', choose a target bucket for the logs, set a prefix if desired, and save the changes.",
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html",
+ "complexity": "low"
+ },
+ "url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Protokollierung von Objekten in S3-Buckets aktiviert ist, um bei AWS S3-Sicherheitsverstößen zu helfen",
+ "risk": "Die Aktivierung der Protokollierung von Objekten in S3-Buckets ist für die Sicherheit und Compliance entscheidend, da sie Audit Trails für den Zugriff und Änderungen an Objekten bereitstellt und hilft, unbefugten Zugriff oder Datenverstöße zu identifizieren.",
+ "remediation": "Um das
Problem zu beheben, wählen Sie 'Bearbeiten', wählen Sie einen Zielspeicherort für die Protokolle aus, legen Sie bei Bedarf einen Präfix fest und speichern Sie die Änderungen ab."
+ }
+ }
+ }
+ ]
+}
diff --git a/fixcompliance/data/checks/aws/aws_sagemaker.json b/fixcompliance/data/checks/aws/aws_sagemaker.json
new file mode 100644
index 0000000..c3af744
--- /dev/null
+++ b/fixcompliance/data/checks/aws/aws_sagemaker.json
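Review bot: The `aws_cli` action of `bucket_default_encryption` is not a runnable command: the `--server-side-encryption-configuration` value is wrapped in single quotes and uses single quotes inside, so a POSIX shell ends the quoting at `'{'` and the API receives `{Rules: [{ApplyServerSideEncryptionByDefault: {SSEAlgorithm: AES256}}]}`, which is not JSON; inside the JSON string it should be `--server-side-encryption-configuration '{\"Rules\": [{\"ApplyServerSideEncryptionByDefault\": {\"SSEAlgorithm\": \"AES256\"}}]}'`. The `aws_cli` action of `bucket_no_mfa_delete` has the same problem in a different form: `--mfa 'arn:aws:iam::00000000:mfa/root-account-mfa-device 123456'` is a literal sample serial and code where `{{name}}` shows the file's templating convention, the versioning configuration should carry `Status=Enabled` alongside `MFADelete=Enabled` as in the AWS example, and the remediation text should state that MFA Delete can only be enabled with the account's root user credentials, since that is what makes the action non-automatable. `bucket_policy_public_write_access` (`bucket_policy!=null and bucket_public_access_block_configuration.restrict_public_buckets==false`) never inspects the policy document, so every bucket that has any policy and no restrict-public-buckets setting is reported as allowing public write; the `fix_cmd` jq form used by `bucket_secure_transport_policy` shows how the `Statement[]` array can be inspected for an `Allow` effect with a wildcard principal and write actions instead. In `public_bucket`, the ACL clause only matches READ/READ_ACP grants to `AllUsers`; grants to `http://acs.amazonaws.com/groups/global/AuthenticatedUsers` (any AWS account) and WRITE/WRITE_ACP/FULL_CONTROL grants to either group are treated as public by S3 itself and belong in the same `permission in [...]` and `grantee.uri` test.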
@@ -0,0 +1,266 @@
+{
+ "provider": "aws",
+ "service": "sagemaker",
+ "checks": [
+ {
+ "name": "notebook_root_access",
+ "title": "Ensure Root Access is Disabled for SageMaker Notebooks",
+ "result_kinds": [
+ "aws_sagemaker_notebook"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Enabling root access in SageMaker notebooks can lead to security vulnerabilities, as it grants full control over the notebook environment.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_sagemaker_notebook) and notebook_root_access==Enabled"
+ },
+ "remediation": {
+ "text": "To fix this issue and enforce security best practices, disable root access for SageMaker notebooks. This can be done by configuring the RootAccess parameter to 'Disabled' in the SageMaker console or through the API.",
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/nbi-root-access-disable.html",
+ "complexity": "low"
+ },
+ "url": "https://aws.amazon.com/sagemaker/",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass der Root-Zugriff für SageMaker Notebooks deaktiviert ist",
+ "risk": "Die Aktivierung des Root-Zugriffs in SageMaker Notebooks kann zu Sicherheitslücken führen, da dadurch die vollständige Kontrolle über die Notebook-Umgebung gewährt wird.",
+ "remediation": "Um dieses Problem zu beheben und Sicherheitsbest Practices durchzusetzen, deaktivieren Sie den Root-Zugriff für SageMaker-Notebooks. Dies kann über die Konfiguration des RootAccess-Parameters auf 'Disabled' in der SageMaker-Konsole oder über die API erfolgen."
+ }
+ }
+ },
+ {
+ "name": "notebook_with_direct_internet_access",
+ "title": "Ensure SageMaker Notebooks Do Not Have Direct Internet Access",
+ "result_kinds": [
+ "aws_sagemaker_notebook"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Ensuring SageMaker notebooks do not have direct internet access is essential to mitigate security threats and prevent potential data breaches.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_sagemaker_notebook) and notebook_direct_internet_access==\"Enabled\""
+ },
+ "remediation": {
+ "text": "To fix this issue, configure SageMaker notebooks to use a VPC without direct internet access. This setup enhances network security and significantly reduces the risk of unauthorized external access.",
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-vpc-endpoint.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/notebook-interface-vpc-endpoint.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass SageMaker-Notebooks keinen direkten Internetzugang haben",
+ "risk": "Es ist von entscheidender Bedeutung, sicherzustellen, dass SageMaker-Notebooks keinen direkten Internetzugang haben, um Sicherheitsbedrohungen zu minimieren und potenzielle Datenverstöße zu verhindern.",
+ "remediation": "Um dieses Problem zu beheben, konfigurieren Sie SageMaker-Notebooks so, dass sie ein VPC ohne direkten Internetzugang verwenden. Diese Einrichtung erhöht die Netzwerksicherheit und reduziert das Risiko unbefugten externen Zugriffs erheblich."
+ }
+ }
+ },
+ {
+ "name": "model_isolation_enabled",
+ "title": "Ensure Network Isolation is Enabled for SageMaker Models",
+ "result_kinds": [
+ "aws_sagemaker_model"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Failure to enable network isolation for SageMaker models may result in unauthorized access to data or cyber attacks.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_sagemaker_model) and model_enable_network_isolation=false"
+ },
+ "remediation": {
+ "text": "To fix this issue, enable network isolation for SageMaker models to prevent unauthorized access to data and ensure data security.",
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/model-vpc-security.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/model-vpc-security.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass die Netzwerk-Isolierung für SageMaker-Modelle aktiviert ist",
+ "risk": "Die Nichtaktivierung der Netzwerk-Isolierung für SageMaker-Modelle kann zu unbefugtem Zugriff auf Daten oder Cyberangriffen führen.",
+ "remediation": "Um dieses Problem zu beheben, aktivieren Sie die Netzwerk-Isolierung für SageMaker-Modelle, um unbefugten Zugriff auf Daten zu verhindern und die Datensicherheit zu gewährleisten."
+ }
+ }
+ },
+ {
+ "name": "model_vpc_settings_enabled",
+ "title": "Ensure SageMaker Studio Classic Notebooks are Configured in a VPC",
+ "result_kinds": [
+ "aws_sagemaker_model"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Models without VPC isolation are vulnerable to unauthorized data access or cyber attacks.
Restricting traffic access by launching Studio in a Virtual Private Cloud (VPC) is crucial to ensure data security.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_sagemaker_model) and model_vpc_config.subnets in [null, []]"
+ },
+ "remediation": {
+ "text": "Connect SageMaker Studio Classic Notebooks to a Virtual Private Cloud (VPC) for external resource access. Follow the instructions in the official AWS SageMaker documentation to configure VPC settings.",
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html",
+ "complexity": "high"
+ },
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass SageMaker Studio Classic Notebooks in einem VPC konfiguriert sind",
+ "risk": "Modelle ohne VPC-Isolierung sind anfällig für unbefugten Zugriff auf Daten oder Cyberangriffe. Die Einschränkung des Netzwerkzugriffs durch das Ausführen von Studio in einem Virtual Private Cloud (VPC) ist entscheidend, um die Datensicherheit zu gewährleisten.",
+ "remediation": "Verbinden Sie SageMaker Studio Classic Notebooks mit einem Virtual Private Cloud (VPC) für den Zugriff auf externe Ressourcen. Befolgen Sie die Anweisungen in der offiziellen AWS SageMaker-Dokumentation, um VPC-Einstellungen zu konfigurieren."
+ }
+ }
+ },
+ {
+ "name": "notebook_vpc_settings_enabled",
+ "title": "Ensure VPC is Configured for SageMaker Notebook",
+ "result_kinds": [
+ "aws_sagemaker_notebook"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Using a SageMaker Notebook without VPC isolation increases the risk of unauthorized data access and cyber attacks.",
+ "severity": "medium",
+ "detect": {
+ "fix": "is(aws_sagemaker_notebook) with(empty, <-- is(aws_ec2_subnet))"
+ },
+ "remediation": {
+ "text": "To mitigate the risk, restrict the traffic that can access the SageMaker Notebook by launching it in a Virtual Private Cloud (VPC) of your choosing.",
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/studio-notebooks-and-internet-access.html",
+ "complexity": "high"
+ },
+ "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/vpc-connect-to-classic-notebook.html",
+ "localizations": {
+ "de": {
+ "title": "Stellen Sie sicher, dass VPC für SageMaker Notebook konfiguriert ist",
+ "risk": "Die Verwendung eines SageMaker Notebooks ohne VPC-Isolierung erhöht das Risiko eines unbefugten Zugriffs auf Daten und von Cyberangriffen.",
+ "remediation": "Um das Risiko zu mindern, beschränken Sie den Datenverkehr, der auf das SageMaker Notebook zugreifen kann, indem Sie es in einem Virtual Private Cloud (VPC) Ihrer Wahl starten."
+ }
+ }
+ },
+ {
+ "name": "training_job_vpc_settings_enabled",
+ "title": "Ensure VPC is Configured for SageMaker Training Jobs",
+ "result_kinds": [
+ "aws_sagemaker_training_job"
+ ],
+ "categories": [
+ "security",
+ "compliance"
+ ],
+ "risk": "Training Jobs without VPC isolation may be vulnerable to unauthorized data access or cyber attacks.
Security engineers must ensure that SageMaker training jobs are configured to use a Virtual Private Cloud (VPC) to mitigate this risk.", + "severity": "medium", + "detect": { + "fix": "is(aws_sagemaker_training_job) and training_job_enable_network_isolation=false" + }, + "remediation": { + "text": "To fix this issue, security engineers should restrict the traffic that can access SageMaker training jobs by launching them in a Virtual Private Cloud (VPC) of their choosing. This can be done by following the instructions in the AWS documentation on how to configure a VPC interface endpoint for SageMaker.", + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/interface-vpc-endpoint.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass VPC für SageMaker-Training-Jobs konfiguriert ist", + "risk": "Training-Jobs ohne VPC-Isolierung können anfällig für unbefugten Datenzugriff oder Cyberangriffe sein. Sicherheitsingenieure müssen sicherstellen, dass SageMaker-Training-Jobs so konfiguriert sind, dass sie ein Virtual Private Cloud (VPC) verwenden, um dieses Risiko zu mindern.", + "remediation": "Um dieses Problem zu beheben, sollten Sicherheitsingenieure den Datenverkehr einschränken, der auf SageMaker-Training-Jobs zugreifen kann, indem sie diese in einer von ihnen gewählten Virtual Private Cloud (VPC) starten. Dies kann durch Befolgung der Anweisungen in der AWS-Dokumentation zur Konfiguration eines VPC-Schnittstellenendpunkts für SageMaker erfolgen." + } + } + }, + { + "name": "notebook_encryption_enabled", + "title": "Ensure Encryption is Enabled for SageMaker Notebooks", + "result_kinds": [ + "aws_sagemaker_notebook" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to enable encryption for SageMaker notebooks can lead to unauthorized data access and potential data breaches. 
By utilizing KMS keys, organizations can add a critical layer of security through encryption.", + "severity": "medium", + "detect": { + "fix": "is(aws_sagemaker_notebook) with(empty, --> is(aws_kms_key))" + }, + "remediation": { + "text": "To secure data at rest, enable KMS-based encryption for SageMaker notebooks. Configure the notebooks to use AWS KMS keys for both S3 (input/output) and EBS volume encryption.", + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/encryption-at-rest.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Verschlüsselung für SageMaker Notebooks aktiviert ist", + "risk": "Die Nichtaktivierung der Verschlüsselung für SageMaker-Notebooks kann zu unbefugtem Zugriff auf Daten und potenziellen Datenverstößen führen. Durch die Verwendung von KMS-Schlüsseln können Organisationen durch Verschlüsselung eine wichtige Sicherheitsebene hinzufügen.", + "remediation": "Um Daten in Ruhe zu sichern, aktivieren Sie die KMS-basierte Verschlüsselung für SageMaker-Notebooks. Konfigurieren Sie die Notebooks so, dass sie AWS KMS-Schlüssel sowohl für die S3-(Ein-/Ausgabe-) als auch die EBS-Verschlüsselung verwenden." + } + } + }, + { + "name": "training_job_encryption_enabled", + "title": "Ensure Encryption for SageMaker Training Jobs", + "result_kinds": [ + "aws_sagemaker_training_job" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "SageMaker training jobs without encryption are vulnerable to data interception and unauthorized access. Encryption ensures data confidentiality during training processes.", + "severity": "medium", + "detect": { + "fix": "is(aws_sagemaker_training_job) and training_job_enable_inter_container_traffic_encryption=false" + }, + "remediation": { + "text": "Enable TLS 1.2 encryption for inter-container traffic in SageMaker training jobs to protect data in transit. 
This ensures secure communication between the training containers.", + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/train-vpc.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Verschlüsselung für SageMaker Training Jobs aktiviert ist", + "risk": "SageMaker Training Jobs ohne Verschlüsselung sind anfällig für Dateninterception und unbefugten Zugriff. Verschlüsselung gewährleistet die Vertraulichkeit von Daten während des Trainingsprozesses.", + "remediation": "Aktivieren Sie die TLS 1.2-Verschlüsselung für den Kommunikationsverkehr zwischen den Containern in SageMaker Training Jobs, um die Daten während der Übertragung zu schützen. Dadurch wird eine sichere Kommunikation zwischen den Training Containern gewährleistet." + } + } + }, + { + "name": "training_job_volume_encryption_enabled", + "title": "Ensure Encryption is Enabled for SageMaker Training Jobs Volumes", + "result_kinds": [ + "aws_sagemaker_training_job" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Unencrypted data poses a risk of unauthorized data access and potential data breaches. 
Utilizing KMS keys adds a critical layer of security through encryption.", + "severity": "medium", + "detect": { + "fix": "is(aws_sagemaker_training_job) and training_job_resource_config.volume_kms_key_id==null" + }, + "remediation": { + "text": "Enable volume encryption for SageMaker Training Jobs by specifying a KMS key during job creation.", + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/how-it-works.html#resources-security-network-encryption", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/sagemaker/latest/dg/how-it-works.html#resources-security-network-encryption", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die Verschlüsselung für SageMaker-Trainingsjobs-Volumes aktiviert ist", + "risk": "Unverschlüsselte Daten bergen das Risiko unbefugten Datenzugriffs und potenzieller Datenverstöße. Die Verwendung von KMS-Schlüsseln bietet eine kritische Sicherheitsebene durch Verschlüsselung.", + "remediation": "Aktivieren Sie die Volumenverschlüsselung für SageMaker-Trainingsjobs, indem Sie bei der Joberstellung einen KMS-Schlüssel angeben." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_secretsmanager.json b/fixcompliance/data/checks/aws/aws_secretsmanager.json new file mode 100644 index 0000000..cd74cdf --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_secretsmanager.json 
@@ -0,0 +1,125 @@ +{ + "provider": "aws", + "service": "secretsmanager", + "checks": [ + { + "name": "secret_rotation_enabled", + "title": "Ensure Secrets Manager Secrets Have Automatic Rotation Enabled", + "result_kinds": [ + "aws_secretsmanager_secret" + ], + "categories": [ + "compliance" + ], + "risk": "Not enabling automatic rotation for Secrets Manager secrets may lead to extended periods of active secrets and increased business impact if compromised.", + "severity": "medium", + "detect": { + "fix": "is(aws_secretsmanager_secret) and rotation_enabled==false" + }, + "remediation": { + "text": "To fix this issue, enable automatic rotation for the secret.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Secrets Manager-Geheimnisse automatisch rotiert werden", + "risk": "Das Nichtaktivieren der automatischen Rotation für Secrets Manager-Geheimnisse kann zu längeren Zeiträumen aktiver Geheimnisse führen und die geschäftlichen Auswirkungen bei Kompromittierung erhöhen.", + "remediation": "Um dieses Problem zu beheben, aktivieren Sie die automatische Rotation für das Geheimnis." 
+ } + } + }, + { + "name": "secret_not_used_90d", + "title": "Ensure No Unused Secrets in the Last 90 Days", + "result_kinds": [ + "aws_secretsmanager_secret" + ], + "categories": [ + "compliance" + ], + "risk": "If not solved, there is a risk of potential unauthorized access, lack of tracking or auditing, non-compliance with data retention policies, and increased exposure time for potential breaches.", + "severity": "medium", + "detect": { + "fix": "is(aws_secretsmanager_secret) and last_accessed_date < {{secret_too_old_age.ago}}" + }, + "default_values": { + "secret_too_old_age": "90d" + }, + "remediation": { + "text": "To fix the issue, retrieve the details of a secret and view the LastAccessedDate to identify unused secrets.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass in den letzten 90 Tagen keine ungenutzten Secrets vorhanden sind", + "risk": "Wenn nicht behoben, besteht die Gefahr eines potenziellen unbefugten Zugriffs, fehlender Verfolgung oder Auditierung, Nichtkonformität mit Datenaufbewahrungsrichtlinien und verlängerter Expositionsdauer für potenzielle Sicherheitsverletzungen.", + "remediation": "Um das Problem zu beheben, rufen Sie die Details eines Secrets ab und überprüfen Sie das LastAccessedDate, um ungenutzte Secrets zu identifizieren." 
+ } + } + }, + { + "name": "secret_not_changed_90d", + "title": "Ensure Secrets Are Rotated Every 90 Days", + "result_kinds": [ + "aws_secretsmanager_secret" + ], + "categories": [ + "compliance" + ], + "risk": "If secrets are not changed in the last 90 days, it indicates that they are no longer in use and can be removed.", + "severity": "medium", + "detect": { + "fix": "is(aws_secretsmanager_secret) and last_changed_date<{{secret_too_old_age.ago}}" + }, + "default_values": { + "secret_too_old_age": "90d" + }, + "remediation": { + "text": "Set up automated or manual remediation to rotate old/expired credentials.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Geheimnisse alle 90 Tage geändert werden", + "risk": "Wenn Geheimnisse in den letzten 90 Tagen nicht geändert wurden, deutet dies darauf hin, dass sie nicht mehr verwendet werden und entfernt werden können.", + "remediation": "Richten Sie automatisierte oder manuelle Maßnahmen ein, um alte/abgelaufene Berechtigungen zu ändern." + } + } + }, + { + "name": "secret_rotated_as_scheduled", + "title": "Ensure Secrets Rotation Is Error-Free and Timely", + "result_kinds": [ + "aws_account" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Failure to solve this issue may result in errors or issues with secrets rotation, compromising the security and compliance of the AWS cloud infrastructure.", + "severity": "medium", + "detect": { + "manual": "To verify if secrets are being rotated manually, use the AWS Secrets CLI to describe Secrets and check the LastRotatedDate for any issues with manual/automatic rotation." 
+ }, + "remediation": { + "text": "Retrieve the details of a secret using the DescribeSecret API call to view the LastRotatedDate and assess if any corrective action is required.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html", + "complexity": "medium" + }, + "url": "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DescribeSecret.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die regelmäßige Rotation von Geheimnissen fehlerfrei und rechtzeitig erfolgt", + "risk": "Das Nichtbeheben dieses Problems kann zu Fehlern oder Problemen bei der Rotation von Geheimnissen führen und die Sicherheit und Compliance der AWS-Cloudinfrastruktur gefährden.", + "remediation": "Rufen Sie die Details eines Geheimnisses über den API-Aufruf DescribeSecret ab, um das LastRotatedDate anzuzeigen und zu prüfen, ob Maßnahmen erforderlich sind." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_sns.json b/fixcompliance/data/checks/aws/aws_sns.json new file mode 100644 index 0000000..830793a --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_sns.json 
@@ -0,0 +1,35 @@ +{ + "provider": "aws", + "service": "sns", + "checks": [ + { + "name": "encryption_at_rest_enabled", + "title": "Ensure That Amazon SNS Topics Are Encrypted at Rest Using KMS CMKs", + "result_kinds": [ + "aws_sns_topic" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If encryption at rest is not enabled, sensitive information may be at risk of unauthorized access. A failure to protect this data can lead to potential security breaches and non-compliance with data privacy regulations.", + "severity": "medium", + "detect": { + "fix": "is(aws_sns_topic) with(empty, --> is(aws_kms_key))" + }, + "remediation": { + "text": "Activate Encryption at Rest using KMS CMKs for Amazon SNS topics. Opt for CMKs for superior management and privacy controls. This will protect messages stored at rest in SNS topics with keys managed in AWS Key Management Service.", + "url": "https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass Amazon SNS-Themen mit KMS-CMKs verschlüsselt sind", + "risk": "Wenn die Verschlüsselung ruhender Daten nicht aktiviert ist, können sensible Informationen einem unbefugten Zugriff ausgesetzt sein. Ein Versäumnis beim Schutz dieser Daten kann zu potenziellen Sicherheitsverletzungen und Datenschutzverstößen führen.", + "remediation": "Aktivieren Sie die Verschlüsselung ruhender Daten mit KMS-CMKs für Amazon SNS-Themen. Entscheiden Sie sich für CMKs, um eine überlegene Verwaltung und Datenschutzkontrollen zu gewährleisten. Dadurch werden Nachrichten, die in SNS-Themen gespeichert sind, mit in AWS Key Management Service verwalteten Schlüsseln geschützt." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_sqs.json b/fixcompliance/data/checks/aws/aws_sqs.json new file mode 100644 index 0000000..9e96995 --- /dev/null 
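Review bot: The title promises "Encrypted at Rest Using KMS CMKs" but the detect `is(aws_sns_topic) with(empty, --> is(aws_kms_key))` only requires that some KMS key is linked to the topic; if the collector models the AWS-managed `alias/aws/sns` key as an `aws_kms_key` node, a topic using it passes although it is not customer-managed, and if it does not, such a topic is reported as unencrypted — either way the result does not match the title. Either narrow the title and `risk` to "encrypted at rest with a KMS key" (which is what the query actually proves) or, if the key node carries the key-manager attribute, extend the query to require a customer-managed key. The German title should follow whichever wording is chosen.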
+++ b/fixcompliance/data/checks/aws/aws_sqs.json @@ -0,0 +1,35 @@ +{ + "provider": "aws", + "service": "sqs", + "checks": [ + { + "name": "server_side_encryption_enabled", + "title": "Ensure That Server-Side Encryption Is Enabled for SQS Queues", + "result_kinds": [ + "aws_sqs_queue" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If server-side encryption is not enabled for SQS queues, sensitive information in transit could be compromised. This leads to risks of data leakage, breach of compliance regulations, and potential damage to the organization's reputation.", + "severity": "medium", + "detect": { + "fix": "is(aws_sqs_queue) and sqs_managed_sse_enabled==false and sqs_kms_master_key_id==null" + }, + "remediation": { + "text": "To mitigate this risk, ensure server-side encryption is turned on for all Amazon SQS queues. If possible, leverage a Customer Master Key (CMK) for enhanced management and privacy benefits.", + "url": "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-sse-existing-queue.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass die serverseitige Verschlüsselung für SQS-Warteschlangen aktiviert ist", + "risk": "Wenn die serverseitige Verschlüsselung für SQS-Warteschlangen nicht aktiviert ist, kann vertrauliche Information während der Übertragung kompromittiert werden. Dadurch besteht das Risiko von Datenlecks, Verstößen gegen Compliance-Vorschriften und potenziellem Schaden für den Ruf der Organisation.", + "remediation": "Um dieses Risiko zu minimieren, stellen Sie sicher, dass die serverseitige Verschlüsselung für alle Amazon SQS-Warteschlangen aktiviert ist. Nutzen Sie falls möglich einen Kundenschlüssel (CMK) für verbessertes Management und mehr Privatsphäre." + } + } + } + ] +} 
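Review bot: The `risk` text says unencrypted queues expose "sensitive information in transit", but SQS server-side encryption protects messages stored at rest in the queue; transport protection is governed by TLS and the `aws:SecureTransport` policy condition, not by SSE, so the sentence misstates what this control covers. Suggested: `"risk": "Without server-side encryption, messages are stored in the queue in plaintext, so anyone who can read the queue's storage or a backup obtains the payload; this also fails the data-at-rest requirements of most compliance frameworks."`, and the German `risk` string repeats the same "während der Übertragung" mistake. Also, `sqs_managed_sse_enabled==false and sqs_kms_master_key_id==null` silently passes a queue where `sqs_managed_sse_enabled` is unset — if the collector can leave that attribute null, `sqs_managed_sse_enabled in [null, false]` is the safer form.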
diff --git a/fixcompliance/data/checks/aws/aws_ssm.json b/fixcompliance/data/checks/aws/aws_ssm.json new file mode 100644 index 0000000..cd759cd --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_ssm.json 
@@ -0,0 +1,126 @@ +{ + "provider": "aws", + "service": "ssm", + "checks": [ + { + "name": "managed_instance_compliance_patch_compliant", + "title": "Ensure Managed EC2 Instances Adhere to SSM Patch Manager Policies", + "result_kinds": [ + "aws_ec2_instance" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If EC2 instances are not configured with SSM Patch Manager, they might miss crucial security patches and updates. This lack of patching can lead to potential security vulnerabilities and non-compliance with security standards.", + "severity": "medium", + "detect": { + "manual": "Navigate to AWS System Manager -> Patch Manager to verify the configuration." + }, + "remediation": { + "text": "To address this issue, ensure that all EC2 instances are under the SSM Patch Manager policy. Set up patching operations using the AWS Systems Manager's Quick Setup feature. This configuration provides centralized control over patching operations and enables automatic patch application.", + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-create-a-patch-policy.html", + "complexity": "high" + }, + "source": "saad", + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-configure.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass verwaltete EC2-Instanzen den Richtlinien des SSM Patch Managers entsprechen", + "risk": "Wenn EC2-Instanzen nicht mit dem SSM Patch Manager konfiguriert sind, können wichtige Sicherheitspatches und Updates verpasst werden. Dieses Fehlen von Patches kann zu potenziellen Sicherheitslücken und Nichteinhaltung von Sicherheitsstandards führen.", + "remediation": "Um dieses Problem zu beheben, stellen Sie sicher, dass alle EC2-Instanzen unter der SSM Patch Manager-Richtlinie stehen. Richten Sie Patching-Operationen mit der Quick Setup-Funktion des AWS Systems Managers ein. 
Diese Konfiguration bietet eine zentrale Kontrolle über Patching-Operationen und ermöglicht die automatische Patch-Anwendung." + } + } + }, + { + "name": "no_secrets_in_content", + "title": "Ensure SSM Documents Do Not Contain Secrets", + "result_kinds": [ + "aws_ssm_document" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "If secrets get hard-coded into SSM documents, bad actors or malware could exploit these to gain lateral access to other services, thereby compromising the security of the entire AWS ecosystem.", + "severity": "medium", + "detect": { + "fix_cmd": "search is(aws_ssm_document) and content!=null | detect-secrets --path content --with-secrets" + }, + "remediation": { + "text": "Utilize AWS Secrets Manager service to safely store and retrieve passwords and sensitive information. Avoid hard-coding secrets in SSM Documents.", + "url": "https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_create-basic-secret.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-secretsmanager-secret-generatesecretstring.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass SSM-Dokumente keine Geheimnisse enthalten.", + "risk": "Wenn Geheimnisse in SSM-Dokumenten fest codiert werden, können böswillige Akteure oder Malware diese ausnutzen, um seitlichen Zugriff auf andere Dienste zu erlangen und damit die Sicherheit des gesamten AWS-Ökosystems zu gefährden.", + "remediation": "Verwenden Sie den AWS Secrets Manager-Dienst, um Passwörter und sensible Informationen sicher zu speichern und abzurufen. Vermeiden Sie es, Geheimnisse in SSM-Dokumenten fest zu codieren." 
+ } + } + }, + { + "name": "document_is_shared", + "title": "Ensure that AWS Systems Manager (SSM) Documents Are Not Inappropriately or Inadvertently Shared", + "result_kinds": [ + "aws_ssm_document" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Accidental sharing of SSM Documents poses a security risk. They might contain sensitive data, tokens, or secrets that if fallen into wrong hands could lead to unauthorized access or data breaches. It’s crucial to manage this properly.", + "severity": "high", + "detect": { + "fix": "is(aws_ssm_document) and document_shared_with_accounts not in [null, []]" + }, + "remediation": { + "text": "To mitigate this risk, review the document’s contents before sharing. Enable the 'Block public sharing' feature for SSM Documents, and conform sharing only to trusted accounts via preferred AWS Region.", + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-managing-shared.html", + "complexity": "medium" + }, + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-doc-sharing.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass AWS Systems Manager (SSM)-Dokumente nicht unangemessen oder unbeabsichtigt geteilt werden.", + "risk": "Die versehentliche Weitergabe von SSM-Dokumenten birgt ein Sicherheitsrisiko. Sie könnten sensible Daten, Tokens oder Geheimnisse enthalten, die, wenn sie in die falschen Hände gelangen, zu unbefugtem Zugriff oder Datenverletzungen führen könnten. Es ist entscheidend, dies ordnungsgemäß zu verwalten.", + "remediation": "Um dieses Risiko zu mindern, überprüfen Sie den Inhalt des Dokuments, bevor Sie es teilen. Aktivieren Sie die Funktion 'Block public sharing' für SSM-Dokumente und beschränken Sie die Weitergabe nur auf vertrauenswürdige Konten über die bevorzugte AWS-Region." 
+ } + } + }, + { + "name": "resource_non_compliant", + "title": "Ensure AWS Systems Manager Compliance Across Multiple Resources", + "result_kinds": [ + "aws_ec2_instance", + "aws_dynamodb_table", + "aws_ssm_document", + "aws_s3_bucket" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Non-compliance of AWS resources (EC2, DynamoDB, SSM, S3) with AWS Systems Manager policies could expose security vulnerabilities, and incite operational inconsistencies. This could infringe regulatory compliance laws risking system integrity, data safety, and reliability.", + "severity": "high", + "detect": { + "fix": "is(aws_ssm_resource_compliance) --> is(aws_ec2_instance, aws_dynamodb_table, aws_ssm_document, aws_s3_bucket)" + }, + "remediation": { + "text": "To rectify non-compliance, identify the unmet AWS Systems Manager standards for each resource. Ensure proper setup of SSM Agent for EC2 instances, verify table settings for DynamoDB against best practices, fix S3 bucket's access controls and encryption settings. Enforce compliance policies, perform consistent audits, and leverage AWS Systems Manager automation to mend non-compliant resources.", + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-compliance.html", + "complexity": "high" + }, + "url": "https://docs.aws.amazon.com/systems-manager/latest/userguide/%system-name%.html", + "localizations": { + "de": { + "title": "Stellen Sie die AWS Systems Manager-Konformität über mehrere Ressourcen sicher", + "risk": "Die Nicht-Konformität von AWS-Ressourcen (EC2, DynamoDB, SSM, S3) mit den AWS Systems Manager-Richtlinien kann Sicherheitsrisiken aufdecken und operationelle Inkonsistenzen verursachen. 
Dies könnte gegen gesetzliche Compliance-Vorschriften verstoßen und somit die Systemintegrität, Datensicherheit und Zuverlässigkeit gefährden.", + "remediation": "Um die Nicht-Konformität zu beheben, identifizieren Sie die nicht erfüllten AWS Systems Manager-Standards für jede Ressource. Stellen Sie sicher, dass der SSM-Agent für EC2-Instanzen ordnungsgemäß eingerichtet ist, überprüfen Sie die Tabelleneinstellungen für DynamoDB anhand bewährter Verfahren, beheben Sie die Zugriffskontrollen und Verschlüsselungseinstellungen für den S3-Bucket. Erzwingen Sie Konformitätsrichtlinien, führen Sie regelmäßige Audits durch und nutzen Sie die AWS Systems Manager-Automatisierung, um nicht-konforme Ressourcen zu beheben." + } + } + } + ] +} diff --git a/fixcompliance/data/checks/aws/aws_wafv2.json b/fixcompliance/data/checks/aws/aws_wafv2.json new file mode 100644 index 0000000..d80b22e --- /dev/null +++ b/fixcompliance/data/checks/aws/aws_wafv2.json 
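Review bot: The detect for `resource_non_compliant`, `is(aws_ssm_resource_compliance) --> is(aws_ec2_instance, aws_dynamodb_table, aws_ssm_document, aws_s3_bucket)`, selects every resource that has a compliance record at all and never filters on the compliance status, so compliant resources are reported as findings at severity high. The query needs a status predicate on the compliance node, along the lines of `is(aws_ssm_resource_compliance) and status=="NON_COMPLIANT" --> is(...)`, using whatever field name the collector gives that attribute. The check's `url` is also an unresolved template, `.../userguide/%system-name%.html`, and should point at the compliance guide already used in `remediation.url`. For `document_is_shared`, `document_shared_with_accounts not in [null, []]` flags every share, including deliberate org-internal ones, at severity high; if the collector preserves AWS's `All` marker for public sharing, that case deserves the high severity and account-scoped sharing a lower one.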
@@ -0,0 +1,35 @@ +{ + "provider": "aws", + "service": "wafv2", + "checks": [ + { + "name": "web_acl_logging_enabled", + "title": "Ensure That Logging Is Enabled for Every Web ACL to Improve Security Insight", + "result_kinds": [ + "aws_waf_web_acl" + ], + "categories": [ + "security", + "compliance" + ], + "risk": "Without Web ACL logging, comprehensive traffic insights, specifically the inspected and blocked requests, are lost. This absence of crucial data impedes security analysis, auditing, and the identification of threats or misconfigurations.", + "severity": "medium", + "detect": { + "fix": "is(aws_waf_web_acl) and logging_configuration==null" + }, + "remediation": { + "text": "To remedy this, navigate to the 'WAF and Shield' service in AWS, select the relevant ACL, go to 'Logging', click 'Edit' and configure logging by selecting an S3 bucket.", + "url": "https://docs.aws.amazon.com/waf/latest/developerguide/logging.html", + "complexity": "low" + }, + "url": "https://docs.aws.amazon.com/waf/latest/developerguide/logging-web-acl.html", + "localizations": { + "de": { + "title": "Stellen Sie sicher, dass für jeden Web ACL das Logging aktiviert ist, um die Sicherheitsüberwachung zu verbessern", + "risk": "Ohne Web ACL-Protokollierung gehen umfassende Einblicke in den Datenverkehr verloren, insbesondere in überprüfte und blockierte Anfragen. Das Fehlen dieser wichtigen Daten beeinträchtigt die Sicherheitsanalyse, Überprüfung und die Identifizierung von Bedrohungen oder Fehlkonfigurationen.", + "remediation": "Um dieses Problem zu beheben, navigieren Sie zum Dienst 'WAF und Shield' in AWS, wählen Sie das relevante ACL aus, gehen Sie zu 'Protokollierung', klicken Sie auf 'Bearbeiten' und konfigurieren Sie das Logging, indem Sie einen S3-Bucket auswählen." + } + } + } + ] +} diff --git a/pyproject.toml b/pyproject.toml new file mode 100644 index 0000000..2f97cad --- /dev/null +++ b/pyproject.toml 
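Review bot: The remediation text tells the reader to "configure logging by selecting an S3 bucket", but S3 is only one supported destination (CloudWatch Logs and Kinesis Data Firehose are the others) and the destination's name must start with `aws-waf-logs-` or the logging-configuration call is rejected, which is exactly the detail someone fixing this finding will trip over. Suggested: `"text": "Enable logging on the web ACL (WAF & Shield -> Web ACLs -> Logging and metrics -> Enable) and send it to a CloudWatch Logs group, Kinesis Data Firehose stream or S3 bucket whose name starts with aws-waf-logs-; restrict access to that destination, since WAF logs contain request headers and may contain sensitive query parameters."`, with the German string updated to match. Also, `result_kinds` uses `aws_waf_web_acl` while the file is `service: wafv2` — fine if that is the collector's kind name, but worth a note if the same kind also covers classic WAF ACLs, which have a different logging API.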
@@ -0,0 +1,46 @@
+[project]
+name = "fixcompliance"
+version = "0.4.1"
+authors = [{name="Some Engineering Inc."}]
+description = "Fix Inventory Compliance Benchmarks and Checks"
+license = { text="AGPLv3" }
+requires-python = ">=3.9"
+classifiers = [
+ # Current project status
+ "Development Status :: 5 - Production/Stable",
+ # Audience
+ "Intended Audience :: System Administrators",
+ "Intended Audience :: Information Technology",
+ # License information
+ "License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)",
+ # Supported python versions
+ "Programming Language :: Python :: 3.9",
+ # Supported OS's
+ "Operating System :: POSIX :: Linux",
+ "Operating System :: Unix",
+ # Extra metadata
+ "Environment :: Console",
+ "Natural Language :: English",
+ "Topic :: Security",
+ "Topic :: Utilities",
+]
+readme = {file="README.md", content-type="text/markdown"}
+
+dependencies = [
+ "setuptools",
+]
+
+[pyproject.optional-dependencies]
+test = ["pytest", "pytest-cov"]
+
+[project.scripts]
+fixcompliance = "fixcompliance.__main__:main"
+
+[project.urls]
+Documentation = "https://inventory.fix.security"
+Source = "https://github.com/someengineering/fix/tree/main/fixmetrics"
+
+[build-system]
+requires = ["setuptools>=67.8.0", "wheel>=0.40.0", "build>=0.10.0"]
+build-backend = "setuptools.build_meta"
+
diff --git a/setup.cfg b/setup.cfg
new file mode 100644
index 0000000..7ca6537
--- /dev/null
+++ b/setup.cfg
@@ -0,0 +1,7 @@
+[options]
+packages = find:
+include_package_data = True
+zip_safe = False
+
+[aliases]
+test=pytest
diff --git a/test/test_from_files.py b/test/test_from_files.py
new file mode 100644
index 0000000..811b238
--- /dev/null
+++ b/test/test_from_files.py
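Review bot: The table header `[pyproject.optional-dependencies]` is not a PEP 621 table and is ignored by the build backend, so `pip install fixcompliance[test]` installs nothing and the `test` extra does not exist; it must be `[project.optional-dependencies]`. The `Source` URL points at `.../tree/main/fixmetrics`, which looks like a copy-paste from a sibling package and should read `.../tree/main/fixcompliance`. `dependencies = ["setuptools"]` declares a runtime dependency on setuptools, which is unusual for a data package — if it is only needed at build time it is already covered by `[build-system]` and should be dropped, otherwise a comment naming the runtime use (presumably `pkg_resources` in `__init__.py`, which is outside this hunk) would justify it. `build` under `[build-system].requires` is a front-end, not a backend requirement, and can be removed as well.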
@@ -0,0 +1,13 @@
+import fixcompliance
+
+
+def test_benchmarks_from_files():
+ benchmarks = fixcompliance.benchmarks_from_files()
+ assert benchmarks
+ assert len(benchmarks) > 1
+
+
+def test_checks_from_files():
+ checks = fixcompliance.checks_from_files()
+ assert checks
+ assert len(checks) > 1
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..6979ac1
--- /dev/null
+++ b/tox.ini
@@ -0,0 +1,26 @@
+[tox]
+env_list = syntax, tests, black
+
+[flake8]
+max-line-length=120
+exclude = .git,.tox,__pycache__,.idea,.pytest_cache
+ignore=F403, F405, E722, N806, N813, E266, W503, E203
+
+[pytest]
+addopts= -rs -vv --cov=fixcompliance --cov-report html
+testpaths= test
+
+[testenv]
+usedevelop = true
+# until this is fixed: https://github.com/pypa/setuptools/issues/3518
+setenv =
+ SETUPTOOLS_ENABLE_FEATURES = legacy-editable
+
+[testenv:syntax]
+commands = flake8 --verbose
+
+[testenv:tests]
+commands= pytest
+
+[testenv:black]
+commands = black --line-length 120 --check --diff --target-version py39 .
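Review bot: Both tests only assert that more than one benchmark/check was loaded, so a malformed check — a missing `detect`, a duplicated name, or the unresolved `%system-name%` placeholder URL that appears in the SSM check file of this same commit — passes CI. Since every check in this commit carries the same fields, the test should validate them; assuming `checks_from_files()` returns the parsed JSON documents (I cannot see its implementation here), a schema test along the following lines would have caught that placeholder before merge.
```python
def test_checks_have_required_fields():
    seen = set()
    for doc in fixcompliance.checks_from_files():
        for check in doc["checks"]:
            key = (doc["provider"], doc["service"], check["name"])
            assert key not in seen, f"duplicate check {key}"
            seen.add(key)
            # exactly the three detect flavours used across the check files
            assert check["detect"].keys() & {"fix", "fix_cmd", "manual"}, key
            assert check["severity"], key
            assert "%" not in check.get("url", ""), f"unresolved placeholder in {key}"
```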
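Review bot: Neither `[testenv:syntax]` nor `[testenv:black]` declares `deps`, and `[testenv]` does not request the `test` extra, so in a clean tox environment `flake8`, `black` and `pytest-cov` (required by the `--cov` option in `addopts`) are not installed and all three environments fail unless the tools happen to be present on the host. Add `extras = test` under `[testenv]`, `deps = flake8` under `[testenv:syntax]` and `deps = black` under `[testenv:black]` so `tox` is self-contained. The `SETUPTOOLS_ENABLE_FEATURES = legacy-editable` workaround references a setuptools issue; with the `setuptools>=67.8.0` pin in pyproject it is worth re-checking whether it still applies, and the comment should state which setuptools version makes it safe to remove.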