feat(rules): Update guard policies and metadata with October and Nove…

…mber control releases (#245) ## New Controls Added - [AWS Control Tower adds additional controls](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#q3-new-controls) - [AWS Control Tower announces controls to assist digital sovereignty](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#digital-sovereignty) ## Metadata Updates - Added `Groups` property for the `digital-sovereignty` controls - Updated `SupportedRegions` property - Updated `ComplianceFrameworkMappings` property --------- Signed-off-by: github-actions <github-actions@github.com> Co-authored-by: github-actions <github-actions@github.com>
cdklabs · Dec 12, 2023 · 2a6efad · 2a6efad
1 parent c2c2cb1
commit 2a6efad
Show file tree

Hide file tree

Showing 296 changed files with 13,531 additions and 757 deletions.
diff --git a/API.md b/API.md
diff --git a/README.md b/README.md
diff --git a/rules/control-tower/cfn-guard/apigateway/ct-apigateway-pr-6.guard b/rules/control-tower/cfn-guard/apigateway/ct-apigateway-pr-6.guard
@@ -0,0 +1,98 @@
+# ###################################
+##       Rule Specification        ##
+#####################################
+# 
+# Rule Identifier:
+#   api_gw_domain_tls_check
+# 
+# Description:
+#   This control checks whether an Amazon API Gateway REST API domain name requires a minimum Transport Layer Security protocol version of TLSv1.2 by means of its security policy.
+# 
+# Reports on:
+#   AWS::ApiGateway::DomainName
+# 
+# Evaluates:
+#   AWS CloudFormation, AWS CloudFormation hook
+# 
+# Rule Parameters:
+#   None
+# 
+# Scenarios:
+#   Scenario: 1
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document does not contain any API Gateway domain name resources
+#      Then: SKIP
+#   Scenario: 2
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an API Gateway domain name resource
+#       And: 'SecurityPolicy' has been provided and set to a security policy that allows
+#            a minimum TLS protocol version earlier than TLSv1.2
+#      Then: FAIL
+#   Scenario: 3
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an API Gateway domain name resource
+#       And: 'SecurityPolicy' has not been provided
+#      Then: PASS
+#   Scenario: 4
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an API Gateway domain name resource
+#       And: 'SecurityPolicy' has been provided and set to a security policy that requires
+#            a minimum TLS protocol version of TLSv1.2
+#      Then: PASS
+
+#
+# Constants
+#
+let API_GW_DOMAIN_NAME_TYPE = "AWS::ApiGateway::DomainName"
+let ALLOWED_SECURITY_POLICIES = ["TLS_1_2"]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let api_gateway_domain_names = Resources.*[ Type == %API_GW_DOMAIN_NAME_TYPE ]
+
+#
+# Primary Rules
+#
+rule api_gw_domain_tls_check when is_cfn_template(%INPUT_DOCUMENT)
+                                  %api_gateway_domain_names not empty {
+    check(%api_gateway_domain_names.Properties)
+        <<
+        [CT.APIGATEWAY.PR.6]: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+        [FIX]: Set the value of SecurityPolicy to TLS_1_2, or to adopt the default value, do not provide a value for SecurityPolicy.
+        >>
+}
+
+rule api_gw_domain_tls_check when is_cfn_hook(%INPUT_DOCUMENT, %API_GW_DOMAIN_NAME_TYPE) {
+    check(%INPUT_DOCUMENT.%API_GW_DOMAIN_NAME_TYPE.resourceProperties)
+        <<
+        [CT.APIGATEWAY.PR.6]: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+        [FIX]: Set the value of SecurityPolicy to TLS_1_2, or to adopt the default value, do not provide a value for SecurityPolicy.
+        >>
+}
+
+#
+# Parameterized Rules
+#
+rule check(api_gateway_stage) {
+    %api_gateway_stage {
+        # Scenario 2, 3, 4
+        SecurityPolicy not exists or
+        SecurityPolicy in %ALLOWED_SECURITY_POLICIES
+    }
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+    %doc {
+        AWSTemplateFormatVersion exists  or
+        Resources exists
+    }
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+    %doc.%RESOURCE_TYPE.resourceProperties exists
+}
diff --git a/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-2.guard b/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-2.guard
@@ -0,0 +1,97 @@
+# ###################################
+##       Rule Specification        ##
+#####################################
+# 
+# Rule Identifier:
+#   appsync_api_private_visibility_check
+# 
+# Description:
+#   This control checks whether an AWS AppSync GraphQL API has been configured with private visibility.
+# 
+# Reports on:
+#   AWS::AppSync::GraphQLApi
+# 
+# Evaluates:
+#   AWS CloudFormation, AWS CloudFormation hook
+# 
+# Rule Parameters:
+#   None
+# 
+# Scenarios:
+#   Scenario: 1
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document does not contain any Appsync GraphQL API resources
+#      Then: SKIP
+#   Scenario: 2
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an Appsync GraphQL API resource
+#       And: 'Visibility' has not been provided
+#      Then: FAIL
+#   Scenario: 3
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an Appsync GraphQL API resource
+#       And: 'Visibility' has been provided and set to a value other than 'PRIVATE'
+#      Then: FAIL
+#   Scenario: 4
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an Appsync GraphQL API resource
+#       And: 'Visibility' has been provided and set to 'PRIVATE'
+#      Then: PASS
+
+#
+# Constants
+#
+let APPSYNC_GRAPHQL_API_TYPE = "AWS::AppSync::GraphQLApi"
+let ALLOWED_VISIBILITY_LEVELS = [ "PRIVATE" ]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let appsync_graphql_apis = Resources.*[ Type == %APPSYNC_GRAPHQL_API_TYPE ]
+
+#
+# Primary Rules
+#
+rule appsync_api_private_visibility_check when is_cfn_template(%INPUT_DOCUMENT)
+                                               %appsync_graphql_apis not empty {
+    check(%appsync_graphql_apis.Properties)
+        <<
+        [CT.APPSYNC.PR.2]: Require an AWS AppSync GraphQL API to be configured with private visibility
+        [FIX]: Set the Visibility property to PRIVATE.
+        >>
+}
+
+rule appsync_api_private_visibility_check when is_cfn_hook(%INPUT_DOCUMENT, %APPSYNC_GRAPHQL_API_TYPE) {
+    check(%INPUT_DOCUMENT.%APPSYNC_GRAPHQL_API_TYPE.resourceProperties)
+        <<
+        [CT.APPSYNC.PR.2]: Require an AWS AppSync GraphQL API to be configured with private visibility
+        [FIX]: Set the Visibility property to PRIVATE.
+        >>
+}
+
+#
+# Parameterized Rules
+#
+rule check(appsync_graphql_api) {
+    %appsync_graphql_api {
+        # Scenario 2
+        Visibility exists
+        # Scenarios 3 and 4
+        Visibility in %ALLOWED_VISIBILITY_LEVELS
+    }
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+    %doc {
+        AWSTemplateFormatVersion exists  or
+        Resources exists
+    }
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+    %doc.%RESOURCE_TYPE.resourceProperties exists
+}
diff --git a/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-3.guard b/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-3.guard
@@ -0,0 +1,129 @@
+# ###################################
+##       Rule Specification        ##
+#####################################
+# 
+# Rule Identifier:
+#   appsync_authorization_check
+# 
+# Description:
+#   This control checks that an AWS AppSync GraphQL API has been configured with an authentication type other than API_KEY authentication.
+# 
+# Reports on:
+#   AWS::AppSync::GraphQLApi
+# 
+# Evaluates:
+#   AWS CloudFormation, AWS CloudFormation hook
+# 
+# Rule Parameters:
+#   None
+# 
+# Scenarios:
+#   Scenario: 1
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document does not contain any AppSync GraphQL API resources
+#      Then: SKIP
+#   Scenario: 2
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an AppSync GraphQL API resource
+#       And: 'AuthenticationType' has not been provided
+#      Then: FAIL
+#   Scenario: 3
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an AppSync GraphQL API resource
+#       And: 'AuthenticationType' has been provided and is equal to 'API_KEY'
+#       And: 'AdditionalAuthenticationProviders' has not been provided or provided as an empty list
+#      Then: FAIL
+#   Scenario: 4
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an AppSync GraphQL API resource
+#       And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+#       And: 'AdditionalAuthenticationProviders' has been provided as a non-empty list
+#       And: An entry in 'AdditionalAuthenticationProviders' has 'AuthenticationType' equal to 'API_KEY'
+#      Then: FAIL
+#   Scenario: 5
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an AppSync GraphQL API resource
+#       And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+#       And: 'AdditionalAuthenticationProviders' has not been provided or provided as an empty list
+#      Then: PASS
+#   Scenario: 6
+#     Given: The input document is an AWS CloudFormation or CloudFormation hook document
+#       And: The input document contains an AppSync GraphQL API resource
+#       And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+#       And: 'AdditionalAuthenticationProviders' has been provided as a non-empty list
+#       And: No entries in 'AdditionalAuthenticationProviders' have 'AuthenticationType' equal to 'API_KEY'
+#      Then: PASS
+
+#
+# Constants
+#
+let APPSYNC_GRAPHQL_API_TYPE = "AWS::AppSync::GraphQLApi"
+let DISALLOWED_AUTHORIZATION_TYPES = [ "API_KEY" ]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let appsync_graphql_apis = Resources.*[ Type == %APPSYNC_GRAPHQL_API_TYPE ]
+
+#
+# Primary Rules
+#
+rule appsync_authorization_check when is_cfn_template(%INPUT_DOCUMENT)
+                                      %appsync_graphql_apis not empty {
+    check(%appsync_graphql_apis.Properties)
+        <<
+        [CT.APPSYNC.PR.3]: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+        [FIX]: Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.
+        >>
+}
+
+rule appsync_authorization_check when is_cfn_hook(%INPUT_DOCUMENT, %APPSYNC_GRAPHQL_API_TYPE) {
+    check(%INPUT_DOCUMENT.%APPSYNC_GRAPHQL_API_TYPE.resourceProperties)
+        <<
+        [CT.APPSYNC.PR.3]: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+        [FIX]: Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.
+        >>
+}
+
+#
+# Parameterized Rules
+#
+rule check(appsync_graphql_api) {
+    %appsync_graphql_api {
+        # Scenarios 2, 3 and 5
+        check_authentication_type(this)
+    }
+
+    %appsync_graphql_api [
+        AdditionalAuthenticationProviders exists
+        AdditionalAuthenticationProviders is_list
+        AdditionalAuthenticationProviders not empty
+    ] {
+        AdditionalAuthenticationProviders[*] {
+            # Scenarios 4 and 6
+            check_authentication_type(this)
+        }
+    }
+}
+
+rule check_authentication_type(appsync_configuration) {
+    %appsync_configuration {
+        AuthenticationType exists
+        AuthenticationType not in %DISALLOWED_AUTHORIZATION_TYPES
+    }
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+    %doc {
+        AWSTemplateFormatVersion exists  or
+        Resources exists
+    }
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+    %doc.%RESOURCE_TYPE.resourceProperties exists
+}