Merge pull request tenable#357 from accurics/feature/aws-serverless-r…

…egos Adds new policies/regos for AWS serverless services
devang-gaur · Oct 22, 2020 · 222bd31 · 222bd31
2 parents 4a5d34d + 54ab58d
commit 222bd31
Show file tree

Hide file tree

Showing 12 changed files with 104 additions and 3 deletions.
diff --git a/docs/policies/aws.md b/docs/policies/aws.md
@@ -86,6 +86,12 @@
 | Network Security | SNS | MEDIUM | Ensure SNS Topic is Publicly Accessible For Subscription | AWS.SNS.NS.Medium.1044 |
 
 
+### aws_apigatewayv2_api
+| Category | Resource | Severity | Description | Reference ID |
+| -------- | -------- | -------- | ----------- | ------------ |
+| AccessControl | ApiGatewayV2Api | Medium | Insecure Cross-Origin Resource Sharing Configuration allowing all domains | AWS.ApiGatewayV2Api.AccessControl.High.0630 |
+
+
 ### aws_efs_file_system
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
@@ -149,6 +155,12 @@
 | Identity and Access Management | IamPolicy | HIGH | It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 |
 
 
+### aws_apigatewayv2_stage
+| Category | Resource | Severity | Description | Reference ID |
+| -------- | -------- | -------- | ----------- | ------------ |
+| Logging | ApiGatewayV2Stage | Low | AWS API Gateway V2 Stage is missing access logs | AWS.ApiGatewayV2Stage.Logging.Low.0630 |
+
+
 ### aws_ecr_repository
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
@@ -168,6 +180,7 @@
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
 | Logging | CloudWatch | MEDIUM | App-Tier CloudWatch Log Group Retention Period | AWS.CloudWatch.Logging.Medium.0631 |
+| Encryption and Key Management | CloudWatch | HIGH | AWS CloudWatch log group is not encrypted with a KMS CMK | AWS.CloudWatch.EncryptionandKeyManagement.High.0632 |
 
 
 ### aws_ami_launch_permission
@@ -340,7 +353,9 @@
 ### aws_lambda_function
 | Category | Resource | Severity | Description | Reference ID |
 | -------- | -------- | -------- | ----------- | ------------ |
-| Logging | VPC | LOW | Lambda tracing is not enabled. | AWS.VPC.Logging.Medium.0470 |
+| Logging | LambdaFunction | Low | Lambda function doesn't not include a VPC configuration. | AWS.LambdaFunction.Logging.Low.0472 |
+| Logging | LambdaFunction | LOW | Lambda tracing is not enabled. | AWS.LambdaFunction.Logging.Low.0470 |
+| Encryption and Key Management | LambdaFunction | High | Lambda does not uses KMS CMK key to protect environment variables. | AWS.LambdaFunction.EncryptionandKeyManagement.High.0471 |
 
 
 ### aws_kms_key

diff --git a/...cies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json b/...cies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json
@@ -0,0 +1,10 @@
+{
+    "name": "apiGatewayMiconfiguredCors",
+    "file": "apiGatewayMiconfiguredCors.rego",
+    "template_args": null,
+    "severity": "Medium",
+    "description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
+    "reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
+    "category": "AccessControl",
+    "version": 2
+}
diff --git a/pkg/policies/opa/rego/aws/aws_apigatewayv2_api/apiGatewayMiconfiguredCors.rego b/pkg/policies/opa/rego/aws/aws_apigatewayv2_api/apiGatewayMiconfiguredCors.rego
@@ -0,0 +1,8 @@
+package accurics
+
+apiGatewayMiconfiguredCors[api.id] {
+  api := input.aws_apigatewayv2_api[_]
+  cors := api.config.cors_configuration[_]
+  origins := cors.allow_origins[_]
+  not origins == ["*"]
+}
diff --git a/pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/AWS.ApiGatewayV2Stage.Logging.Low.0630.json b/pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/AWS.ApiGatewayV2Stage.Logging.Low.0630.json
@@ -0,0 +1,10 @@
+{
+    "name": "apiGatewayNoAccessLogs",
+    "file": "apiGatewayNoAccessLogs.rego",
+    "template_args": null,
+    "severity": "Low",
+    "description": "AWS API Gateway V2 Stage is missing access logs",
+    "reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
+    "category": "Logging",
+    "version": 2
+}
diff --git a/pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/apiGatewayNoAccessLogs.rego b/pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/apiGatewayNoAccessLogs.rego
@@ -0,0 +1,6 @@
+package accurics
+
+apiGatewayNoAccessLogs[stage.id] {
+  stage := input.aws_apigatewayv2_stage[_]
+  not stage.config.access_log_settings
+}
diff --git a/...cies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json b/...cies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json
@@ -0,0 +1,10 @@
+{
+    "name": "logGroupNotEncryptedWithKms",
+    "file": "logGroupNotEncryptedWithKms.rego",
+    "template_args": null,
+    "severity": "HIGH",
+    "description": "AWS CloudWatch log group is not encrypted with a KMS CMK",
+    "reference_id": "AWS.CloudWatch.EncryptionandKeyManagement.High.0632",
+    "category": "Encryption and Key Management",
+    "version": 2
+}
diff --git a/pkg/policies/opa/rego/aws/aws_cloudwatch/logGroupNotEncryptedWithKms.rego b/pkg/policies/opa/rego/aws/aws_cloudwatch/logGroupNotEncryptedWithKms.rego
@@ -0,0 +1,6 @@
+package accurics
+
+logGroupNotEncryptedWithKms[log_group.id] {
+  log_group := input.aws_cloudwatch_log_group[_]
+  not log_group.config.kms_key_id
+}
diff --git a/...rego/aws/aws_lambda_function/AWS.LambdaFunction.EncryptionandKeyManagement.High.0471.json b/...rego/aws/aws_lambda_function/AWS.LambdaFunction.EncryptionandKeyManagement.High.0471.json
@@ -0,0 +1,12 @@
+{
+    "name": "lambdaNotEncryptedWithKms",
+    "file": "lambdaNotEncryptedWithKms.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "High",
+    "description": "Lambda does not use KMS CMK key to protect environment variables.",
+    "reference_id": "AWS.LambdaFunction.EncryptionandKeyManagement.0471",
+    "category": "Encryption and Key Management",
+    "version": 2
+}
diff --git a/...function/AWS.VPC.Logging.Medium.0470.json → .../AWS.LambdaFunction.Logging.Low.0470.json b/...function/AWS.VPC.Logging.Medium.0470.json → .../AWS.LambdaFunction.Logging.Low.0470.json
@@ -6,7 +6,7 @@
     },
     "severity": "LOW",
     "description": "Lambda tracing is not enabled.",
-    "reference_id": "AWS.VPC.Logging.Medium.0470",
+    "reference_id": "AWS.LambdaFunction.Logging.0470",
     "category": "Logging",
     "version": 2
-}
+}
diff --git a/pkg/policies/opa/rego/aws/aws_lambda_function/AWS.LambdaFunction.Logging.Low.0472.json b/pkg/policies/opa/rego/aws/aws_lambda_function/AWS.LambdaFunction.Logging.Low.0472.json
@@ -0,0 +1,12 @@
+{
+    "name": "lambdaNotInVpc",
+    "file": "lambdaNotInVpc.rego",
+    "template_args": {
+        "prefix": ""
+    },
+    "severity": "Low",
+    "description": "Lambda function doesn't not include a VPC configuration.",
+    "reference_id": "AWS.LambdaFunction.Logging.0472",
+    "category": "Logging",
+    "version": 2
+}
diff --git a/pkg/policies/opa/rego/aws/aws_lambda_function/lambdaNotEncryptedWithKms.rego b/pkg/policies/opa/rego/aws/aws_lambda_function/lambdaNotEncryptedWithKms.rego
@@ -0,0 +1,6 @@
+package accurics
+
+lambdaNotEncryptedWithKms[lambda.id] {
+  lambda := input.aws_lambda_function[_]
+  not lambda.config.kms_key_arn
+}
diff --git a/pkg/policies/opa/rego/aws/aws_lambda_function/lambdaNotInVpc.rego b/pkg/policies/opa/rego/aws/aws_lambda_function/lambdaNotInVpc.rego
@@ -0,0 +1,6 @@
+package accurics
+
+lambdaNotInVpc[lambda.id] {
+  lambda := input.aws_lambda_function[_]
+  not lambda.config.vpc_config
+}