Addind AWS Network Security Policies

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0227.json

@@ -0,0 +1,20 @@
+{
+	"name": "port22OpenToInternet",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port22OpenToInternet",
+		"portNumber": 22,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - (SSH,22)",
+	"reference_id": "AC_AWS_0227",
+	"id": "AC_AWS_0227",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0228.json

@@ -0,0 +1,20 @@
+{
+	"name": "port80OpenToInternet",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port80OpenToInternet",
+		"portNumber": 80,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - (HTTP,80)",
+	"reference_id": "AC_AWS_0228",
+	"id": "AC_AWS_0228",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0229.json

@@ -0,0 +1,20 @@
+{
+	"name": "port443OpenToInternet",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port443OpenToInternet",
+		"portNumber": 443,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "LOW",
+	"description": "Security Groups - Unrestricted Specific Ports - (HTTPS,443)",
+	"reference_id": "AC_AWS_0229",
+	"id": "AC_AWS_0229",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0230.json

@@ -0,0 +1,20 @@
+{
+	"name": "port3389OpenToInternet",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port3389OpenToInternet",
+		"portNumber": 3389,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - remote desktop port (TCP,3389)",
+	"reference_id": "AC_AWS_0230",
+	"id": "AC_AWS_0230",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0231.json

@@ -0,0 +1,18 @@
+{
+	"name": "unrestrictedIngressAccess",
+	"file": "unrestrictedIngressAccess.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "unrestrictedIngressAccess",
+		"prefix": "",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols",
+	"reference_id": "AC_AWS_0231",
+	"id": "AC_AWS_0231",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0232.json

@@ -0,0 +1,17 @@
+{
+	"name": "defaultSGNotRestrictsAllTraffic",
+	"file": "defaultSGNotRestrictsAllTraffic.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"name": "defaultSGNotRestrictsAllTraffic",
+		"prefix": "",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Ensure no default security groups are used as they allow ingress from 0.0.0.0/0 to ALL ports and protocols",
+	"reference_id": "AC_AWS_0232",
+	"id": "AC_AWS_0232",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0233.json

@@ -0,0 +1,20 @@
+{
+	"name": "port4505AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port4505AlbNetworkPortSecurity",
+		"portNumber": 4505,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4505)",
+	"reference_id": "AC_AWS_0233",
+	"id": "AC_AWS_0233",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0234.json

@@ -0,0 +1,20 @@
+{
+	"name": "port9200AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port9200AlbNetworkPortSecurity",
+		"portNumber": 9200,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Elasticsearch (TCP,9200)",
+	"reference_id": "AC_AWS_0234",
+	"id": "AC_AWS_0234",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0235.json

@@ -0,0 +1,20 @@
+{
+	"name": "port9300AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port9300AlbNetworkPortSecurity",
+		"portNumber": 9300,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Elasticsearch (TCP,9300)",
+	"reference_id": "AC_AWS_0235",
+	"id": "AC_AWS_0235",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0236.json

@@ -0,0 +1,20 @@
+{
+	"name": "port4506AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port4506AlbNetworkPortSecurity",
+		"portNumber": 4506,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - SaltStack Master (TCP,4506)",
+	"reference_id": "AC_AWS_0236",
+	"id": "AC_AWS_0236",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0237.json

@@ -0,0 +1,20 @@
+{
+	"name": "port3020AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port3020AlbNetworkPortSecurity",
+		"portNumber": 3020,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - CIFS / SMB (TCP,3020)",
+	"reference_id": "AC_AWS_0237",
+	"id": "AC_AWS_0237",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0238.json

@@ -0,0 +1,20 @@
+{
+	"name": "port61621AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port61621AlbNetworkPortSecurity",
+		"portNumber": 61621,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Cassandra OpsCenter agent (TCP,61621)",
+	"reference_id": "AC_AWS_0238",
+	"id": "AC_AWS_0238",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0239.json

@@ -0,0 +1,20 @@
+{
+	"name": "port7001AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port7001AlbNetworkPortSecurity",
+		"portNumber": 7001,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Cassandra (TCP,7001)",
+	"reference_id": "AC_AWS_0239",
+	"id": "AC_AWS_0239",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0240.json

@@ -0,0 +1,20 @@
+{
+	"name": "port9000AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port9000AlbNetworkPortSecurity",
+		"portNumber": 9000,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Hadoop Name Node (TCP,9000)",
+	"reference_id": "AC_AWS_0240",
+	"id": "AC_AWS_0240",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0241.json

@@ -0,0 +1,20 @@
+{
+	"name": "port8000AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port8000AlbNetworkPortSecurity",
+		"portNumber": 8000,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Known internal web port (TCP,8000)",
+	"reference_id": "AC_AWS_0241",
+	"id": "AC_AWS_0241",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0242.json

@@ -0,0 +1,20 @@
+{
+	"name": "port8080AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port8080AlbNetworkPortSecurity",
+		"portNumber": 8080,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - Known internal web port (TCP,8080)",
+	"reference_id": "AC_AWS_0242",
+	"id": "AC_AWS_0242",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0243.json

@@ -0,0 +1,20 @@
+{
+	"name": "port636AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port636AlbNetworkPortSecurity",
+		"portNumber": 636,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - LDAP SSL (TCP,636)",
+	"reference_id": "AC_AWS_0243",
+	"id": "AC_AWS_0243",
+	"category": "Infrastructure Security",
+	"version": 2
+}

pkg/policies/opa/rego/aws/aws_security_group/AC_AWS_0244.json

@@ -0,0 +1,20 @@
+{
+	"name": "port1434AlbNetworkPortSecurity",
+	"file": "portOpenToInternet.rego",
+	"policy_type": "aws",
+	"resource_type": "aws_security_group",
+	"template_args": {
+		"defaultValue": "<cidr>",
+		"name": "port1434AlbNetworkPortSecurity",
+		"portNumber": 1434,
+		"prefix": "",
+		"protocol": "tcp",
+		"suffix": ""
+	},
+	"severity": "HIGH",
+	"description": "Security Groups - Unrestricted Specific Ports - MSSQL Admin (TCP,1434)",
+	"reference_id": "AC_AWS_0244",
+	"id": "AC_AWS_0244",
+	"category": "Infrastructure Security",
+	"version": 2
+}