Merge pull request #731 from turbot/release/v0.82

Release/v0.82
turbot · Nov 3, 2023 · 3e38f44 · 3e38f44
2 parents 1fe312a + c801eef
commit 3e38f44
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## v0.82 [2023-11-03]
+
+_Breaking changes_
+
+- Updated the plugin dependency section of the mod to use `min_version` instead of `version`. ([#728](https://github.com/turbot/steampipe-mod-aws-compliance/pull/728))
+
+_Enhancements_
+
+- Added the following controls to the `All Controls` benchmark: ([#727](https://github.com/turbot/steampipe-mod-aws-compliance/pull/727))
+  - `glue_connection_ssl_enabled`
+  - `vpc_peering_connection_route_table_least_privilege`
+
 ## v0.81 [2023-10-20]
 
 _Enhancements_

diff --git a/all_controls/glue.sp b/all_controls/glue.sp
@@ -8,6 +8,7 @@ benchmark "all_controls_glue" {
   title       = "Glue"
   description = "This section contains recommendations for configuring Glue resources."
   children = [
+    control.glue_connection_ssl_enabled,
     control.glue_data_catalog_encryption_settings_metadata_encryption_enabled,
     control.glue_data_catalog_encryption_settings_password_encryption_enabled,
     control.glue_dev_endpoint_cloudwatch_logs_encryption_enabled,

diff --git a/all_controls/vpc.sp b/all_controls/vpc.sp
@@ -17,6 +17,7 @@ benchmark "all_controls_vpc" {
     control.vpc_in_more_than_one_region,
     control.vpc_network_acl_remote_administration,
     control.vpc_network_acl_unused,
+    control.vpc_peering_connection_route_table_least_privilege,
     control.vpc_route_table_restrict_public_access_to_igw,
     control.vpc_security_group_allows_ingress_authorized_ports,
     control.vpc_security_group_allows_ingress_to_cassandra_ports,

diff --git a/conformance_pack/glue.sp b/conformance_pack/glue.sp
@@ -68,6 +68,14 @@ control "glue_data_catalog_encryption_settings_password_encryption_enabled" {
   tags = local.conformance_pack_glue_common_tags
 }
 
+control "glue_connection_ssl_enabled" {
+  title       = "Glue connection SSL should be enabled"
+  description = "Ensure Glue connection encryption SSL is enabled."
+  query       = query.glue_connection_ssl_enabled
+
+  tags = local.conformance_pack_glue_common_tags
+}
+
 query "glue_dev_endpoint_cloudwatch_logs_encryption_enabled" {
   sql = <<-EOQ
     select
@@ -219,3 +227,21 @@ query "glue_data_catalog_encryption_settings_password_encryption_enabled" {
       aws_glue_data_catalog_encryption_settings;
   EOQ
 }
+
+query "glue_connection_ssl_enabled" {
+  sql = <<-EOQ
+    select
+      arn as resource,
+      case
+        when connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true' then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when connection_properties ->> 'JDBC_ENFORCE_SSL' = 'true' then name || ' SSL enabled.'
+        else name || ' SSL disabled.'
+      end as reason
+      ${local.common_dimensions_sql}
+    from
+      aws_glue_connection;
+  EOQ
+}
diff --git a/conformance_pack/vpc.sp b/conformance_pack/vpc.sp
@@ -415,6 +415,14 @@ control "vpc_subnet_public_and_private" {
   tags = local.conformance_pack_vpc_common_tags
 }
 
+control "vpc_peering_connection_route_table_least_privilege" {
+  title       = "VPCs peering connection route tables should have least privilege"
+  description = "Ensure that all VPCs peering connection route tables have least privilege."
+  query       = query.vpc_peering_connection_route_table_least_privilege
+
+  tags = local.conformance_pack_vpc_common_tags
+}
+
 query "vpc_flow_logs_enabled" {
   sql = <<-EOQ
     select
@@ -1740,3 +1748,39 @@ query "vpc_subnet_public_and_private" {
       aws_vpc as v;
   EOQ
 }
+
+query "vpc_peering_connection_route_table_least_privilege" {
+  sql = <<-EOQ
+    with vpc_peering_routing_tables as (
+      select
+        r ->> 'VpcPeeringConnectionId' as peering_connection_id
+      from
+        aws_vpc_route_table,
+        jsonb_array_elements(routes) as r
+        inner join aws_vpc_peering_connection as c on r ->> 'VpcPeeringConnectionId' = c.id
+      where
+        ( r ->> 'DestinationCidrBlock' = '0.0.0.0/0'
+          or r ->> 'DestinationCidrBlock' = '::/0'
+          or (r ->> 'DestinationCidrBlock')::cidr = c.accepter_cidr_block
+          or (r ->> 'DestinationCidrBlock')::cidr = c.requester_cidr_block
+        )
+      group by
+      r ->> 'VpcPeeringConnectionId'
+    )
+    select
+      c.id as resource,
+      case
+        when t.peering_connection_id is not null then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when t.peering_connection_id is not null then c.title || ' does not have least privilege access.'
+        else c.title || ' have least privilege access.'
+      end as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_vpc_peering_connection as c
+      left join vpc_peering_routing_tables as t on t.peering_connection_id = c.id;
+  EOQ
+}