Skip to content

aquasecurity/cloud-metadata

BranchesTags

Repository files navigation

Cloud Metadata

What is this

This project contains the metadata for rules that will feed into IaC tools and potentially CSPM.

Rules are broken down into provider/category/rule and will eventually contain markdown files for remediation.

Things you need to know now

Generating Metadata Code

The json metadata should be converted to code files for use in downstream tools. This can be done by running

make generate

OR from Windows build and run ./cmd/metadata

Schema Validation

A GitHub action will run on each PR to ensure that changes to the metadata.json files still meet the schema.

Metadata json

Metadata files define the common information about rules; description, impact, severity and links to the external tools ids (tfsec, cspm, cfsec)

An example metadata.json

{
  "id": "AVD-AWS-0028",
  "apiVersion": 2,
  "version": 1,
  "title": "aws_instance should activate session tokens for Instance Metadata Service.",
  "description": "IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.\nBy default eaws_instance resource sets IMDS session auth tokens to be optional. \nTo fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.",
  "custom": {
    "severity": "HIGH",
    "possibleImpact": "Instance metadata service can be interacted with freely",
    "references": [
      {
        "title": "EC2 Instance Metadata Service blog post",
        "url": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
      }
    ],
    "externalToolIds": {
      "cfsec": [
        "aws-ec2-enforce-http-token-imds"
      ],
      "cspm": [
        {
          "id": 692,
          "name": "ec2/ec2MetadataOptions"
        }
      ],
      "tfsec": [
        "aws-ec2-enforce-http-token-imds"
      ]
    }
  }
}

The metadata.json file for each rule should match the following schema

Type: object

path: #

$schema: http://json-schema.org/draft-04/schema#

Properties

  • id required
    • Type: string
    • path: #/properties/id
  • apiVersion required
    • Type: integer
    • path: #/properties/apiVersion
  • version required
    • Type: integer
    • path: #/properties/version
  • title required
    • Type: string
    • path: #/properties/title
  • description required
    • Type: string
    • path: #/properties/description
  • description_file_path
    • Type: string
    • path: #/properties/description_file_path
  • custom required
    • Type: object
    • path: #/properties/custom
    • Properties
      • severity required
        • Type: string
        • path: #/properties/custom/properties/severity
      • possibleImpact required
        • Type: string
        • path: #/properties/custom/properties/possibleImpact
      • remediations
        • Type: array
        • path: #/properties/custom/properties/remediations
          • Items
          • Type: object
          • path: #/properties/custom/properties/remediations/items
          • Properties
            • title required
              • Type: string
              • path: #/properties/custom/properties/remediations/items/properties/title
            • remediation_path required
              • Type: string
              • path: #/properties/custom/properties/remediations/items/properties/remediation_path
            • remediation_type required
              • Type: string
              • path: #/properties/custom/properties/remediations/items/properties/remediation_type
      • references required
        • Type: array
        • path: #/properties/custom/properties/references
          • Items
          • Type: object
          • path: #/properties/custom/properties/references/items
          • Properties
            • title required
              • Type: string
              • path: #/properties/custom/properties/references/items/properties/title
            • url required
              • Type: string
              • path: #/properties/custom/properties/references/items/properties/url
      • externalToolIds required
        • Type: object
        • path: #/properties/custom/properties/externalToolIds
        • Properties
          • cfsec
            • Type: array
            • path: #/properties/custom/properties/externalToolIds/properties/cfsec
              • Items
              • Type: string
              • path: #/properties/custom/properties/externalToolIds/properties/cfsec/items
          • cspm
            • Type: array
            • path: #/properties/custom/properties/externalToolIds/properties/cspm
              • Items
              • Type: object
              • path: #/properties/custom/properties/externalToolIds/properties/cspm/items
              • Properties
                • id required
                  • Type: integer
                  • path: #/properties/custom/properties/externalToolIds/properties/cspm/items/properties/id
                • name required
                  • Type: string
                  • path: #/properties/custom/properties/externalToolIds/properties/cspm/items/properties/name
          • tfsec
            • Type: array
            • path: #/properties/custom/properties/externalToolIds/properties/tfsec
              • Items
              • Type: string
              • path: #/properties/custom/properties/externalToolIds/properties/tfsec/items

About

Common metadata repository for CSPM and TFSec checks

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct
Activity
Custom properties

Stars

9 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages