refactor(checks): migrate AWS ec2 to Rego
Signed-off-by: Nikita Pivkin <[email protected]>
nikpivkin committed Jul 8, 2024
1 parent 9968cc8 commit 8841331
Showing 71 changed files with 1,031 additions and 459 deletions.
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0008/docs.md
@@ -1,8 +1,9 @@

Block devices should be encrypted to ensure sensitive data is held securely at rest.


### Impact
The block device could be compromised and read from
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0009/docs.md
@@ -1,8 +1,9 @@

You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.


### Impact
The instance or configuration is publicly accessible
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0026/docs.md
@@ -1,8 +1,9 @@

By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted.


### Impact
Unencrypted sensitive data is vulnerable to compromise.
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0027/docs.md
@@ -1,8 +1,9 @@

Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys.


### Impact
Using AWS managed keys does not allow for fine grained control
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
7 changes: 4 additions & 3 deletions avd_docs/aws/ec2/AVD-AWS-0028/docs.md
@@ -1,12 +1,13 @@


IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


### Impact
Instance metadata service can be interacted with freely
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
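Review bot: the sentence "By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional." appears twice in this hunk, once directly under the IMDS v2 line and once after the blank line. If both copies survive in the new docs.md, keep a single one so the rendered page does not repeat it, and while touching it, "the <code>aws_instance</code> resource" reads better.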
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0029/docs.md
@@ -1,8 +1,9 @@

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.


### Impact
User data is visible through the AWS Management console
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0099/docs.md
Expand Up @@ -3,8 +3,9 @@ Security groups should include a description for auditing purposes.

Simplifies auditing, debugging, and managing security groups.


### Impact
Descriptions provide context for the firewall rule reasons
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
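Review bot: the new Impact line "Descriptions provide context for the firewall rule reasons" states the benefit of having a description, not the impact of lacking one, which is what the section is for. Reword it as a consequence, for example "Security groups without a description are harder to audit and justify during review". The same wording is used for AVD-AWS-0124/docs.md in this commit.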
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0101/docs.md
@@ -1,8 +1,9 @@

Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform.


### Impact
The default VPC does not have critical security features applied
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0102/docs.md
@@ -1,8 +1,9 @@

Ensure access to specific required ports is allowed, and nothing else.


### Impact
All ports exposed for ingressing/egressing data
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0104/docs.md
@@ -1,8 +1,9 @@

Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.


### Impact
Your port is egressing data to the internet
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0105/docs.md
@@ -1,8 +1,9 @@

Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.


### Impact
The ports are exposed for ingressing data to the internet
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
14 changes: 0 additions & 14 deletions avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md
Expand Up @@ -7,20 +7,6 @@ Set a more restrictive cidr range
cidr_blocks = ["10.0.0.0/16"]
}
```
```hcl
resource "aws_security_group_rule" "allow_partner_rsync" {
type = "ingress"
security_group_id = aws_security_group.….id
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = [
"1.2.3.4/32",
"4.5.6.7/32",
]
}
```

#### Remediation Links
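Review bot: this hunk drops the only good example that allow-lists specific /32 source addresses (the allow_partner_rsync rule), leaving just the 10.0.0.0/16 block. Since the remediation guidance for this check is to restrict access to the addresses that explicitly require it, that example was the closest illustration of the advice. If it went away because the migrated check's example source no longer carries it, say so in the commit message; otherwise keep it.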
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0107/docs.md
@@ -1,8 +1,9 @@

Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.


### Impact
Your port exposed to the internet
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
9 changes: 0 additions & 9 deletions avd_docs/aws/ec2/AVD-AWS-0122/Terraform.md
Expand Up @@ -11,15 +11,6 @@ Don't use sensitive data in user data
EOF
}
```
```hcl
resource "aws_launch_configuration" "as_conf" {
name = "web_config"
image_id = data.aws_ami.ubuntu.id
instance_type = "t2.micro"
user_data_base64 = "ZXhwb3J0IEVESVRPUj12aW1hY3M="
}
```

#### Remediation Links
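Review bot: the deleted block was the only example covering user_data_base64, so the docs no longer show that base64-encoded user data is also in scope for this check. Confirm the migrated check still inspects user_data_base64 (its rego is not part of this view) and, if it does, keep or regenerate the example rather than dropping it.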
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0122/docs.md
@@ -1,8 +1,9 @@

When creating Launch Configurations, user data can be used for the initial configuration of the instance. User data must not contain any sensitive data.


### Impact
Sensitive credentials in user data can be leaked
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0124/docs.md
Expand Up @@ -3,8 +3,9 @@ Security group rules should include a description for auditing purposes.

Simplifies auditing, debugging, and managing security groups.


### Impact
Descriptions provide context for the firewall rule reasons
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0129/docs.md
@@ -1,8 +1,9 @@

EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.


### Impact
User data is visible through the AWS Management console
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
7 changes: 4 additions & 3 deletions avd_docs/aws/ec2/AVD-AWS-0130/docs.md
@@ -1,12 +1,13 @@


IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


### Impact
Instance metadata service can be interacted with freely
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
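Review bot: same duplicated "By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional." sentence as in AVD-AWS-0028/docs.md above; keep a single copy here as well.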
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0131/docs.md
@@ -1,8 +1,9 @@

Block devices should be encrypted to ensure sensitive data is held securely at rest.


### Impact
The block device could be compromised and read from
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
3 changes: 2 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0164/docs.md
@@ -1,8 +1,9 @@

You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.


### Impact
The instance is publicly accessible
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
5 changes: 3 additions & 2 deletions avd_docs/aws/ec2/AVD-AWS-0173/docs.md
@@ -1,12 +1,13 @@


Configuring all VPC default security groups to restrict all traffic will encourage least

privilege security group development and mindful placement of AWS resources into

security groups which will in-turn reduce the exposure of those resources.


### Impact
Easier to accidentally expose resources - goes against principle of least privilege
<!-- Add Impact here -->

<!-- DO NOT CHANGE -->
{{ remediationActions }}
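Review bot: the description is split into three fragments separated by blank lines ("...will encourage least", "privilege security group development and mindful placement of AWS resources into", "security groups which will in-turn..."). In Markdown a blank line starts a new paragraph, so "least" and "privilege" will render in different paragraphs. Join the fragments into one paragraph, or strip the blank lines in the generator that writes docs.md from the check description.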
3 changes: 2 additions & 1 deletion checks/cloud/aws/ec2/add_description_to_security_group.go
Expand Up @@ -36,7 +36,8 @@ Simplifies auditing, debugging, and managing security groups.`,
Links: cloudFormationAddDescriptionToSecurityGroupLinks,
RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRemediationMarkdown,
},
Severity: severity.Low,
Severity: severity.Low,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {
for _, group := range s.AWS.EC2.SecurityGroups {
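Review bot: the Go check is kept and marked Deprecated: true rather than removed, so during the migration period both this implementation and the new rego package builtin.aws.ec2.aws0099 describe the same rule. Make sure the engine skips deprecated Go checks whenever a rego check with the same avd_id is loaded; otherwise every security group without a description will be reported twice. The Severity line is only re-aligned, not changed.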
51 changes: 51 additions & 0 deletions checks/cloud/aws/ec2/add_description_to_security_group.rego
@@ -0,0 +1,51 @@
# METADATA
# title: Missing description for security group.
# description: |
# Security groups should include a description for auditing purposes.
#
# Simplifies auditing, debugging, and managing security groups.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html
# custom:
# id: AVD-AWS-0099
# avd_id: AVD-AWS-0099
# provider: aws
# service: ec2
# severity: LOW
# short_code: add-description-to-security-group
# recommended_action: Add descriptions for all security groups
# input:
# selector:
# - type: cloud
# subtypes:
# - service: ec2
# provider: aws
# terraform:
# links:
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group.tf.go
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group.tf.go
# cloudformation:
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group.cf.go
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group.cf.go
package builtin.aws.ec2.aws0099

import rego.v1

deny contains res if {
some sg in input.aws.ec2.securitygroups
sg.__defsec_metadata.managed
sg.description.value == ""
res := result.new("Security group does not have a description.", sg)
}

deny contains res if {
some sg in input.aws.ec2.securitygroups
sg.__defsec_metadata.managed
sg.description.value == "Managed by Terraform"
res := result.new("Security group explicitly uses the default description.", sg)
}
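Review bot: both rules compare sg.description.value == "", and in Rego a missing description (or value) field leaves that expression undefined, so a security group with no description attribute at all is silently passed rather than flagged. If the cloud adapter does not guarantee the field, use object.get(sg, "description", {"value": ""}).value == "" or add a separate rule for not sg.description. Also note that the second rule matches the default description only as the exact, case-sensitive string "Managed by Terraform".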
Expand Up @@ -36,7 +36,8 @@ Simplifies auditing, debugging, and managing security groups.`,
Links: cloudFormationAddDescriptionToSecurityGroupRuleLinks,
RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRuleRemediationMarkdown,
},
Severity: severity.Low,
Severity: severity.Low,
Deprecated: true,
},
func(s *state.State) (results scan.Results) {
for _, group := range s.AWS.EC2.SecurityGroups {
47 changes: 47 additions & 0 deletions checks/cloud/aws/ec2/add_description_to_security_group_rule.rego
@@ -0,0 +1,47 @@
# METADATA
# title: Missing description for security group rule.
# description: |
# Security group rules should include a description for auditing purposes.
#
# Simplifies auditing, debugging, and managing security groups.
# scope: package
# schemas:
# - input: schema["cloud"]
# related_resources:
# - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html
# custom:
# id: AVD-AWS-0124
# avd_id: AVD-AWS-0124
# provider: aws
# service: ec2
# severity: LOW
# short_code: add-description-to-security-group-rule
# recommended_action: Add descriptions for all security groups rules
# input:
# selector:
# - type: cloud
# subtypes:
# - service: ec2
# provider: aws
# terraform:
# links:
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
# - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.tf.go
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.tf.go
# cloudformation:
# good_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go
# bad_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go
package builtin.aws.ec2.aws0124

import rego.v1

deny contains res if {
some group in input.aws.ec2.securitygroups
some rule in array.concat(
object.get(group, "egressrules", []),
object.get(group, "ingressrules", []),
)
rule.description.value == ""
res := result.new("Security group rule does not have a description.", rule.description)
}
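Review bot: unlike the sibling security-group check, this rule has no group.__defsec_metadata.managed guard, so rules on security groups that are only referenced, not defined, in the scanned code can be flagged for a missing description. Add the same guard for consistency. The rule.description.value == "" comparison also has the undefined-field behaviour: a rule with no description field at all is not reported.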