aquasecurity · nikpivkin · Jun 13, 2024 · Jun 17, 2024 · Jun 17, 2024 · Jun 18, 2024
@@ -3,11 +3,11 @@ description: Setup OPA CLI
 runs:
   using: composite
   steps:
-    - name: Setup OPA v0.58.0
+    - name: Setup OPA
       shell: bash
       run: |
-        curl --retry 3 -L -o opa_linux_amd64_static https://github.com/open-policy-agent/opa/releases/download/v0.58.0/opa_linux_amd64_static 
-        curl -L -o checksum https://github.com/open-policy-agent/opa/releases/download/v0.58.0/opa_linux_amd64_static.sha256
+        curl --retry 3 -L -o opa_linux_amd64_static https://github.com/open-policy-agent/opa/releases/download/v0.65.0/opa_linux_amd64_static 
+        curl -L -o checksum https://github.com/open-policy-agent/opa/releases/download/v0.65.0/opa_linux_amd64_static.sha256
         sha256sum -c checksum
         chmod 755 ./opa_linux_amd64_static
         sudo mv ./opa_linux_amd64_static /usr/local/bin/opa
@@ -1,5 +1,4 @@
 
-
 AWS IAM Access Analyzer helps you identify the resources in your organization and
 accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
 This lets you identify unintended access to your resources and data. Access Analyzer
@@ -10,7 +9,7 @@ keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
 
 
 ### Impact
-Reduced visibility of externally shared resources.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.
+Data can be read if the Athena Database is compromised. Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.
+
 
 ### Impact
-Data can be read if the Athena Database is compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.
+Clients can ignore encryption requirements without enforced configuration. Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings.
+
 
 ### Impact
-Clients can ignore encryption requirements
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.
+Activity could be happening in your account in a different region. When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in.
+
 
 ### Impact
-Activity could be happening in your account in a different region
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
+Using AWS managed keys does not allow for fine grained control.  Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.
+
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.
+Illicit activity could be removed from the logs. Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.
+
 
 ### Impact
-Illicit activity could be removed from the logs
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,9 @@
 
-
-CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.
+CloudTrail logs will be publicly exposed, potentially containing sensitive information. CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration.
 
 
 ### Impact
-CloudTrail logs will be publicly exposed, potentially containing sensitive information
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,4 +1,5 @@
 
+Realtime log analysis is not available without enabling CloudWatch logging.
 
 CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
 
@@ -8,7 +9,7 @@ For a trail that is enabled in all Regions in an account, CloudTrail sends log f
 
 
 ### Impact
-Realtime log analysis is not available without enabling CloudWatch logging
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,13 +1,11 @@
 
 Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
-
 CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.
-
 By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.
 
 
 ### Impact
-There is no way to determine the access to this bucket
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 All artifacts produced by your CodeBuild project pipeline should always be encrypted
 
+
 ### Impact
-CodeBuild project artifacts are unencrypted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
-The configuration aggregator should be configured with all_regions for the source. 
-
+Sources that aren't covered by the aggregator are not include in the configuration. The configuration aggregator should be configured with all_regions for the source.
 This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
 
+
 ### Impact
-Sources that aren't covered by the aggregator are not include in the configuration
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Document DB does not have auditing by default. To ensure that you are able to accurately audit the usage of your DocumentDB cluster you should enable export logs.
 
+
 ### Impact
-Limited visibility of audit trail for changes to the DocumentDB
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected.
+Unencrypted sensitive data is vulnerable to compromise. Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected.
+
 
 ### Impact
-Unencrypted sensitive data is vulnerable to compromise.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.
+Using AWS managed keys does not allow for fine grained control. Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.
+
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
+Data can be freely read if compromised. Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage.
+
 
 ### Impact
-Data can be freely read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
 DynamoDB tables should be protected against accidentally or malicious write/delete actions by ensuring that there is adequate protection.
-
 By enabling point-in-time-recovery you can restore to a known point in the event of loss of data.
 
+
 ### Impact
-Accidental or malicious writes and deletes can't be rolled back
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
-DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.
+Using AWS managed keys does not allow for fine grained control. DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.
+
 
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Block devices should be encrypted to ensure sensitive data is held securely at rest.
 
+
 ### Impact
-The block device could be compromised and read from
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.
 
+
 ### Impact
-The instance or configuration is publicly accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted.
 
+
 ### Impact
-Unencrypted sensitive data is vulnerable to compromise.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys.
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,12 +1,13 @@
 
-
 IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
-By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
+
+By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
+
 To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
 
 
 ### Impact
-Instance metadata service can be interacted with freely
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.
 
+
 ### Impact
-User data is visible through the AWS Management console
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -3,8 +3,9 @@ Security groups should include a description for auditing purposes.
 
 Simplifies auditing, debugging, and managing security groups.
 
+
 ### Impact
-Descriptions provide context for the firewall rule reasons
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform.
 
+
 ### Impact
-The default VPC does not have critical security features applied
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Ensure access to specific required ports is allowed, and nothing else.
 
+
 ### Impact
-All ports exposed for ingressing/egressing data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
+
 ### Impact
-Your port is egressing data to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.
 
+
 ### Impact
-The ports are exposed for ingressing data to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -7,20 +7,6 @@ Set a more restrictive cidr range
  	cidr_blocks = ["10.0.0.0/16"]
  }
 
-```
-```hcl
-resource "aws_security_group_rule" "allow_partner_rsync" {
-  type              = "ingress"
-  security_group_id = aws_security_group.….id
-  from_port         = 22
-  to_port           = 22
-  protocol          = "tcp"
-  cidr_blocks = [
-    "1.2.3.4/32",
-    "4.5.6.7/32",
-  ]
-}
-
 ```
 
 #### Remediation Links

@@ -1,8 +1,9 @@
 
 Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
 
+
 ### Impact
-Your port exposed to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}