
feat(terraform): Adding yaml based build time policies for corresponding PC run time policies #3900

Merged
merged 6 commits into from
Nov 24, 2022

Conversation

ssiddardha
Contributor

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

This PR adds 3 YAML-based checks, with a detailed description of each below.

Checkov Title: Ensure AWS CloudFront distribution uses custom SSL certificate

PC Policy Title - AWS CloudFront web distribution with default SSL certificate

PC Policy ID - a072bd68-25cd-4245-94e1-fffee0590a50

Compliance Standard - ACSC Information Security Manual (ISM)-ISM-1139, APRA (CPS 234) Information Security-CPS234-15, APRA (CPS 234) Information Security-CPS234-16, APRA (CPS 234) Information Security-CPS234-17, APRA (CPS 234) Information Security-CPS234-21, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, AWS Foundational Security Best Practices standard-Data protection, Brazilian Data Protection Law (LGPD)-Article 46, CIS Controls v7.1-5.1, CIS Controls v8-4.6, CSA CCM v.4.0.1-CEK-03, CSA CCM v.4.0.1-DSP-10, CSA CCM v.4.0.1-IVS-03, CSA CCM v.4.0.1-UEM-11, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 46, Copy of APRA (CPS 234) Information Security-CPS234-15, Copy of APRA (CPS 234) Information Security-CPS234-16, Copy of APRA (CPS 234) Information Security-CPS234-17, Copy of APRA (CPS 234) Information Security-CPS234-21, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 46, CyberSecurity Law of the People's Republic of China-Article 40, Cybersecurity Maturity Model Certification (CMMC) v.1.02-AC.2.007, Cybersecurity Maturity Model Certification (CMMC) v.1.02-AC.4.032, Fedramp (Moderate)-SC-08 (01), HITRUST CSF v.9.6.0-10.k, HITRUST CSF v.9.6.0-10.m, HITRUST v.9.4.2-Control Reference:01.d, HITRUST v.9.4.2-Control Reference:01.r, ISO/IEC 27002:2013-10.1.1, ISO/IEC 27002:2013-12.2.1, ISO/IEC 27002:2013-12.3.1, ISO/IEC 27002:2013-13.1.1, ISO/IEC 27002:2013-13.1.2, ISO/IEC 27002:2013-13.1.3, ISO/IEC 27002:2013-13.2.1, ISO/IEC 27002:2013-13.2.3, ISO/IEC 27002:2013-14.1.2, ISO/IEC 27002:2013-14.1.3, ISO/IEC 27002:2013-18.1.3, ISO/IEC 27002:2013-8.3.1, ISO/IEC 27002:2013-8.3.3, ISO/IEC 27017:2015-10.1.1, ISO/IEC 27017:2015-10.1.2, ISO/IEC 27017:2015-6.1.1, ISO/IEC 27018:2019-10.1.2, ISO/IEC 27018:2019-12.3.1, MAS TRM 2021-7.2.1, MAS TRM 2021-7.2.2, MLPS 2.0-8.1.2.2, NIST 800-53 Rev 5-Transmission Confidentiality and Integrity | Cryptographic Protection, NIST 800-53 Rev4-SC-8 (1), NIST CSF-PR.DS-2, NIST CSF-PR.DS-5, NIST SP 800-171 Revision 2-3.13.8, NIST SP 800-172-3.4.1e, NIST SP 800-172-3.4.2e, New Zealand Information Security Manual (NZISM v3.4)-17.4, PCI DSS v3.2.1-2.1, Risk Management in Technology (RMiT)-10.68, TestCompliance-CPS234-15, TestCompliance-CPS234-16, TestCompliance-CPS234-17, TestCompliance-CPS234-21, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34

Remediation Steps:

  1. Sign in to the AWS console
  2. Select the region, from the region drop-down, in which the alert is generated
  3. Navigate to CloudFront Distributions Dashboard
  4. Click on the reported distribution
  5. On the 'General' tab, click on the 'Edit' button
  6. On the 'Edit Distribution' page, set 'SSL Certificate' to 'Custom SSL Certificate (example.com):', select a certificate or type your certificate ARN in the field, and set the other parameters as per your requirement.
  7. Click on 'Yes, Edit'

Checkov Title: Ensure S3 Bucket does not allow access to all Authenticated users

PC Policy ID - e8af29c5-eec9-433d-a46b-690c1a286e9b

PC Policy Title - AWS S3 buckets are accessible to any authenticated user

Compliance Standard - ACSC Information Security Manual (ISM)-ISM-0078, ACSC Information Security Manual (ISM)-ISM-0409, ACSC Information Security Manual (ISM)-ISM-0411, ACSC Information Security Manual (ISM)-ISM-0854, API Auto Clone of PIPEDA-4.1.4, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, Australian Energy Sector Cyber Security Framework (AESCSF)-TVM-AP2, Brazilian Data Protection Law (LGPD)-Article 26, CCPA 2018-1798.150(a)(1), CIS Controls v7.1-14.6, CIS Controls v8-3.3, CSA CCM v3.0.1-DSI-02, CSA CCM v3.0.1-IVS-06, CSA CCM v3.0.1-IVS-08, CSA CCM v3.0.1-MOS-13, Copy of 1Copy of Brazilian Data Protection Law (LGPD)-Article 26, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, Copy of Brazilian Data Protection Law (LGPD)-Article 26, CyberSecurity Law of the People's Republic of China-Article 30, CyberSecurity Law of the People's Republic of China-Article 31, CyberSecurity Law of the People's Republic of China-Article 45, Cybersecurity Maturity Model Certification (CMMC) v.1.02-AC.1.004, Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)-AC.L1-3.1.1, Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)-AC.L1-3.1.2, GDPR-Article 25, GDPR-Article 46, HITRUST CSF v.9.6.0-01.c, HITRUST CSF v.9.6.0-01.v, HITRUST CSF v9.3-Control Reference:01.m, HITRUST CSF v9.3-Control Reference:01.n, HITRUST CSF v9.3-Control Reference:01.p, HITRUST CSF v9.3-Control Reference:05.j, HITRUST CSF v9.3-Control Reference:06.e, HITRUST CSF v9.3-Control Reference:09.z, ISO 27001:2013-A.18.1.3, MAS TRM 2021-9.1.1, MITRE ATT&CK v10.0-T1530 - Data from Cloud Storage Object, MITRE ATT&CK v6.3-T1530, MITRE ATT&CK v8.2-T1530, MLPS 2.0-8.1.5.4, NIST 800-171 Rev1-3.1.9, NIST 800-171 Rev1-3.13.1, NIST 800-171 Rev1-3.13.2, NIST 800-171 Rev1-3.13.5, NIST 800-53 Rev 5-Boundary Protection, NIST 800-53 Rev 5-System Use Notification, NIST 800-53 Rev4-AC-8c, NIST 800-53 Rev4-SC-7b, NIST CSF-DE.AE-1, NIST CSF-DE.CM-1, NIST CSF-ID.RA-5, NIST CSF-PR.AC-5, NIST CSF-PR.DS-5, NIST CSF-PR.PT-4, NIST SP 800-171 Revision 2-3.1.22, NIST SP 800-172-3.14.3e, NYDFS 23 CRR-NY 500.0-500.02 (b) (2), NYDFS 23 CRR-NY 500.0-500.07, PCI DSS v3.2.1-10.1, PCI DSS v4.0-1.3.1, PIPEDA-4.1.4, Risk Management in Technology (RMiT)-10.55, SOC 2-CC6.1, SOC 2-CC6.6, SOC 2-CC6.7, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34

Remediation Steps:

  1. Log in to the AWS Console
  2. Navigate to the 'S3' service
  3. Click on the 'S3' resource reported in the alert
  4. Click on the 'Permissions' tab
  5. Under 'Public access', click on 'Any AWS user' and uncheck all items
  6. Click on Save

Checkov Title: Ensure AWS route table with VPC peering does not contain routes overly permissive to all traffic

PC Policy ID - 8d403b9b-794b-4516-84fa-e9415155fb27

PC Policy Title - AWS route table with VPC peering overly permissive to all traffic

Compliance Standard - ACSC Information Security Manual (ISM)-ISM-0520, ACSC Information Security Manual (ISM)-ISM-1006, ACSC Information Security Manual (ISM)-ISM-1627, API Auto Clone of PIPEDA-4.7.3, APRA (CPS 234) Information Security-CPS234-23, APRA (CPS 234) Information Security-CPS234-27, APRA (CPS 234) Information Security-CPS234-34, Australian Energy Sector Cyber Security Framework (AESCSF)-CPM-AP1, CCPA 2018-1798.150(a)(1), CIS Controls v7.1-16.9, CIS Controls v8-3.3, CIS Controls v8-5.4, CIS v1.2.0 (AWS)-4.4, CIS v1.3.0 (AWS)-5.4, CIS v1.4.0 (AWS)-5.4, CIS v1.5.0 (AWS) - Level 2-5.5, CSA CCM v.4.0.1-A&A-03, CSA CCM v.4.0.1-DSP-07, CSA CCM v.4.0.1-DSP-10, CSA CCM v.4.0.1-DSP-17, CSA CCM v.4.0.1-HRS-04, CSA CCM v.4.0.1-IVS-03, CSA CCM v.4.0.1-LOG-05, CSA CCM v.4.0.1-LOG-13, CSA CCM v.4.0.1-STA-14, CSA CCM v.4.0.1-TVM-01, CSA CCM v.4.0.1-TVM-07, CSA CCM v.4.0.1-TVM-08, CSA CCM v.4.0.1-TVM-09, CSA CCM v.4.0.1-TVM-10, CSA CCM v.4.0.1-UEM-03, CSA CCM v.4.0.1-UEM-05, CSA CCM v.4.0.1-UEM-11, Copy of APRA (CPS 234) Information Security-CPS234-23, Copy of APRA (CPS 234) Information Security-CPS234-27, Copy of APRA (CPS 234) Information Security-CPS234-34, CyberSecurity Law of the People's Republic of China-Article 21, CyberSecurity Law of the People's Republic of China-Article 25, Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)-AC.L1-3.1.1, Cybersecurity Maturity Model Certification (CMMC) v.2.0 (Level 1)-AC.L1-3.1.2, FFIEC-D3.PC.Am.B.3, Fedramp (Moderate)-AC-17 (02), Fedramp (Moderate)-SC-07 (05), Fedramp (Moderate)-SI-04 (04), HITRUST CSF v.9.6.0-01.e, HITRUST v.9.4.2-Control Reference:01.n, HITRUST v.9.4.2-Control Reference:01.o, ISO/IEC 27002:2013-12.2.1, ISO/IEC 27002:2013-12.3.1, ISO/IEC 27002:2013-12.4.3, ISO/IEC 27002:2013-12.6.1, ISO/IEC 27002:2013-12.6.2, ISO/IEC 27002:2013-13.1.1, ISO/IEC 27002:2013-13.1.2, ISO/IEC 27002:2013-13.1.3, ISO/IEC 27002:2013-13.2.1, ISO/IEC 27002:2013-13.2.3, ISO/IEC 27002:2013-14.1.1, ISO/IEC 27002:2013-14.2.4, ISO/IEC 27002:2013-14.2.5, ISO/IEC 27002:2013-16.1.1, ISO/IEC 27002:2013-16.1.2, ISO/IEC 27002:2013-16.1.3, ISO/IEC 27002:2013-18.1.3, ISO/IEC 27002:2013-18.1.4, ISO/IEC 27002:2013-18.2.1, ISO/IEC 27002:2013-5.1.1, ISO/IEC 27002:2013-6.2.2, ISO/IEC 27002:2013-8.3.1, ISO/IEC 27002:2013-8.3.3, ISO/IEC 27017:2015-16.1.2, ISO/IEC 27017:2015-6.1.1, ISO/IEC 27018:2019-10.1.2, ISO/IEC 27018:2019-12.3.1, ISO/IEC 27018:2019-18.2.1, MAS TRM 2021-11.2.4, MAS TRM 2021-11.2.5, MITRE ATT&CK v10.0-T1046 - Network Service Scanning, MITRE ATT&CK v6.3-T1046, MITRE ATT&CK v8.2-T1046, MLPS 2.0-8.1.3.2, MPAA Content Protection Best Practices-DS-1.2, MPAA Content Protection Best Practices-DS-3.0, NIST 800-53 Rev 5-Boundary Protection | Block Communication from Non-organizationally Configured Hosts, NIST 800-53 Rev 5-Boundary Protection | Deny by Default — Allow by Exception, NIST 800-53 Rev 5-Boundary Protection | Restrict Incoming Communications Traffic, NIST 800-53 Rev 5-Remote Access | Protection of Confidentiality and Integrity Using Encryption, NIST 800-53 Rev 5-System Monitoring | Inbound and Outbound Communications Traffic, NIST 800-53 Rev4-AC-17 (2), NIST 800-53 Rev4-SC-7 (11), NIST 800-53 Rev4-SC-7 (19), NIST 800-53 Rev4-SC-7 (5), NIST 800-53 Rev4-SI-4 (4), NIST CSF-DE.AE-2, NIST CSF-DE.CM-6, NIST CSF-DE.CM-7, NIST CSF-DE.DP-2, NIST CSF-ID.RA-1, NIST CSF-PR.AC-5, NIST CSF-PR.DS-5, NIST CSF-PR.PT-4, NIST SP 800-171 Revision 2-3.13.6, NIST SP 800-171 Revision 2-3.14.6, NIST SP 800-172-3.14.2e, PCI DSS v3.2.1-1.2.1, PCI DSS v4.0-1.3.1, PIPEDA-4.7.3, Risk Management in Technology (RMiT)-10.55, Risk Management in Technology (RMiT)-10.68, TestCompliance-CPS234-23, TestCompliance-CPS234-27, TestCompliance-CPS234-34

Remediation Steps:

  1. Log in to the AWS Console
  2. In the console, select the specific region for which the alert is generated from the region drop-down in the top right corner.
  3. Navigate to the 'VPC' dashboard from the 'Services' dropdown
  4. From the left menu, select 'Route Tables'
  5. Click on the alerted route table
  6. At the top, click on the 'Action' button
  7. From the Action menu dropdown, select 'Edit routes'
  8. From the list of destinations, remove the overly permissive destination by clicking the cross symbol next to that destination
  9. Add a destination with 'least access'
  10. Click on 'Save Routes'.
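
The three policies above describe run-time findings on live AWS resources; the PR ports them to build time over Terraform. The following is an added example, not the PR's YAML graph checks or any Checkov code: it models the same three conditions in Python over Terraform resources represented as plain dictionaries (the shape an HCL parser would emit for `aws_cloudfront_distribution`, `aws_s3_bucket`/`aws_s3_bucket_acl`, and `aws_route_table`/`aws_route`). The attribute names are the AWS provider's; the check labels, resource names, ARNs and IDs are constructed placeholders, not Checkov IDs or real resources.

```python
"""Build-time equivalents of the three run-time policies described in the PR.

Added example, not Checkov's own YAML or code. Resources are modelled as
(resource_type, name, attributes) tuples, where attributes is the dict an HCL
parser would produce. Check labels below are constructed for this example and
are NOT Checkov check IDs.
"""
import ipaddress

CLOUDFRONT_CUSTOM_CERT = "cloudfront-uses-custom-ssl-certificate"      # constructed label
S3_NO_AUTHENTICATED_USERS = "s3-no-access-for-all-authenticated-users"  # constructed label
PEERING_ROUTE_SCOPED = "route-table-peering-not-all-traffic"            # constructed label

# Canonical S3 group URI that represents "any authenticated AWS user".
AUTHENTICATED_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(value):
    """HCL blocks parse to a single dict or a list of dicts; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cloudfront_uses_custom_cert(attrs):
    """PASS only when viewer_certificate names an ACM or IAM certificate and does
    not fall back to the default *.cloudfront.net certificate."""
    for vc in _as_list(attrs.get("viewer_certificate")):
        if vc.get("cloudfront_default_certificate") is True:
            return False
        if vc.get("acm_certificate_arn") or vc.get("iam_certificate_id"):
            return True
    return False  # no viewer_certificate block at all: AWS uses the default certificate


def s3_denies_authenticated_users(attrs):
    """FAIL on the 'authenticated-read' canned ACL, or on an explicit grant to the
    AuthenticatedUsers group (legacy aws_s3_bucket grant, or aws_s3_bucket_acl
    access_control_policy.grant.grantee)."""
    if attrs.get("acl") == "authenticated-read":
        return False
    for policy in _as_list(attrs.get("access_control_policy")) + [attrs]:
        for grant in _as_list(policy.get("grant")):
            if grant.get("uri") == AUTHENTICATED_USERS_GROUP:
                return False
            for grantee in _as_list(grant.get("grantee")):
                if grantee.get("uri") == AUTHENTICATED_USERS_GROUP:
                    return False
    return True


def _is_all_traffic(cidr):
    """True for 0.0.0.0/0 or ::/0; anything narrower (or unparsable) is not."""
    if not cidr:
        return False
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def peering_route_is_scoped(attrs):
    """FAIL when a route targeting a VPC peering connection matches all traffic.
    Handles inline 'route' blocks on aws_route_table and standalone aws_route."""
    routes = _as_list(attrs.get("route")) or [attrs]
    for r in routes:
        if not r.get("vpc_peering_connection_id"):
            continue
        cidrs = (r.get("cidr_block"), r.get("ipv6_cidr_block"),
                 r.get("destination_cidr_block"), r.get("destination_ipv6_cidr_block"))
        if any(_is_all_traffic(c) for c in cidrs):
            return False
    return True


CHECKS = {
    CLOUDFRONT_CUSTOM_CERT: (("aws_cloudfront_distribution",), cloudfront_uses_custom_cert),
    S3_NO_AUTHENTICATED_USERS: (("aws_s3_bucket", "aws_s3_bucket_acl"), s3_denies_authenticated_users),
    PEERING_ROUTE_SCOPED: (("aws_route_table", "aws_route"), peering_route_is_scoped),
}


def run_checks(resources):
    """Return [(check_label, resource_address)] for every failing resource."""
    failures = []
    for rtype, name, attrs in resources:
        for label, (types, check) in CHECKS.items():
            if rtype in types and not check(attrs):
                failures.append((label, f"{rtype}.{name}"))
    return failures


# Constructed sample: one failing and one passing resource per policy.
SAMPLE_RESOURCES = [
    ("aws_cloudfront_distribution", "default_cert",
     {"viewer_certificate": {"cloudfront_default_certificate": True}}),
    ("aws_cloudfront_distribution", "custom_cert",
     {"viewer_certificate": {"acm_certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
                             "ssl_support_method": "sni-only"}}),
    ("aws_s3_bucket_acl", "auth_read", {"bucket": "example-bucket", "acl": "authenticated-read"}),
    ("aws_s3_bucket_acl", "private", {"bucket": "example-bucket", "acl": "private"}),
    ("aws_route_table", "open_peering",
     {"vpc_id": "vpc-EXAMPLE",
      "route": [{"cidr_block": "0.0.0.0/0", "vpc_peering_connection_id": "pcx-EXAMPLE"}]}),
    ("aws_route", "scoped_peering",
     {"destination_cidr_block": "10.1.0.0/16", "vpc_peering_connection_id": "pcx-EXAMPLE"}),
]

if __name__ == "__main__":
    for label, address in run_checks(SAMPLE_RESOURCES):
        print(f"FAILED {label}: {address}")
```

The route check normalises the CIDR with `ipaddress` rather than string-matching `0.0.0.0/0`, so `::/0` and oddly written equivalents are caught as well; the S3 check covers both the canned ACL and explicit grants, since either grants the AuthenticatedUsers group access.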

Contributor

@gruebel gruebel left a comment


🥇

@ssiddardha
Contributor Author

@nimrodkor Please approve this MR

CC: @gruebel

@rotemavni rotemavni merged commit 88003f5 into bridgecrewio:master Nov 24, 2022
@ssiddardha
Contributor Author

Thanks @gruebel @rotemavni

pull bot pushed a commit to asleekgeek/checkov that referenced this pull request Nov 24, 2022
…ing PC run time policies (bridgecrewio#3900)

* adding yaml based build time policies for corresponding PC run time policies

* adding yaml policies to test framework

* adding checkov id's

* Update checkov/terraform/checks/graph_checks/aws/S3NotAllowAccessToAllAuthenticatedUsers.yaml

Co-authored-by: Anton Grübel <[email protected]>

* Updated MR with suggested changes

* fix wrong test resource types

Co-authored-by: ssiddardha <[email protected]>
Co-authored-by: Anton Grübel <[email protected]>