From e289cc65ebec3be5625f4c6ea581469c4e206a6d Mon Sep 17 00:00:00 2001
From: Gaurav Gogia <16029099+gaurav-gogia@users.noreply.github.com>
Date: Wed, 19 Oct 2022 21:02:17 +0530
Subject: [PATCH] Update RDS Policies (#1424)
* fix cloudwatch log export policy
* add backup retention policy
---
 .../rego/aws/aws_db_instance/AC_AWS_0052.json | 17 +++++++++++++++++
 .../aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json | 10 ++++++----
 .../dbInstanceLoggingDisabled.rego | 16 ----------------
 .../aws/aws_db_instance/rdsBackupDisabled.rego | 9 +++++++++
 .../aws_db_instance/rdsLogExportDisabled.rego | 6 ++++++
 5 files changed, 38 insertions(+), 20 deletions(-)
 create mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
 delete mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego
 create mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego
 create mode 100644 pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json b/pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
new file mode 100644
index 000000000..8fa3ef3e5
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/AC_AWS_0052.json
@@ -0,0 +1,17 @@
+{
+ "name": "rdsBackupDisabled",
+ "file": "rdsBackupDisabled.rego",
+ "policy_type": "aws",
+ "resource_type": "aws_db_instance",
+ "template_args": {
+ "prefix": "",
+ "name": "rdsBackupDisabled",
+ "suffix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure automated backups are enabled for AWS RDS instances",
+ "reference_id": "AC_AWS_0052",
+ "category": "Data Protection",
+ "id": "AC_AWS_0052",
+ "version": 2
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json b/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json
index 6c1ffc92e..bcb419054 100644
--- a/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json 
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/AWS.ADI.LM.MEDIUM.0076.json
@@ -1,13 +1,15 @@
 {
- "name": "dbInstanceLoggingDisabled",
- "file": "dbInstanceLoggingDisabled.rego",
+ "name": "rdsLogExportDisabled",
+ "file": "rdsLogExportDisabled.rego",
 "policy_type": "aws",
 "resource_type": "aws_db_instance",
 "template_args": {
- "prefix": ""
+ "prefix": "",
+ "name": "rdsLogExportDisabled",
+ "suffix": ""
 },
 "severity": "MEDIUM",
- "description": "Ensure AWS RDS instances have logging enabled.",
+ "description": "Ensure CloudWatch logging is enabled for AWS DB instances",
 "reference_id": "AWS.ADI.LM.MEDIUM.0076",
 "category": "Logging and Monitoring",
 "id": "AC_AWS_0454",
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego b/pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego
deleted file mode 100644
index 43f35750c..000000000
--- a/pkg/policies/opa/rego/aws/aws_db_instance/dbInstanceLoggingDisabled.rego
+++ /dev/null
@@ -1,16 +0,0 @@
-package accurics
-
-{{.prefix}}dbInstanceLoggingDisabled[db_instance.id] {
- db_instance := input.aws_db_instance[_]
- object.get(db_instance.config, "enabled_cloudwatch_logs_exports", "undefined") == "undefined"
-}
-
-{{.prefix}}dbInstanceLoggingDisabled[db_instance.id] {
- db_instance := input.aws_db_instance[_]
- db_instance.config.enabled_cloudwatch_logs_exports == []
-}
-
-{{.prefix}}dbInstanceLoggingDisabled[db_instance.id] {
- db_instance := input.aws_db_instance[_]
- db_instance.config.enabled_cloudwatch_logs_exports == null
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego b/pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego
new file mode 100644
index 000000000..0c547d68b
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/rdsBackupDisabled.rego 
@@ -0,0 +1,9 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[retVal] {
+ backup := input.aws_db_instance[_]
+ object.get(backup.config, "backup_retention_period", "undefined") == ["undefined", null, 0, []][_]
+
+ traverse = "backup_retention_period"
+ retVal := { "Id": backup.id, "ReplaceType": "add", "CodeType": "attribute", "Traverse": traverse, "Attribute": "backup_retention_period", "AttributeDataType": "int", "Expected": 30, "Actual": null }
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego b/pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego
new file mode 100644
index 000000000..fa729c0b3
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_db_instance/rdsLogExportDisabled.rego
@@ -0,0 +1,6 @@
+package accurics
+
+{{.prefix}}{{.name}}{{.suffix}}[db_instance.id] {
+ db_instance := input.aws_db_instance[_]
+ object.get(db_instance.config, "enabled_cloudwatch_logs_exports", "undefined") == ["undefined", [], null][_]
+}
\ No newline at end of file
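Review bot: The `retVal` line hard-codes `"Actual": null`, but the rule body fires not only when `backup_retention_period` is absent but also when it is explicitly `null`, `0` or `[]`, so the remediation record misreports the configured value in the case a reviewer most wants to see (backups deliberately set to 0); `"Actual": object.get(backup.config, "backup_retention_period", null)` reports what was actually found. In that same explicit-0 case the attribute already exists in the resource, so `"ReplaceType": "add"` presumably should be an edit rather than an add, depending on whether the remediation engine treats "add" as an upsert — worth confirming. The sentinel list `["undefined", null, 0, []][_]` also deserves a one-line comment, e.g. `# missing, null, 0 days, or a malformed empty value all mean no automated backups; the fix proposes 30 days`. The file is written without a trailing newline (`\ No newline at end of file`).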
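Review bot: The rule is a pure presence check — any non-empty `enabled_cloudwatch_logs_exports` list satisfies it, so an instance exporting only a single log type passes even though the policy description says CloudWatch logging must be "enabled"; that is a reasonable scope for a MEDIUM finding, but it should be stated above the rule, e.g. `# Flags aws_db_instance with no CloudWatch log exports at all (attribute missing, null or []); it does not check which log types are exported.` The three deleted dbInstanceLoggingDisabled bodies had the same scope, so this is a consolidation rather than a regression. The file also ends without a trailing newline.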