-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add helm chart for S3 policies (#136)
These are sample S3 policies for terraform-config
- Loading branch information
Showing
8 changed files
with
173 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| apiVersion: v2 | ||
| name: best-practices-s3-tf-config | ||
| description: Best practices S3 terraform-config | ||
| type: application | ||
| version: 0.1.0 | ||
| appVersion: 0.1.0 | ||
| keywords: | ||
| - kubernetes | ||
| - nirmata | ||
| - kyverno | ||
| - policy | ||
| maintainers: | ||
| - name: Nirmata | ||
| url: https://nirmata.com/ |
30 changes: 30 additions & 0 deletions
30
charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| apiVersion: json.kyverno.io/v1alpha1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: disable-s3-access-control-list | ||
| annotations: | ||
| policies.kyverno.io/title: Disable S3 Access Control List | ||
| policies.kyverno.io/category: AWS S3 Security Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/description: >- | ||
| S3 Object Ownership is an Amazon S3 bucket-level setting that | ||
| you can use to control ownership of objects uploaded to your bucket | ||
| and to disable or enable ACLs. By default, Object Ownership is set to | ||
| the Bucket owner enforced setting and all ACLs are disabled. | ||
| When ACLs are disabled, the bucket owner owns all the objects in the bucket | ||
| and manages access to data exclusively using access management policies. | ||
| spec: | ||
| rules: | ||
| - name: disable-s3-access-control-list | ||
| match: | ||
| all: | ||
| - ($analyzer): | ||
| resource: | ||
| type: terraform-config | ||
| - (planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls' || type=='aws_s3_bucket'] | length(@) > `0`): true | ||
| assert: | ||
| all: | ||
| - message: Access Control List(ACL) should be disabled for an S3 Bucket | ||
| check: | ||
| ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls'].values.rule[]): | ||
| object_ownership: BucketOwnerEnforced |
30 changes: 30 additions & 0 deletions
30
charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| apiVersion: json.kyverno.io/v1alpha1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: s3-lifecycle-configuration | ||
| annotations: | ||
| policies.kyverno.io/title: s3-lifecycle-configuration | ||
| policies.kyverno.io/category: AWS S3 Security Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/description: >- | ||
| S3 Lifecycle manage your objects so that they are stored cost effectively | ||
| throughout their lifecycle. This policy ensures the lifecycle_configuration | ||
| is set when creating an S3 bucket. | ||
| spec: | ||
| rules: | ||
| - name: check-s3-lifecycle-configuration | ||
| match: | ||
| all: | ||
| - ($analyzer): | ||
| resource: | ||
| type: terraform-config | ||
| - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true | ||
| assert: | ||
| all: | ||
| - message: Use the `aws_s3_bucket_lifecycle_configuration` resource to enable lifecycle configuration. | ||
| check: | ||
| (planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration'] | length(@) > `0`): true | ||
| - message: S3 Bucket Lifecycle Configuration 'status' needs to be set to 'Enabled' | ||
| check: | ||
| ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']): | ||
| (values.rule[?status=='Enabled'] | length(@) > `0`): true |
29 changes: 29 additions & 0 deletions
29
charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| apiVersion: json.kyverno.io/v1alpha1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: enable-s3-server-access-logging | ||
| annotations: | ||
| policies.kyverno.io/title: enable-s3-server-access-logging | ||
| policies.kyverno.io/category: AWS S3 Security Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/description: >- | ||
| Server access logging provides detailed records for the | ||
| requests that are made to an Amazon S3 bucket. Server access | ||
| logs are useful for many applications. For example, access | ||
| log information can be useful in security and access audits. | ||
| This information can also help you learn about your customer | ||
| base and understand your Amazon S3 bill. | ||
| spec: | ||
| rules: | ||
| - name: enable-s3-server-access-logging | ||
| match: | ||
| all: | ||
| - ($analyzer): | ||
| resource: | ||
| type: terraform-config | ||
| - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true | ||
| assert: | ||
| all: | ||
| - message: Use the aws_s3_bucket_logging resource to enable server access logging | ||
| check: | ||
| (planned_values.root_module.resources[?type=='aws_s3_bucket_logging'] | length(@) > `0`): true |
33 changes: 33 additions & 0 deletions
33
charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| apiVersion: json.kyverno.io/v1alpha1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: enable-s3-cross-region-replication | ||
| annotations: | ||
| policies.kyverno.io/title: enable-s3-cross-region-replication | ||
| policies.kyverno.io/category: AWS S3 Security Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/description: >- | ||
| Replication enables automatic, asynchronous copying of objects | ||
| across Amazon S3 buckets. Buckets that are configured for object | ||
| replication can be owned by the same AWS account or by different | ||
| accounts. You can replicate objects to a single destination bucket | ||
| or to multiple destination buckets. The destination buckets can be | ||
| in different AWS Regions or within the same Region as the source bucket. | ||
| spec: | ||
| rules: | ||
| - name: check-s3-cross-region-replication | ||
| match: | ||
| all: | ||
| - ($analyzer): | ||
| resource: | ||
| type: terraform-config | ||
| - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true | ||
| assert: | ||
| all: | ||
| - message: Use the `aws_s3_bucket_replication_configuration` resource to set the status to Enabled | ||
| check: | ||
| (planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration'] | length(@) > `0`): true | ||
| - message: Set S3 Bucket Cross Region Replication status to 'Enabled' | ||
| check: | ||
| ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration']): | ||
| (values.rule[?status=='Enabled'] | length(@) > `0`): true |
33 changes: 33 additions & 0 deletions
33
charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| apiVersion: json.kyverno.io/v1alpha1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: enable-s3-versioning | ||
| annotations: | ||
| policies.kyverno.io/title: enable-s3-versioning | ||
| policies.kyverno.io/category: AWS S3 Security Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/description: >- | ||
| Versioning in Amazon S3 is a means of keeping multiple variants of an object | ||
| in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, | ||
| and restore every version of every object stored in your buckets. With versioning | ||
| you can recover more easily from both unintended user actions and application | ||
| failures. After versioning is enabled for a bucket, if Amazon S3 receives multiple | ||
| write requests for the same object simultaneously, it stores all of those objects. | ||
| spec: | ||
| rules: | ||
| - name: check-s3-versioning-setting | ||
| match: | ||
| all: | ||
| - ($analyzer): | ||
| resource: | ||
| type: terraform-config | ||
| - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true | ||
| assert: | ||
| all: | ||
| - message: Use the `aws_s3_bucket_versioning` resource to enable versioning. | ||
| check: | ||
| (planned_values.root_module.resources[?type=='aws_s3_bucket_versioning'] | length(@) > `0`): true | ||
| - message: S3 Bucket Versioning needs to be set to 'Enabled' | ||
| check: | ||
| ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_versioning']): | ||
| (values.versioning_configuration[?status=='Enabled'] | length(@) > `0`): true |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| {{ range $path, $_ := .Files.Glob "pols/**.yaml" }} | ||
| {{ $.Files.Get $path }} | ||
| --- | ||
| {{ end }} |
Empty file.