Add additional queries to 'Other Compliance Checks'

conformance_pack/autoscaling.sp

@@ -96,6 +96,16 @@ control "autoscaling_launch_config_hop_limit" {
   })
 }
 
+control "autoscaling_ec2_launch_configuration_no_sensitive_data" {
+  title       = "EC2 auto scaling group launch configurations user data should not have any sensitive data"
+  description = "Ensure that sensitive information is not included in the user data of the launch configuration. It is recommended to utilize Secrets Manager as an alternative for securely managing sensitive data."
+  query       = query.autoscaling_ec2_launch_configuration_no_sensitive_data
+
+  tags = merge(local.conformance_pack_autoscaling_common_tags, {
+    other_checks = "true"
+  })
+}
+
 query "autoscaling_launch_config_requires_imdsv2" {
   sql = <<-EOQ
     select
@@ -252,6 +262,29 @@ query "autoscaling_launch_config_hop_limit" {
   EOQ
 }
 
+query "autoscaling_ec2_launch_configuration_no_sensitive_data" {
+  sql = <<-EOQ
+    select
+      launch_configuration_arn as resource,
+      case
+        when
+          user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ])
+          or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when
+          user_data like any (array [ '%pass%', '%secret%', '%token%', '%key%' ])
+          or user_data ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]' then title || ' has potential secret patterns in user data.'
+        else title || ' does not contain secret patterns in user data.'
+      end as reason
+      ${local.common_dimensions_sql}
+    from
+      aws_ec2_launch_configuration;
+  EOQ
+}
+
+
 # Non-Config rule query
 
 query "autoscaling_group_uses_ec2_launch_template" {

conformance_pack/eks.sp

@@ -62,6 +62,16 @@ control "eks_cluster_with_latest_kubernetes_version" {
   })
 }
 
+control "eks_cluster_endpoint_public_access_restricted" {
+  title       = "EKS clusters endpoint public access should be restricted"
+  description = "EKS clusters endpoint with private access allows communication between your nodes and the API server stays within. This control is non-compliant if clusters endpoint public access is enabled as cluster API server is accessible from the internet."
+  query       = query.eks_cluster_endpoint_public_access_restricted
+
+  tags = merge(local.conformance_pack_eks_common_tags, {
+    other_checks = "true"
+  })
+}
+
 query "eks_cluster_secrets_encrypted" {
   sql = <<-EOQ
     with eks_secrets_encrypted as (
@@ -194,3 +204,24 @@ query "eks_cluster_with_latest_kubernetes_version" {
       aws_eks_cluster;
   EOQ
 }
+
+query "eks_cluster_endpoint_public_access_restricted" {
+  sql = <<-EOQ
+    select
+      arn as resource,
+      case
+        when resources_vpc_config ->> 'EndpointPrivateAccess' = 'true' and resources_vpc_config ->> 'EndpointPublicAccess' = 'false' then 'ok'
+        when resources_vpc_config ->> 'EndpointPublicAccess' = 'true' and resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when resources_vpc_config ->> 'EndpointPrivateAccess' = 'true' and resources_vpc_config ->> 'EndpointPublicAccess' = 'false' then title || ' endpoint access is private.'
+        when resources_vpc_config ->> 'EndpointPublicAccess' = 'true' and resources_vpc_config -> 'PublicAccessCidrs' @> '["0.0.0.0/0"]' then title || ' endpoint access is public.'
+        else title || ' endpoint public access is restricted.'
+      end as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      aws_eks_cluster;
+  EOQ
+}

conformance_pack/guardduty.sp

@@ -60,6 +60,16 @@ control "guardduty_no_high_severity_findings" {
   })
 }
 
+control "guardduty_centrally_configured" {
+  title       = "GuardDuty Detector should be centrally configured"
+  description = "Ensure that GuardDuty is centrally configured, if GuardDuty is not under central management, it becomes impossible to centrally manage GuardDuty findings, settings, and member accounts."
+  query       = query.guardduty_centrally_configured
+
+  tags = merge(local.conformance_pack_guardduty_common_tags, {
+    other_checks = "true"
+  })
+}
+
 query "guardduty_enabled" {
   sql = <<-EOQ
     select
@@ -135,3 +145,32 @@ query "guardduty_finding_archived" {
       aws_guardduty_finding;
   EOQ
 }
+
+query "guardduty_centrally_configured" {
+  sql = <<-EOQ
+    select
+      'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
+      case
+        when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then 'skip'
+        -- Skip any regions that are disabled in the account.
+        when r.opt_in_status = 'not-opted-in' then 'skip'
+        when status is null then 'info'
+        when status = 'DISABLED' then 'alarm'
+        when status = 'ENABLED' and master_account ->> 'AccountId' is not null then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when r.region = any(array['af-south-1', 'ap-northeast-3', 'ap-southeast-3', 'eu-south-1', 'cn-north-1', 'cn-northwest-1', 'me-south-1', 'us-gov-east-1']) then r.region || ' region not supported.'
+        when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
+        when status is null then 'No GuardDuty detector found in ' || r.region || '.'
+        when status = 'DISABLED' then r.region || ' detector ' || d.title || ' disabled.'
+        when status = 'ENABLED' and master_account ->> 'AccountId' is not null then r.region || ' detector ' || d.title || ' centrally configured.'
+        else r.region || ' detector ' || d.title || ' not centrally configured..'
+      end as reason
+    ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
+    from
+      aws_region as r
+      left join aws_guardduty_detector d on r.account_id = d.account_id and r.name = d.region;
+  EOQ
+}
+

conformance_pack/iam.sp

@@ -523,9 +523,9 @@ control "iam_policy_unused" {
 }
 
 control "iam_access_analyzer_enabled_without_findings" {
-  title         = "IAM Access analyzer should be enabled without findings"
-  description   = "This control checks whether the IAM Access analyzer is enabled without findings. If you grant permissions to an S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding."
-  query         = query.iam_access_analyzer_enabled_without_findings
+  title       = "IAM Access analyzer should be enabled without findings"
+  description = "This control checks whether the IAM Access analyzer is enabled without findings. If you grant permissions to an S3 bucket in one of your organization member accounts to a principal in another organization member account, IAM Access Analyzer does not generate a finding. But if you grant permission to a principal in an account that is not a member of the organization, IAM Access Analyzer generates a finding."
+  query       = query.iam_access_analyzer_enabled_without_findings
 
   tags = merge(local.conformance_pack_iam_common_tags, {
     other_checks = "true"
@@ -572,6 +572,36 @@ control "iam_policy_no_full_access_to_kms" {
   })
 }
 
+control "iam_role_cross_account_readonlyaccess_policy" {
+  title       = "IAM roles should not have read only access for external AWS accounts"
+  description = "Ensure IAM Roles do not have ReadOnlyAccess access for external AWS account. The AWS-managed ReadOnlyAccess policy carries a high risk of potential data leakage, posing a significant threat to customer security and privacy."
+  query       = query.iam_role_cross_account_readonlyaccess_policy
+
+  tags = merge(local.conformance_pack_iam_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "iam_securityaudit_role" {
+  title       = "IAM Security Audit role should be created to conduct security audits"
+  description = "Ensure IAM Security Audit role is created. By creating an IAM role with a security audit policy, a distinct segregation of responsibilities is established between the security team and other teams within the organization."
+  query       = query.iam_securityaudit_role
+
+  tags = merge(local.conformance_pack_iam_common_tags, {
+    other_checks = "true"
+  })
+}
+
+control "iam_policy_custom_no_permissive_role_assumption" {
+  title       = "IAM custom policy should not have overly permissive STS role assumption"
+  description = "Ensure that no custom IAM policies exist which allow permissive role assumption."
+  query       = query.iam_policy_custom_no_permissive_role_assumption
+
+  tags = merge(local.conformance_pack_iam_common_tags, {
+    other_checks = "true"
+  })
+}
+
 query "iam_account_password_policy_strong_min_reuse_24" {
   sql = <<-EOQ
     select
@@ -1919,3 +1949,125 @@ query "iam_role_unused_60" {
       aws_iam_role;
   EOQ
 }
+
+query "iam_role_cross_account_readonlyaccess_policy" {
+  sql = <<-EOQ
+    with read_only_access_roles as (
+      select
+        *
+      from
+        aws_iam_role,
+        jsonb_array_elements_text(attached_policy_arns) as a
+      where
+        a = 'arn:aws:iam::aws:policy/ReadOnlyAccess'
+    ), read_only_access_roles_with_cross_account_access as (
+      select
+        arn
+      from
+        read_only_access_roles,
+        jsonb_array_elements(assume_role_policy_std -> 'Statement') as stmt,
+        jsonb_array_elements_text( stmt -> 'Principal' -> 'AWS' ) as p
+      where
+        stmt ->> 'Effect' = 'Allow'
+        and (
+          p = '*'
+          or not (p like '%' || account_id || '%')
+        )
+    )
+    select
+      r.arn as resource,
+      case
+        when ar.arn is null then 'skip'
+        when c.arn is not null then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when ar.arn is null then r.title || ' not associated with ReadOnlyAccess policy.'
+        when c.arn is not null then r.title || ' associated with ReadOnlyAccess cross account access.'
+        else r.title || ' associated ReadOnlyAccess without cross account access.'
+      end as reason
+      ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "r.")}
+    from
+      aws_iam_role as r
+      left join read_only_access_roles as ar on r.arn = ar.arn
+      left join read_only_access_roles_with_cross_account_access as c on c.arn = r.arn;
+  EOQ
+}
+
+query "iam_securityaudit_role" {
+  sql = <<-EOQ
+    with securityaudit_role_count as(
+      select
+        'arn:' || a.partition || ':::' || a.account_id as resource,
+        count(policy_arn),
+        a.account_id,
+        a._ctx
+      from
+        aws_account as a
+        left join aws_iam_role as r on r.account_id = a.account_id
+        left join jsonb_array_elements_text(attached_policy_arns) as policy_arn on true
+      where
+        policy_arn = 'arn:aws:iam::aws:policy/SecurityAudit'
+      group by
+        a.account_id,
+        a.partition,
+        a._ctx
+    )
+    select
+      resource,
+      case
+        when count > 0 then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when count = 1 then 'SecurityAudit policy attached to 1 role.'
+        when count > 1 then 'SecurityAudit policy attached to ' || count || ' roles.'
+        else 'SecurityAudit policy not attached to any role.'
+      end as reason
+      ${local.common_dimensions_global_sql}
+    from
+      securityaudit_role_count;
+  EOQ
+}
+
+query "iam_policy_custom_no_permissive_role_assumption" {
+  sql = <<-EOQ
+    with bad_policies as (
+      select
+        arn,
+        count(*) as num
+      from
+        aws_iam_policy,
+        jsonb_array_elements(policy_std -> 'Statement') as s,
+        jsonb_array_elements_text(s -> 'Resource') as resource,
+        jsonb_array_elements_text(s -> 'Action') as action
+      where
+        not is_aws_managed
+        and s ->> 'Effect' = 'Allow'
+        and resource = '*'
+        and (
+          ( action = '*'
+            or action = 'sts:*'
+            or action = 'sts:AssumeRole'
+          )
+        )
+      group by
+        arn
+    )
+    select
+      p.arn as resource,
+      case
+        when b.arn is not null then 'alarm'
+        else 'ok'
+      end as status,
+      p.name || ' contains ' || coalesce(b.num, 0) ||
+          ' statements that allow overly permissive STS role assumption.' as reason
+      ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "p.")}
+      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "p.")}
+    from
+      aws_iam_policy as p
+      left join bad_policies as b on p.arn = b.arn
+      where
+        not is_aws_managed;
+  EOQ
+}