Release/v1.7.0

README.md

@@ -13,7 +13,7 @@
 
 ## Abstract
 These jobs represent open-sourced remediation jobs to be used in conjunction with the
-[SecureState remediation worker for python](https://hub.docker.com/r/vmware/vss-remediation-worker). In order
+[Secure State remediation worker for python](https://hub.docker.com/r/vmware/vss-remediation-worker). In order
 to make use of this code, you must utilize the worker and have a Secure State worker group properly set up.
 
 ## Quick Start Guide
@@ -101,33 +101,39 @@ The table below lists all the supported jobs with their links.
 | 18.    | e25a319c-0ca7-4e6a-b4b9-19beba480b3b | PostgreSQL server should have Enforce SSL connection enabled                            | [azure-postgresql-enforce-ssl-connection-enable](remediation_worker/jobs/azure_postgresql_enforce_ssl_connection_enable)                                                       |
 | 19.    | 5c8c26977a550e1fb6560cd6             | SQL server should have Advanced Threat Protection types set to all                      | [azure-sql-threat-detection-types-all-server](remediation_worker/jobs/azure_sql_threat_detection_types_all_server)                                                             |
 | 20.    | 7ba94354-ab4c-11ea-bb37-0242ac130002 | Storage account is not configured to have access from trusted Microsoft services        | [azure-storage-trusted-microsoft-services-access-enabled](remediation_worker/jobs/azure_storage_trusted_microsoft_services_access_enabled)                                     |
+| 21.    | 7406e56f-bbf0-4571-8e50-21bd344e0fdb | SQL server should have TDE protector encrypted with customer-managed key                | [azure-sql-tde-protector-encrypted-cmk](remediation_worker/jobs/azure_sql_tde_protector_encrypted_cmk)                                                                         |
+| 22.    | 9b7b5a71-5eaa-4418-a6b0-17f796e8ebaa | PostgreSQL server access from Azure services should be disabled                         | [azure-postgresql-allow-access-to-azure-service-disabled](remediation_worker/jobs/azure_postgresql_allow_access_to_azure_service_disabled)                                     |
+| 23.    | 4e27676b-7e87-4e2e-b756-28c96ed4fdf8 | Network security group should restrict public access to UDP ports                       | [azure-security-udp-access-restricted-from-internet](remediation_worker/jobs/azure_security_udp_access_restricted_from_internet)                                               |
 
 
 **AWS Remediation Jobs**
 
 
-| Sr.No. 	|                Rule Id               	|                                    Rule Name                                   	|                                    Remediation Job Link                                    	|
-|--------	|:------------------------------------:	|:------------------------------------------------------------------------------:	|:------------------------------------------------------------------------------------------:	|
-| 1.     	|       5c8c26417a550e1fb6560c3f       	|           EC2 instance should restrict public access to SSH port (22)          	|               [ec2-close-port-22](remediation_worker/jobs/ec2_close_port_22)               	|
-| 2.     	|       5c8c26437a550e1fb6560c42       	| EC2 security group should restrict public access to Remote Desktop port (3389) 	|             [ec2-close-port-3389](remediation_worker/jobs/ec2_close_port_3389)             	|
-| 3.     	| 657c46b7-1cd0-4cce-80bb-9d195f49c987 	|                Elastic Load Balancer access logs are not enabled               	|          [elb-enable-access-logs](remediation_worker/jobs/elb_enable_access_logs)          	|
-| 4.     	|       5c8c264a7a550e1fb6560c4d       	|              The RDS backup retention period is less than 30 days              	|    [rds-backup-retention-30-days](remediation_worker/jobs/rds_backup_retention_30_days)    	|
-| 5.     	|       5c8c265e7a550e1fb6560c67       	|                       S3 access logging should be enabled                      	|        [s3-enable-access-logging](remediation_worker/jobs/s3_enable_access_logging)        	|
-| 6.     	| 1d187035-9fff-48b2-a7c3-ffc56a4da5e6 	|                 S3 bucket default encryption should be enabled                 	|    [s3-enable-default-encryption](remediation_worker/jobs/s3_enable_default_encryption)    	|
-| 7.     	|       5c8c26507a550e1fb6560c57       	|                  S3 bucket should restrict full public access                  	|         [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 8.     	|       5c8c26517a550e1fb6560c59       	|                  S3 bucket should restrict public read access                  	|         [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 9.     	|       5c8c26537a550e1fb6560c5a       	|                S3 bucket should restrict public read ACL access                	|         [s3_remove_public_access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 10.    	|       5c8c26537a550e1fb6560c5b       	|                  S3 bucket should restrict public write access                 	|         [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 11.    	|       5c8c26547a550e1fb6560c5c       	|                S3 bucket should restrict public write ACL access               	|         [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 12.    	|       5c8c26637a550e1fb6560c6b       	|               S3 bucket policy should restrict public get access               	|         [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 13.    	|       5c8c26617a550e1fb6560c69       	|               S3 bucket policy should restrict full public access              	|         [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)         	|
-| 14.    	|       5c8c25ec7a550e1fb6560bbe       	|        EC2 security group should restrict public access to SSH port (22)       	|    [security-group-close-port-22](remediation_worker/jobs/security_group_close_port_22)    	|
-| 15.    	|       5c8c25ef7a550e1fb6560bc4       	|    EC2 instance should restrict public access to Remote Desktop port (3389)    	|  [security-group-close-port-3389](remediation_worker/jobs/security_group_close_port_3389)  	|
-| 16.    	|       5c8c25f07a550e1fb6560bc6       	|   EC2 instance should restrict public access to PostgreSQL server port (5432)  	|  [security-group-close-port-5432](remediation_worker/jobs/security_group_close_port_5432)  	|
-| 17.    	|       5c8c25e47a550e1fb6560bac       	|                       CloudTrail logs should be encrypted                      	|   [aws-cloudtrail-logs-encrypted](remediation_worker/jobs/aws_cloudtrail_logs_encrypted)   	|
-| 18.    	|       5c8c26217a550e1fb6560c12       	|                    KMS automated key rotation is not enabled                   	|             [aws-kms-key-rotates](remediation_worker/jobs/aws_kms_key_rotates)             	|
-| 19.    	|       5c8c265c7a550e1fb6560c63       	|            CloudTrail S3 buckets should have access logging enabled            	|        [s3-enable-access-logging](remediation_worker/jobs/s3_enable_access_logging)        	|
-| 20.    	|       5c8c265d7a550e1fb6560c65       	|         CloudTrail S3 buckets should restrict access to required users         	| [aws-s3-cloudtrail-public-access](remediation_worker/jobs/aws_s3_cloudtrail_public_access) 	|
+| Sr.No. 	|                Rule Id               	|                                     Rule Name                                     	|                                                 Remediation Job Link                                                 	|
+|:------:	|:------------------------------------:	|:---------------------------------------------------------------------------------:	|:--------------------------------------------------------------------------------------------------------------------:	|
+|   1.   	|       5c8c26417a550e1fb6560c3f       	|            EC2 instance should restrict public access to SSH port (22)            	|                            [ec2-close-port-22](remediation_worker/jobs/ec2_close_port_22)                            	|
+|   2.   	|       5c8c26437a550e1fb6560c42       	|   EC2 security group should restrict public access to Remote Desktop port (3389)  	|                          [ec2-close-port-3389](remediation_worker/jobs/ec2_close_port_3389)                          	|
+|   3.   	| 657c46b7-1cd0-4cce-80bb-9d195f49c987 	|                 Elastic Load Balancer access logs are not enabled                 	|                       [elb-enable-access-logs](remediation_worker/jobs/elb_enable_access_logs)                       	|
+|   4.   	|       5c8c264a7a550e1fb6560c4d       	|                The RDS backup retention period is less than 30 days               	|                 [rds-backup-retention-30-days](remediation_worker/jobs/rds_backup_retention_30_days)                 	|
+|   5.   	|       5c8c265e7a550e1fb6560c67       	|                        S3 access logging should be enabled                        	|                     [s3-enable-access-logging](remediation_worker/jobs/s3_enable_access_logging)                     	|
+|   6.   	| 1d187035-9fff-48b2-a7c3-ffc56a4da5e6 	|                   S3 bucket default encryption should be enabled                  	|                 [s3-enable-default-encryption](remediation_worker/jobs/s3_enable_default_encryption)                 	|
+|   7.   	|       5c8c26507a550e1fb6560c57       	|                    S3 bucket should restrict full public access                   	|                      [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   8.   	|       5c8c26517a550e1fb6560c59       	|                    S3 bucket should restrict public read access                   	|                      [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   9.   	|       5c8c26537a550e1fb6560c5a       	|                  S3 bucket should restrict public read ACL access                 	|                      [s3_remove_public_access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   10.  	|       5c8c26537a550e1fb6560c5b       	|                   S3 bucket should restrict public write access                   	|                      [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   11.  	|       5c8c26547a550e1fb6560c5c       	|                 S3 bucket should restrict public write ACL access                 	|                      [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   12.  	|       5c8c26637a550e1fb6560c6b       	|                 S3 bucket policy should restrict public get access                	|                      [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   13.  	|       5c8c26617a550e1fb6560c69       	|                S3 bucket policy should restrict full public access                	|                      [s3-remove-public-access](remediation_worker/jobs/s3_remove_public_access)                      	|
+|   14.  	|       5c8c25ec7a550e1fb6560bbe       	|         EC2 security group should restrict public access to SSH port (22)         	|                 [security-group-close-port-22](remediation_worker/jobs/security_group_close_port_22)                 	|
+|   15.  	|       5c8c25ef7a550e1fb6560bc4       	|      EC2 instance should restrict public access to Remote Desktop port (3389)     	|               [security-group-close-port-3389](remediation_worker/jobs/security_group_close_port_3389)               	|
+|   16.  	|       5c8c25f07a550e1fb6560bc6       	|    EC2 instance should restrict public access to PostgreSQL server port (5432)    	|               [security-group-close-port-5432](remediation_worker/jobs/security_group_close_port_5432)               	|
+|   17.  	|       5c8c25e47a550e1fb6560bac       	|                        CloudTrail logs should be encrypted                        	|                [aws-cloudtrail-logs-encrypted](remediation_worker/jobs/aws_cloudtrail_logs_encrypted)                	|
+|   18.  	|       5c8c26217a550e1fb6560c12       	|                     KMS automated key rotation is not enabled                     	|                          [aws-kms-key-rotates](remediation_worker/jobs/aws_kms_key_rotates)                          	|
+|   19.  	|       5c8c265c7a550e1fb6560c63       	|              CloudTrail S3 buckets should have access logging enabled             	|                     [s3-enable-access-logging](remediation_worker/jobs/s3_enable_access_logging)                     	|
+|   20.  	|       5c8c265d7a550e1fb6560c65       	|           CloudTrail S3 buckets should restrict access to required users          	|              [aws-s3-cloudtrail-public-access](remediation_worker/jobs/aws_s3_cloudtrail_public_access)              	|
+|   21.  	| 688d093c-3b8d-11eb-adc1-0242ac120002 	|                     S3 bucket should allow only HTTPS requests                    	|             [aws-s3-bucket-policy-allow-https](remediation_worker/jobs/aws_s3_bucket_policy_allow_https)             	|
+|   22.  	| 09639b9d-98e8-493b-b8a4-916775a7dea9 	|            SQS queue policy should restricted access to required users            	|            [aws-sqs-queue-publicly-accessible](remediation_worker/jobs/aws_sqs_queue_publicly_accessible)            	|
+|   23.  	| 1ec4a1f2-3e08-11eb-b378-0242ac130002 	| Network ACL should restrict administration ports (3389 and 22) from public access 	| [aws-ec2-administration-ports-ingress-allowed](remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed) 	|
 
 ## Contributing
 The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).

remediation_worker/jobs/aws_ec2_administration_ports_ingress_allowed/README.md

@@ -0,0 +1,68 @@
+# Remove Network ACL Rules that allows public access to administration ports (3389 and 22)
+
+This job removes Network ACL Rules that allows public access to administration ports (3389 and 22).
+
+### Applicable Rule
+
+##### Rule ID:
+1ec4a1f2-3e08-11eb-b378-0242ac130002
+
+##### Rule Name:
+Network ACL should restrict administration ports (3389 and 22) from public access
+
+## Getting Started
+
+### Prerequisites
+
+The provided AWS credential must have access to `ec2:DeleteNetworkAcl`, `ec2:DescribeNetworkAcls` and `ec2:ReplaceNetworkAclEntry`.
+
+You may find the latest example policy file [here](minimum_policy.json)
+
+### Running the script
+
+You may run this script using following commands:
+```shell script
+  pip install -r ../../requirements.txt
+  python3 aws_ec2_administration_ports_ingress_allowed.py
+```
+
+## Running the tests
+You may run test using following command under vss-remediation-worker-job-code-python directory:
+```shell script
+    python3 -m pytest test
+```
+
+## Deployment
+1. Provision a Virtual Machine
+Create an EC2 instance to use for the worker. The minimum required specifications are 128 MB memory and 1/2 Core CPU.
+2. Setup Docker
+Install Docker on the newly provisioned EC2 instance. You can refer to the [docs here](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/docker-basics.html) for more information.
+3. Deploy the worker image
+SSH into the EC2 instance and run the command below to deploy the worker image:
+```shell script
+  docker run --rm -it --name worker \
+  -e VSS_CLIENT_ID={ENTER CLIENT ID}
+  -e VSS_CLIENT_SECRET={ENTER CLIENT SECRET} \
+  vmware/vss-remediation-worker:latest-python
+```
+
+
+## Contributing
+The Secure State team welcomes welcomes contributions from the community. If you wish to contribute code and you have not signed our contributor license agreement (CLA), our bot will update the issue when you open a Pull Request. For any questions about the CLA process, please refer to our [FAQ](https://cla.vmware.com/faq).
+All contributions to this repository must be signed as described on that page. Your signature certifies that you wrote the patch or have the right to pass it on as an open-source patch.
+
+For more detailed information, refer to [CONTRIBUTING.md](../../../CONTRIBUTING.md).
+
+## Versioning
+
+We use [SemVer](http://semver.org/) for versioning. For the versions available, see the [tags on this repository](https://github.com/vmware-samples/secure-state-remediation-jobs/tags).
+
+## Authors
+
+* **VMware Secure State** - *Initial work*
+
+See also the list of [contributors](https://github.com/vmware-samples/secure-state-remediation-jobs/contributors) who participated in this project.
+
+## License
+
+This project is licensed under the Apache License - see the [LICENSE](https://github.com/vmware-samples/secure-state-remediation-jobs/blob/master/LICENSE.txt) file for details