Merge pull request #4 from epam/new_rules_from_sprint

new_rules_from_sprint

iam/All-permissions.json

@@ -199,10 +199,13 @@
                 "sqs:ListQueues",
                 "ssm:DescribeInstanceInformation",
                 "ssm:ListResourceComplianceSummaries",
+                "states:DescribeStateMachine",
+                "states:ListStateMachine",
                 "tag:GetResources",
                 "tagging:GetResources",
                 "waf-regional:ListResourcesForWebACL",
                 "waf-regional:ListWebACLs",
+                "waf-regional:GetWebACL",
                 "waf:GetWebACL",
                 "waf:ListWebACLs",
                 "workspaces:DescribeWorkspaceDirectories",

policies/ecc-aws-272-eliminate_use_root_user_for_administrative_and_daily_tasks.yml

@@ -12,18 +12,13 @@ policies:
       Root user is used for administrative and daily tasks
     filters:
       - or:
-          - and:
-              - type: credential
-                key: access_keys.active
-                value: true
-              - type: credential
-                key: access_keys.last_used_date
-                value: present
-
-          - and:
-              - type: credential
-                key: password_enabled
-                value: true
-              - type: credential
-                key: password_last_used
-                value: present
+        - type: credential
+          key: password_last_used
+          op: less-than
+          value_type: age
+          value: 90
+        - type: credential
+          key: access_keys.last_used_date
+          op: less-than
+          value_type: age
+          value: 90

policies/ecc-aws-914-waf_regional_webacl_not_empty.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-914-waf_regional_webacl_not_empty
+    description: |
+      A WAF Classic Regional web ACL does not have at least one rule or rule group
+    resource: aws.waf-regional
+    filters:
+      - type: value
+        key: Rules
+        value: empty

policies/ecc-aws-964-glue_job_autoscaling_enabled.yml

@@ -0,0 +1,20 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-964-glue_job_autoscaling_enabled
+    description: |
+      Amazon Glue Job with disabled autoscaling
+    resource: aws.glue-job
+    filters:
+      - or:
+        - type: value
+          key: DefaultArguments."--enable-auto-scaling"
+          value: absent
+        - type: value
+          key: DefaultArguments."--enable-auto-scaling"
+          value: "false" 

policies/ecc-aws-968-cloudtrail_delivery_failing.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-968-cloudtrail_delivery_failing
+    description: |
+      CloudTrail logs delivery failing
+    resource: aws.cloudtrail
+    filters:
+      - type: status
+        key: LatestDeliveryError
+        value: present

policies/ecc-aws-969-step_function_state_machine_logging_enabled.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-969-step_function_state_machine_logging_enabled
+    description: |
+      AWS Step Function State Machine logging is disabled
+    resource: aws.step-machine
+    filters:
+      - type: value
+        key: loggingConfiguration.level
+        value: 'OFF'

terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-914-waf_regional_webacl_not_empty"
+      ComplianceStatus = "Green"
+    }
+  }
+}

terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/waf.tf

@@ -0,0 +1,81 @@
+resource "aws_wafregional_ipset" "this" {
+  name = "914_ipset_green"
+
+  ip_set_descriptor {
+    type  = "IPV4"
+    value = "1.1.1.0/24"
+  }
+}
+
+resource "aws_wafregional_rule" "this" {
+  name        = "914_waf_rule_green"
+  metric_name = "914WafRuleMetricGreen"
+
+  predicate {
+    data_id = aws_wafregional_ipset.this.id
+    negated = false
+    type    = "IPMatch"
+  }
+  depends_on = [aws_wafregional_ipset.this]
+}
+
+resource "aws_wafregional_rule_group" "this" {
+  name        = "914_waf_rule_group_green"
+  metric_name = "914WafRuleGroupMetricGreen"
+
+  activated_rule {
+    action {
+      type = "ALLOW"
+    }
+
+    priority = 1
+    rule_id  = aws_wafregional_rule.this.id
+  }
+}
+
+resource "aws_wafregional_web_acl" "this" {
+  name        = "914_webacl_green"
+  metric_name = "914WebaclMetricGreen"
+
+  default_action {
+    type = "ALLOW"
+  }
+
+  rule {
+    override_action {
+      type = "NONE"
+    }
+    priority = 1
+    rule_id  = aws_wafregional_rule_group.this.id
+    type     = "GROUP"
+  }
+
+  depends_on = [
+    aws_wafregional_ipset.this,
+    aws_wafregional_rule_group.this,
+  ]
+}
+
+resource "aws_wafregional_web_acl" "this2" {
+  name        = "914_webacl_green2"
+  metric_name = "914WebaclMetricGreen2"
+
+  default_action {
+    type = "ALLOW"
+  }
+
+  rule {
+    action {
+      type = "ALLOW"
+    }
+
+    priority = 1
+    rule_id  = aws_wafregional_rule.this.id
+    type     = "REGULAR"
+  }
+
+  depends_on = [
+    aws_wafregional_ipset.this,
+    aws_wafregional_rule.this,
+  ]
+}

terraform/ecc-aws-914-waf_regional_webacl_not_empty/iam/914-policy.json

@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "waf-regional:ListWebACLs",
+                "waf-regional:GetWebACL",
+                "tag:GetResources"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-914-waf_regional_webacl_not_empty"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/waf.tf

@@ -0,0 +1,8 @@
+resource "aws_wafregional_web_acl" "this" {
+  name        = "914_webacl_red"
+  metric_name = "914WebaclMetricRed"
+
+  default_action {
+    type = "ALLOW"
+  }
+}

terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/glue.tf

@@ -0,0 +1,11 @@
+resource "aws_glue_job" "this" {
+  name         = "964_glue_job_green"
+  role_arn     = aws_iam_role.this.arn
+  glue_version = "4.0"
+  default_arguments = {
+        "--enable-auto-scaling" = "true"
+  }
+  command {
+    script_location = "s3://${aws_s3_bucket.this.bucket}/script"
+  }
+}

terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/iam.tf

@@ -0,0 +1,40 @@
+resource "aws_iam_role" "this" {
+  name = "964_role_green"
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "glue.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "this" {
+  name = "964_policy_green"
+  role = "${aws_iam_role.this.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:*"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}
+EOF
+}

terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-964-glue_job_autoscaling_enabled"
+      ComplianceStatus = "Green"
+    }
+  }
+}

terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf

@@ -0,0 +1,21 @@
+resource "aws_s3_object" "this" {
+  bucket = aws_s3_bucket.this.id
+  key    = "script"
+  acl    = "private"
+  source = "script.py"
+  etag = filemd5("script.py")
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = "bucket-964-green"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_public_access_block" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}