-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #4 from epam/new_rules_from_sprint
new_rules_from_sprint
- Loading branch information
Showing
94 changed files
with
1,774 additions
and
45 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Copyright (c) 2023 EPAM Systems, Inc. | ||
# | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
|
||
policies: | ||
- name: ecc-aws-914-waf_regional_webacl_not_empty | ||
description: | | ||
A WAF Classic Regional web ACL does not have at least one rule or rule group | ||
resource: aws.waf-regional | ||
filters: | ||
- type: value | ||
key: Rules | ||
value: empty |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Copyright (c) 2023 EPAM Systems, Inc. | ||
# | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
|
||
policies: | ||
- name: ecc-aws-964-glue_job_autoscaling_enabled | ||
description: | | ||
Amazon Glue Job with disabled autoscaling | ||
resource: aws.glue-job | ||
filters: | ||
- or: | ||
- type: value | ||
key: DefaultArguments."--enable-auto-scaling" | ||
value: absent | ||
- type: value | ||
key: DefaultArguments."--enable-auto-scaling" | ||
value: "false" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Copyright (c) 2023 EPAM Systems, Inc. | ||
# | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
|
||
policies: | ||
- name: ecc-aws-968-cloudtrail_delivery_failing | ||
description: | | ||
CloudTrail logs delivery failing | ||
resource: aws.cloudtrail | ||
filters: | ||
- type: status | ||
key: LatestDeliveryError | ||
value: present |
16 changes: 16 additions & 0 deletions
16
policies/ecc-aws-969-step_function_state_machine_logging_enabled.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Copyright (c) 2023 EPAM Systems, Inc. | ||
# | ||
# This Source Code Form is subject to the terms of the Mozilla Public | ||
# License, v. 2.0. If a copy of the MPL was not distributed with this | ||
# file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
|
||
|
||
policies: | ||
- name: ecc-aws-969-step_function_state_machine_logging_enabled | ||
description: | | ||
AWS Step Function State Machine logging is disabled | ||
resource: aws.step-machine | ||
filters: | ||
- type: value | ||
key: loggingConfiguration.level | ||
value: 'OFF' |
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 4" | ||
} | ||
} | ||
} | ||
|
||
provider "aws" { | ||
profile = var.profile | ||
region = var.default-region | ||
|
||
default_tags { | ||
tags = { | ||
CustodianRule = "ecc-aws-914-waf_regional_webacl_not_empty" | ||
ComplianceStatus = "Green" | ||
} | ||
} | ||
} |
2 changes: 2 additions & 0 deletions
2
terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
profile = "c7n" | ||
default-region = "us-east-1" |
9 changes: 9 additions & 0 deletions
9
terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
variable "default-region" { | ||
type = string | ||
description = "Default region for resources will be created" | ||
} | ||
|
||
variable "profile" { | ||
type = string | ||
description = "Profile name configured before running apply" | ||
} |
81 changes: 81 additions & 0 deletions
81
terraform/ecc-aws-914-waf_regional_webacl_not_empty/green/waf.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
resource "aws_wafregional_ipset" "this" { | ||
name = "914_ipset_green" | ||
|
||
ip_set_descriptor { | ||
type = "IPV4" | ||
value = "1.1.1.0/24" | ||
} | ||
} | ||
|
||
resource "aws_wafregional_rule" "this" { | ||
name = "914_waf_rule_green" | ||
metric_name = "914WafRuleMetricGreen" | ||
|
||
predicate { | ||
data_id = aws_wafregional_ipset.this.id | ||
negated = false | ||
type = "IPMatch" | ||
} | ||
depends_on = [aws_wafregional_ipset.this] | ||
} | ||
|
||
resource "aws_wafregional_rule_group" "this" { | ||
name = "914_waf_rule_group_green" | ||
metric_name = "914WafRuleGroupMetricGreen" | ||
|
||
activated_rule { | ||
action { | ||
type = "ALLOW" | ||
} | ||
|
||
priority = 1 | ||
rule_id = aws_wafregional_rule.this.id | ||
} | ||
} | ||
|
||
resource "aws_wafregional_web_acl" "this" { | ||
name = "914_webacl_green" | ||
metric_name = "914WebaclMetricGreen" | ||
|
||
default_action { | ||
type = "ALLOW" | ||
} | ||
|
||
rule { | ||
override_action { | ||
type = "NONE" | ||
} | ||
priority = 1 | ||
rule_id = aws_wafregional_rule_group.this.id | ||
type = "GROUP" | ||
} | ||
|
||
depends_on = [ | ||
aws_wafregional_ipset.this, | ||
aws_wafregional_rule_group.this, | ||
] | ||
} | ||
|
||
resource "aws_wafregional_web_acl" "this2" { | ||
name = "914_webacl_green2" | ||
metric_name = "914WebaclMetricGreen2" | ||
|
||
default_action { | ||
type = "ALLOW" | ||
} | ||
|
||
rule { | ||
action { | ||
type = "ALLOW" | ||
} | ||
|
||
priority = 1 | ||
rule_id = aws_wafregional_rule.this.id | ||
type = "REGULAR" | ||
} | ||
|
||
depends_on = [ | ||
aws_wafregional_ipset.this, | ||
aws_wafregional_rule.this, | ||
] | ||
} |
15 changes: 15 additions & 0 deletions
15
terraform/ecc-aws-914-waf_regional_webacl_not_empty/iam/914-policy.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "VisualEditor0", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"waf-regional:ListWebACLs", | ||
"waf-regional:GetWebACL", | ||
"tag:GetResources" | ||
], | ||
"Resource": "*" | ||
} | ||
] | ||
} |
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 4" | ||
} | ||
} | ||
} | ||
|
||
provider "aws" { | ||
profile = var.profile | ||
region = var.default-region | ||
|
||
default_tags { | ||
tags = { | ||
CustodianRule = "ecc-aws-914-waf_regional_webacl_not_empty" | ||
ComplianceStatus = "Red" | ||
} | ||
} | ||
} |
2 changes: 2 additions & 0 deletions
2
terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/terraform.tfvars
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
profile = "c7n" | ||
default-region = "us-east-1" |
9 changes: 9 additions & 0 deletions
9
terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/variables.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
variable "default-region" { | ||
type = string | ||
description = "Default region for resources will be created" | ||
} | ||
|
||
variable "profile" { | ||
type = string | ||
description = "Profile name configured before running apply" | ||
} |
8 changes: 8 additions & 0 deletions
8
terraform/ecc-aws-914-waf_regional_webacl_not_empty/red/waf.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
resource "aws_wafregional_web_acl" "this" { | ||
name = "914_webacl_red" | ||
metric_name = "914WebaclMetricRed" | ||
|
||
default_action { | ||
type = "ALLOW" | ||
} | ||
} |
11 changes: 11 additions & 0 deletions
11
terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/glue.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
resource "aws_glue_job" "this" { | ||
name = "964_glue_job_green" | ||
role_arn = aws_iam_role.this.arn | ||
glue_version = "4.0" | ||
default_arguments = { | ||
"--enable-auto-scaling" = "true" | ||
} | ||
command { | ||
script_location = "s3://${aws_s3_bucket.this.bucket}/script" | ||
} | ||
} |
40 changes: 40 additions & 0 deletions
40
terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/iam.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
resource "aws_iam_role" "this" { | ||
name = "964_role_green" | ||
assume_role_policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Action": "sts:AssumeRole", | ||
"Principal": { | ||
"Service": "glue.amazonaws.com" | ||
}, | ||
"Effect": "Allow", | ||
"Sid": "" | ||
} | ||
] | ||
} | ||
EOF | ||
} | ||
|
||
resource "aws_iam_role_policy" "this" { | ||
name = "964_policy_green" | ||
role = "${aws_iam_role.this.id}" | ||
|
||
policy = <<EOF | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:*" | ||
], | ||
"Resource": [ | ||
"*" | ||
] | ||
} | ||
] | ||
} | ||
EOF | ||
} |
20 changes: 20 additions & 0 deletions
20
terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/provider.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
terraform { | ||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = "~> 4" | ||
} | ||
} | ||
} | ||
|
||
provider "aws" { | ||
profile = var.profile | ||
region = var.default-region | ||
|
||
default_tags { | ||
tags = { | ||
CustodianRule = "ecc-aws-964-glue_job_autoscaling_enabled" | ||
ComplianceStatus = "Green" | ||
} | ||
} | ||
} |
21 changes: 21 additions & 0 deletions
21
terraform/ecc-aws-964-glue_job_autoscaling_enabled/green/s3.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
resource "aws_s3_object" "this" { | ||
bucket = aws_s3_bucket.this.id | ||
key = "script" | ||
acl = "private" | ||
source = "script.py" | ||
etag = filemd5("script.py") | ||
} | ||
|
||
resource "aws_s3_bucket" "this" { | ||
bucket = "bucket-964-green" | ||
force_destroy = true | ||
} | ||
|
||
resource "aws_s3_bucket_public_access_block" "this" { | ||
bucket = aws_s3_bucket.this.id | ||
|
||
block_public_acls = true | ||
block_public_policy = true | ||
ignore_public_acls = true | ||
restrict_public_buckets = true | ||
} |
Oops, something went wrong.