Merge pull request #5 from epam/new_rules

New rules

iam/All-permissions.json

@@ -12,6 +12,9 @@
                 "apigateway:GET",
                 "appflow:DescribeFlow",
                 "appflow:ListFlows",
+                "appsync:ListGraphqlApis",
+                "appsync:GetGraphqlApi",
+                "appsync:GetApiCache",
                 "autoscaling:DescribeAutoScalingGroups",
                 "autoscaling:DescribeLaunchConfigurations",
                 "backup:GetBackupPlan",
@@ -105,6 +108,7 @@
                 "elasticloadbalancing:DescribeTargetHealth",
                 "elasticmapreduce:DescribeCluster",
                 "elasticmapreduce:ListClusters",
+                "elasticmapreduce:DescribeSecurityConfiguration",
                 "es:DescribeDomains",
                 "es:DescribeElasticsearchDomain",
                 "es:DescribeElasticsearchDomainConfig",
@@ -144,6 +148,7 @@
                 "kafka:ListClusters",
                 "kinesis:DescribeStream",
                 "kinesis:ListStreams",
+                "kinesisvideo:ListStreams",
                 "kms:DescribeKey",
                 "kms:GetKeyRotationStatus",
                 "kms:ListAliases",
@@ -162,8 +167,10 @@
                 "rds:DescribeDBClusters",
                 "rds:DescribeDBInstances",
                 "rds:DescribeDBParameters",
+                "rds:DescribeOptionGroups",
                 "rds:DescribeDBSnapshotAttributes",
                 "rds:DescribeDBSnapshots",
+                "rds:DescribeDBClusterParameters",
                 "redshift:DescribeClusterParameters",
                 "redshift:DescribeClusters",
                 "redshift:DescribeLoggingStatus",
@@ -184,6 +191,9 @@
                 "s3:GetLifecycleConfiguration",
                 "s3:GetReplicationConfiguration",
                 "s3:ListAllMyBuckets",
+                "s3:GetBucketLifecycle",
+                "s3:GetEncryptionConfiguration",
+                "s3:GetBucketPublicAccessBlock",
                 "sagemaker:DescribeEndpointConfig",
                 "sagemaker:DescribeModel",
                 "sagemaker:DescribeNotebookInstance",

policies/ecc-aws-080-bucket_policy_allows_https_requests.yml

@@ -0,0 +1,36 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-080-bucket_policy_allows_https_requests
+    resource: aws.s3
+    description: |
+      S3 Bucket Policy allows HTTP requests
+    filters:
+      - not:
+          - or:
+              - type: has-statement
+                statements:
+                  - Effect: Deny
+                    Action: 's3:*'
+                    Condition:
+                      Bool:
+                        "aws:SecureTransport": "false"
+              - type: has-statement
+                statements:
+                  - Effect: Deny
+                    Action: '*'
+                    Condition:
+                      Bool:
+                        "aws:SecureTransport": "false"
+              - type: has-statement
+                statements:
+                  - Effect: Deny
+                    Action: 's3:GetObject'
+                    Condition:
+                      Bool:
+                        "aws:SecureTransport": "false"

policies/ecc-aws-141-s3_encrypted_using_kms.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-141-s3_encrypted_using_kms
+    description: |
+      S3 is not using a KMS key for encryption
+    resource: s3
+    filters:
+      - type: bucket-encryption
+        state: false
+        crypto: aws:kms

policies/ecc-aws-162-s3_bucket_lifecycle.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-162-s3_bucket_lifecycle
+    description: |
+      S3 Bucket life cycle is not configured
+    resource: s3
+    filters:
+      - type: value
+        key: Lifecycle
+        value: null

policies/ecc-aws-163-s3_buckets_without_tags.yml

@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-163-s3_buckets_without_tags
+    description: |
+      S3 Buckets without tags 
+    resource: s3
+    filters:
+      - not:
+          - type: value
+            key: Tags[0]
+            value: present

policies/ecc-aws-216-s3_bucket_cross_region_replication_enabled.yml

@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-216-s3_bucket_cross_region_replication_enabled
+    description: |
+      S3 bucket cross-region replication is disabled
+    resource: s3
+    filters:
+      - type: value
+        key: Replication
+        value: null

policies/ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled.yml

@@ -0,0 +1,20 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-246-s3_bucket_versioning_mfa_delete_enabled
+    description: |
+      S3 bucket versioning MFA delete is disabled
+    resource: s3
+    filters:
+      - or:
+          - type: value
+            key: Versioning.MFADelete
+            value: Disabled
+          - type: value
+            key: Versioning.MFADelete
+            value: absent

policies/ecc-aws-280-s3_buckets_configured_with_block_public_access.yml

@@ -0,0 +1,14 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-280-s3_buckets_configured_with_block_public_access
+    resource: aws.s3
+    description: |
+      S3 Buckets are not configured with 'Block public access' bucket settings
+    filters:
+      - type: check-public-block

policies/ecc-aws-290-logging_for_s3_enabled.yml

@@ -0,0 +1,15 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-290-logging_for_s3_enabled
+    description: |
+      Logging for S3 bucket is disabled
+    resource: s3
+    filters:
+      - type: bucket-logging
+        op: disabled

policies/ecc-aws-352-rds_mariadb_logging_enabled.yml

@@ -0,0 +1,56 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-352-rds_mariadb_logging_enabled
+    resource: aws.rds
+    description: |
+      MariaDB database logging is disabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: mariadb
+          - or:
+              - not:
+                  - type: db-option-groups
+                    key: length(Options[].OptionSettings[?Name == 'SERVER_AUDIT_EVENTS' && Value == `CONNECT,QUERY,TABLE,QUERY_DDL,QUERY_DML,QUERY_DCL`].Value[])
+                    op: eq
+                    value: 1
+              - not:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: audit
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: error
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: general
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: slowquery
+                  - type: db-parameter
+                    key: general_log
+                    op: eq
+                    value: 1
+                  - type: db-parameter
+                    key: slow_query_log
+                    op: eq
+                    value: 1
+                  - type: db-parameter
+                    key: log_output
+                    op: eq
+                    value: FILE

policies/ecc-aws-421-documentdb_logging_enabled.yml

@@ -0,0 +1,35 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-421-documentdb_logging_enabled
+    resource: aws.rds-cluster
+    description: |
+      DocumentDB logging is not enabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: 'docdb'
+          - not:
+              - and:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: audit
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: profiler
+                  - type: db-cluster-parameter
+                    key: audit_logs
+                    value: enabled
+                  - type: db-cluster-parameter
+                    key: profiler
+                    value: enabled

policies/ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled.yml

@@ -0,0 +1,48 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-423-rds_aurora_mysql_cluster_logging_enabled
+    resource: aws.rds-cluster
+    description: |
+      Aurora-MySQL cluster logging is disabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: aurora-mysql
+          - not:
+              - and:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: audit
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: error
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: general
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: slowquery
+                  - type: db-cluster-parameter
+                    key: general_log
+                    value: 1
+                  - type: db-cluster-parameter
+                    key: slow_query_log
+                    value: 1
+                  - type: db-cluster-parameter
+                    key: log_output
+                    value: FILE

policies/ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled.yml

@@ -0,0 +1,33 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-424-rds_aurora_postgresql_cluster_logging_enabled
+    resource: aws.rds-cluster
+    description: |
+      Aurora-PostgreSQL cluster logging is disabled
+    filters:
+      - and:
+          - type: value
+            key: Engine
+            value: aurora-postgresql
+          - or:
+              - type: db-cluster-parameter
+                key: log_min_duration_statement
+                value: absent
+              - type: db-cluster-parameter
+                key: log_min_duration_statement
+                value: -1
+              - not:
+                  - type: value
+                    key: EnabledCloudwatchLogsExports
+                    op: in
+                    value_type: swap
+                    value: postgresql
+                  - type: db-cluster-parameter
+                    key: log_statement
+                    value: all