feat(rules): Update guard policies and metadata with October and Nove…
…mber control releases (#245) ## New Controls Added - [AWS Control Tower adds additional controls](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#q3-new-controls) - [AWS Control Tower announces controls to assist digital sovereignty](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#digital-sovereignty) ## Metadata Updates - Added `Groups` property for the `digital-sovereignty` controls - Updated `SupportedRegions` property - Updated `ComplianceFrameworkMappings` property --------- Signed-off-by: github-actions <[email protected]> Co-authored-by: github-actions <[email protected]>
1 parent
c2c2cb1
commit 2a6efad
Showing
296 changed files
with
13,531 additions
and
757 deletions.
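--- a/rules/control-tower/cfn-guard/apigateway/ct-apigateway-pr-6.guard
+++ b/rules/control-tower/cfn-guard/apigateway/ct-apigateway-pr-6.guard
@@ -0,0 +1,98 @@
+# ###################################
+## Rule Specification ##
+#####################################
+#
+# Rule Identifier:
+# api_gw_domain_tls_check
+#
+# Description:
+# This control checks whether an Amazon API Gateway REST API domain name requires a minimum Transport Layer Security protocol version of TLSv1.2 by means of its security policy.
+#
+# Reports on:
+# AWS::ApiGateway::DomainName
+#
+# Evaluates:
+# AWS CloudFormation, AWS CloudFormation hook
+#
+# Rule Parameters:
+# None
+#
+# Scenarios:
+# Scenario: 1
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document does not contain any API Gateway domain name resources
+# Then: SKIP
+# Scenario: 2
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an API Gateway domain name resource
+# And: 'SecurityPolicy' has been provided and set to a security policy that allows
+# a minimum TLS protocol version earlier than TLSv1.2
+# Then: FAIL
+# Scenario: 3
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an API Gateway domain name resource
+# And: 'SecurityPolicy' has not been provided
+# Then: PASS
+# Scenario: 4
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an API Gateway domain name resource
+# And: 'SecurityPolicy' has been provided and set to a security policy that requires
+# a minimum TLS protocol version of TLSv1.2
+# Then: PASS
+
+#
+# Constants
+#
+let API_GW_DOMAIN_NAME_TYPE = "AWS::ApiGateway::DomainName"
+let ALLOWED_SECURITY_POLICIES = ["TLS_1_2"]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let api_gateway_domain_names = Resources.*[ Type == %API_GW_DOMAIN_NAME_TYPE ]
+
+#
+# Primary Rules
+#
+rule api_gw_domain_tls_check when is_cfn_template(%INPUT_DOCUMENT)
+%api_gateway_domain_names not empty {
+check(%api_gateway_domain_names.Properties)
+<<
+[CT.APIGATEWAY.PR.6]: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+[FIX]: Set the value of SecurityPolicy to TLS_1_2, or to adopt the default value, do not provide a value for SecurityPolicy.
+>>
+}
+
+rule api_gw_domain_tls_check when is_cfn_hook(%INPUT_DOCUMENT, %API_GW_DOMAIN_NAME_TYPE) {
+check(%INPUT_DOCUMENT.%API_GW_DOMAIN_NAME_TYPE.resourceProperties)
+<<
+[CT.APIGATEWAY.PR.6]: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+[FIX]: Set the value of SecurityPolicy to TLS_1_2, or to adopt the default value, do not provide a value for SecurityPolicy.
+>>
+}
+
+#
+# Parameterized Rules
+#
+rule check(api_gateway_stage) {
+%api_gateway_stage {
+# Scenario 2, 3, 4
+SecurityPolicy not exists or
+SecurityPolicy in %ALLOWED_SECURITY_POLICIES
+}
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+%doc {
+AWSTemplateFormatVersion exists or
+Resources exists
+}
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+%doc.%RESOURCE_TYPE.resourceProperties exists
+}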
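Review bot: The parameterized rule `check(api_gateway_stage)` names its parameter as if it received an API Gateway stage, but both call sites pass `AWS::ApiGateway::DomainName` properties (`%api_gateway_domain_names.Properties` and `%INPUT_DOCUMENT.%API_GW_DOMAIN_NAME_TYPE.resourceProperties`); renaming it to `rule check(api_gateway_domain_name) {` and `%api_gateway_domain_name {` would match the sibling files in this commit, which name the parameter after the evaluated resource. Separately, `SecurityPolicy not exists` is treated as compliant (Scenario 3), so the control is only as strong as whatever the service applies when the property is omitted, which the rule itself cannot observe. A comment next to that clause such as `# An absent SecurityPolicy is accepted on the assumption that the service default meets TLS_1_2; revisit if that default changes` would record the assumption for maintainers who later see a template pass without an explicit policy.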
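--- a/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-2.guard
+++ b/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-2.guard
@@ -0,0 +1,97 @@
+# ###################################
+## Rule Specification ##
+#####################################
+#
+# Rule Identifier:
+# appsync_api_private_visibility_check
+#
+# Description:
+# This control checks whether an AWS AppSync GraphQL API has been configured with private visibility.
+#
+# Reports on:
+# AWS::AppSync::GraphQLApi
+#
+# Evaluates:
+# AWS CloudFormation, AWS CloudFormation hook
+#
+# Rule Parameters:
+# None
+#
+# Scenarios:
+# Scenario: 1
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document does not contain any Appsync GraphQL API resources
+# Then: SKIP
+# Scenario: 2
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an Appsync GraphQL API resource
+# And: 'Visibility' has not been provided
+# Then: FAIL
+# Scenario: 3
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an Appsync GraphQL API resource
+# And: 'Visibility' has been provided and set to a value other than 'PRIVATE'
+# Then: FAIL
+# Scenario: 4
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an Appsync GraphQL API resource
+# And: 'Visibility' has been provided and set to 'PRIVATE'
+# Then: PASS
+
+#
+# Constants
+#
+let APPSYNC_GRAPHQL_API_TYPE = "AWS::AppSync::GraphQLApi"
+let ALLOWED_VISIBILITY_LEVELS = [ "PRIVATE" ]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let appsync_graphql_apis = Resources.*[ Type == %APPSYNC_GRAPHQL_API_TYPE ]
+
+#
+# Primary Rules
+#
+rule appsync_api_private_visibility_check when is_cfn_template(%INPUT_DOCUMENT)
+%appsync_graphql_apis not empty {
+check(%appsync_graphql_apis.Properties)
+<<
+[CT.APPSYNC.PR.2]: Require an AWS AppSync GraphQL API to be configured with private visibility
+[FIX]: Set the Visibility property to PRIVATE.
+>>
+}
+
+rule appsync_api_private_visibility_check when is_cfn_hook(%INPUT_DOCUMENT, %APPSYNC_GRAPHQL_API_TYPE) {
+check(%INPUT_DOCUMENT.%APPSYNC_GRAPHQL_API_TYPE.resourceProperties)
+<<
+[CT.APPSYNC.PR.2]: Require an AWS AppSync GraphQL API to be configured with private visibility
+[FIX]: Set the Visibility property to PRIVATE.
+>>
+}
+
+#
+# Parameterized Rules
+#
+rule check(appsync_graphql_api) {
+%appsync_graphql_api {
+# Scenario 2
+Visibility exists
+# Scenarios 3 and 4
+Visibility in %ALLOWED_VISIBILITY_LEVELS
+}
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+%doc {
+AWSTemplateFormatVersion exists or
+Resources exists
+}
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+%doc.%RESOURCE_TYPE.resourceProperties exists
+}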
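--- a/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-3.guard
+++ b/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-3.guard
@@ -0,0 +1,129 @@
+# ###################################
+## Rule Specification ##
+#####################################
+#
+# Rule Identifier:
+# appsync_authorization_check
+#
+# Description:
+# This control checks that an AWS AppSync GraphQL API has been configured with an authentication type other than API_KEY authentication.
+#
+# Reports on:
+# AWS::AppSync::GraphQLApi
+#
+# Evaluates:
+# AWS CloudFormation, AWS CloudFormation hook
+#
+# Rule Parameters:
+# None
+#
+# Scenarios:
+# Scenario: 1
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document does not contain any AppSync GraphQL API resources
+# Then: SKIP
+# Scenario: 2
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has not been provided
+# Then: FAIL
+# Scenario: 3
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has not been provided or provided as an empty list
+# Then: FAIL
+# Scenario: 4
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has been provided as a non-empty list
+# And: An entry in 'AdditionalAuthenticationProviders' has 'AuthenticationType' equal to 'API_KEY'
+# Then: FAIL
+# Scenario: 5
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has not been provided or provided as an empty list
+# Then: PASS
+# Scenario: 6
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has been provided as a non-empty list
+# And: No entries in 'AdditionalAuthenticationProviders' have 'AuthenticationType' equal to 'API_KEY'
+# Then: PASS
+
+#
+# Constants
+#
+let APPSYNC_GRAPHQL_API_TYPE = "AWS::AppSync::GraphQLApi"
+let DISALLOWED_AUTHORIZATION_TYPES = [ "API_KEY" ]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let appsync_graphql_apis = Resources.*[ Type == %APPSYNC_GRAPHQL_API_TYPE ]
+
+#
+# Primary Rules
+#
+rule appsync_authorization_check when is_cfn_template(%INPUT_DOCUMENT)
+%appsync_graphql_apis not empty {
+check(%appsync_graphql_apis.Properties)
+<<
+[CT.APPSYNC.PR.3]: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+[FIX]: Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.
+>>
+}
+
+rule appsync_authorization_check when is_cfn_hook(%INPUT_DOCUMENT, %APPSYNC_GRAPHQL_API_TYPE) {
+check(%INPUT_DOCUMENT.%APPSYNC_GRAPHQL_API_TYPE.resourceProperties)
+<<
+[CT.APPSYNC.PR.3]: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+[FIX]: Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.
+>>
+}
+
+#
+# Parameterized Rules
+#
+rule check(appsync_graphql_api) {
+%appsync_graphql_api {
+# Scenarios 2, 3 and 5
+check_authentication_type(this)
+}
+
+%appsync_graphql_api [
+AdditionalAuthenticationProviders exists
+AdditionalAuthenticationProviders is_list
+AdditionalAuthenticationProviders not empty
+] {
+AdditionalAuthenticationProviders[*] {
+# Scenarios 4 and 6
+check_authentication_type(this)
+}
+}
+}
+
+rule check_authentication_type(appsync_configuration) {
+%appsync_configuration {
+AuthenticationType exists
+AuthenticationType not in %DISALLOWED_AUTHORIZATION_TYPES
+}
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+%doc {
+AWSTemplateFormatVersion exists or
+Resources exists
+}
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+%doc.%RESOURCE_TYPE.resourceProperties exists
+}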
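Review bot: The filter on `AdditionalAuthenticationProviders` in `check` requires `is_list`, so a template that supplies that property through something other than a literal list (for example an intrinsic function or parameter reference that is still unresolved at evaluation time) never enters the second block, and the rule then passes on the top-level `AuthenticationType` alone. Whether such a value should instead be reported depends on how unresolved intrinsics reach the hook, which is not visible here, but the fail-open path deserves to be stated; a comment above the filter such as `# Only literal, non-empty lists are inspected; a non-list value for AdditionalAuthenticationProviders is not evaluated by this block` would make the intent explicit. A minor naming point: `DISALLOWED_AUTHORIZATION_TYPES` holds values of the `AuthenticationType` property, so `DISALLOWED_AUTHENTICATION_TYPES` would read more consistently with `check_authentication_type`.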