feat(rules): Update guard policies and metadata with October and Nove…
…mber control releases (#245)

## New Controls Added

- [AWS Control Tower adds additional
controls](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#q3-new-controls)
- [AWS Control Tower announces controls to assist digital
sovereignty](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#digital-sovereignty)

## Metadata Updates

- Added `Groups` property for the `digital-sovereignty` controls
- Updated `SupportedRegions` property
- Updated `ComplianceFrameworkMappings` property

---------

Signed-off-by: github-actions <[email protected]>
Co-authored-by: github-actions <[email protected]>
andywick-aws and github-actions authored Dec 12, 2023
1 parent c2c2cb1 commit 2a6efad
Showing 296 changed files with 13,531 additions and 757 deletions.
59 changes: 53 additions & 6 deletions API.md


59 changes: 53 additions & 6 deletions README.md


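--- a/rules/control-tower/cfn-guard/apigateway/ct-apigateway-pr-6.guard
+++ b/rules/control-tower/cfn-guard/apigateway/ct-apigateway-pr-6.guard
@@ -0,0 +1,98 @@
+# ###################################
+## Rule Specification ##
+#####################################
+#
+# Rule Identifier:
+# api_gw_domain_tls_check
+#
+# Description:
+# This control checks whether an Amazon API Gateway REST API domain name requires a minimum Transport Layer Security protocol version of TLSv1.2 by means of its security policy.
+#
+# Reports on:
+# AWS::ApiGateway::DomainName
+#
+# Evaluates:
+# AWS CloudFormation, AWS CloudFormation hook
+#
+# Rule Parameters:
+# None
+#
+# Scenarios:
+# Scenario: 1
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document does not contain any API Gateway domain name resources
+# Then: SKIP
+# Scenario: 2
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an API Gateway domain name resource
+# And: 'SecurityPolicy' has been provided and set to a security policy that allows
+# a minimum TLS protocol version earlier than TLSv1.2
+# Then: FAIL
+# Scenario: 3
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an API Gateway domain name resource
+# And: 'SecurityPolicy' has not been provided
+# Then: PASS
+# Scenario: 4
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an API Gateway domain name resource
+# And: 'SecurityPolicy' has been provided and set to a security policy that requires
+# a minimum TLS protocol version of TLSv1.2
+# Then: PASS
+
+#
+# Constants
+#
+let API_GW_DOMAIN_NAME_TYPE = "AWS::ApiGateway::DomainName"
+let ALLOWED_SECURITY_POLICIES = ["TLS_1_2"]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let api_gateway_domain_names = Resources.*[ Type == %API_GW_DOMAIN_NAME_TYPE ]
+
+#
+# Primary Rules
+#
+rule api_gw_domain_tls_check when is_cfn_template(%INPUT_DOCUMENT)
+%api_gateway_domain_names not empty {
+check(%api_gateway_domain_names.Properties)
+<<
+[CT.APIGATEWAY.PR.6]: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+[FIX]: Set the value of SecurityPolicy to TLS_1_2, or to adopt the default value, do not provide a value for SecurityPolicy.
+>>
+}
+
+rule api_gw_domain_tls_check when is_cfn_hook(%INPUT_DOCUMENT, %API_GW_DOMAIN_NAME_TYPE) {
+check(%INPUT_DOCUMENT.%API_GW_DOMAIN_NAME_TYPE.resourceProperties)
+<<
+[CT.APIGATEWAY.PR.6]: Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2
+[FIX]: Set the value of SecurityPolicy to TLS_1_2, or to adopt the default value, do not provide a value for SecurityPolicy.
+>>
+}
+
+#
+# Parameterized Rules
+#
+rule check(api_gateway_stage) {
+%api_gateway_stage {
+# Scenario 2, 3, 4
+SecurityPolicy not exists or
+SecurityPolicy in %ALLOWED_SECURITY_POLICIES
+}
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+%doc {
+AWSTemplateFormatVersion exists or
+Resources exists
+}
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+%doc.%RESOURCE_TYPE.resourceProperties exists
+}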
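Review bot: The parameterized rule `check(api_gateway_stage)` names its parameter after an API Gateway stage, but both callers pass domain-name properties (`%api_gateway_domain_names.Properties` and the `AWS::ApiGateway::DomainName` hook `resourceProperties`), so the name reads as a carry-over from another control; rename it to `rule check(api_gateway_domain_name) {` / `%api_gateway_domain_name {` to match the `Reports on` header. The `SecurityPolicy not exists or` branch deliberately passes an omitted property, which the header's scenario 3 states but the single inline `# Scenario 2, 3, 4` comment does not, so a reader of the rule body alone cannot tell the permissive branch is intended; suggest `# Scenario 3: an omitted SecurityPolicy adopts the service default, which the FIX text treats as compliant` above that line. When SecurityPolicy is supplied through an intrinsic function rather than a string literal it will presumably not match `%ALLOWED_SECURITY_POLICIES` and the rule fails closed, which is the safer direction but is worth noting in the header scenarios.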
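--- a/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-2.guard
+++ b/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-2.guard
@@ -0,0 +1,97 @@
+# ###################################
+## Rule Specification ##
+#####################################
+#
+# Rule Identifier:
+# appsync_api_private_visibility_check
+#
+# Description:
+# This control checks whether an AWS AppSync GraphQL API has been configured with private visibility.
+#
+# Reports on:
+# AWS::AppSync::GraphQLApi
+#
+# Evaluates:
+# AWS CloudFormation, AWS CloudFormation hook
+#
+# Rule Parameters:
+# None
+#
+# Scenarios:
+# Scenario: 1
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document does not contain any Appsync GraphQL API resources
+# Then: SKIP
+# Scenario: 2
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an Appsync GraphQL API resource
+# And: 'Visibility' has not been provided
+# Then: FAIL
+# Scenario: 3
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an Appsync GraphQL API resource
+# And: 'Visibility' has been provided and set to a value other than 'PRIVATE'
+# Then: FAIL
+# Scenario: 4
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an Appsync GraphQL API resource
+# And: 'Visibility' has been provided and set to 'PRIVATE'
+# Then: PASS
+
+#
+# Constants
+#
+let APPSYNC_GRAPHQL_API_TYPE = "AWS::AppSync::GraphQLApi"
+let ALLOWED_VISIBILITY_LEVELS = [ "PRIVATE" ]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let appsync_graphql_apis = Resources.*[ Type == %APPSYNC_GRAPHQL_API_TYPE ]
+
+#
+# Primary Rules
+#
+rule appsync_api_private_visibility_check when is_cfn_template(%INPUT_DOCUMENT)
+%appsync_graphql_apis not empty {
+check(%appsync_graphql_apis.Properties)
+<<
+[CT.APPSYNC.PR.2]: Require an AWS AppSync GraphQL API to be configured with private visibility
+[FIX]: Set the Visibility property to PRIVATE.
+>>
+}
+
+rule appsync_api_private_visibility_check when is_cfn_hook(%INPUT_DOCUMENT, %APPSYNC_GRAPHQL_API_TYPE) {
+check(%INPUT_DOCUMENT.%APPSYNC_GRAPHQL_API_TYPE.resourceProperties)
+<<
+[CT.APPSYNC.PR.2]: Require an AWS AppSync GraphQL API to be configured with private visibility
+[FIX]: Set the Visibility property to PRIVATE.
+>>
+}
+
+#
+# Parameterized Rules
+#
+rule check(appsync_graphql_api) {
+%appsync_graphql_api {
+# Scenario 2
+Visibility exists
+# Scenarios 3 and 4
+Visibility in %ALLOWED_VISIBILITY_LEVELS
+}
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+%doc {
+AWSTemplateFormatVersion exists or
+Resources exists
+}
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+%doc.%RESOURCE_TYPE.resourceProperties exists
+}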
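Review bot: The `# Scenario 2` comment above `Visibility exists` does not say why an omitted property is a FAIL here, while the sibling control ct-apigateway-pr-6 added in this same commit treats an omitted `SecurityPolicy` as a PASS; the two rules take opposite positions on absent properties and a reader comparing them has to go back to the header scenarios to learn which is deliberate. Suggest expanding it to `# Scenario 2: absence is a FAIL — an omitted Visibility is not treated as adopting PRIVATE`. The `Visibility in %ALLOWED_VISIBILITY_LEVELS` clause appears to fail on its own when the property is missing, so the explicit `exists` line seems to exist only to yield a distinct failure message; a short comment saying so would stop someone from removing it as redundant.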
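--- a/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-3.guard
+++ b/rules/control-tower/cfn-guard/appsync/ct-appsync-pr-3.guard
@@ -0,0 +1,129 @@
+# ###################################
+## Rule Specification ##
+#####################################
+#
+# Rule Identifier:
+# appsync_authorization_check
+#
+# Description:
+# This control checks that an AWS AppSync GraphQL API has been configured with an authentication type other than API_KEY authentication.
+#
+# Reports on:
+# AWS::AppSync::GraphQLApi
+#
+# Evaluates:
+# AWS CloudFormation, AWS CloudFormation hook
+#
+# Rule Parameters:
+# None
+#
+# Scenarios:
+# Scenario: 1
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document does not contain any AppSync GraphQL API resources
+# Then: SKIP
+# Scenario: 2
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has not been provided
+# Then: FAIL
+# Scenario: 3
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has not been provided or provided as an empty list
+# Then: FAIL
+# Scenario: 4
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has been provided as a non-empty list
+# And: An entry in 'AdditionalAuthenticationProviders' has 'AuthenticationType' equal to 'API_KEY'
+# Then: FAIL
+# Scenario: 5
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has not been provided or provided as an empty list
+# Then: PASS
+# Scenario: 6
+# Given: The input document is an AWS CloudFormation or CloudFormation hook document
+# And: The input document contains an AppSync GraphQL API resource
+# And: 'AuthenticationType' has been provided and is equal to a value other than 'API_KEY'
+# And: 'AdditionalAuthenticationProviders' has been provided as a non-empty list
+# And: No entries in 'AdditionalAuthenticationProviders' have 'AuthenticationType' equal to 'API_KEY'
+# Then: PASS
+
+#
+# Constants
+#
+let APPSYNC_GRAPHQL_API_TYPE = "AWS::AppSync::GraphQLApi"
+let DISALLOWED_AUTHORIZATION_TYPES = [ "API_KEY" ]
+let INPUT_DOCUMENT = this
+
+#
+# Assignments
+#
+let appsync_graphql_apis = Resources.*[ Type == %APPSYNC_GRAPHQL_API_TYPE ]
+
+#
+# Primary Rules
+#
+rule appsync_authorization_check when is_cfn_template(%INPUT_DOCUMENT)
+%appsync_graphql_apis not empty {
+check(%appsync_graphql_apis.Properties)
+<<
+[CT.APPSYNC.PR.3]: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+[FIX]: Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.
+>>
+}
+
+rule appsync_authorization_check when is_cfn_hook(%INPUT_DOCUMENT, %APPSYNC_GRAPHQL_API_TYPE) {
+check(%INPUT_DOCUMENT.%APPSYNC_GRAPHQL_API_TYPE.resourceProperties)
+<<
+[CT.APPSYNC.PR.3]: Require that an AWS AppSync GraphQL API is not authenticated with API keys
+[FIX]: Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.
+>>
+}
+
+#
+# Parameterized Rules
+#
+rule check(appsync_graphql_api) {
+%appsync_graphql_api {
+# Scenarios 2, 3 and 5
+check_authentication_type(this)
+}
+
+%appsync_graphql_api [
+AdditionalAuthenticationProviders exists
+AdditionalAuthenticationProviders is_list
+AdditionalAuthenticationProviders not empty
+] {
+AdditionalAuthenticationProviders[*] {
+# Scenarios 4 and 6
+check_authentication_type(this)
+}
+}
+}
+
+rule check_authentication_type(appsync_configuration) {
+%appsync_configuration {
+AuthenticationType exists
+AuthenticationType not in %DISALLOWED_AUTHORIZATION_TYPES
+}
+}
+
+#
+# Utility Rules
+#
+rule is_cfn_template(doc) {
+%doc {
+AWSTemplateFormatVersion exists or
+Resources exists
+}
+}
+
+rule is_cfn_hook(doc, RESOURCE_TYPE) {
+%doc.%RESOURCE_TYPE.resourceProperties exists
+}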
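Review bot: The constant is named `DISALLOWED_AUTHORIZATION_TYPES` while everything it is compared against is an authentication type — the `AuthenticationType` property, the `check_authentication_type` rule and the API_KEY wording in the description — so the mixed vocabulary invites a misread that it governs AppSync authorization modes; rename it to `let DISALLOWED_AUTHENTICATION_TYPES = [ "API_KEY" ]` and update the one reference in `check_authentication_type`. The filter `%appsync_graphql_api [ AdditionalAuthenticationProviders exists ... is_list ... not empty ]` selects nothing when the property is present but not a literal list (for instance supplied through an intrinsic function), and in that case the additional providers are presumably never inspected, so the resource can pass on its primary `AuthenticationType` alone; if that is intended a comment on the filter should say so, and if not the non-list case needs its own FAIL scenario. The header scenarios 3-6 describe `AdditionalAuthenticationProviders` only as absent, empty or a non-empty list, so this gap is not documented anywhere in the file.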
