diff --git a/non-compatible-policies/ecc-aws-005-rds_not_open_to_large_scope.yml b/non-compatible-policies/ecc-aws-005-rds_not_open_to_large_scope.yml index 45950d3fa..ea3b948c2 100644 --- a/non-compatible-policies/ecc-aws-005-rds_not_open_to_large_scope.yml +++ b/non-compatible-policies/ecc-aws-005-rds_not_open_to_large_scope.yml @@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-005-rds_not_open_to_large_scope - description: | - RDS is open to a large scope - resource: aws.rds - filters: - - type: rds-vpc-filter - key: SecurityGroups[].IpPermissions[].IpRanges[].CidrIp - op: in - value: - - "0.0.0.0/0" - - "::/0" - comment: '0024062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-005-rds_not_open_to_large_scope + comment: '010024062000' + description: | + RDS is open to a large scope + resource: aws.rds + filters: + - type: rds-vpc-filter + key: SecurityGroups[].IpPermissions[].IpRanges[].CidrIp + op: in + value: + - "0.0.0.0/0" + - "::/0" diff --git a/non-compatible-policies/ecc-aws-010-http_elb_certificate_expire_in_one_week.yml b/non-compatible-policies/ecc-aws-010-http_elb_certificate_expire_in_one_week.yml index d5b187285..8f342f235 100644 --- a/non-compatible-policies/ecc-aws-010-http_elb_certificate_expire_in_one_week.yml +++ b/non-compatible-policies/ecc-aws-010-http_elb_certificate_expire_in_one_week.yml 
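Review bot: The `"::/0"` entry in `value` can probably never match, because the filter key `SecurityGroups[].IpPermissions[].IpRanges[].CidrIp` reads only the IPv4 ranges; in the EC2 security-group shape, IPv6 CIDRs are listed under `Ipv6Ranges[].CidrIpv6`. As written, an RDS instance whose security group is open to the world over IPv6 only would presumably go unreported. Consider a second `rds-vpc-filter` under an `or:` with `key: SecurityGroups[].IpPermissions[].Ipv6Ranges[].CidrIpv6` and `value: ["::/0"]`. How this custom filter applies `op: in` to a projected list is not visible in the hunk and is worth pinning with a test fixture.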
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-010-http_elb_certificate_expire_in_one_week - description: | - Application or Network Load balancer SSL certificate expire in less than a week - resource: app-elb - filters: - - not: - - type: value - key: Type - value: "gateway" - op: in - - type: appelb-acm-filter - key: 'NotAfter' - op: lt - value: 7 - comment: '0029022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-010-http_elb_certificate_expire_in_one_week + comment: '010029022000' + description: | + Application or Network Load balancer SSL certificate expire in less than a week + resource: app-elb + filters: + - not: + - type: value + key: Type + value: "gateway" + op: in + - type: appelb-acm-filter + key: 'NotAfter' + op: lt + value: 7 diff --git a/non-compatible-policies/ecc-aws-011-http_elb_certificate_expire_in_one_month.yml b/non-compatible-policies/ecc-aws-011-http_elb_certificate_expire_in_one_month.yml index 031a407ee..ed621f28f 100644 --- a/non-compatible-policies/ecc-aws-011-http_elb_certificate_expire_in_one_month.yml +++ b/non-compatible-policies/ecc-aws-011-http_elb_certificate_expire_in_one_month.yml 
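Review bot: In the `not:` block, `op: in` is applied to the scalar `value: "gateway"`; in a stock Cloud Custodian value filter a string on the right-hand side turns this into a substring test, not a membership test, so `op: eq` (or `value: ["gateway"]`) states the intent exactly. Separately, `key: 'NotAfter'` is compared with `op: lt` and `value: 7` without `value_type: expiration`; unless `appelb-acm-filter` converts the date to days remaining itself, which is not visible here, certificates close to expiry may not be reported. Both points apply equally to ecc-aws-011 in the next hunk, where the threshold is `value: 30`.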
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-011-http_elb_certificate_expire_in_one_month - description: | - Application or Network Load balancer SSL certificate expire in less than a month - resource: app-elb - filters: - - not: - - type: value - key: Type - value: "gateway" - op: in - - type: appelb-acm-filter - key: 'NotAfter' - op: lt - value: 30 - comment: '0029022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-011-http_elb_certificate_expire_in_one_month + comment: '010029022000' + description: | + Application or Network Load balancer SSL certificate expire in less than a month + resource: app-elb + filters: + - not: + - type: value + key: Type + value: "gateway" + op: in + - type: appelb-acm-filter + key: 'NotAfter' + op: lt + value: 30 diff --git a/non-compatible-policies/ecc-aws-021-ebs-volume_without_recent_snapshot.yml b/non-compatible-policies/ecc-aws-021-ebs-volume_without_recent_snapshot.yml index 461f2bb2f..30aeb85a5 100644 --- a/non-compatible-policies/ecc-aws-021-ebs-volume_without_recent_snapshot.yml +++ b/non-compatible-policies/ecc-aws-021-ebs-volume_without_recent_snapshot.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-021-ebs-volume_without_recent_snapshot - description: | - EBS Volumes without recent snapshots - resource: aws.ebs - filters: - - not: - - type: snapshot-age - op: le - days: 14 - comment: '0049042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-021-ebs-volume_without_recent_snapshot + comment: '010049042000' + description: | + EBS Volumes without recent snapshots + resource: aws.ebs + filters: + - not: + - type: snapshot-age + op: le + days: 14 diff --git a/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml b/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml index a21876c76..452c95184 100644 --- a/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml +++ b/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-052-cloudtrail_enabled_in_all_regions - resource: aws.account - description: | - CloudTrail is not enabled in all regions - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-052-cloudtrail_enabled_in_all_regions + comment: '010016010301' + description: | + CloudTrail is not enabled in all regions + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + op: eq + value: 0 
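Review bot: The `comment` code of this policy changes in more than its prefix: the old value is `'0016010300'` and the new one is `'010016010301'`, whereas every other file visible in this commit only gains the leading `01` (ecc-aws-067, for example, goes from `'0016010300'` to `'010016010300'`). If the trailing `1` is intended, it deserves a line in the commit message; if not, `comment: '010016010300'` keeps it consistent with the other CloudTrail-based policies. The meaning of the digits is not visible in the diff, so this needs confirming against whatever consumes the field.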
diff --git a/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml b/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml index 8886f6927..8b1b438d4 100644 --- a/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml +++ b/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml @@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-054-iam_policies_full_administrative_privileges - description: | - IAM policies that allow full "*:*" administrative privileges are in use - resource: iam-policy-all - filters: - - type: used - - type: has-allow-all - comment: '0022000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-054-iam_policies_full_administrative_privileges + comment: '010022000301' + description: | + IAM policies that allow full "*:*" administrative privileges are in use + resource: iam-policy-all + filters: + - type: used + - type: has-allow-all diff --git a/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml b/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml index 29c2477ab..70bbae997 100644 --- a/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml +++ b/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-056-iam_user_with_password_and_unused_access_keys - resource: aws.iam-user - description: | - Access key was created during initial IAM user setup - filters: - - type: creation-time-aws-iam-user - field_name_1: access_key_1_last_rotated - field_name_2: CreateDate - seconds: 4 - - type: credential - key: password_enabled - value: true - - type: credential - key: access_keys.last_used_date - value: null - comment: '0033000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-056-iam_user_with_password_and_unused_access_keys + comment: '010033000301' + description: | + Access key was created during initial IAM user setup + resource: aws.iam-user + filters: + - type: creation-time-aws-iam-user + field_name_1: access_key_1_last_rotated + field_name_2: CreateDate + seconds: 4 + - type: credential + key: password_enabled + value: true + - type: credential + key: access_keys.last_used_date + value: null diff --git a/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml b/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml index 5a34d973c..6fd8795e7 100644 --- a/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml +++ b/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml 
@@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-058-ensure_support_role_created_to_manage_incidents - resource: aws.account - description: | - Support role has not been created to manage incidents with AWS Support - filters: - - type: account-iam-role-light-filter - value: AWSSupportAccess - comment: '0022000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-058-ensure_support_role_created_to_manage_incidents + comment: '010022000301' + description: | + Support role has not been created to manage incidents with AWS Support + resource: aws.account + filters: + - type: account-iam-role-light-filter + value: AWSSupportAccess diff --git a/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml b/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml index e32df0b87..b53a21f75 100644 --- a/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-067-unauthorized_api_calls_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for unauthorized API calls - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "\\(\\(\\$\\.errorCode=\"\\*UnauthorizedOperation\"\\) ?\\|\\| ?\\(\\$\\.errorCode=\"AccessDenied\\*\"\\)\\) ?&& ?\\(\\(\\$\\.sourceIPAddress!=(\")?delivery\\.logs\\.amazonaws\\.com(\")?\\) ?&& ?\\(\\$\\.eventName!=(\")?HeadBucket(\")?\\)\\)" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-067-unauthorized_api_calls_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for unauthorized API calls + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "\\(\\(\\$\\.errorCode=\"\\*UnauthorizedOperation\"\\) ?\\|\\| ?\\(\\$\\.errorCode=\"AccessDenied\\*\"\\)\\) ?&& ?\\(\\(\\$\\.sourceIPAddress!=(\")?delivery\\.logs\\.amazonaws\\.com(\")?\\) ?&& ?\\(\\$\\.eventName!=(\")?HeadBucket(\")?\\)\\)" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml b/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml index ddbbeb0fb..df06f4fd8 100644 --- a/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml +++ b/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml 
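Review bot: The `configurationChangesAlarmList` pattern requires `$.errorCode="*UnauthorizedOperation"` and `$.errorCode="AccessDenied*"` with no whitespace around `=`, while the sibling policies in this commit (ecc-aws-077, 078, 080, 081) tolerate it with ` ?= ?`. A metric filter written with spaces around the operator, such as `($.errorCode = "*UnauthorizedOperation")`, would presumably not match, and the account would be reported as having no alarm for unauthorized API calls even though one exists. Consider `\\$\\.errorCode ?= ?\"\\*UnauthorizedOperation\"`, with the same allowance on the `AccessDenied*`, `sourceIPAddress` and `eventName` clauses. A false finding on a monitoring control tends to get the rule suppressed, so tolerance to formatting matters here.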
@@ -1,30 +1,30 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible - description: | - S3 bucket used to store CloudTrail logs is publicly accessible - resource: aws.cloudtrail - filters: - - or: - - type: cloudtrail-s3-filter - key: PublicAccessBlockConfiguration.BlockPublicAcls - op: eq - value: false - - type: cloudtrail-s3-filter - key: PublicAccessBlockConfiguration.BlockPublicPolicy - op: eq - value: false - - type: cloudtrail-s3-filter - key: PublicAccessBlockConfiguration.IgnorePublicAcls - op: eq - value: false - - type: cloudtrail-s3-filter - key: PublicAccessBlockConfiguration.RestrictPublicBuckets - op: eq - value: false - comment: '0040010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible + comment: '010040010300' + description: | + S3 bucket used to store CloudTrail logs is publicly accessible + resource: aws.cloudtrail + filters: + - or: + - type: cloudtrail-s3-filter + key: PublicAccessBlockConfiguration.BlockPublicAcls + op: eq + value: false + - type: cloudtrail-s3-filter + key: PublicAccessBlockConfiguration.BlockPublicPolicy + op: eq + value: false + - type: cloudtrail-s3-filter + key: PublicAccessBlockConfiguration.IgnorePublicAcls + op: eq + value: false + - type: cloudtrail-s3-filter + key: PublicAccessBlockConfiguration.RestrictPublicBuckets + op: eq + value: false 
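Review bot: All four `cloudtrail-s3-filter` branches compare a `PublicAccessBlockConfiguration.*` flag with `op: eq` and `value: false`, so a log bucket with no public access block configured at all may resolve each key to null and match none of them. That is the least protected case, so it is worth confirming with a fixture that the custom filter reports it; if it does not, add a branch such as `key: PublicAccessBlockConfiguration` with `value: absent`. The check also covers only the block-public-access flags, since the bucket policy and ACL are not evaluated in this hunk, and the `description` could say so.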
diff --git a/non-compatible-policies/ecc-aws-069-s3_bucket_should_not_allow_all_actions_from_all_principals.yml b/non-compatible-policies/ecc-aws-069-s3_bucket_should_not_allow_all_actions_from_all_principals.yml index 6cb1a49f7..d2b1b03d3 100644 --- a/non-compatible-policies/ecc-aws-069-s3_bucket_should_not_allow_all_actions_from_all_principals.yml +++ b/non-compatible-policies/ecc-aws-069-s3_bucket_should_not_allow_all_actions_from_all_principals.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-069-s3_bucket_should_not_allow_all_actions_from_all_principals - description: | - S3 bucket allows all actions from all principals - resource: aws.s3-light - filters: - - type: has-statement - statements: - - Effect: Allow - Action: '*' - Principal: '*' - comment: '0033042001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-069-s3_bucket_should_not_allow_all_actions_from_all_principals + comment: '010033042001' + description: | + S3 bucket allows all actions from all principals + resource: aws.s3-light + filters: + - type: has-statement + statements: + - Effect: Allow + Action: '*' + Principal: '*' diff --git a/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml b/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml index d9705ad7b..c6ebf0160 100644 --- a/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml +++ b/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml 
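Review bot: The `has-statement` entry matches `Principal: '*'` and `Action: '*'` as literals, so a bucket policy granting the same access with the principal written as `{"AWS": "*"}` or the action as `s3:*` is probably not reported. Whether the custom `aws.s3-light` resource normalises these forms is not visible in the hunk. If it does not, cover the alternate spellings with additional `has-statement` filters grouped under `or:`, not with extra entries in the same `statements:` list, where they would presumably all have to be present at once. A fixture with each principal form would pin the behaviour.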
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-077-sign_in_without_mfa_alarm_exist - resource: aws.account - description: | - Log metric filter and alarm do not exist for Management Console sign-in without MFA - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "\\(\\$\\.eventName ?= ?\"ConsoleLogin\"\\) ?&& ?\\(\\$\\.additionalEventData.MFAUsed ?!= ?\"Yes\"\\) ?&& ?\\(\\$\\.userIdentity\\.type ?= ?\"IAMUser\"\\) ?&& ?\\(\\$.responseElements\\.ConsoleLogin ?= ?\"Success\"\\)" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-077-sign_in_without_mfa_alarm_exist + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for Management Console sign-in without MFA + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "\\(\\$\\.eventName ?= ?\"ConsoleLogin\"\\) ?&& ?\\(\\$\\.additionalEventData.MFAUsed ?!= ?\"Yes\"\\) ?&& ?\\(\\$\\.userIdentity\\.type ?= ?\"IAMUser\"\\) ?&& ?\\(\\$.responseElements\\.ConsoleLogin ?= ?\"Success\"\\)" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml b/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml index f2b5e8582..ab028c5bf 100644 --- a/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml 
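Review bot: Two dots in the `configurationChangesAlarmList` regex are unescaped, in `additionalEventData.MFAUsed` and in `\\$.responseElements`, so they match any character instead of a literal dot, unlike the rest of the pattern. Write `\\$\\.additionalEventData\\.MFAUsed` and `\\$\\.responseElements\\.ConsoleLogin` to keep the match exact. The pattern also requires the `userIdentity.type` and `responseElements.ConsoleLogin` clauses and quoted values, so an account whose metric filter has only the `eventName` and `MFAUsed` clauses would be reported as lacking the alarm. If that strictness is intended, state the expected filter text in `description`.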
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-078-root_usage_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for usage of "root" account - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.userIdentity\\.type ?= ?\"Root\" ?(\\))? ?\\&\\& ?(\\(?) ?\\$\\.userIdentity\\.invokedBy NOT EXISTS ?(\\))? ?&& ?(\\()? ?\\$\\.eventType ?!= ?\"AwsServiceEvent\" ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-078-root_usage_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for usage of "root" account + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.userIdentity\\.type ?= ?\"Root\" ?(\\))? ?\\&\\& ?(\\(?) ?\\$\\.userIdentity\\.invokedBy NOT EXISTS ?(\\))? ?&& ?(\\()? ?\\$\\.eventType ?!= ?\"AwsServiceEvent\" ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml b/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml index f81977f0b..9c5d570a0 100644 --- a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml +++ b/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-079-iam_policy_changes_alarm_exist - resource: aws.account - description: | - Log metric filter and alarm do not exist for IAM policy changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName=DeleteGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteUserPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutGroupPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutRolePolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicyVersion ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicyVersion(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachGroupPolicy ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. 
+# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-079-iam_policy_changes_alarm_exist + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for IAM policy changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName=DeleteGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeleteUserPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutGroupPolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutRolePolicy(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=PutUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=CreatePolicyVersion ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DeletePolicyVersion(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachRolePolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachUserPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=AttachGroupPolicy ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName=DetachGroupPolicy ?(\\))?" + op: eq + value: 0 
diff --git a/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml index 8316f9a0c..0f0236022 100644 --- a/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-080-cloudtrail_configuration_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for CloudTrail configuration changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdateTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?StartLogging(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?StopLogging(\")? ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-080-cloudtrail_configuration_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for CloudTrail configuration changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdateTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteTrail(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?StartLogging(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?StopLogging(\")? ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml b/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml index 3f634c87b..36d4b7fd7 100644 --- a/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-081-console_auth_failure_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for AWS Management Console authentication failures - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?ConsoleLogin(\")? ?(\\))? ?&& ?(\\()? ?\\$\\.errorMessage ?= ?(\")?Failed authentication(\")? ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-081-console_auth_failure_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for AWS Management Console authentication failures + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?ConsoleLogin(\")? ?(\\))? ?&& ?(\\()? ?\\$\\.errorMessage ?= ?(\")?Failed authentication(\")? ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml b/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml index 5949b3780..e814d8cdf 100644 --- a/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?kms\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?DisableKey(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ScheduleKeyDeletion(\")? ?(\\))?\\)" - op: eq - value: 0 - comment: '0016010300' +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?kms\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?DisableKey(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ScheduleKeyDeletion(\")? ?(\\))?\\)" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml b/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml index c4cb4a313..b0effa738 100644 --- a/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml +++ b/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml 
@@ -1,15 +1,15 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-084-cloudtrail_bucket_logging_enabled
- resource: aws.cloudtrail
- description: |
- S3 bucket access logging is disabled on the CloudTrail S3 bucket
- filters:
- - type: cloudtrail-s3-logging
- enabled: false
- comment: '0019010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-084-cloudtrail_bucket_logging_enabled
+ comment: '010019010300'
+ description: |
+ S3 bucket access logging is disabled on the CloudTrail S3 bucket
+ resource: aws.cloudtrail
+ filters:
+ - type: cloudtrail-s3-logging
+ enabled: false
diff --git a/non-compatible-policies/ecc-aws-086-lambda_with_admin_privileges.yml b/non-compatible-policies/ecc-aws-086-lambda_with_admin_privileges.yml
index e76897311..8d05c22e6 100644
--- a/non-compatible-policies/ecc-aws-086-lambda_with_admin_privileges.yml
+++ b/non-compatible-policies/ecc-aws-086-lambda_with_admin_privileges.yml
@@ -1,24 +1,24 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-086-lambda_with_admin_privileges
- resource: lambda
- description: |
- Lambda roles have admin privileges
- filters:
- - type: awslambda-iam-role-policy-filter
- conditions:
- - key: Resource
- op: eq
- value: "*"
- - key: Effect
- op: eq
- value: Allow
- - key: Action
- op: eq
- value: "*"
- comment: '0033030400'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-086-lambda_with_admin_privileges
+ comment: '010033030400'
+ description: |
+ Lambda roles have admin privileges
+ resource: lambda
+ filters:
+ - type: awslambda-iam-role-policy-filter
+ conditions:
+ - key: Resource
+ op: eq
+ value: "*"
+ - key: Effect
+ op: eq
+ value: Allow
+ - key: Action
+ op: eq
+ value: "*"
diff --git a/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
index 0f3626c4d..06d8b316f 100644
--- a/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
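Review bot: The `conditions` entries compare `Action` and `Resource` with `op: eq` against the single string `"*"`, but IAM policy JSON also allows both elements to be arrays. Whether `awslambda-iam-role-policy-filter` flattens list values before the comparison is not visible in this hunk, so a role statement written as `"Action": ["*"]` may or may not be reported. I would state the assumption in a comment above `conditions:`, for example `# Action/Resource can be lists in IAM JSON; the filter is expected to normalise them before eq`, and confirm it against the filter implementation.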
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-094-s3_bucket_policy_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for S3 bucket policy changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?s3\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?PutBucketAcl(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketCors(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketLifecycle(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketReplication(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteBucketPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteBucketCors(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteBucketLifecycle(\")? ?(\\)) ?\\|\\| ?(\\() ?\\$\\.eventName ?= ?(\")?DeleteBucketReplication(\")? ?(\\))? ?\\)" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-094-s3_bucket_policy_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for S3 bucket policy changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?s3\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?PutBucketAcl(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketCors(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketLifecycle(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutBucketReplication(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteBucketPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteBucketCors(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteBucketLifecycle(\")? ?(\\)) ?\\|\\| ?(\\() ?\\$\\.eventName ?= ?(\")?DeleteBucketReplication(\")? ?(\\))? ?\\)" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml index 87f131f39..3703fdc91 100644 --- a/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml 
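Review bot: In `configurationChangesAlarmList` the closing parenthesis after `DeleteBucketLifecycle` and the opening one before `DeleteBucketReplication` are written `(\\))` and `(\\()` without the trailing `?`, while every other term uses `(\\))?` and `(\\()?`. A metric filter pattern that omits the per-term parentheses cannot match at that point, and because the policy fires on `op: eq` with `value: 0`, that presumably reports an account as lacking an alarm it does have. The two groups should read `DeleteBucketLifecycle(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName`. The same mandatory `(\\))` appears in the ecc-aws-099 hunk after `DeleteRoute` and in the ecc-aws-100 hunk after `ModifyVpcAttribute` and `DeleteVpcPeeringConnection`.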
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-095-aws_config_configuration_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for AWS Config configuration changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?config\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?StopConfigurationRecorder(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteDeliveryChannel(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutDeliveryChannel(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutConfigurationRecorder(\")? ?(\\))? ?\\)" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-095-aws_config_configuration_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for AWS Config configuration changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventSource ?= ?(\")?config\\.amazonaws\\.com(\")? ?(\\))? ?&& ?\\((\\()? ?\\$\\.eventName ?= ?(\")?StopConfigurationRecorder(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteDeliveryChannel(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutDeliveryChannel(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?PutConfigurationRecorder(\")? ?(\\))? ?\\)" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml index 4c2c6a23e..14b20dd2f 100644 --- a/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-096-security_group_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for security group changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?AuthorizeSecurityGroupIngress(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AuthorizeSecurityGroupEgress(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RevokeSecurityGroupIngress(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RevokeSecurityGroupEgress(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?CreateSecurityGroup(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?DeleteSecurityGroup(\")? ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-096-security_group_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for security group changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?AuthorizeSecurityGroupIngress(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AuthorizeSecurityGroupEgress(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RevokeSecurityGroupIngress(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RevokeSecurityGroupEgress(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?CreateSecurityGroup(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?DeleteSecurityGroup(\")? ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml index 1373d429b..11eaf0464 100644 --- a/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml 
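Review bot: The `CreateSecurityGroup` and `DeleteSecurityGroup` terms of `configurationChangesAlarmList` use `(\\()?\\$\\.eventName` with no ` ?` between the optional parenthesis and `$`, unlike the four terms before them, so a space after `(` is accepted for some event names and rejected for others. Making both `(\\()? ?\\$\\.eventName` keeps the whitespace tolerance uniform across the alternation. The same gap shows up in the ecc-aws-098 hunk (`CreateCustomerGateway(\")?(\\))?`), the ecc-aws-099 hunk (before `DeleteRoute`) and the ecc-aws-100 hunk (`CreateVpcPeeringConnection`, `DeleteVpcPeeringConnection`, `EnableVpcClassicLink`).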
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-097-network_access_control_lists_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for changes to Network Access Control Lists (NACL) - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateNetworkAcl(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateNetworkAclEntry(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteNetworkAcl(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteNetworkAclEntry(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceNetworkAclEntry(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceNetworkAclAssociation(\")? ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-097-network_access_control_lists_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for changes to Network Access Control Lists (NACL) + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateNetworkAcl(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateNetworkAclEntry(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteNetworkAcl(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteNetworkAclEntry(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceNetworkAclEntry(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceNetworkAclAssociation(\")? ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml index 2005391e9..b6a2043e9 100644 --- a/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-098-network_gateways_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for changes to network gateways - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateCustomerGateway(\")?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteCustomerGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AttachInternetGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateInternetGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteInternetGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DetachInternetGateway(\")? ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-098-network_gateways_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for changes to network gateways + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateCustomerGateway(\")?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteCustomerGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AttachInternetGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateInternetGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteInternetGateway(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DetachInternetGateway(\")? ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml index 4c42c43f7..4cbdcab4f 100644 --- a/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-099-route_table_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for route table changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateRoute(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateRouteTable(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceRoute(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceRouteTableAssociation(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteRouteTable(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?DeleteRoute(\")? ?(\\)) ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DisassociateRouteTable(\")? ?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-099-route_table_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for route table changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateRoute(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateRouteTable(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceRoute(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ReplaceRouteTableAssociation(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteRouteTable(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?DeleteRoute(\")? ?(\\)) ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DisassociateRouteTable(\")? ?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml index 1f86be587..65fff8eed 100644 --- a/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml +++ b/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-100-vpc_changes_alarm_exists - resource: aws.account - description: | - Log metric filter and alarm do not exist for VPC changes - filters: - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ModifyVpcAttribute(\")? ?(\\)) ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AcceptVpcPeeringConnection(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?CreateVpcPeeringConnection(\")?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?DeleteVpcPeeringConnection(\")? ?(\\)) ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RejectVpcPeeringConnection(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AttachClassicLinkVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DetachClassicLinkVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DisableVpcClassicLink(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?EnableVpcClassicLink(\")?(\\))?" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. 
If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-100-vpc_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for VPC changes + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "(\\()? ?\\$\\.eventName ?= ?(\")?CreateVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?ModifyVpcAttribute(\")? ?(\\)) ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AcceptVpcPeeringConnection(\")? ?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?CreateVpcPeeringConnection(\")?(\\))? ?\\|\\| ?(\\()?\\$\\.eventName ?= ?(\")?DeleteVpcPeeringConnection(\")? ?(\\)) ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RejectVpcPeeringConnection(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AttachClassicLinkVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DetachClassicLinkVpc(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DisableVpcClassicLink(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?EnableVpcClassicLink(\")?(\\))?" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-105-kinesis_streams_keys_are_rotated.yml b/non-compatible-policies/ecc-aws-105-kinesis_streams_keys_are_rotated.yml index c5e77d2c9..2a307ff55 100644 --- a/non-compatible-policies/ecc-aws-105-kinesis_streams_keys_are_rotated.yml +++ b/non-compatible-policies/ecc-aws-105-kinesis_streams_keys_are_rotated.yml 
@@ -1,22 +1,22 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-105-kinesis_streams_keys_are_rotated
- description: |
- Kinesis Streams Keys are not rotated
- resource: aws.kinesis
- filters:
- - or:
- - type: kms-key-kinesis-filter
- key: KeyRotationEnabled
- op: eq
- value: false
- - type: kms-key-kinesis-filter
- key: EncryptionType
- op: eq
- value: NONE
- comment: '0029052000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-105-kinesis_streams_keys_are_rotated
+ comment: '010029052000'
+ description: |
+ Kinesis Streams Keys are not rotated
+ resource: aws.kinesis
+ filters:
+ - or:
+ - type: kms-key-kinesis-filter
+ key: KeyRotationEnabled
+ op: eq
+ value: false
+ - type: kms-key-kinesis-filter
+ key: EncryptionType
+ op: eq
+ value: NONE
diff --git a/non-compatible-policies/ecc-aws-110-ecs_cluster_at_rest_encryption.yml b/non-compatible-policies/ecc-aws-110-ecs_cluster_at_rest_encryption.yml
index 648e50ef4..1b981b32f 100644
--- a/non-compatible-policies/ecc-aws-110-ecs_cluster_at_rest_encryption.yml
+++ b/non-compatible-policies/ecc-aws-110-ecs_cluster_at_rest_encryption.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-110-ecs_cluster_at_rest_encryption
- description: |
- ECS Cluster At-Rest Encryption is disabled
- resource: ecs
- filters:
- - type: encryption-instance-id-ecs-filter
- key: Encrypted
- op: eq
- value: false
- comment: '0043082000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-110-ecs_cluster_at_rest_encryption
+ comment: '010043082000'
+ description: |
+ ECS Cluster At-Rest Encryption is disabled
+ resource: ecs
+ filters:
+ - type: encryption-instance-id-ecs-filter
+ key: Encrypted
+ op: eq
+ value: false
diff --git a/non-compatible-policies/ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions.yml b/non-compatible-policies/ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions.yml
index 551bcb308..235d23a36 100644
--- a/non-compatible-policies/ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions.yml
+++ b/non-compatible-policies/ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions.yml
@@ -1,14 +1,14 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions
- description: |
- Container is using IAM roles for an instance
- resource: ecs-service
- filters:
- - type: ecs-task-definition-filter
- comment: '0033082000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions
+ comment: '010033082000'
+ description: |
+ Container is using IAM roles for an instance
+ resource: ecs-service
+ filters:
+ - type: ecs-task-definition-filter
diff --git a/non-compatible-policies/ecc-aws-131-instance_with_unencrypted_service_is_exposed_to_public_internet.yml b/non-compatible-policies/ecc-aws-131-instance_with_unencrypted_service_is_exposed_to_public_internet.yml
index a63d865c0..888fdb29d 100644
--- a/non-compatible-policies/ecc-aws-131-instance_with_unencrypted_service_is_exposed_to_public_internet.yml
+++ b/non-compatible-policies/ecc-aws-131-instance_with_unencrypted_service_is_exposed_to_public_internet.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-131-instance_with_unencrypted_service_is_exposed_to_public_internet
- description: |
- Instance with unencrypted service is exposed to the public internet
- resource: aws.ec2
- filters:
- - type: cidrip-security-group-ec2-filter
- required-ports: 9200, 9300, 11211, 27017, 61620, 9090, 22, 389, 1521, 2483, 6379, 7000, 7199, 8888, 9042, 9160, 3389
- egress: false
- cidr: ["0.0.0.0/0", "::/0"]
- comment: '0040092000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-131-instance_with_unencrypted_service_is_exposed_to_public_internet
+ comment: '010040092000'
+ description: |
+ Instance with unencrypted service is exposed to the public internet
+ resource: aws.ec2
+ filters:
+ - type: cidrip-security-group-ec2-filter
+ required-ports: 9200, 9300, 11211, 27017, 61620, 9090, 22, 389, 1521, 2483, 6379, 7000, 7199, 8888, 9042, 9160, 3389
+ egress: false
+ cidr: ["0.0.0.0/0", "::/0"]
diff --git a/non-compatible-policies/ecc-aws-132-public_instance_with_sensitive_service_is_exposed_to_entire_internet.yml b/non-compatible-policies/ecc-aws-132-public_instance_with_sensitive_service_is_exposed_to_entire_internet.yml
index cbb70acc0..c1810695e 100644
--- a/non-compatible-policies/ecc-aws-132-public_instance_with_sensitive_service_is_exposed_to_entire_internet.yml
+++ b/non-compatible-policies/ecc-aws-132-public_instance_with_sensitive_service_is_exposed_to_entire_internet.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-132-public_instance_with_sensitive_service_is_exposed_to_entire_internet
- description: |
- Public Instance with a sensitive service is exposed to the entire internet
- resource: aws.ec2
- filters:
- - type: cidrip-security-group-ec2-filter
- required-ports: 135, 636, 1433, 2383, 2484, 3306, 5432, 7001, 9000, 11214, 11215, 23, 445, 25, 110, 137, 138, 139, 161, 53, 3000, 3020, 4505, 4506, 8000, 8080, 5500, 5900, 1434, 2382, 8140, 27018, 61621
- egress: false
- cidr: ["0.0.0.0/0", "::/0"]
- comment: '0040032000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-132-public_instance_with_sensitive_service_is_exposed_to_entire_internet
+ comment: '010040032000'
+ description: |
+ Public Instance with a sensitive service is exposed to the entire internet
+ resource: aws.ec2
+ filters:
+ - type: cidrip-security-group-ec2-filter
+ required-ports: 135, 636, 1433, 2383, 2484, 3306, 5432, 7001, 9000, 11214, 11215, 23, 445, 25, 110, 137, 138, 139, 161, 53, 3000, 3020, 4505, 4506, 8000, 8080, 5500, 5900, 1434, 2382, 8140, 27018, 61621
+ egress: false
+ cidr: ["0.0.0.0/0", "::/0"]
diff --git a/non-compatible-policies/ecc-aws-134-clb_with_sensitive_service_is_exposed_to_entire_internet.yml b/non-compatible-policies/ecc-aws-134-clb_with_sensitive_service_is_exposed_to_entire_internet.yml
index 962960d68..c427c5aeb 100644
--- a/non-compatible-policies/ecc-aws-134-clb_with_sensitive_service_is_exposed_to_entire_internet.yml
+++ b/non-compatible-policies/ecc-aws-134-clb_with_sensitive_service_is_exposed_to_entire_internet.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-134-clb_with_sensitive_service_is_exposed_to_entire_internet
- description: |
- Classic Load Balancer with sensitive services is exposed to the entire internet
- resource: aws.elb
- filters:
- - type: cidr-egress-port-range-elb-filter
- required-ports: 135, 636, 2383, 2484, 3306, 5432, 7001, 9000, 11214, 11215, 23, 445, 25, 110, 137, 138, 139, 161, 53, 3000, 3020, 4505, 4506, 8000, 8080, 5500, 5900, 1434, 2382, 8140, 27018, 61621, 1433
- egress: false
- cidr: ["0.0.0.0/0", "::/0"]
- comment: '0040022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-134-clb_with_sensitive_service_is_exposed_to_entire_internet
+ comment: '010040022000'
+ description: |
+ Classic Load Balancer with sensitive services is exposed to the entire internet
+ resource: aws.elb
+ filters:
+ - type: cidr-egress-port-range-elb-filter
+ required-ports: 135, 636, 2383, 2484, 3306, 5432, 7001, 9000, 11214, 11215, 23, 445, 25, 110, 137, 138, 139, 161, 53, 3000, 3020, 4505, 4506, 8000, 8080, 5500, 5900, 1434, 2382, 8140, 27018, 61621, 1433
+ egress: false
+ cidr: ["0.0.0.0/0", "::/0"]
diff --git a/non-compatible-policies/ecc-aws-135-clb_with_unencrypted_service_is_exposed_to_public_internet.yml b/non-compatible-policies/ecc-aws-135-clb_with_unencrypted_service_is_exposed_to_public_internet.yml
index c4b354464..838cf6829 100644
--- a/non-compatible-policies/ecc-aws-135-clb_with_unencrypted_service_is_exposed_to_public_internet.yml
+++ b/non-compatible-policies/ecc-aws-135-clb_with_unencrypted_service_is_exposed_to_public_internet.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-135-clb_with_unencrypted_service_is_exposed_to_public_internet
- description: |
- Classic Load Balancer with an unencrypted sensitive service is exposed to the public internet
- resource: aws.elb
- filters:
- - type: cidr-egress-port-range-elb-filter
- required-ports: 22, 3389, 9090, 389, 1521, 2483, 6379, 7000, 7199, 8888, 9042, 9160, 9200, 9300, 11211, 27017, 61620
- egress: false
- cidr: ["0.0.0.0/0", "::/0"]
- comment: '0040022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-135-clb_with_unencrypted_service_is_exposed_to_public_internet
+ comment: '010040022000'
+ description: |
+ Classic Load Balancer with an unencrypted sensitive service is exposed to the public internet
+ resource: aws.elb
+ filters:
+ - type: cidr-egress-port-range-elb-filter
+ required-ports: 22, 3389, 9090, 389, 1521, 2483, 6379, 7000, 7199, 8888, 9042, 9160, 9200, 9300, 11211, 27017, 61620
+ egress: false
+ cidr: ["0.0.0.0/0", "::/0"]
diff --git a/non-compatible-policies/ecc-aws-136-alb_with_sensitive_service_is_exposed_to_entire_internet.yml b/non-compatible-policies/ecc-aws-136-alb_with_sensitive_service_is_exposed_to_entire_internet.yml
index 2b2fb6add..79e6cd706 100644
--- a/non-compatible-policies/ecc-aws-136-alb_with_sensitive_service_is_exposed_to_entire_internet.yml
+++ b/non-compatible-policies/ecc-aws-136-alb_with_sensitive_service_is_exposed_to_entire_internet.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-136-alb_with_sensitive_service_is_exposed_to_entire_internet
- description: |
- Application Load Balancer with sensitive services is exposed to the entire internet
- resource: aws.app-elb
- filters:
- - type: cidrip-security-group-appelb-filter
- required-ports: 61621, 8140, 2382, 1434, 5900, 5500, 8080, 8000, 4506, 4505, 3020, 3000, 53, 161, 139, 138, 137, 110, 25, 445, 23, 11215, 27018, 11214, 9000, 7001, 5432, 3306, 2484, 2383, 1433, 636, 135
- egress: false
- cidr: ["0.0.0.0/0", "::/0"]
- comment: '0040022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-136-alb_with_sensitive_service_is_exposed_to_entire_internet
+ comment: '010040022000'
+ description: |
+ Application Load Balancer with sensitive services is exposed to the entire internet
+ resource: aws.app-elb
+ filters:
+ - type: cidrip-security-group-appelb-filter
+ required-ports: 61621, 8140, 2382, 1434, 5900, 5500, 8080, 8000, 4506, 4505, 3020, 3000, 53, 161, 139, 138, 137, 110, 25, 445, 23, 11215, 27018, 11214, 9000, 7001, 5432, 3306, 2484, 2383, 1433, 636, 135
+ egress: false
+ cidr: ["0.0.0.0/0", "::/0"]
diff --git a/non-compatible-policies/ecc-aws-137-alb_with_unencrypted_service_is_exposed_to_public_internet.yml b/non-compatible-policies/ecc-aws-137-alb_with_unencrypted_service_is_exposed_to_public_internet.yml
index 8244c3954..00db6bd43 100644
--- a/non-compatible-policies/ecc-aws-137-alb_with_unencrypted_service_is_exposed_to_public_internet.yml
+++ b/non-compatible-policies/ecc-aws-137-alb_with_unencrypted_service_is_exposed_to_public_internet.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-137-alb_with_unencrypted_service_is_exposed_to_public_internet
- description: |
- Application Load Balancer with an unencrypted sensitive service is exposed to the public internet
- resource: aws.app-elb
- filters:
- - type: cidrip-security-group-appelb-filter
- required-ports: 22, 3389, 9090, 389, 1521, 2483, 6379, 7000, 7199, 8888, 9042, 9160, 9200, 9300, 11211, 27017, 61620
- egress: false
- cidr: ["0.0.0.0/0", "::/0"]
- comment: '0040022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-137-alb_with_unencrypted_service_is_exposed_to_public_internet
+ comment: '010040022000'
+ description: |
+ Application Load Balancer with an unencrypted sensitive service is exposed to the public internet
+ resource: aws.app-elb
+ filters:
+ - type: cidrip-security-group-appelb-filter
+ required-ports: 22, 3389, 9090, 389, 1521, 2483, 6379, 7000, 7199, 8888, 9042, 9160, 9200, 9300, 11211, 27017, 61620
+ egress: false
+ cidr: ["0.0.0.0/0", "::/0"]
diff --git a/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml b/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
index b2a67fa5f..aabdb5c3d 100644
--- a/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
+++ b/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
@@ -1,19 +1,19 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-143-bucket_object-level_logging_for_write_enabled
- description: |
- Object-level logging for write events is disabled for S3 bucket
- resource: aws.account
- filters:
- - type: cloudtrails
- valueList: trailList[?IsMultiRegionTrail == `true`]
- statusList: statusList[?IsLogging == `true`]
- selectorList: selectorList[?EventSelectors[?DataResources[?Type=='AWS::S3::Object' && Values==['arn:aws:s3']] && (ReadWriteType=='All' || ReadWriteType=='WriteOnly' )] || AdvancedEventSelectors[?FieldSelectors[?Equals[?contains(@, 'AWS::S3::Object')==`true`] && Field == 'resources.type'] && FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Data')==`true`]] && !(FieldSelectors[?Field=='resources.ARN']) && ( !(FieldSelectors[?Field=='readOnly']) || (FieldSelectors[?contains(values(@), 'readOnly') && Equals[?contains(@, 'true')==`false`]] ))]]
- op: eq
- value: 0
- comment: '0019010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-143-bucket_object-level_logging_for_write_enabled
+ comment: '010019010300'
+ description: |
+ Object-level logging for write events is disabled for S3 bucket
+ resource: aws.account
+ filters:
+ - type: cloudtrails
+ valueList: trailList[?IsMultiRegionTrail == `true`]
+ statusList: statusList[?IsLogging == `true`]
+ selectorList: selectorList[?EventSelectors[?DataResources[?Type=='AWS::S3::Object' && Values==['arn:aws:s3']] && (ReadWriteType=='All' || ReadWriteType=='WriteOnly' )] || AdvancedEventSelectors[?FieldSelectors[?Equals[?contains(@, 'AWS::S3::Object')==`true`] && Field == 'resources.type'] && FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Data')==`true`]] && !(FieldSelectors[?Field=='resources.ARN']) && ( !(FieldSelectors[?Field=='readOnly']) || (FieldSelectors[?contains(values(@), 'readOnly') && Equals[?contains(@, 'true')==`false`]] ))]]
+ op: eq
+ value: 0
diff --git a/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml b/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
index 757d1f304..7576cb1f1 100644
--- a/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
+++ b/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
@@ -1,19 +1,19 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-144-bucket_object-level_logging_for_read_enabled
- description: |
- Object-level logging for read events is disabled for S3 bucket
- resource: aws.account
- filters:
- - type: cloudtrails
- valueList: trailList[?IsMultiRegionTrail == `true`]
- statusList: statusList[?IsLogging == `true`]
- selectorList: selectorList[?EventSelectors[?DataResources[?Type=='AWS::S3::Object'] && (ReadWriteType=='All' || ReadWriteType=='ReadOnly' )] || AdvancedEventSelectors[?FieldSelectors[? Equals[?contains(@, 'AWS::S3::Object')==`true`] && Field == 'resources.type'] && FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Data')==`true`]] && ( !(FieldSelectors[?Field=='readOnly']) || (FieldSelectors[?contains(values(@), 'readOnly') && Equals[?contains(@, 'true')==`true`]] ))]]
- op: eq
- value: 0
- comment: '0019010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-144-bucket_object-level_logging_for_read_enabled
+ comment: '010019010300'
+ description: |
+ Object-level logging for read events is disabled for S3 bucket
+ resource: aws.account
+ filters:
+ - type: cloudtrails
+ valueList: trailList[?IsMultiRegionTrail == `true`]
+ statusList: statusList[?IsLogging == `true`]
+ selectorList: selectorList[?EventSelectors[?DataResources[?Type=='AWS::S3::Object'] && (ReadWriteType=='All' || ReadWriteType=='ReadOnly' )] || AdvancedEventSelectors[?FieldSelectors[?
Equals[?contains(@, 'AWS::S3::Object')==`true`] && Field == 'resources.type'] && FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Data')==`true`]] && ( !(FieldSelectors[?Field=='readOnly']) || (FieldSelectors[?contains(values(@), 'readOnly') && Equals[?contains(@, 'true')==`true`]] ))]]
+ op: eq
+ value: 0
diff --git a/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
index 3f25ae135..7b23cb005 100644
--- a/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
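Review bot: The `selectorList` expression of ecc-aws-144 accepts a bucket-scoped data-event selector, which the write-side policy ecc-aws-143 just above rejects. The write policy requires `Values==['arn:aws:s3']` on the classic selector and `!(FieldSelectors[?Field=='resources.ARN'])` on the advanced one; the read policy has neither, so a trail that logs read events for a single bucket appears to satisfy the account-wide check. If the intent is the same as for writes (all S3 objects in the account), add `&& Values==['arn:aws:s3']` inside the `DataResources[?...]` test and `&& !(FieldSelectors[?Field=='resources.ARN'])` to the advanced-selector branch. How the `cloudtrails` filter evaluates these lists is not visible in this diff, so confirm against the filter before changing it.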
@@ -1,27 +1,27 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-145-organizations_changes_alarm_exists - description: | - Log metric filter and alarm do not exist for AWS Organizations changes - resource: aws.account - filters: - - type: organization - key: Id - value: present - - type: organization - key: MasterAccountId - value: "{account_id}" - - - type: cloudtrails - valueList: trailList[?IsMultiRegionTrail == `true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] - configurationChangesAlarmList: "{ ?(\\()? ?\\$\\.eventSource ?= ?organizations\\.amazonaws\\.com(\\))? ?&& ?\\( ?(\\()? ?\\$\\.eventName ?= ?(\")?AcceptHandshake(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AttachPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateAccount(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateOrganizationalUnit(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreatePolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeclineHandshake(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteOrganizationalUnit(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeletePolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DetachPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DisablePolicyType(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?EnablePolicyType(\")? ?(\\))? ?\\|\\| ?(\\()? 
?\\$\\.eventName ?= ?(\")?InviteAccountToOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?LeaveOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?MoveAccount(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RemoveAccountFromOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdatePolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdateOrganizationalUnit(\")? ?(\\))? ?\\) ?}" - op: eq - value: 0 - comment: '0016010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-145-organizations_changes_alarm_exists + comment: '010016010300' + description: | + Log metric filter and alarm do not exist for AWS Organizations changes + resource: aws.account + filters: + - type: organization + key: Id + value: present + - type: organization + key: MasterAccountId + value: "{account_id}" + + - type: cloudtrails + valueList: trailList[?IsMultiRegionTrail == `true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] || EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All']] + configurationChangesAlarmList: "{ ?(\\()? ?\\$\\.eventSource ?= ?organizations\\.amazonaws\\.com(\\))? ?&& ?\\( ?(\\()? ?\\$\\.eventName ?= ?(\")?AcceptHandshake(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?AttachPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateAccount(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreateOrganizationalUnit(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?CreatePolicy(\")? ?(\\))? 
?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeclineHandshake(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeleteOrganizationalUnit(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DeletePolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DetachPolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?DisablePolicyType(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?EnablePolicyType(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?InviteAccountToOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?LeaveOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?MoveAccount(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?RemoveAccountFromOrganization(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdatePolicy(\")? ?(\\))? ?\\|\\| ?(\\()? ?\\$\\.eventName ?= ?(\")?UpdateOrganizationalUnit(\")? ?(\\))? ?\\) ?}" + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml b/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml index 86d4615d1..6346e50ce 100644 --- a/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml +++ b/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml 
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
- description: |
- Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
- resource: aws.network-acl
- filters:
- - type: cidr-egress-port-range
- egress: false
- required-ports: 22,3389
- cidr: 0.0.0.0/0
- rule-action: allow
- comment: '0024020300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
+ comment: '010024020300'
+ description: |
+ Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
+ resource: aws.network-acl
+ filters:
+ - type: cidr-egress-port-range
+ egress: false
+ required-ports: 22,3389
+ cidr: 0.0.0.0/0
+ rule-action: allow
diff --git a/non-compatible-policies/ecc-aws-154-elasticsearch_domains_have_at_least_three_data_nodes.yml b/non-compatible-policies/ecc-aws-154-elasticsearch_domains_have_at_least_three_data_nodes.yml
index c430bd660..f300a2080 100644
--- a/non-compatible-policies/ecc-aws-154-elasticsearch_domains_have_at_least_three_data_nodes.yml
+++ b/non-compatible-policies/ecc-aws-154-elasticsearch_domains_have_at_least_three_data_nodes.yml
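Review bot: The network-ACL check sets `cidr: 0.0.0.0/0` only, so an allow rule that opens ports 22 or 3389 to `::/0` is not reported. The security-group and load-balancer policies in this same commit (ecc-aws-131 through ecc-aws-137) pass `cidr: ["0.0.0.0/0", "::/0"]`. If the `cidr-egress-port-range` filter accepts a list in the same way (it is a custom filter not shown here), I would use `cidr: ["0.0.0.0/0", "::/0"]` and mention IPv6 in the description; otherwise add a comment stating that IPv6 ACL entries are out of scope for this rule.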
@@ -1,30 +1,30 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-154-elasticsearch_domains_have_at_least_three_data_nodes
- resource: aws.elasticsearch
- description: |
- Elasticsearch domains have less than three data nodes
- filters:
- - or:
- - not:
- - and:
- - type: value
- key: ElasticsearchClusterConfig.InstanceCount
- value: 3
- op: gte
- - type: value
- key: ElasticsearchClusterConfig.ZoneAwarenessEnabled
- value: true
- - and:
- - type: value
- key: ElasticsearchClusterConfig.ZoneAwarenessConfig.AvailabilityZoneCount
- value: 3
- op: eq
- - not:
- - type: elasticsearch-domain-filter
- comment: '0050052000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-154-elasticsearch_domains_have_at_least_three_data_nodes
+ comment: '010050052000'
+ description: |
+ Elasticsearch domains have less than three data nodes
+ resource: aws.elasticsearch
+ filters:
+ - or:
+ - not:
+ - and:
+ - type: value
+ key: ElasticsearchClusterConfig.InstanceCount
+ value: 3
+ op: gte
+ - type: value
+ key: ElasticsearchClusterConfig.ZoneAwarenessEnabled
+ value: true
+ - and:
+ - type: value
+ key: ElasticsearchClusterConfig.ZoneAwarenessConfig.AvailabilityZoneCount
+ value: 3
+ op: eq
+ - not:
+ - type: elasticsearch-domain-filter
diff --git a/non-compatible-policies/ecc-aws-159-rds_critical_cluster_events_notification_exists.yml b/non-compatible-policies/ecc-aws-159-rds_critical_cluster_events_notification_exists.yml
index 1df295bac..906e9adfa 100644
--- a/non-compatible-policies/ecc-aws-159-rds_critical_cluster_events_notification_exists.yml
+++ b/non-compatible-policies/ecc-aws-159-rds_critical_cluster_events_notification_exists.yml
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-159-rds_critical_cluster_events_notification_exists
- resource: aws.account
- description: |
- RDS event notifications subscription is not configured for critical cluster events
- filters:
- - type: rds-sns-subscription-filter
- check_in: cluster
- key: SourceType=='db-cluster' && SourceIdsList==null && ( EventCategoriesList==null || (EventCategoriesList.contains(@, 'failure')==`true` && EventCategoriesList.contains(@'maintenance')==`true`)) && Enabled==`true`
- value: true
- op: eq
- comment: '0032062000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-159-rds_critical_cluster_events_notification_exists
+ comment: '010032062000'
+ description: |
+ RDS event notifications subscription is not configured for critical cluster events
+ resource: aws.account
+ filters:
+ - type: rds-sns-subscription-filter
+ check_in: cluster
+ key: SourceType=='db-cluster' && SourceIdsList==null && ( EventCategoriesList==null || (EventCategoriesList.contains(@, 'failure')==`true` && EventCategoriesList.contains(@'maintenance')==`true`)) && Enabled==`true`
+ value: true
+ op: eq
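Review bot: The `key` expression calls `EventCategoriesList.contains(@'maintenance')` with no comma between the two arguments; ecc-aws-160, the next file in this commit, writes the same test as `contains(@, 'maintenance')`. As written the JMESPath is likely to fail to parse or to evaluate differently from what is intended, so the maintenance-category part of this check is unreliable (how `rds-sns-subscription-filter` handles an invalid expression is not visible here). Change it to `EventCategoriesList.contains(@, 'maintenance')`. The line is carried over unchanged from the removed side, and this commit already rewrites the file.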
diff --git a/non-compatible-policies/ecc-aws-160-rds_database_instance_events_notification_exists.yml b/non-compatible-policies/ecc-aws-160-rds_database_instance_events_notification_exists.yml
index 3204a31b1..f8527f99b 100644
--- a/non-compatible-policies/ecc-aws-160-rds_database_instance_events_notification_exists.yml
+++ b/non-compatible-policies/ecc-aws-160-rds_database_instance_events_notification_exists.yml
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-160-rds_database_instance_events_notification_exists - resource: aws.account - description: | - RDS event notifications subscription is not configured for critical database instance events - filters: - - type: rds-sns-subscription-filter - check_in: rds - key: SourceType=='db-instance' && SourceIdsList==null && ( EventCategoriesList==null || (EventCategoriesList.contains(@, 'configuration change')==`true` && EventCategoriesList.contains(@, 'failure')==`true` && EventCategoriesList.contains(@, 'maintenance')==`true`)) && Enabled==`true` - value: true - op: eq - comment: '0032062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-160-rds_database_instance_events_notification_exists + comment: '010032062000' + description: | + RDS event notifications subscription is not configured for critical database instance events + resource: aws.account + filters: + - type: rds-sns-subscription-filter + check_in: rds + key: SourceType=='db-instance' && SourceIdsList==null && ( EventCategoriesList==null || (EventCategoriesList.contains(@, 'configuration change')==`true` && EventCategoriesList.contains(@, 'failure')==`true` && EventCategoriesList.contains(@, 'maintenance')==`true`)) && Enabled==`true` + value: true + op: eq 
diff --git a/non-compatible-policies/ecc-aws-161-rds_database_parameter_group_events_notification_exists.yml b/non-compatible-policies/ecc-aws-161-rds_database_parameter_group_events_notification_exists.yml index b7919538a..46c73fdf3 100644 --- a/non-compatible-policies/ecc-aws-161-rds_database_parameter_group_events_notification_exists.yml +++ b/non-compatible-policies/ecc-aws-161-rds_database_parameter_group_events_notification_exists.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-161-rds_database_parameter_group_events_notification_exists - resource: aws.account - description: | - RDS event notifications subscription is not configured for database parameter group events - filters: - - type: rds-sns-subscription-filter - check_in: rds - key: SourceType=='db-parameter-group' && SourceIdsList==null && ( EventCategoriesList==null || EventCategoriesList.contains(@, 'configuration change')==`true`) && Enabled==`true` - value: true - op: eq - comment: '0032062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-161-rds_database_parameter_group_events_notification_exists + comment: '010032062000' + description: | + RDS event notifications subscription is not configured for database parameter group events + resource: aws.account + filters: + - type: rds-sns-subscription-filter + check_in: rds + key: SourceType=='db-parameter-group' && SourceIdsList==null && ( EventCategoriesList==null || EventCategoriesList.contains(@, 'configuration change')==`true`) && Enabled==`true` + value: true + op: eq diff --git a/non-compatible-policies/ecc-aws-162-rds_database_security_group_events_notification_exists.yml b/non-compatible-policies/ecc-aws-162-rds_database_security_group_events_notification_exists.yml index 61544bdd1..e96f286e4 100644 --- a/non-compatible-policies/ecc-aws-162-rds_database_security_group_events_notification_exists.yml 
+++ b/non-compatible-policies/ecc-aws-162-rds_database_security_group_events_notification_exists.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-162-rds_database_security_group_events_notification_exists - resource: aws.account - description: | - RDS event notifications subscription is not configured for critical database security group events - filters: - - type: rds-sns-subscription-filter - check_in: rds - key: SourceType=='db-security-group' && Enabled==`true` && SourceIdsList==null && ( EventCategoriesList==null || length(EventCategoriesList[])==`2`) - value: true - op: eq - comment: '0032062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-162-rds_database_security_group_events_notification_exists + comment: '010032062000' + description: | + RDS event notifications subscription is not configured for critical database security group events + resource: aws.account + filters: + - type: rds-sns-subscription-filter + check_in: rds + key: SourceType=='db-security-group' && Enabled==`true` && SourceIdsList==null && ( EventCategoriesList==null || length(EventCategoriesList[])==`2`) + value: true + op: eq diff --git a/non-compatible-policies/ecc-aws-163-rds_database_instance_engine_no_default_ports.yml b/non-compatible-policies/ecc-aws-163-rds_database_instance_engine_no_default_ports.yml index d75d42a5c..337ba19e6 100644 --- a/non-compatible-policies/ecc-aws-163-rds_database_instance_engine_no_default_ports.yml 
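Review bot: This policy judges category coverage by count, comparing `length(EventCategoriesList[])` with 2, whereas the sibling 160 and 161 policies name the categories they require. A count passes any two categories and breaks silently if the set of db-security-group categories ever changes. Naming the intended categories would be clearer, presumably `EventCategoriesList.contains(@, 'configuration change')` and `EventCategoriesList.contains(@, 'failure')`; confirm against the categories the service reports.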
+++ b/non-compatible-policies/ecc-aws-163-rds_database_instance_engine_no_default_ports.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-163-rds_database_instance_engine_no_default_ports - resource: aws.rds - description: | - RDS database instances are using database engine default ports - filters: - - type: endpoint-port - required-ports: 1433, 1521, 3306, 5432 - - type: vpc-security-group-inbound-ports - required-ports: 1433, 1521, 3306, 5432 - comment: '0024062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-163-rds_database_instance_engine_no_default_ports + comment: '010024062000' + description: | + RDS database instances are using database engine default ports + resource: aws.rds + filters: + - type: endpoint-port + required-ports: 1433, 1521, 3306, 5432 + - type: vpc-security-group-inbound-ports + required-ports: 1433, 1521, 3306, 5432 diff --git a/non-compatible-policies/ecc-aws-182-dynamodb_tables_autoscaling_enabled.yml b/non-compatible-policies/ecc-aws-182-dynamodb_tables_autoscaling_enabled.yml index 4aa3bcc5e..bc2cc571f 100644 --- a/non-compatible-policies/ecc-aws-182-dynamodb_tables_autoscaling_enabled.yml +++ b/non-compatible-policies/ecc-aws-182-dynamodb_tables_autoscaling_enabled.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-182-dynamodb_tables_autoscaling_enabled - description: | - DynamoDB table Auto Scaling or On-Demand is not enabled on DynamoDB tables - resource: aws.dynamodb-table - filters: - - type: value - key: ProvisionedThroughput.ReadCapacityUnits - op: ne - value: 0 - - type: auto-scaling - enabled: false - comment: '0005062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-182-dynamodb_tables_autoscaling_enabled + comment: '010005062000' + description: | + DynamoDB table Auto Scaling or On-Demand is not enabled on DynamoDB tables + resource: aws.dynamodb-table + filters: + - type: value + key: ProvisionedThroughput.ReadCapacityUnits + op: ne + value: 0 + - type: auto-scaling + enabled: false diff --git a/non-compatible-policies/ecc-aws-218-secrets_manager_rotation_enabled.yml b/non-compatible-policies/ecc-aws-218-secrets_manager_rotation_enabled.yml index ac1e1f2a3..3090cada2 100644 --- a/non-compatible-policies/ecc-aws-218-secrets_manager_rotation_enabled.yml +++ b/non-compatible-policies/ecc-aws-218-secrets_manager_rotation_enabled.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-218-secrets_manager_rotation_enabled - description: | - Secrets Manager secrets automatic rotation disabled - resource: aws.secrets-manager - filters: - - or: - - type: value - key: RotationEnabled - value: false - - type: value - key: RotationEnabled - value: absent - comment: '0028092000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-218-secrets_manager_rotation_enabled + comment: '010028092000' + description: | + Secrets Manager secrets automatic rotation disabled + resource: aws.secrets-manager + filters: + - or: + - type: value + key: RotationEnabled + value: false + - type: value + key: RotationEnabled + value: absent diff --git a/non-compatible-policies/ecc-aws-219-secrets_manager_successful_rotation_check.yml b/non-compatible-policies/ecc-aws-219-secrets_manager_successful_rotation_check.yml index 86f3e22db..b01f16c53 100644 --- a/non-compatible-policies/ecc-aws-219-secrets_manager_successful_rotation_check.yml +++ b/non-compatible-policies/ecc-aws-219-secrets_manager_successful_rotation_check.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-219-secrets_manager_successful_rotation_check - description: | - Secrets Manager secrets configured with automatic rotation are not rotating successfully - resource: aws.secrets-manager - filters: - - and: - - type: value - key: RotationEnabled - value: true - - not: - - type: value - key: LastRotatedDate - value: present - comment: '0028092000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-219-secrets_manager_successful_rotation_check + comment: '010028092000' + description: | + Secrets Manager secrets configured with automatic rotation are not rotating successfully + resource: aws.secrets-manager + filters: + - and: + - type: value + key: RotationEnabled + value: true + - not: + - type: value + key: LastRotatedDate + value: present diff --git a/non-compatible-policies/ecc-aws-220-secrets_manager_unused_secret.yml b/non-compatible-policies/ecc-aws-220-secrets_manager_unused_secret.yml index 3597175c5..6d4295fe0 100644 --- a/non-compatible-policies/ecc-aws-220-secrets_manager_unused_secret.yml +++ b/non-compatible-policies/ecc-aws-220-secrets_manager_unused_secret.yml 
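Review bot: The filter only flags secrets with `RotationEnabled: true` and no `LastRotatedDate` at all, so a secret that rotated once and has been failing ever since is not reported. That is the case the description ("not rotating successfully") is most concerned with. Adding an age comparison on `LastRotatedDate` next to the existing absence check would cover it. The threshold below is a constructed sample and should be set from the rotation interval actually in use.

```yaml
    filters:
      - type: value
        key: RotationEnabled
        value: true
      - or:
          # … unchanged: the existing not/present check on LastRotatedDate …
          - type: value
            key: LastRotatedDate
            value_type: age
            op: greater-than
            value: 90  # constructed sample: days since last successful rotation
```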
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-220-secrets_manager_unused_secret - description: | - Unused Secrets Manager secrets are not removed - resource: aws.secrets-manager - filters: - - or: - - type: value - key: LastAccessedDate - op: greater-than - value_type: age - value: 90 - - type: value - key: LastAccessedDate - value: empty - comment: '0002092000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-220-secrets_manager_unused_secret + comment: '010002092000' + description: | + Unused Secrets Manager secrets are not removed + resource: aws.secrets-manager + filters: + - or: + - type: value + key: LastAccessedDate + op: greater-than + value_type: age + value: 90 + - type: value + key: LastAccessedDate + value: empty diff --git a/non-compatible-policies/ecc-aws-251-appflow_encrypted_with_kms_cmk.yml b/non-compatible-policies/ecc-aws-251-appflow_encrypted_with_kms_cmk.yml index 972cabd54..4d5ea549c 100644 --- a/non-compatible-policies/ecc-aws-251-appflow_encrypted_with_kms_cmk.yml +++ b/non-compatible-policies/ecc-aws-251-appflow_encrypted_with_kms_cmk.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-251-appflow_encrypted_with_kms_cmk - description: | - Appflow is not encrypted with KMS CMK - resource: aws.app-flow - filters: - - type: appflow-kms-key-filter - key: KeyManager - op: eq - value: AWS - comment: '0045142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-251-appflow_encrypted_with_kms_cmk + comment: '010045142000' + description: | + Appflow is not encrypted with KMS CMK + resource: aws.app-flow + filters: + - type: appflow-kms-key-filter + key: KeyManager + op: eq + value: AWS diff --git a/non-compatible-policies/ecc-aws-262-vpc_endpoint_manual_acceptance.yml b/non-compatible-policies/ecc-aws-262-vpc_endpoint_manual_acceptance.yml index cd13b7ee6..29b715531 100644 --- a/non-compatible-policies/ecc-aws-262-vpc_endpoint_manual_acceptance.yml +++ b/non-compatible-policies/ecc-aws-262-vpc_endpoint_manual_acceptance.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-262-vpc_endpoint_manual_acceptance - description: | - Manual acceptance is not enabled for VPC endpoints - resource: vpc-endpoint-service - filters: - - type: vpc-endpoint-service-configurations-filter - key: AcceptanceRequired - op: eq - value: false - comment: '0024022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-262-vpc_endpoint_manual_acceptance + comment: '010024022000' + description: | + Manual acceptance is not enabled for VPC endpoints + resource: vpc-endpoint-service + filters: + - type: vpc-endpoint-service-configurations-filter + key: AcceptanceRequired + op: eq + value: false diff --git a/non-compatible-policies/ecc-aws-264-elasticache_no_default_ports.yml b/non-compatible-policies/ecc-aws-264-elasticache_no_default_ports.yml index f730590c3..6e4c73f3e 100644 --- a/non-compatible-policies/ecc-aws-264-elasticache_no_default_ports.yml +++ b/non-compatible-policies/ecc-aws-264-elasticache_no_default_ports.yml 
@@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-264-elasticache_no_default_ports - description: | - Elasticache is using default ports - resource: cache-cluster - filters: - - type: redis-memcache-filter - port: ["11211", "6379"] - comment: '0024062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-264-elasticache_no_default_ports + comment: '010024062000' + description: | + Elasticache is using default ports + resource: cache-cluster + filters: + - type: redis-memcache-filter + port: ["11211", "6379"] diff --git a/non-compatible-policies/ecc-aws-269-elasticache_not_using_default_vpc.yml b/non-compatible-policies/ecc-aws-269-elasticache_not_using_default_vpc.yml index 6f77d8912..228993750 100644 --- a/non-compatible-policies/ecc-aws-269-elasticache_not_using_default_vpc.yml +++ b/non-compatible-policies/ecc-aws-269-elasticache_not_using_default_vpc.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-269-elasticache_not_using_default_vpc - description: | - Elasticache is using default VPC - resource: cache-cluster - filters: - - type: vpc-elastic-cache-filter - key: IsDefault - op: eq - value: true - comment: '0024062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-269-elasticache_not_using_default_vpc + comment: '010024062000' + description: | + Elasticache is using default VPC + resource: cache-cluster + filters: + - type: vpc-elastic-cache-filter + key: IsDefault + op: eq + value: true diff --git a/non-compatible-policies/ecc-aws-274-rds_aurora_cluster_logging_enabled.yml b/non-compatible-policies/ecc-aws-274-rds_aurora_cluster_logging_enabled.yml index 71275a8ae..25b53b9ca 100644 --- a/non-compatible-policies/ecc-aws-274-rds_aurora_cluster_logging_enabled.yml +++ b/non-compatible-policies/ecc-aws-274-rds_aurora_cluster_logging_enabled.yml 
@@ -1,51 +1,51 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-274-rds_aurora_cluster_logging_enabled - resource: aws.rds-cluster - description: | - Aurora cluster logging is disabled - filters: - - and: - - type: value - key: Engine - value: aurora - - not: - - and: - - type: value - key: EnabledCloudwatchLogsExports - op: in - value_type: swap - value: audit - - type: value - key: EnabledCloudwatchLogsExports - op: in - value_type: swap - value: error - - type: value - key: EnabledCloudwatchLogsExports - op: in - value_type: swap - value: general - - type: value - key: EnabledCloudwatchLogsExports - op: in - value_type: swap - value: slowquery - - type: rds-cluster-parameter-filter - parameters: - - key: general_log - value: 1 - - type: rds-cluster-parameter-filter - parameters: - - key: slow_query_log - value: 1 - - type: rds-cluster-parameter-filter - parameters: - - key: log_output - value: FILE - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-274-rds_aurora_cluster_logging_enabled + comment: '010019062000' + description: | + Aurora cluster logging is disabled + resource: aws.rds-cluster + filters: + - and: + - type: value + key: Engine + value: aurora + - not: + - and: + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: audit + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: error + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: general + - type: value + key: EnabledCloudwatchLogsExports + op: in + value_type: swap + value: slowquery + - type: rds-cluster-parameter-filter + parameters: + - key: general_log + value: 1 + - type: rds-cluster-parameter-filter + parameters: + - key: slow_query_log + value: 1 + - type: rds-cluster-parameter-filter + parameters: + - key: log_output + value: FILE diff --git a/non-compatible-policies/ecc-aws-278-iam_access_analyzer_findings_are_reviewed_and_resolved.yml b/non-compatible-policies/ecc-aws-278-iam_access_analyzer_findings_are_reviewed_and_resolved.yml index 983e2c052..adf6b6439 100644 --- a/non-compatible-policies/ecc-aws-278-iam_access_analyzer_findings_are_reviewed_and_resolved.yml +++ b/non-compatible-policies/ecc-aws-278-iam_access_analyzer_findings_are_reviewed_and_resolved.yml 
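Review bot: The first filter compares `Engine` with the single value `aurora`, so clusters whose engine is reported as `aurora-mysql` are never evaluated and cannot be flagged for missing audit, error, general or slow-query logging. If those clusters are meant to be in scope, change the match to `op: in` with `value: [aurora, aurora-mysql]`. The log types checked here are MySQL-specific, so `aurora-postgresql` would need its own policy rather than being added to this list.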
@@ -1,14 +1,14 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-278-iam_access_analyzer_findings_are_reviewed_and_resolved - resource: account - description: | - IAM Access Analyzer findings are not reviewed and resolved - filters: - - type: analyzer-findings-filter - comment: '0016002000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-278-iam_access_analyzer_findings_are_reviewed_and_resolved + comment: '010016002000' + description: | + IAM Access Analyzer findings are not reviewed and resolved + resource: account + filters: + - type: analyzer-findings-filter diff --git a/non-compatible-policies/ecc-aws-292-elastic_beanstalk_access_logs_enabled.yml b/non-compatible-policies/ecc-aws-292-elastic_beanstalk_access_logs_enabled.yml index 8a9648345..1ffc3b72b 100644 --- a/non-compatible-policies/ecc-aws-292-elastic_beanstalk_access_logs_enabled.yml +++ b/non-compatible-policies/ecc-aws-292-elastic_beanstalk_access_logs_enabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-292-elastic_beanstalk_access_logs_enabled - description: | - Elastic Beanstalk environments with application load balancer do not have access logs enabled - resource: aws.elasticbeanstalk-environment - filters: - - type: elasticbeanstalk-configuration-settings-filter - key: AccessLogsS3Enabled - op: eq - value: "false" - - type: elasticbeanstalk-configuration-settings-filter - key: LoadBalancerType - op: eq - value: "application" - comment: '0019030400' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-292-elastic_beanstalk_access_logs_enabled + comment: '010019030400' + description: | + Elastic Beanstalk environments with application load balancer do not have access logs enabled + resource: aws.elasticbeanstalk-environment + filters: + - type: elasticbeanstalk-configuration-settings-filter + key: AccessLogsS3Enabled + op: eq + value: "false" + - type: elasticbeanstalk-configuration-settings-filter + key: LoadBalancerType + op: eq + value: "application" diff --git a/non-compatible-policies/ecc-aws-294-elastic_beanstalk_notifications_enabled.yml b/non-compatible-policies/ecc-aws-294-elastic_beanstalk_notifications_enabled.yml index 6fa23e5d5..799f8be66 100644 --- a/non-compatible-policies/ecc-aws-294-elastic_beanstalk_notifications_enabled.yml +++ b/non-compatible-policies/ecc-aws-294-elastic_beanstalk_notifications_enabled.yml 
@@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-294-elastic_beanstalk_notifications_enabled - description: | - Elastic Beanstalk environments notifications disabled - resource: aws.elasticbeanstalk-environment - filters: - - not: - - type: describe-configuration-settings-filter - comment: '0032032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-294-elastic_beanstalk_notifications_enabled + comment: '010032032000' + description: | + Elastic Beanstalk environments notifications disabled + resource: aws.elasticbeanstalk-environment + filters: + - not: + - type: describe-configuration-settings-filter diff --git a/non-compatible-policies/ecc-aws-297-elastic_beanstalk_managed_platform_updates.yml b/non-compatible-policies/ecc-aws-297-elastic_beanstalk_managed_platform_updates.yml index 26ae5cd87..5f67dbaca 100644 --- a/non-compatible-policies/ecc-aws-297-elastic_beanstalk_managed_platform_updates.yml +++ b/non-compatible-policies/ecc-aws-297-elastic_beanstalk_managed_platform_updates.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-297-elastic_beanstalk_managed_platform_updates - description: | - Elastic Beanstalk managed platform updates is disabled - resource: aws.elasticbeanstalk-environment - filters: - - type: elasticbeanstalk-configuration-settings-filter - key: ManagedActionsEnabled - op: eq - value: "false" - comment: '0021030400' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-297-elastic_beanstalk_managed_platform_updates + comment: '010021030400' + description: | + Elastic Beanstalk managed platform updates is disabled + resource: aws.elasticbeanstalk-environment + filters: + - type: elasticbeanstalk-configuration-settings-filter + key: ManagedActionsEnabled + op: eq + value: "false" diff --git a/non-compatible-policies/ecc-aws-301-sqs_dead_letter_queue_enabled.yml b/non-compatible-policies/ecc-aws-301-sqs_dead_letter_queue_enabled.yml index 895bfd9ed..f4555980b 100644 --- a/non-compatible-policies/ecc-aws-301-sqs_dead_letter_queue_enabled.yml +++ b/non-compatible-policies/ecc-aws-301-sqs_dead_letter_queue_enabled.yml 
@@ -1,14 +1,14 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-301-sqs_dead_letter_queue_enabled - description: | - SQS Queue dead letter queue is disabled - resource: sqs - filters: - - type: redrive-policy-sqs-filter - comment: '0023142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-301-sqs_dead_letter_queue_enabled + comment: '010023142000' + description: | + SQS Queue dead letter queue is disabled + resource: sqs + filters: + - type: redrive-policy-sqs-filter diff --git a/non-compatible-policies/ecc-aws-358-cloudtrail_security_trail_enabled.yml b/non-compatible-policies/ecc-aws-358-cloudtrail_security_trail_enabled.yml index 5e0fc1bef..d4b91f01a 100644 --- a/non-compatible-policies/ecc-aws-358-cloudtrail_security_trail_enabled.yml +++ b/non-compatible-policies/ecc-aws-358-cloudtrail_security_trail_enabled.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-358-cloudtrail_security_trail_enabled - resource: aws.account - description: | - CloudTrail Global Services disabled - filters: - - type: cloudtrails - valueList: trailList[?IncludeGlobalServiceEvents == `true` && IsMultiRegionTrail == `true` && LogFileValidationEnabled == `true` && contains(*, KmsKeyId)==`true`] - statusList: statusList[?IsLogging == `true`] - selectorList: selectorList[?EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All' && !not_null(ExcludeManagementEventSources)] || AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] ] - op: eq - value: 0 - comment: '0019012000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-358-cloudtrail_security_trail_enabled + comment: '010019012000' + description: | + CloudTrail Global Services disabled + resource: aws.account + filters: + - type: cloudtrails + valueList: trailList[?IncludeGlobalServiceEvents == `true` && IsMultiRegionTrail == `true` && LogFileValidationEnabled == `true` && contains(*, KmsKeyId)==`true`] + statusList: statusList[?IsLogging == `true`] + selectorList: selectorList[?EventSelectors[?IncludeManagementEvents==`true` && ReadWriteType=='All' && !not_null(ExcludeManagementEventSources)] || AdvancedEventSelectors[?FieldSelectors[?Field == 'eventCategory' && Equals[?contains(@, 'Management')==`true`]] && !(FieldSelectors[?Field=='readOnly']) && !(FieldSelectors[?Field=='eventSource'])] ] + op: eq + value: 0 diff --git a/non-compatible-policies/ecc-aws-363-kinesis_video_stream_encrypted_with_kms_cmk.yml b/non-compatible-policies/ecc-aws-363-kinesis_video_stream_encrypted_with_kms_cmk.yml index de95b4194..21adcd338 100644 --- a/non-compatible-policies/ecc-aws-363-kinesis_video_stream_encrypted_with_kms_cmk.yml +++ b/non-compatible-policies/ecc-aws-363-kinesis_video_stream_encrypted_with_kms_cmk.yml 
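Review bot: The description "CloudTrail Global Services disabled" covers only one of the conditions the `cloudtrails` filter evaluates. `valueList` also requires `IsMultiRegionTrail`, `LogFileValidationEnabled` and a `KmsKeyId`, `statusList` requires `IsLogging`, and `selectorList` requires read/write management events with no exclusions. Someone triaging a finding from this policy would look at the global-services setting and miss the condition that actually failed. A description that names them all would help, for example `No multi-region CloudTrail trail is logging with global service events, all management events, log file validation and KMS encryption`. How `op: eq` / `value: 0` combines the three lists is defined in the custom filter, which is not visible here.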
@@ -1,16 +1,16 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-363-kinesis_video_stream_encrypted_with_kms_cmk
- description: |
- AWS Kinesis Video Streams are not encrypted with KMS customer master keys
- resource: aws.kinesis-video
- filters:
- - type: kms-key
- key: KeyManager
- value: AWS
- comment: '0043052000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-363-kinesis_video_stream_encrypted_with_kms_cmk
+ comment: '010043052000'
+ description: |
+ AWS Kinesis Video Streams are not encrypted with KMS customer master keys
+ resource: aws.kinesis-video
+ filters:
+ - type: kms-key
+ key: KeyManager
+ value: AWS
diff --git a/non-compatible-policies/ecc-aws-369-workspaces_cloudwatch_integration.yml b/non-compatible-policies/ecc-aws-369-workspaces_cloudwatch_integration.yml
index a8c32f76a..b7a20fa15 100644
--- a/non-compatible-policies/ecc-aws-369-workspaces_cloudwatch_integration.yml
+++ b/non-compatible-policies/ecc-aws-369-workspaces_cloudwatch_integration.yml
@@ -1,14 +1,14 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-369-workspaces_cloudwatch_integration
- description: |
- CloudWatch Events is not set up for successful logins to WorkSpaces
- resource: account
- filters:
- - type: event-rule-filter
- comment: '0019120600'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-369-workspaces_cloudwatch_integration
+ comment: '010019120600'
+ description: |
+ CloudWatch Events is not set up for successful logins to WorkSpaces
+ resource: account
+ filters:
+ - type: event-rule-filter
diff --git a/non-compatible-policies/ecc-aws-371-workspaces_primary_interface_ports_not_open_to_all_inbound_traffic.yml b/non-compatible-policies/ecc-aws-371-workspaces_primary_interface_ports_not_open_to_all_inbound_traffic.yml
index 1a0110315..c55ab0372 100644
--- a/non-compatible-policies/ecc-aws-371-workspaces_primary_interface_ports_not_open_to_all_inbound_traffic.yml
+++ b/non-compatible-policies/ecc-aws-371-workspaces_primary_interface_ports_not_open_to_all_inbound_traffic.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-371-workspaces_primary_interface_ports_not_open_to_all_inbound_traffic
- resource: aws.workspaces
- description: |
- Primary interface ports for Workspaces are open to all inbound traffic
- filters:
- - type: security-group-workspace-filter
- key: length(IpPermissions[?(IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0']) && IpProtocol=='-1'&& !FromPort&& !ToPort ])
- op: ge
- value: 1
- comment: '0040120600'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-371-workspaces_primary_interface_ports_not_open_to_all_inbound_traffic
+ comment: '010040120600'
+ description: |
+ Primary interface ports for Workspaces are open to all inbound traffic
+ resource: aws.workspaces
+ filters:
+ - type: security-group-workspace-filter
+ key: length(IpPermissions[?(IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0']) && IpProtocol=='-1'&& !FromPort&& !ToPort ])
+ op: ge
+ value: 1
diff --git a/non-compatible-policies/ecc-aws-372-workspaces_api_requests_flow_through_vpc_endpoint.yml b/non-compatible-policies/ecc-aws-372-workspaces_api_requests_flow_through_vpc_endpoint.yml
index 7100a8060..3bd31c8d4 100644
--- a/non-compatible-policies/ecc-aws-372-workspaces_api_requests_flow_through_vpc_endpoint.yml
+++ b/non-compatible-policies/ecc-aws-372-workspaces_api_requests_flow_through_vpc_endpoint.yml
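Review bot: The `key` expression of `security-group-workspace-filter` only counts rules with `IpProtocol=='-1'`, so a world-open rule that spells out the full port range per protocol (tcp or udp, ports 0 to 65535) from `0.0.0.0/0` or `::/0` is not reported even though it admits the same traffic. If the intent is "open to all inbound traffic", the protocol test could be widened to ``(IpProtocol=='-1' || (FromPort==`0` && ToPort==`65535`))``. The `!FromPort&& !ToPort` terms are presumably redundant once `IpProtocol` is `-1`, since such rules normally carry no port fields; a one-line comment saying so would help the next reader.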
@@ -1,14 +1,14 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-372-workspaces_api_requests_flow_through_vpc_endpoint
- resource: aws.workspaces-directory
- description: |
- WorkSpaces API requests do not flow through a VPC Endpoint
- filters:
- - type: check-vpc-endpoints-availability
- comment: '0040120600'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-372-workspaces_api_requests_flow_through_vpc_endpoint
+ comment: '010040120600'
+ description: |
+ WorkSpaces API requests do not flow through a VPC Endpoint
+ resource: aws.workspaces-directory
+ filters:
+ - type: check-vpc-endpoints-availability
diff --git a/non-compatible-policies/ecc-aws-373-workspaces_radius_server_uses_strongest_security_protocol.yml b/non-compatible-policies/ecc-aws-373-workspaces_radius_server_uses_strongest_security_protocol.yml
index 1ad8d1a5c..f22e92901 100644
--- a/non-compatible-policies/ecc-aws-373-workspaces_radius_server_uses_strongest_security_protocol.yml
+++ b/non-compatible-policies/ecc-aws-373-workspaces_radius_server_uses_strongest_security_protocol.yml
@@ -1,23 +1,23 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-373-workspaces_radius_server_uses_strongest_security_protocol
- resource: aws.workspaces-directory
- description: |
- Radius server is not using the recommended strongest security protocol
- filters:
- - or:
- - type: radius-settings
- key: AuthenticationProtocol
- value: PAP
- - type: radius-settings
- key: AuthenticationProtocol
- value: CHAP
- - type: radius-settings
- key: AuthenticationProtocol
- value: MS-CHAPv1
- comment: '0024120600'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-373-workspaces_radius_server_uses_strongest_security_protocol
+ comment: '010024120600'
+ description: |
+ Radius server is not using the recommended strongest security protocol
+ resource: aws.workspaces-directory
+ filters:
+ - or:
+ - type: radius-settings
+ key: AuthenticationProtocol
+ value: PAP
+ - type: radius-settings
+ key: AuthenticationProtocol
+ value: CHAP
+ - type: radius-settings
+ key: AuthenticationProtocol
+ value: MS-CHAPv1
diff --git a/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml b/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml
index c23f39c0e..1b5a09159 100644
--- a/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml
+++ b/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled
- description: |
- API Gateway HTTP and WEBSOCKET API does not have logging enabled
- resource: aws.api-stage
- filters:
- - or:
- - type: value
- key: AccessLogSettings
- value: absent
- - type: value
- key: DefaultRouteSettings.LoggingLevel
- value: "OFF"
- comment: '0019022010'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled
+ comment: '010019022010'
+ description: |
+ API Gateway HTTP and WEBSOCKET API does not have logging enabled
+ resource: aws.api-stage
+ filters:
+ - or:
+ - type: value
+ key: AccessLogSettings
+ value: absent
+ - type: value
+ key: DefaultRouteSettings.LoggingLevel
+ value: "OFF"
diff --git a/non-compatible-policies/ecc-aws-437-s3_bucket_object_lock_enabled.yml b/non-compatible-policies/ecc-aws-437-s3_bucket_object_lock_enabled.yml
index 8c776f450..eb707ff7f 100644
--- a/non-compatible-policies/ecc-aws-437-s3_bucket_object_lock_enabled.yml
+++ b/non-compatible-policies/ecc-aws-437-s3_bucket_object_lock_enabled.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-437-s3_bucket_object_lock_enabled
- description: |
- S3 Bucket object lock disabled
- resource: s3-light
- filters:
- - not:
- - type: lock-configuration-filter
- mode: COMPLIANCE
- days: 7
- comment: '0047042011'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-437-s3_bucket_object_lock_enabled
+ comment: '010047042011'
+ description: |
+ S3 Bucket object lock disabled
+ resource: s3-light
+ filters:
+ - not:
+ - type: lock-configuration-filter
+ mode: COMPLIANCE
+ days: 7
diff --git a/non-compatible-policies/ecc-aws-450-elastic_beanstalk_imdsv1_disabled.yml b/non-compatible-policies/ecc-aws-450-elastic_beanstalk_imdsv1_disabled.yml
index c21565851..1d185ca77 100644
--- a/non-compatible-policies/ecc-aws-450-elastic_beanstalk_imdsv1_disabled.yml
+++ b/non-compatible-policies/ecc-aws-450-elastic_beanstalk_imdsv1_disabled.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-450-elastic_beanstalk_imdsv1_disabled
- description: |
- Elastic Beanstalk IMDSv1 is enabled
- resource: aws.elasticbeanstalk-environment
- filters:
- - type: elasticbeanstalk-configuration-settings-filter
- key: DisableIMDSv1
- op: eq
- value: "false"
- comment: '0024032000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-450-elastic_beanstalk_imdsv1_disabled
+ comment: '010024032000'
+ description: |
+ Elastic Beanstalk IMDSv1 is enabled
+ resource: aws.elasticbeanstalk-environment
+ filters:
+ - type: elasticbeanstalk-configuration-settings-filter
+ key: DisableIMDSv1
+ op: eq
+ value: "false"
diff --git a/non-compatible-policies/ecc-aws-451-elastic_beanstalk_x_ray_enabled.yml b/non-compatible-policies/ecc-aws-451-elastic_beanstalk_x_ray_enabled.yml
index c52982b11..7525d7daa 100644
--- a/non-compatible-policies/ecc-aws-451-elastic_beanstalk_x_ray_enabled.yml
+++ b/non-compatible-policies/ecc-aws-451-elastic_beanstalk_x_ray_enabled.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-451-elastic_beanstalk_x_ray_enabled
- description: |
- Elastic Beanstalk X-Ray is disabled
- resource: aws.elasticbeanstalk-environment
- filters:
- - type: elasticbeanstalk-configuration-settings-filter
- key: XRayEnabled
- op: eq
- value: "false"
- comment: '0016032000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-451-elastic_beanstalk_x_ray_enabled
+ comment: '010016032000'
+ description: |
+ Elastic Beanstalk X-Ray is disabled
+ resource: aws.elasticbeanstalk-environment
+ filters:
+ - type: elasticbeanstalk-configuration-settings-filter
+ key: XRayEnabled
+ op: eq
+ value: "false"
diff --git a/non-compatible-policies/ecc-aws-452-elastic_beanstalk_connection_draining_enabled.yml b/non-compatible-policies/ecc-aws-452-elastic_beanstalk_connection_draining_enabled.yml
index 79d13e093..009507141 100644
--- a/non-compatible-policies/ecc-aws-452-elastic_beanstalk_connection_draining_enabled.yml
+++ b/non-compatible-policies/ecc-aws-452-elastic_beanstalk_connection_draining_enabled.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-452-elastic_beanstalk_connection_draining_enabled
- description: |
- Elastic Beanstalk connection draining is disabled
- resource: aws.elasticbeanstalk-environment
- filters:
- - type: elasticbeanstalk-configuration-settings-filter
- key: ConnectionDrainingEnabled
- op: eq
- value: "false"
- comment: '0031032000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-452-elastic_beanstalk_connection_draining_enabled
+ comment: '010031032000'
+ description: |
+ Elastic Beanstalk connection draining is disabled
+ resource: aws.elasticbeanstalk-environment
+ filters:
+ - type: elasticbeanstalk-configuration-settings-filter
+ key: ConnectionDrainingEnabled
+ op: eq
+ value: "false"
diff --git a/non-compatible-policies/ecc-aws-459-lambda_code_signing_enabled.yml b/non-compatible-policies/ecc-aws-459-lambda_code_signing_enabled.yml
index d47006323..106a4268c 100644
--- a/non-compatible-policies/ecc-aws-459-lambda_code_signing_enabled.yml
+++ b/non-compatible-policies/ecc-aws-459-lambda_code_signing_enabled.yml
@@ -1,15 +1,15 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-459-lambda_code_signing_enabled
- resource: aws.lambda
- description: |
- Lambda code signing not enabled
- filters:
- - not:
- - type: awslambda-signing-config-filter
- comment: '0023030400'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-459-lambda_code_signing_enabled
+ comment: '010023030400'
+ description: |
+ Lambda code signing not enabled
+ resource: aws.lambda
+ filters:
+ - not:
+ - type: awslambda-signing-config-filter
diff --git a/non-compatible-policies/ecc-aws-468-fsx_openzfs_copy_tags_to_snapshots.yml b/non-compatible-policies/ecc-aws-468-fsx_openzfs_copy_tags_to_snapshots.yml
index 78a5d2c6d..a00192920 100644
--- a/non-compatible-policies/ecc-aws-468-fsx_openzfs_copy_tags_to_snapshots.yml
+++ b/non-compatible-policies/ecc-aws-468-fsx_openzfs_copy_tags_to_snapshots.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-468-fsx_openzfs_copy_tags_to_snapshots
- description: |
- FSx OpenZFS file system does not copy tags to snapshots
- resource: aws.fsx
- filters:
- - type: value
- key: FileSystemType
- value: OPENZFS
- - type: attached-volume-filter
- key: OpenZFSConfiguration.CopyTagsToSnapshots
- value: false
- op: eq
- comment: '0010042000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-468-fsx_openzfs_copy_tags_to_snapshots
+ comment: '010010042000'
+ description: |
+ FSx OpenZFS file system does not copy tags to snapshots
+ resource: aws.fsx
+ filters:
+ - type: value
+ key: FileSystemType
+ value: OPENZFS
+ - type: attached-volume-filter
+ key: OpenZFSConfiguration.CopyTagsToSnapshots
+ value: false
+ op: eq
diff --git a/non-compatible-policies/ecc-aws-477-cloudformation_stack_notification_check.yml b/non-compatible-policies/ecc-aws-477-cloudformation_stack_notification_check.yml
index 631314052..2d28b96de 100644
--- a/non-compatible-policies/ecc-aws-477-cloudformation_stack_notification_check.yml
+++ b/non-compatible-policies/ecc-aws-477-cloudformation_stack_notification_check.yml
@@ -1,25 +1,25 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-477-cloudformation_stack_notification_check
- description: |
- CloudFormation Stack notifications do not enabled
- resource: aws.cfn
- filters:
- - type: value
- key: StackStatus
- op: in
- value: ["CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED"]
- - or:
- - type: subscription
- key: SubscriptionsConfirmed
- op: eq
- value: "0"
- - type: value
- key: NotificationARNs
- value: empty
- comment: '0032132000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-477-cloudformation_stack_notification_check
+ comment: '010032132000'
+ description: |
+ CloudFormation Stack notifications do not enabled
+ resource: aws.cfn
+ filters:
+ - type: value
+ key: StackStatus
+ op: in
+ value: ["CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED"]
+ - or:
+ - type: subscription
+ key: SubscriptionsConfirmed
+ op: eq
+ value: "0"
+ - type: value
+ key: NotificationARNs
+ value: empty
diff --git a/non-compatible-policies/ecc-aws-485-codedeploy_ec2_minimum_healthy_hosts_configured.yml b/non-compatible-policies/ecc-aws-485-codedeploy_ec2_minimum_healthy_hosts_configured.yml
index b6a21aa12..ed31f1eec 100644
--- a/non-compatible-policies/ecc-aws-485-codedeploy_ec2_minimum_healthy_hosts_configured.yml
+++ b/non-compatible-policies/ecc-aws-485-codedeploy_ec2_minimum_healthy_hosts_configured.yml
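Review bot: The `description` carried over to the new side reads `CloudFormation Stack notifications do not enabled`, and that string is presumably what shows up in findings; `CloudFormation Stack notifications are not enabled` is the grammatical form. Separately, the `subscription` filter compares `SubscriptionsConfirmed` with the string `"0"`. If the custom filter returns an integer, the `eq` would never match and only the `NotificationARNs` branch would fire, so a comment stating the expected type, such as `# SubscriptionsConfirmed is compared as a string`, is worth adding once that is confirmed against the filter's implementation.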
@@ -1,33 +1,33 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-485-codedeploy_ec2_minimum_healthy_hosts_configured
- description: |
- CodeDeploy deployment config of application does not meet the requirements
- resource: aws.codedeploy-group
- filters:
- - type: value
- key: computePlatform
- value: Server
- - or:
- - and:
- - type: deployment-config-filter
- key: minimumHealthyHosts.type
- value: "FLEET_PERCENT"
- - type: deployment-config-filter
- key: minimumHealthyHosts.value
- op: lt
- value: 50
- - and:
- - type: deployment-config-filter
- key: minimumHealthyHosts.type
- value: "HOST_COUNT"
- - type: deployment-config-filter
- key: minimumHealthyHosts.value
- op: lt
- value: 1
- comment: '0031132010'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-485-codedeploy_ec2_minimum_healthy_hosts_configured
+ comment: '010031132010'
+ description: |
+ CodeDeploy deployment config of application does not meet the requirements
+ resource: aws.codedeploy-group
+ filters:
+ - type: value
+ key: computePlatform
+ value: Server
+ - or:
+ - and:
+ - type: deployment-config-filter
+ key: minimumHealthyHosts.type
+ value: "FLEET_PERCENT"
+ - type: deployment-config-filter
+ key: minimumHealthyHosts.value
+ op: lt
+ value: 50
+ - and:
+ - type: deployment-config-filter
+ key: minimumHealthyHosts.type
+ value: "HOST_COUNT"
+ - type: deployment-config-filter
+ key: minimumHealthyHosts.value
+ op: lt
+ value: 1
diff --git a/non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml b/non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml
index 46648acbb..2b9eb7e45 100644
--- a/non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml
+++ b/non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml
@@ -1,16 +1,16 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-493-ecs_container_insights_enabled
- description: |
- ECS container insight is disabled
- resource: aws.ecs
- filters:
- - type: include-settings-ecs
- key: containerInsights
- value: disabled
- comment: '0019082000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-493-ecs_container_insights_enabled
+ comment: '010019082000'
+ description: |
+ ECS container insight is disabled
+ resource: aws.ecs
+ filters:
+ - type: include-settings-ecs
+ key: containerInsights
+ value: disabled
diff --git a/non-compatible-policies/ecc-aws-525-waf_global_rule_not_empty.yml b/non-compatible-policies/ecc-aws-525-waf_global_rule_not_empty.yml
index daa3b50f1..a9e5e9172 100644
--- a/non-compatible-policies/ecc-aws-525-waf_global_rule_not_empty.yml
+++ b/non-compatible-policies/ecc-aws-525-waf_global_rule_not_empty.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-525-waf_global_rule_not_empty
- description: |
- A WAF global rule does not have at least one condition
- resource: aws.waf-rule
- filters:
- - type: waf-rule-value
- key: Predicates
- op: eq
- value: empty
- comment: '0002092001'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-525-waf_global_rule_not_empty
+ comment: '010002092001'
+ description: |
+ A WAF global rule does not have at least one condition
+ resource: aws.waf-rule
+ filters:
+ - type: waf-rule-value
+ key: Predicates
+ op: eq
+ value: empty
diff --git a/non-compatible-policies/ecc-aws-526-waf_global_rulegroup_not_empty.yml b/non-compatible-policies/ecc-aws-526-waf_global_rulegroup_not_empty.yml
index 671b09371..568cc0e57 100644
--- a/non-compatible-policies/ecc-aws-526-waf_global_rulegroup_not_empty.yml
+++ b/non-compatible-policies/ecc-aws-526-waf_global_rulegroup_not_empty.yml
@@ -7,10 +7,10 @@ policies: - name: ecc-aws-526-waf_global_rulegroup_not_empty + comment: '010018092001' description: | A WAF global rule group does not have at least one rule resource: aws.waf-rule-groups filters: - - not: - - type: active-rules-filter - comment: '0018092001' \ No newline at end of file + - not: + - type: active-rules-filter
diff --git a/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml b/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
index 219af2ddf..af38766bc 100644
--- a/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
+++ b/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password
- resource: aws.iam-user
- description: |
- Multi-factor authentication (MFA) is not enabled for all IAM users that have console password
- filters:
- - type: credential
- key: password_enabled
- value: true
- - type: credential
- key: mfa_active
- value: false
- comment: '0036000301'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password
+ comment: '010036000301'
+ description: |
+ Multi-factor authentication (MFA) is not enabled for all IAM users that have console password
+ resource: aws.iam-user
+ filters:
+ - type: credential
+ key: password_enabled
+ value: true
+ - type: credential
+ key: mfa_active
+ value: false
diff --git a/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml b/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
index 82bc9f587..eac1692ae 100644
--- a/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
+++ b/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
@@ -1,22 +1,22 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-002-ensure_access_keys_are_rotated_every_90_days
- resource: aws.iam-user
- description: |
- Access keys are not rotated every 90 days or less
- filters:
- - type: credential
- key: access_keys.active
- value: true
- - type: credential
- key: access_keys.last_rotated
- value_type: age
- value: 90
- op: gt
- comment: '0022000301'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-002-ensure_access_keys_are_rotated_every_90_days
+ comment: '010022000301'
+ description: |
+ Access keys are not rotated every 90 days or less
+ resource: aws.iam-user
+ filters:
+ - type: credential
+ key: access_keys.active
+ value: true
+ - type: credential
+ key: access_keys.last_rotated
+ value_type: age
+ value: 90
+ op: gt
diff --git a/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml b/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
index 628bc24ce..4ebf312a7 100644
--- a/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
+++ b/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
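Review bot: The two `credential` filters are separate list entries, and as far as I can tell Cloud Custodian evaluates each one against the user's access-key list on its own, so nothing ties `access_keys.active: true` and `access_keys.last_rotated` older than 90 days to the same key. A user with a recently rotated active key plus an old, already deactivated key would then match both filters and be reported. That is a false positive rather than a detection gap, but it should be documented at the filter, for example `# each credential filter matches any key: an inactive key older than 90 days plus a newer active key also triggers this policy`.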
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc
- resource: aws.vpc
- description: |
- VPC flow logging is not enabled in all VPCs
- filters:
- - not:
- - type: flow-logs
- enabled: true
- comment: '0019010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc
+ comment: '010019010300'
+ description: |
+ VPC flow logging is not enabled in all VPCs
+ resource: aws.vpc
+ filters:
+ - not:
+ - type: flow-logs
+ enabled: true
diff --git a/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml b/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
index 58c545071..3415ceb76 100644
--- a/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
+++ b/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-004-bucket_policy_allows_https_requests - resource: aws.s3 + comment: '010022040301' description: | S3 Bucket Policy allows HTTP requests + resource: aws.s3 filters: - not: - or:
@@ -34,4 +35,3 @@ policies: Condition: Bool: "aws:SecureTransport": "false" - comment: '0022040301' \ No newline at end of file
diff --git a/policies/ecc-aws-006-rds_retention_backup_is_at_least_7_days.yml b/policies/ecc-aws-006-rds_retention_backup_is_at_least_7_days.yml
index e1ac5aa38..680e9229d 100644
--- a/policies/ecc-aws-006-rds_retention_backup_is_at_least_7_days.yml
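Review bot: In the `ecc-aws-003` hunk, `flow-logs` with only `enabled: true` appears to pass any VPC that has a flow log attached, including one whose delivery is failing or that records only accepted traffic. If the Cloud Custodian version in use supports them, adding `status: active` and `deliver-status: success` under the filter (plus a `traffic-type` requirement if rejected traffic must be captured) would make the check match what the description promises. The two `ecc-aws-004` hunks that share this line show only the edges of that policy's filter, so they are not reviewed here.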
+++ b/policies/ecc-aws-006-rds_retention_backup_is_at_least_7_days.yml
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-006-rds_retention_backup_is_at_least_7_days
- resource: rds
- description: |
- RDS retention policy is less than 7 days
- filters:
- - type: value
- key: BackupRetentionPeriod
- value: 7
- op: lt
- comment: '0049062010'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-006-rds_retention_backup_is_at_least_7_days
+ comment: '010049062010'
+ description: |
+ RDS retention policy is less than 7 days
+ resource: rds
+ filters:
+ - type: value
+ key: BackupRetentionPeriod
+ value: 7
+ op: lt
diff --git a/policies/ecc-aws-007-rds_high-availability_zone.yml b/policies/ecc-aws-007-rds_high-availability_zone.yml
index 142213a3d..f616f4284 100644
--- a/policies/ecc-aws-007-rds_high-availability_zone.yml
+++ b/policies/ecc-aws-007-rds_high-availability_zone.yml
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-007-rds_high-availability_zone - resource: rds - description: | - RDS instances do not have multi-availability zone enabled - filters: - - type: value - key: MultiAZ - value: false - comment: '0050062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-007-rds_high-availability_zone + comment: '010050062000' + description: | + RDS instances do not have multi-availability zone enabled + resource: rds + filters: + - type: value + key: MultiAZ + value: false diff --git a/policies/ecc-aws-008-iam_ssl_or_tls_certificates_expire_in_one_month.yml b/policies/ecc-aws-008-iam_ssl_or_tls_certificates_expire_in_one_month.yml index c9d9532a9..d12669bac 100644 --- a/policies/ecc-aws-008-iam_ssl_or_tls_certificates_expire_in_one_month.yml +++ b/policies/ecc-aws-008-iam_ssl_or_tls_certificates_expire_in_one_month.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-008-iam_ssl_or_tls_certificates_expire_in_one_month - resource: iam-certificate - description: | - SSL/TLS certificates expire in less than a month - filters: - - type: value - key: Expiration - value_type: expiration - value: 30 - op: le - comment: '0029092001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-008-iam_ssl_or_tls_certificates_expire_in_one_month + comment: '010029092001' + description: | + SSL/TLS certificates expire in less than a month + resource: iam-certificate + filters: + - type: value + key: Expiration + value_type: expiration + value: 30 + op: le diff --git a/policies/ecc-aws-009-iam_ssl_or_tls_certificates_expire_in_one_week.yml b/policies/ecc-aws-009-iam_ssl_or_tls_certificates_expire_in_one_week.yml index 19c718103..b88ae8b5f 100644 --- a/policies/ecc-aws-009-iam_ssl_or_tls_certificates_expire_in_one_week.yml +++ b/policies/ecc-aws-009-iam_ssl_or_tls_certificates_expire_in_one_week.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-009-iam_ssl_or_tls_certificates_expire_in_one_week - resource: iam-certificate - description: | - SSL/TLS certificates expire in less than a week - filters: - - type: value - key: Expiration - value_type: expiration - value: 7 - op: le - comment: '0029092001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-009-iam_ssl_or_tls_certificates_expire_in_one_week + comment: '010029092001' + description: | + SSL/TLS certificates expire in less than a week + resource: iam-certificate + filters: + - type: value + key: Expiration + value_type: expiration + value: 7 + op: le diff --git a/policies/ecc-aws-012-use_secure_ciphers_in_cloudfront_distribution.yml b/policies/ecc-aws-012-use_secure_ciphers_in_cloudfront_distribution.yml index 4996b040b..ff587aabf 100644 --- a/policies/ecc-aws-012-use_secure_ciphers_in_cloudfront_distribution.yml +++ b/policies/ecc-aws-012-use_secure_ciphers_in_cloudfront_distribution.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-012-use_secure_ciphers_in_cloudfront_distribution + comment: '010023022001' description: | Cloudfront Distribution uses weak ciphers resource: aws.distribution @@ -16,4 +17,3 @@ policies: key: ViewerCertificate.MinimumProtocolVersion op: regex value: 'TLSv1\.2_*' - comment: '0023022001' \ No newline at end of file diff --git a/policies/ecc-aws-013-remove_weak_ciphers_for_clb.yml b/policies/ecc-aws-013-remove_weak_ciphers_for_clb.yml index a6d3bae1c..d75afa366 100644 
--- a/policies/ecc-aws-013-remove_weak_ciphers_for_clb.yml +++ b/policies/ecc-aws-013-remove_weak_ciphers_for_clb.yml @@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-013-remove_weak_ciphers_for_clb - description: | - Classic Load Balancer uses weak ciphers - resource: elb - filters: - - type: ssl-policy - blacklist: - - "Protocol-SSLv2" - - "Protocol-SSLv3" - - "Protocol-TLSv1.1" - - "Protocol-TLSv1" - comment: '0023022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-013-remove_weak_ciphers_for_clb + comment: '010023022000' + description: | + Classic Load Balancer uses weak ciphers + resource: elb + filters: + - type: ssl-policy + blacklist: + - "Protocol-SSLv2" + - "Protocol-SSLv3" + - "Protocol-TLSv1.1" + - "Protocol-TLSv1" diff --git a/policies/ecc-aws-014-clb_uses_https.yml b/policies/ecc-aws-014-clb_uses_https.yml index bc6a31b70..e0a5d9ee6 100644 --- a/policies/ecc-aws-014-clb_uses_https.yml +++ b/policies/ecc-aws-014-clb_uses_https.yml 
@@ -1,26 +1,26 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-014-clb_uses_https - description: | - Classic Load Balancer listeners are not blocking connection requests over http - resource: elb - filters: - - not: - - or: - - type: value - key: ListenerDescriptions[].Listener.Protocol - value_type: swap - value: HTTPS - op: in - - type: value - key: ListenerDescriptions[].Listener.Protocol - value_type: swap - value: SSL - op: in - comment: '0044022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-014-clb_uses_https + comment: '010044022000' + description: | + Classic Load Balancer listeners are not blocking connection requests over http + resource: elb + filters: + - not: + - or: + - type: value + key: ListenerDescriptions[].Listener.Protocol + value_type: swap + value: HTTPS + op: in + - type: value + key: ListenerDescriptions[].Listener.Protocol + value_type: swap + value: SSL + op: in diff --git a/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml b/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml index 7107c9f91..6f397b579 100644 --- a/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml +++ b/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account - resource: aws.account - description: | - Virtual MFA is not enabled for the "root" account - filters: - - type: credential - key: mfa_active - value: false - comment: '0036000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account + comment: '010036000301' + description: | + Virtual MFA is not enabled for the "root" account + resource: aws.account + filters: + - type: credential + key: mfa_active + value: false diff --git a/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml b/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml index 7ea518a96..f47dd99e1 100644 --- a/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml +++ b/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account - resource: account - description: | - Hardware MFA is not enabled for the 'root' account - filters: - - type: has-virtual-mfa - value: false - - type: credential - key: mfa_active - value: true - comment: '0036000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account + comment: '010036000301' + description: | + Hardware MFA is not enabled for the 'root' account + resource: account + filters: + - type: has-virtual-mfa + value: false + - type: credential + key: mfa_active + value: true diff --git a/policies/ecc-aws-017-credentials_unused_for_45_days.yml b/policies/ecc-aws-017-credentials_unused_for_45_days.yml index 6c5be97fd..093419552 100644 --- a/policies/ecc-aws-017-credentials_unused_for_45_days.yml +++ b/policies/ecc-aws-017-credentials_unused_for_45_days.yml 
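Review bot: The two filters in ecc-aws-016 (`has-virtual-mfa` with `value: false` plus `credential` `mfa_active` with `value: true`) appear to select root accounts that have MFA active and no virtual device, which reads like the compliant hardware-MFA case. The description says the policy reports accounts where hardware MFA is not enabled, and the other policies in this commit match the violating state. If the description is the intent, the filter should match a root account with no MFA or with a virtual device, as sketched below; please confirm against the `has-virtual-mfa` semantics of the Custodian version in use.

```yaml
    filters:
      - or:
          - type: credential
            key: mfa_active
            value: false
          - type: has-virtual-mfa
            value: true
```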
@@ -1,56 +1,56 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-017-credentials_unused_for_45_days - resource: aws.iam-user - description: | - Credentials unused for 45 days or more are not disabled - filters: - - or: - - and: - - type: credential - key: password_enabled - value: true - - type: credential - key: password_last_used - value_type: age - value: 45 - op: ge - - and: - - type: credential - key: password_enabled - value: true - - type: credential - key: password_last_used - value: null - - type: credential - key: password_last_changed - value_type: age - value: 45 - op: ge - - and: - - type: credential - key: access_keys.active - value: true - - type: credential - key: access_keys.last_used_date - value_type: age - value: 45 - op: ge - - and: - - type: credential - key: access_keys.active - value: true - - type: credential - key: access_keys.last_used_date - value: null - - type: credential - key: access_keys.last_rotated - value: 45 - op: ge - comment: '0022000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ + +policies: + - name: ecc-aws-017-credentials_unused_for_45_days + comment: '010022000301' + description: | + Credentials unused for 45 days or more are not disabled + resource: aws.iam-user + filters: + - or: + - and: + - type: credential + key: password_enabled + value: true + - type: credential + key: password_last_used + value_type: age + value: 45 + op: ge + - and: + - type: credential + key: password_enabled + value: true + - type: credential + key: password_last_used + value: null + - type: credential + key: password_last_changed + value_type: age + value: 45 + op: ge + - and: + - type: credential + key: access_keys.active + value: true + - type: credential + key: access_keys.last_used_date + value_type: age + value: 45 + op: ge + - and: + - type: credential + key: access_keys.active + value: true + - type: credential + key: access_keys.last_used_date + value: null + - type: credential + key: access_keys.last_rotated + value: 45 + op: ge diff --git a/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml b/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml index db9f19aea..5b5bc94f5 100644 --- a/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml +++ b/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml 
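Review bot: The last `and` branch of ecc-aws-017 compares `access_keys.last_rotated` with `45` using `op: ge` but carries no `value_type: age`, unlike the parallel `password_last_changed` branch, which does. Without the age conversion the comparison is presumably between a timestamp and an integer, so active access keys that were never used and are older than 45 days may go unreported. Add `value_type: age` under `key: access_keys.last_rotated` so the never-used-key branch is evaluated the same way as the never-used-password branch.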
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-018-iam_users_receive_permissions_only_through_groups - resource: aws.iam-user - description: | - IAM Users receive permissions not only through groups - filters: - - type: policy - key: 'PolicyName' - value: present - comment: '0022000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-018-iam_users_receive_permissions_only_through_groups + comment: '010022000301' + description: | + IAM Users receive permissions not only through groups + resource: aws.iam-user + filters: + - type: policy + key: 'PolicyName' + value: present diff --git a/policies/ecc-aws-019-iam_password_policy_password_reuse.yml b/policies/ecc-aws-019-iam_password_policy_password_reuse.yml index 3e05c399d..88c9316bc 100644 --- a/policies/ecc-aws-019-iam_password_policy_password_reuse.yml +++ b/policies/ecc-aws-019-iam_password_policy_password_reuse.yml 
@@ -1,29 +1,29 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-019-iam_password_policy_password_reuse - resource: aws.account - description: | - IAM password policy does not prevent password reuse - filters: - - or: - - type: password-policy - key: PasswordPolicyConfigured - value: false - - type: password-policy - key: PasswordReusePrevention - value: 24 - op: lt - - and: - - type: password-policy - key: PasswordReusePrevention - value: null - - type: password-policy - key: PasswordPolicyConfigured - value: true - comment: '0022000301' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-019-iam_password_policy_password_reuse + comment: '010022000301' + description: | + IAM password policy does not prevent password reuse + resource: aws.account + filters: + - or: + - type: password-policy + key: PasswordPolicyConfigured + value: false + - type: password-policy + key: PasswordReusePrevention + value: 24 + op: lt + - and: + - type: password-policy + key: PasswordReusePrevention + value: null + - type: password-policy + key: PasswordPolicyConfigured + value: true diff --git a/policies/ecc-aws-020-instance_without_any_tag.yml b/policies/ecc-aws-020-instance_without_any_tag.yml index 3eb4c5d5c..e21a3cf5e 100644 --- a/policies/ecc-aws-020-instance_without_any_tag.yml +++ b/policies/ecc-aws-020-instance_without_any_tag.yml 
@@ -1,27 +1,27 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-020-instance_without_any_tag - description: | - Instances without any tags - resource: ec2 - filters: - - and: - - not: - - type: value - key: State.Name - value: terminated - - or: - - type: value - key: Tags - value: absent - - type: value - key: Tags - value_type: size - value: 0 - comment: '0010032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-020-instance_without_any_tag + comment: '010010032000' + description: | + Instances without any tags + resource: ec2 + filters: + - and: + - not: + - type: value + key: State.Name + value: terminated + - or: + - type: value + key: Tags + value: absent + - type: value + key: Tags + value_type: size + value: 0 diff --git a/policies/ecc-aws-022-ebs_volumes_too_old_snapshots.yml b/policies/ecc-aws-022-ebs_volumes_too_old_snapshots.yml index 4b633230d..b766591e3 100644 --- a/policies/ecc-aws-022-ebs_volumes_too_old_snapshots.yml +++ b/policies/ecc-aws-022-ebs_volumes_too_old_snapshots.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-022-ebs_volumes_too_old_snapshots + comment: '010002042000' description: | EBS Snapshots older than 30 days resource: aws.ebs-snapshot @@ -21,4 +22,3 @@ policies: value: true - type: skip-ami-snapshots value: true - comment: '0002042000' \ No newline at end of file diff --git a/policies/ecc-aws-023-clb_access_logging_disabled.yml b/policies/ecc-aws-023-clb_access_logging_disabled.yml index 004442808..2a15e9d02 100644 
--- a/policies/ecc-aws-023-clb_access_logging_disabled.yml +++ b/policies/ecc-aws-023-clb_access_logging_disabled.yml @@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-023-clb_access_logging_disabled - description: | - Classic Load Balancer Access Logging is disabled - resource: elb - filters: - - type: is-not-logging - comment: '0019022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-023-clb_access_logging_disabled + comment: '010019022000' + description: | + Classic Load Balancer Access Logging is disabled + resource: elb + filters: + - type: is-not-logging diff --git a/policies/ecc-aws-024-ensures_sqs_encryption_is_enabled.yml b/policies/ecc-aws-024-ensures_sqs_encryption_is_enabled.yml index b4d0034e7..eb19f0f8d 100644 --- a/policies/ecc-aws-024-ensures_sqs_encryption_is_enabled.yml +++ b/policies/ecc-aws-024-ensures_sqs_encryption_is_enabled.yml 
@@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-024-ensures_sqs_encryption_is_enabled - description: | - SQS encryption is disabled - resource: sqs - filters: - - KmsMasterKeyId: absent - comment: '0043142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-024-ensures_sqs_encryption_is_enabled + comment: '010043142000' + description: | + SQS encryption is disabled + resource: sqs + filters: + - KmsMasterKeyId: absent diff --git a/policies/ecc-aws-025-instance_without_termination_protection.yml b/policies/ecc-aws-025-instance_without_termination_protection.yml index 5e822c8a0..7ddaec521 100644 --- a/policies/ecc-aws-025-instance_without_termination_protection.yml +++ b/policies/ecc-aws-025-instance_without_termination_protection.yml 
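Review bot: The single filter `KmsMasterKeyId: absent` in ecc-aws-024 treats a queue as unencrypted whenever no KMS key is set, which also covers queues using SQS-managed server-side encryption. Those queues would be reported under "SQS encryption is disabled" although they are encrypted at rest, and the resulting noise can hide the genuinely unencrypted ones. Consider also requiring that `SqsManagedSseEnabled` is not `"true"`; whether that attribute is present on the resource, and in which form, should be checked against the Custodian version in use.

```yaml
    filters:
      - KmsMasterKeyId: absent
      - type: value
        key: SqsManagedSseEnabled
        value: "true"
        op: ne
```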
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-025-instance_without_termination_protection - description: | - Instances without termination protection - resource: ec2 - filters: - - not: - - type: value - key: State.Name - value: terminated - - not: - - type: termination-protected - comment: '0047032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-025-instance_without_termination_protection + comment: '010047032000' + description: | + Instances without termination protection + resource: ec2 + filters: + - not: + - type: value + key: State.Name + value: terminated + - not: + - type: termination-protected diff --git a/policies/ecc-aws-026-rds_instance_with_no_backups.yml b/policies/ecc-aws-026-rds_instance_with_no_backups.yml index 9829754c9..601c18590 100644 --- a/policies/ecc-aws-026-rds_instance_with_no_backups.yml +++ b/policies/ecc-aws-026-rds_instance_with_no_backups.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-026-rds_instance_with_no_backups - description: | - RDS instances without automated backups - resource: rds - filters: - - not: - - type: value - key: BackupRetentionPeriod - value_type: swap - op: ne - value: 0 - comment: '0049062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-026-rds_instance_with_no_backups + comment: '010049062000' + description: | + RDS instances without automated backups + resource: rds + filters: + - not: + - type: value + key: BackupRetentionPeriod + value_type: swap + op: ne + value: 0 diff --git a/policies/ecc-aws-027-prevent_0-65535_ingress_and_all.yml b/policies/ecc-aws-027-prevent_0-65535_ingress_and_all.yml index 83e87e3d9..2ebbe79c0 100644 --- a/policies/ecc-aws-027-prevent_0-65535_ingress_and_all.yml +++ b/policies/ecc-aws-027-prevent_0-65535_ingress_and_all.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-027-prevent_0-65535_ingress_and_all - resource: aws.security-group + comment: '010042022000' description: | Security groups do not prevent all incoming traffic from 0-65535 + resource: aws.security-group filters: - or: - and: @@ -26,4 +27,3 @@ policies: - and: - type: ingress IpProtocol: "-1" - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-028-security_group_ingress_is_restricted_traffic_to_dns_port_53.yml b/policies/ecc-aws-028-security_group_ingress_is_restricted_traffic_to_dns_port_53.yml index c779af77a..c6f61a5dc 100644 
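Review bot: The filter in ecc-aws-026 expresses "retention period is 0" as `not:` around `op: ne` with `value_type: swap`, a double negative that is easy to misread when auditing what the rule detects. `swap` has no effect on a symmetric comparison such as `ne`, so the block can be written directly as `- type: value`, `key: BackupRetentionPeriod`, `value: 0`. That keeps the same match and makes the backup check reviewable at a glance.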
--- a/policies/ecc-aws-028-security_group_ingress_is_restricted_traffic_to_dns_port_53.yml +++ b/policies/ecc-aws-028-security_group_ingress_is_restricted_traffic_to_dns_port_53.yml @@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-028-security_group_ingress_is_restricted_traffic_to_dns_port_53 - resource: aws.security-group - description: | - Security group rule allows internet traffic to DNS port (53) - filters: - - type: ingress - Ports: [53] - Cidr: - value: - - "0.0.0.0/0" - op: in - comment: '0042022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-028-security_group_ingress_is_restricted_traffic_to_dns_port_53 + comment: '010042022000' + description: | + Security group rule allows internet traffic to DNS port (53) + resource: aws.security-group + filters: + - type: ingress + Ports: [53] + Cidr: + value: + - "0.0.0.0/0" + op: in diff --git a/policies/ecc-aws-029-security_group_ingress_is_restricted_traffic_to_ftp_port_21.yml b/policies/ecc-aws-029-security_group_ingress_is_restricted_traffic_to_ftp_port_21.yml index e8a1db108..27f5dfd78 100644 --- a/policies/ecc-aws-029-security_group_ingress_is_restricted_traffic_to_ftp_port_21.yml +++ b/policies/ecc-aws-029-security_group_ingress_is_restricted_traffic_to_ftp_port_21.yml 
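Review bot: The `ingress` filter in ecc-aws-028 checks only `Cidr` against `0.0.0.0/0`, so a security group rule that opens port 53 to `::/0` is not reported. The hunks for ecc-aws-029 through ecc-aws-034 (ports 21, 80, 445, 27017, 3306 and 139) have the same gap. Adding a parallel `CidrV6` check, as sketched below, closes it for IPv6 sources.

```yaml
    filters:
      - or:
          - type: ingress
            Ports: [53]
            Cidr:
              value:
                - "0.0.0.0/0"
              op: in
          - type: ingress
            Ports: [53]
            CidrV6:
              value:
                - "::/0"
              op: in
```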
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-029-security_group_ingress_is_restricted_traffic_to_ftp_port_21 - resource: aws.security-group - description: | - Security group rule allows internet traffic to FTP port (21) - filters: - - type: ingress - Ports: [21] - Cidr: - value: - - "0.0.0.0/0" - op: in - comment: '0042022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-029-security_group_ingress_is_restricted_traffic_to_ftp_port_21 + comment: '010042022000' + description: | + Security group rule allows internet traffic to FTP port (21) + resource: aws.security-group + filters: + - type: ingress + Ports: [21] + Cidr: + value: + - "0.0.0.0/0" + op: in diff --git a/policies/ecc-aws-030-security_group_ingress_is_restricted_traffic_to_http_port_80.yml b/policies/ecc-aws-030-security_group_ingress_is_restricted_traffic_to_http_port_80.yml index d70946491..4b846d074 100644 --- a/policies/ecc-aws-030-security_group_ingress_is_restricted_traffic_to_http_port_80.yml +++ b/policies/ecc-aws-030-security_group_ingress_is_restricted_traffic_to_http_port_80.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-030-security_group_ingress_is_restricted_traffic_to_http_port_80 - resource: aws.security-group - description: | - Security group rule allows internet traffic to HTTP port (80) - filters: - - type: ingress - Ports: [80] - Cidr: - value: - - "0.0.0.0/0" - op: in - comment: '0042022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-030-security_group_ingress_is_restricted_traffic_to_http_port_80 + comment: '010042022000' + description: | + Security group rule allows internet traffic to HTTP port (80) + resource: aws.security-group + filters: + - type: ingress + Ports: [80] + Cidr: + value: + - "0.0.0.0/0" + op: in diff --git a/policies/ecc-aws-031-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445.yml b/policies/ecc-aws-031-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445.yml index ad1f10e43..441f923ed 100644 --- a/policies/ecc-aws-031-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445.yml +++ b/policies/ecc-aws-031-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-031-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445 - resource: aws.security-group - description: | - Security group rule allows internet traffic to Microsoft-DS port (445) - filters: - - type: ingress - Ports: [445] - Cidr: - value: - - "0.0.0.0/0" - op: in - comment: '0042022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-031-security_group_ingress_is_restricted_traffic_to_microsoft_ds_port_445 + comment: '010042022000' + description: | + Security group rule allows internet traffic to Microsoft-DS port (445) + resource: aws.security-group + filters: + - type: ingress + Ports: [445] + Cidr: + value: + - "0.0.0.0/0" + op: in diff --git a/policies/ecc-aws-032-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017.yml b/policies/ecc-aws-032-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017.yml index dd10482ba..efdf54ee3 100644 --- a/policies/ecc-aws-032-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017.yml +++ b/policies/ecc-aws-032-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-032-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017 - resource: aws.security-group - description: | - Security group rule allows internet traffic to MongoDB port (27017) - filters: - - type: ingress - Ports: [27017] - Cidr: - value: - - "0.0.0.0/0" - op: in - comment: '0042022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-032-security_group_ingress_is_restricted_traffic_to_mongodb_port_27017 + comment: '010042022000' + description: | + Security group rule allows internet traffic to MongoDB port (27017) + resource: aws.security-group + filters: + - type: ingress + Ports: [27017] + Cidr: + value: + - "0.0.0.0/0" + op: in diff --git a/policies/ecc-aws-033-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306.yml b/policies/ecc-aws-033-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306.yml index ee7d40617..1fc97aa5b 100644 --- a/policies/ecc-aws-033-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306.yml +++ b/policies/ecc-aws-033-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306.yml 
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-033-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to MySQL DB port (3306)
- filters:
- - type: ingress
- Ports: [3306]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-033-security_group_ingress_is_restricted_traffic_to_mysql_db_port_3306
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to MySQL DB port (3306)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [3306]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-034-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139.yml b/policies/ecc-aws-034-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139.yml
index f72c6af17..9ff200084 100644
--- a/policies/ecc-aws-034-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139.yml
+++ b/policies/ecc-aws-034-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-034-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to NetBIOS-SSN port (139)
- filters:
- - type: ingress
- Ports: [139]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-034-security_group_ingress_is_restricted_traffic_to_netbios_ssn_port_139
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to NetBIOS-SSN port (139)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [139]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-035-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521.yml b/policies/ecc-aws-035-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521.yml
index 6ca239854..afff8aea9 100644
--- a/policies/ecc-aws-035-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521.yml
+++ b/policies/ecc-aws-035-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-035-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to Oracle DB port (1521)
- filters:
- - type: ingress
- Ports: [1521]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-035-security_group_ingress_is_restricted_traffic_to_oracle_db_port_1521
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to Oracle DB port (1521)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [1521]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-036-security_group_ingress_is_restricted_traffic_to_pop3_port_110.yml b/policies/ecc-aws-036-security_group_ingress_is_restricted_traffic_to_pop3_port_110.yml
index d70775ba0..ecb26be30 100644
--- a/policies/ecc-aws-036-security_group_ingress_is_restricted_traffic_to_pop3_port_110.yml
+++ b/policies/ecc-aws-036-security_group_ingress_is_restricted_traffic_to_pop3_port_110.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-036-security_group_ingress_is_restricted_traffic_to_pop3_port_110
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to POP3 port (110)
- filters:
- - type: ingress
- Ports: [110]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-036-security_group_ingress_is_restricted_traffic_to_pop3_port_110
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to POP3 port (110)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [110]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-037-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432.yml b/policies/ecc-aws-037-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432.yml
index 7485203ed..65c2bcae1 100644
--- a/policies/ecc-aws-037-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432.yml
+++ b/policies/ecc-aws-037-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-037-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to PostgreSQL port (5432)
- filters:
- - type: ingress
- Ports: [5432]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-037-security_group_ingress_is_restricted_traffic_to_postgresql_port_5432
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to PostgreSQL port (5432)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [5432]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-038-security_group_ingress_is_restricted_traffic_to_smtp_port_25.yml b/policies/ecc-aws-038-security_group_ingress_is_restricted_traffic_to_smtp_port_25.yml
index 1d534ed80..7eca46cf8 100644
--- a/policies/ecc-aws-038-security_group_ingress_is_restricted_traffic_to_smtp_port_25.yml
+++ b/policies/ecc-aws-038-security_group_ingress_is_restricted_traffic_to_smtp_port_25.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-038-security_group_ingress_is_restricted_traffic_to_smtp_port_25
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to SMTP port (25)
- filters:
- - type: ingress
- Ports: [25]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-038-security_group_ingress_is_restricted_traffic_to_smtp_port_25
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to SMTP port (25)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [25]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-039-security_group_ingress_is_restricted_traffic_to_telnet_port_23.yml b/policies/ecc-aws-039-security_group_ingress_is_restricted_traffic_to_telnet_port_23.yml
index fa607cea5..ccf0cc266 100644
--- a/policies/ecc-aws-039-security_group_ingress_is_restricted_traffic_to_telnet_port_23.yml
+++ b/policies/ecc-aws-039-security_group_ingress_is_restricted_traffic_to_telnet_port_23.yml
@@ -1,20 +1,20 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-039-security_group_ingress_is_restricted_traffic_to_telnet_port_23
- resource: aws.security-group
- description: |
- Security group rule allows internet traffic to Telnet port (23)
- filters:
- - type: ingress
- Ports: [23]
- Cidr:
- value:
- - "0.0.0.0/0"
- op: in
- comment: '0042022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-039-security_group_ingress_is_restricted_traffic_to_telnet_port_23
+ comment: '010042022000'
+ description: |
+ Security group rule allows internet traffic to Telnet port (23)
+ resource: aws.security-group
+ filters:
+ - type: ingress
+ Ports: [23]
+ Cidr:
+ value:
+ - "0.0.0.0/0"
+ op: in
diff --git a/policies/ecc-aws-040-eks_cluster_version_latest.yml b/policies/ecc-aws-040-eks_cluster_version_latest.yml
index a6a231afd..23c14777f 100644
--- a/policies/ecc-aws-040-eks_cluster_version_latest.yml
+++ b/policies/ecc-aws-040-eks_cluster_version_latest.yml
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-040-eks_cluster_version_latest
- description: |
- EKS cluster is not using the latest version
- resource: aws.eks
- filters:
- - type: value
- key: version
- value: "1.25"
- op: lt
- comment: '0021072000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-040-eks_cluster_version_latest
+ comment: '010021072000'
+ description: |
+ EKS cluster is not using the latest version
+ resource: aws.eks
+ filters:
+ - type: value
+ key: version
+ value: "1.25"
+ op: lt
diff --git a/policies/ecc-aws-041-rds_without_tag_information.yml b/policies/ecc-aws-041-rds_without_tag_information.yml
index a850ed5ff..95223ca78 100644
--- a/policies/ecc-aws-041-rds_without_tag_information.yml
+++ b/policies/ecc-aws-041-rds_without_tag_information.yml
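Review bot: The `value` filter of ecc-aws-040 compares `version` with the quoted string `"1.25"` using `op: lt`, which looks like a plain string comparison against a threshold frozen at the time of writing. A string compare orders `"1.9"` after `"1.25"`, and any cluster on a release above 1.25 keeps passing after that release has itself fallen behind, so the policy stops matching its description "not using the latest version". Adding `value_type: version` to the filter gives a proper version comparison, and a comment above `value` such as `# bump whenever the supported EKS baseline moves` would make the maintenance duty visible.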
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-041-rds_without_tag_information
- description: |
- RDS Instances without tags
- resource: rds
- filters:
- - type: tag-count
- op: lt
- count: 1
- comment: '0010062000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-041-rds_without_tag_information
+ comment: '010010062000'
+ description: |
+ RDS Instances without tags
+ resource: rds
+ filters:
+ - type: tag-count
+ op: lt
+ count: 1
diff --git a/policies/ecc-aws-042-s3_encrypted_using_kms.yml b/policies/ecc-aws-042-s3_encrypted_using_kms.yml
index e29918a1f..a9f32f7c7 100644
--- a/policies/ecc-aws-042-s3_encrypted_using_kms.yml
+++ b/policies/ecc-aws-042-s3_encrypted_using_kms.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-042-s3_encrypted_using_kms
- description: |
- S3 is not using a KMS key for encryption
- resource: s3
- filters:
- - type: bucket-encryption
- state: false
- crypto: aws:kms
- comment: '0043042001'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-042-s3_encrypted_using_kms
+ comment: '010043042001'
+ description: |
+ S3 is not using a KMS key for encryption
+ resource: s3
+ filters:
+ - type: bucket-encryption
+ state: false
+ crypto: aws:kms
diff --git a/policies/ecc-aws-043-s3_bucket_lifecycle.yml b/policies/ecc-aws-043-s3_bucket_lifecycle.yml
index fadaf9116..ca3fb7fa0 100644
--- a/policies/ecc-aws-043-s3_bucket_lifecycle.yml
+++ b/policies/ecc-aws-043-s3_bucket_lifecycle.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-043-s3_bucket_lifecycle
- description: |
- S3 Bucket life cycle is not configured
- resource: s3
- filters:
- - type: value
- key: Lifecycle
- value: null
- comment: '0001042001'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-043-s3_bucket_lifecycle
+ comment: '010001042001'
+ description: |
+ S3 Bucket life cycle is not configured
+ resource: s3
+ filters:
+ - type: value
+ key: Lifecycle
+ value: null
diff --git a/policies/ecc-aws-044-s3_buckets_without_tags.yml b/policies/ecc-aws-044-s3_buckets_without_tags.yml
index 37c40e2a0..98a3a0cc7 100644
--- a/policies/ecc-aws-044-s3_buckets_without_tags.yml
+++ b/policies/ecc-aws-044-s3_buckets_without_tags.yml
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-044-s3_buckets_without_tags
- description: |
- S3 Buckets without tags
- resource: s3
- filters:
- - not:
- - type: value
- key: Tags[0]
- value: present
- comment: '0010042001'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-044-s3_buckets_without_tags
+ comment: '010010042001'
+ description: |
+ S3 Buckets without tags
+ resource: s3
+ filters:
+ - not:
+ - type: value
+ key: Tags[0]
+ value: present
diff --git a/policies/ecc-aws-045-iam_password_policy_one_uppercase_letter.yml b/policies/ecc-aws-045-iam_password_policy_one_uppercase_letter.yml
index 13bc78050..113300da8 100644
--- a/policies/ecc-aws-045-iam_password_policy_one_uppercase_letter.yml
+++ b/policies/ecc-aws-045-iam_password_policy_one_uppercase_letter.yml
@@ -1,21 +1,21 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-045-iam_password_policy_one_uppercase_letter
- resource: aws.account
- description: |
- Password policy does not require at least one uppercase letter
- filters:
- - or:
- - type: password-policy
- key: PasswordPolicyConfigured
- value: false
- - type: password-policy
- key: RequireUppercaseCharacters
- value: false
- comment: '0022000101'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-045-iam_password_policy_one_uppercase_letter
+ comment: '010022000101'
+ description: |
+ Password policy does not require at least one uppercase letter
+ resource: aws.account
+ filters:
+ - or:
+ - type: password-policy
+ key: PasswordPolicyConfigured
+ value: false
+ - type: password-policy
+ key: RequireUppercaseCharacters
+ value: false
diff --git a/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml b/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
index 1d74dd5ff..a2cfac897 100644
--- a/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
+++ b/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-046-ensure_no_root_account_access_key_exists
- resource: aws.account
- description: |
- Root user account access key exists
- filters:
- - type: credential
- key: access_keys.active
- value: true
- comment: '0035000301'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-046-ensure_no_root_account_access_key_exists
+ comment: '010035000301'
+ description: |
+ Root user account access key exists
+ resource: aws.account
+ filters:
+ - type: credential
+ key: access_keys.active
+ value: true
diff --git a/policies/ecc-aws-047-iam_password_policy_one_lowercase_letter.yml b/policies/ecc-aws-047-iam_password_policy_one_lowercase_letter.yml
index 4ac6afbb2..2e9eb931c 100644
--- a/policies/ecc-aws-047-iam_password_policy_one_lowercase_letter.yml
+++ b/policies/ecc-aws-047-iam_password_policy_one_lowercase_letter.yml
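Review bot: The `credential` filter of ecc-aws-046 tests `access_keys.active` for `true`, so it reports only a root access key that is currently active, while the policy name and description say that no root access key should exist at all. A deactivated root key is still present on the account and can be switched back on, so it probably belongs in scope. If that is the intent, the account summary counter is the more direct test; whether `AccountAccessKeysPresent` also counts inactive keys should be confirmed before switching.

```yaml
filters:
  - type: iam-summary
    key: AccountAccessKeysPresent
    value: 0
    op: gt
```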
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-047-iam_password_policy_one_lowercase_letter - resource: aws.account - description: | - Password policy does not require at least one lowercase letter - filters: - - or: - - type: password-policy - key: PasswordPolicyConfigured - value: false - - type: password-policy - key: RequireLowercaseCharacters - value: false - comment: '0022000101' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-047-iam_password_policy_one_lowercase_letter + comment: '010022000101' + description: | + Password policy does not require at least one lowercase letter + resource: aws.account + filters: + - or: + - type: password-policy + key: PasswordPolicyConfigured + value: false + - type: password-policy + key: RequireLowercaseCharacters + value: false diff --git a/policies/ecc-aws-048-iam_password_policy_one_symbol.yml b/policies/ecc-aws-048-iam_password_policy_one_symbol.yml index 55bd660fc..65dac4259 100644 --- a/policies/ecc-aws-048-iam_password_policy_one_symbol.yml +++ b/policies/ecc-aws-048-iam_password_policy_one_symbol.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-048-iam_password_policy_one_symbol - resource: aws.account + comment: '010022000101' description: | Password policy does not require at least one symbol + resource: aws.account filters: - or: - type: password-policy @@ -18,4 +19,3 @@ policies: - type: password-policy key: RequireSymbols value: false - comment: '0022000101' \ No newline at end of file 
diff --git a/policies/ecc-aws-049-iam_password_policy_one_number.yml b/policies/ecc-aws-049-iam_password_policy_one_number.yml index 31c5d0935..fd61d0eeb 100644 --- a/policies/ecc-aws-049-iam_password_policy_one_number.yml +++ b/policies/ecc-aws-049-iam_password_policy_one_number.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-049-iam_password_policy_one_number - resource: aws.account + comment: '010022000101' description: | Password policy does not require at least one number + resource: aws.account filters: - or: - type: password-policy @@ -18,4 +19,3 @@ policies: - type: password-policy key: RequireNumbers value: false - comment: '0022000101' \ No newline at end of file diff --git a/policies/ecc-aws-050-iam_password_min_length_ge_14.yml b/policies/ecc-aws-050-iam_password_min_length_ge_14.yml index fba0fb7a2..1233b7ace 100644 --- a/policies/ecc-aws-050-iam_password_min_length_ge_14.yml +++ b/policies/ecc-aws-050-iam_password_min_length_ge_14.yml 
@@ -1,22 +1,22 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-050-iam_password_min_length_ge_14
- resource: aws.account
- description: |
- Password policy does not require minimum length of 14 characters or greater
- filters:
- - or:
- - type: password-policy
- key: PasswordPolicyConfigured
- value: false
- - type: password-policy
- key: MinimumPasswordLength
- value: 14
- op: lt
- comment: '0022000301'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-050-iam_password_min_length_ge_14
+ comment: '010022000301'
+ description: |
+ Password policy does not require minimum length of 14 characters or greater
+ resource: aws.account
+ filters:
+ - or:
+ - type: password-policy
+ key: PasswordPolicyConfigured
+ value: false
+ - type: password-policy
+ key: MinimumPasswordLength
+ value: 14
+ op: lt
diff --git a/policies/ecc-aws-051-iam_password_policy_passwd_expires_le_90.yml b/policies/ecc-aws-051-iam_password_policy_passwd_expires_le_90.yml
index 7ed9a8fff..30f3d7b7a 100644
--- a/policies/ecc-aws-051-iam_password_policy_passwd_expires_le_90.yml
+++ b/policies/ecc-aws-051-iam_password_policy_passwd_expires_le_90.yml
@@ -1,22 +1,22 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-051-iam_password_policy_passwd_expires_le_90
- resource: aws.account
- description: |
- IAM password policy is not configured to expire passwords after 90 days or less
- filters:
- - or:
- - type: password-policy
- key: PasswordPolicyConfigured
- value: false
- - type: password-policy
- key: MaxPasswordAge
- value: 90
- op: gt
- comment: '0022000101'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-051-iam_password_policy_passwd_expires_le_90
+ comment: '010022000101'
+ description: |
+ IAM password policy is not configured to expire passwords after 90 days or less
+ resource: aws.account
+ filters:
+ - or:
+ - type: password-policy
+ key: PasswordPolicyConfigured
+ value: false
+ - type: password-policy
+ key: MaxPasswordAge
+ value: 90
+ op: gt
diff --git a/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml b/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
index 34eb46535..3b87e8f87 100644
--- a/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
+++ b/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
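Review bot: The second branch of the `or` in ecc-aws-051 tests `MaxPasswordAge` with `op: gt` against 90, which does not cover a password policy that has expiry switched off. In that case the IAM API reports `ExpirePasswords` as false with `MaxPasswordAge` at 0 or missing, and neither is greater than 90, so an account whose passwords never expire would pass this check. Add a third branch to the `or`: a `password-policy` filter with `key: ExpirePasswords` and `value: false`.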
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-053-cloudtrail_log_validation_enabled
- resource: aws.cloudtrail
- description: |
- CloudTrail log file validation is disabled
- filters:
- - type: value
- key: LogFileValidationEnabled
- value: false
- comment: '0019010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-053-cloudtrail_log_validation_enabled
+ comment: '010019010300'
+ description: |
+ CloudTrail log file validation is disabled
+ resource: aws.cloudtrail
+ filters:
+ - type: value
+ key: LogFileValidationEnabled
+ value: false
diff --git a/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml b/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
index fa4b33e06..b4ef6f3e4 100644
--- a/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
+++ b/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-055-cloudtrail_integrated_with_cloudwatch
- resource: aws.cloudtrail
- description: |
- CloudTrail trails are not integrated with CloudWatch Logs
- filters:
- - type: value
- key: CloudWatchLogsLogGroupArn
- value: absent
- comment: '0019010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-055-cloudtrail_integrated_with_cloudwatch
+ comment: '010019010300'
+ description: |
+ CloudTrail trails are not integrated with CloudWatch Logs
+ resource: aws.cloudtrail
+ filters:
+ - type: value
+ key: CloudWatchLogsLogGroupArn
+ value: absent
diff --git a/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml b/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
index 7b87859eb..e1d012506 100644
--- a/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
+++ b/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance
- resource: aws.ec2
- description: |
- IAM instance roles are not used for AWS resource access from instances
- filters:
- - type: value
- key: IamInstanceProfile
- value: absent
- comment: '0048000300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance
+ comment: '010048000300'
+ description: |
+ IAM instance roles are not used for AWS resource access from instances
+ resource: aws.ec2
+ filters:
+ - type: value
+ key: IamInstanceProfile
+ value: absent
diff --git a/policies/ecc-aws-059-config_enabled_all_regions.yml b/policies/ecc-aws-059-config_enabled_all_regions.yml
index bfc8cbd6c..ff7d5c8c2 100644
--- a/policies/ecc-aws-059-config_enabled_all_regions.yml
+++ b/policies/ecc-aws-059-config_enabled_all_regions.yml
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-059-config_enabled_all_regions
- resource: account
- description: |
- AWS Config is not enabled in all regions
- filters:
- - type: check-config
- running: true
- all-resources: true
- global-resources: true
- comment: '0016010300'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-059-config_enabled_all_regions
+ comment: '010016010301'
+ description: |
+ AWS Config is not enabled in all regions
+ resource: account
+ filters:
+ - type: check-config
+ running: true
+ all-resources: true
+ global-resources: true
diff --git a/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml b/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
index a2d2505e1..44230ae8c 100644
--- a/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
+++ b/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
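Review bot: The new `comment` value in ecc-aws-059 is `'010016010301'`, which changes the last digits of the old `'0016010300'` as well as adding the `01` prefix; the neighbouring policies in this commit only gain the prefix. If the trailing `01` is intended it is worth saying so in the commit description, and otherwise the value should read `'010016010300'`. The meaning of the code is not documented in the file, so a one-line comment above it naming the scheme would let a reviewer check such changes.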
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs - resource: aws.cloudtrail - description: | - CloudTrail logs are not encrypted at rest using KMS CMK - filters: - - not: - - KmsKeyId: present - comment: '0043010300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs + comment: '010043010300' + description: | + CloudTrail logs are not encrypted at rest using KMS CMK + resource: aws.cloudtrail + filters: + - not: + - KmsKeyId: present diff --git a/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml b/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml index c23ec66b1..152ad2d2c 100644 --- a/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml +++ b/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-061-kms_key_rotation_is_enabled - description: | - Rotation for symmetric customer-created CMKs is not enabled - resource: aws.kms-key - filters: - - type: value - key: 'KeyState' - value: Enabled - - type: key-rotation-status - key: KeyRotationEnabled - value: false - - type: value - key: KeySpec - value: SYMMETRIC_DEFAULT - comment: '0029090300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-061-kms_key_rotation_is_enabled + comment: '010029090300' + description: | + Rotation for symmetric customer-created CMKs is not enabled + resource: aws.kms-key + filters: + - type: value + key: 'KeyState' + value: Enabled + - type: key-rotation-status + key: KeyRotationEnabled + value: false + - type: value + key: KeySpec + value: SYMMETRIC_DEFAULT diff --git a/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml b/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml index d3d48cdf8..f67ade65c 100644 --- a/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml +++ b/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml 
@@ -1,27 +1,27 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-062-security_group_ingress_is_restricted_22 - resource: aws.security-group - description: | - Security groups allow ingress from 0.0.0.0/0 or ::/0 to remote server administration port (22) - filters: - - or: - - type: ingress - Ports: [22] - Cidr: - value: - - "0.0.0.0/0" - op: in - - type: ingress - Ports: [22] - CidrV6: - value: - - "::/0" - op: in - comment: '0042020300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-062-security_group_ingress_is_restricted_22 + comment: '010042020300' + description: | + Security groups allow ingress from 0.0.0.0/0 or ::/0 to remote server administration port (22) + resource: aws.security-group + filters: + - or: + - type: ingress + Ports: [22] + Cidr: + value: + - "0.0.0.0/0" + op: in + - type: ingress + Ports: [22] + CidrV6: + value: + - "::/0" + op: in diff --git a/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml b/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml index ee635b4e7..a4974ed20 100644 --- a/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml +++ b/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-063-security_group_ingress_is_restricted_3389 - resource: aws.security-group + comment: '010042020300' description: | Security groups allow ingress from 0.0.0.0/0 or ::/0 to remote server administration port (3389) + resource: aws.security-group filters: - or: - type: ingress @@ -24,4 +25,3 @@ policies: value: - "::/0" op: in - comment: '0042020300' \ No newline at end of file diff --git a/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml b/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml index f6487454d..0c487b541 100644 --- a/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml +++ b/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml 
@@ -1,24 +1,24 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic - description: | - VPC default security group does not restrict all traffic - resource: aws.security-group - filters: - - type: value - key: "GroupName" - value: "default" - - or: - - type: value - key: IpPermissions - value: not-null - - type: value - key: IpPermissionsEgress - value: not-null - comment: '0042020300' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic + comment: '010042020300' + description: | + VPC default security group does not restrict all traffic + resource: aws.security-group + filters: + - type: value + key: "GroupName" + value: "default" + - or: + - type: value + key: IpPermissions + value: not-null + - type: value + key: IpPermissionsEgress + value: not-null diff --git a/policies/ecc-aws-065-encrypted_connection_between_cloudfront_origin.yml b/policies/ecc-aws-065-encrypted_connection_between_cloudfront_origin.yml index fa2816b23..c4eb6a34c 100644 --- a/policies/ecc-aws-065-encrypted_connection_between_cloudfront_origin.yml +++ b/policies/ecc-aws-065-encrypted_connection_between_cloudfront_origin.yml 
@@ -1,28 +1,28 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-065-encrypted_connection_between_cloudfront_origin - description: | - Traffic between a CloudFront distribution and the origin is not enforced to allow HTTPS-only - resource: aws.distribution - filters: - - not: - - or: - - type: value - key: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy - value_type: swap - value: https-only - op: in - - or: - - type: value - key: DefaultCacheBehavior.ViewerProtocolPolicy - value: redirect-to-https - - type: value - key: DefaultCacheBehavior.ViewerProtocolPolicy - value: https-only - comment: '0044022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-065-encrypted_connection_between_cloudfront_origin + comment: '010044022001' + description: | + Traffic between a CloudFront distribution and the origin is not enforced to allow HTTPS-only + resource: aws.distribution + filters: + - not: + - or: + - type: value + key: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy + value_type: swap + value: https-only + op: in + - or: + - type: value + key: DefaultCacheBehavior.ViewerProtocolPolicy + value: redirect-to-https + - type: value + key: DefaultCacheBehavior.ViewerProtocolPolicy + value: https-only diff --git a/policies/ecc-aws-066-eks_cluster_protected_endpoint_access.yml b/policies/ecc-aws-066-eks_cluster_protected_endpoint_access.yml index ad5243dc6..14d4e7419 100644 --- a/policies/ecc-aws-066-eks_cluster_protected_endpoint_access.yml 
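Review bot: The origin filter in ecc-aws-065 pairs `value_type: swap` with `op: in` on `Origins.Items[].CustomOriginConfig.OriginProtocolPolicy`, so it is satisfied as soon as one origin is `https-only`. A distribution that mixes an HTTPS-only origin with an `http-only` or `match-viewer` origin is therefore not reported. Matching the insecure values directly would close that gap, for example one filter each with `value: http-only` and `value: match-viewer` under an `or`, instead of negating a membership test for the secure value. The second `or` tests `DefaultCacheBehavior.ViewerProtocolPolicy`, which is the viewer-side setting rather than the origin connection the description names. Indentation is lost in this rendering, so how that block nests under `not` should be confirmed against the file.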
+++ b/policies/ecc-aws-066-eks_cluster_protected_endpoint_access.yml @@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-066-eks_cluster_protected_endpoint_access - description: | - EKS cluster endpoint does not have protected access - resource: aws.eks - filters: - - type: value - key: resourcesVpcConfig.endpointPublicAccess - value: true - - type: value - key: resourcesVpcConfig.publicAccessCidrs - value: "0.0.0.0/0" - value_type: swap - op: in - comment: '0040072000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-066-eks_cluster_protected_endpoint_access + comment: '010040072000' + description: | + EKS cluster endpoint does not have protected access + resource: aws.eks + filters: + - type: value + key: resourcesVpcConfig.endpointPublicAccess + value: true + - type: value + key: resourcesVpcConfig.publicAccessCidrs + value: "0.0.0.0/0" + value_type: swap + op: in diff --git a/policies/ecc-aws-070-unused_ec2_security_groups.yml b/policies/ecc-aws-070-unused_ec2_security_groups.yml index ea7108026..ccfdf4054 100644 --- a/policies/ecc-aws-070-unused_ec2_security_groups.yml +++ b/policies/ecc-aws-070-unused_ec2_security_groups.yml 
@@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-070-unused_ec2_security_groups - description: | - Unused security groups exist - resource: security-group - filters: - - unused - comment: '0018022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-070-unused_ec2_security_groups + comment: '010018022000' + description: | + Unused security groups exist + resource: security-group + filters: + - unused diff --git a/policies/ecc-aws-071-codebuild_project_source_repo_url_check.yml b/policies/ecc-aws-071-codebuild_project_source_repo_url_check.yml index d9d71d31a..7d234a4cd 100644 --- a/policies/ecc-aws-071-codebuild_project_source_repo_url_check.yml +++ b/policies/ecc-aws-071-codebuild_project_source_repo_url_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-071-codebuild_project_source_repo_url_check + comment: '010048132200' description: | CodeBuild GitHub or Bitbucket source repository URLs do not use OAuth resource: aws.codebuild @@ -28,4 +29,3 @@ policies: key: source.auth.resource op: regex value: '^.*token.*$' - comment: '0048132200' \ No newline at end of file diff --git a/policies/ecc-aws-072-autoscaling_group_health_checks.yml b/policies/ecc-aws-072-autoscaling_group_health_checks.yml index 9f601c58f..c755b6394 100644 --- a/policies/ecc-aws-072-autoscaling_group_health_checks.yml +++ b/policies/ecc-aws-072-autoscaling_group_health_checks.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-072-autoscaling_group_health_checks - description: | - Auto scaling groups associated with a load balancer do not use health checks - resource: asg - filters: - - not: - - type: value - key: HealthCheckType - value: ELB - - type: value - key: HealthCheckGracePeriod - value: 300 - comment: '0018032200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-072-autoscaling_group_health_checks + comment: '010018032200' + description: | + Auto scaling groups associated with a load balancer do not use health checks + resource: asg + filters: + - not: + - type: value + key: HealthCheckType + value: ELB + - type: value + key: HealthCheckGracePeriod + value: 300 diff --git a/policies/ecc-aws-073-unused_eip_should_be_removed.yml b/policies/ecc-aws-073-unused_eip_should_be_removed.yml index 3fb790b05..d2878b98b 100644 --- a/policies/ecc-aws-073-unused_eip_should_be_removed.yml +++ b/policies/ecc-aws-073-unused_eip_should_be_removed.yml 
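Review bot: The ecc-aws-072 filters compare `HealthCheckGracePeriod` for equality with `300` and never test whether the group is attached to a load balancer. The description limits the finding to "groups associated with a load balancer", so the result depends on a grace-period value that is unrelated to whether ELB health checks are in use. Indentation is lost in this rendering, so I cannot tell whether the grace-period filter sits inside the `not`; either way the exact match on 300 looks unintended. I would drop that filter, keep `key: HealthCheckType` with `op: ne` and `value: ELB`, and add an `or` requiring `LoadBalancerNames` or `TargetGroupARNs` to be `not-null`.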
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-073-unused_eip_should_be_removed - description: | - Unused EC2 EIPs exist - resource: network-addr - filters: - - type: value - key: AssociationId - value: absent - comment: '0002022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-073-unused_eip_should_be_removed + comment: '010002022000' + description: | + Unused EC2 EIPs exist + resource: network-addr + filters: + - type: value + key: AssociationId + value: absent diff --git a/policies/ecc-aws-074-elasticsearch_service_domains_in_vpc.yml b/policies/ecc-aws-074-elasticsearch_service_domains_in_vpc.yml index 6c3bc6ec7..d356aec07 100644 --- a/policies/ecc-aws-074-elasticsearch_service_domains_in_vpc.yml +++ b/policies/ecc-aws-074-elasticsearch_service_domains_in_vpc.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-074-elasticsearch_service_domains_in_vpc - description: | - Elasticsearch Service domains are not in a VPC - resource: elasticsearch - filters: - - type: value - key: VPCOptions.VPCId - value: absent - comment: '0041052200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-074-elasticsearch_service_domains_in_vpc + comment: '010041052200' + description: | + Elasticsearch Service domains are not in a VPC + resource: elasticsearch + filters: + - type: value + key: VPCOptions.VPCId + value: absent diff --git a/policies/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest.yml b/policies/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest.yml index 894e24158..9ef83c2dc 100644 --- a/policies/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest.yml +++ b/policies/ecc-aws-075-elasticsearch_service_domains_encryption_at_rest.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-075-elasticsearch_service_domains_encryption_at_rest - description: | - Elasticsearch Service domains do not have encryption at rest - resource: elasticsearch - filters: - - type: value - key: EncryptionAtRestOptions.Enabled - value: false - comment: '0043052200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-075-elasticsearch_service_domains_encryption_at_rest + comment: '010043052200' + description: | + Elasticsearch Service domains do not have encryption at rest + resource: elasticsearch + filters: + - type: value + key: EncryptionAtRestOptions.Enabled + value: false diff --git a/policies/ecc-aws-076-ebs_snapshots_not_publicly_restorable.yml b/policies/ecc-aws-076-ebs_snapshots_not_publicly_restorable.yml index 6beb57967..4d7e57726 100644 --- a/policies/ecc-aws-076-ebs_snapshots_not_publicly_restorable.yml +++ b/policies/ecc-aws-076-ebs_snapshots_not_publicly_restorable.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-076-ebs_snapshots_not_publicly_restorable + comment: '010040040400' description: | EBS snapshots are publicly restorable resource: ebs-snapshot @@ -16,4 +17,3 @@ policies: - type: value key: '"c7n:CrossAccountViolations"[0]' value: all - comment: '0040040400' \ No newline at end of file diff --git a/policies/ecc-aws-083-cloud_front_waf_integration.yml b/policies/ecc-aws-083-cloud_front_waf_integration.yml index 70afeb15b..c62fa9bcb 100644 --- a/policies/ecc-aws-083-cloud_front_waf_integration.yml 
+++ b/policies/ecc-aws-083-cloud_front_waf_integration.yml @@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-083-cloud_front_waf_integration - description: | - Cloud Front is not integrated with WAF - resource: distribution - filters: - - or: - - type: value - key: WebACLId - value: "" - - type: value - key: WebACLId - value: None - comment: '0027022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-083-cloud_front_waf_integration + comment: '010027022001' + description: | + Cloud Front is not integrated with WAF + resource: distribution + filters: + - or: + - type: value + key: WebACLId + value: "" + - type: value + key: WebACLId + value: None diff --git a/policies/ecc-aws-085-lambda_in_vpc.yml b/policies/ecc-aws-085-lambda_in_vpc.yml index 0474e680d..01fa2915f 100644 --- a/policies/ecc-aws-085-lambda_in_vpc.yml +++ b/policies/ecc-aws-085-lambda_in_vpc.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-085-lambda_in_vpc + comment: '010041032200' description: | Lambda functions are not in a VPC resource: lambda @@ -29,4 +30,3 @@ policies: key: VpcConfig.SecurityGroupIds[0] op: regex value: '^.*' - comment: '0041032200' \ No newline at end of file diff --git a/policies/ecc-aws-087-redshift_cluster_prohibit_public_access.yml b/policies/ecc-aws-087-redshift_cluster_prohibit_public_access.yml index feaf9ddb0..4be25a200 100644 --- a/policies/ecc-aws-087-redshift_cluster_prohibit_public_access.yml +++ b/policies/ecc-aws-087-redshift_cluster_prohibit_public_access.yml 
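Review bot: In ecc-aws-083 the second `WebACLId` filter uses `value: None`, which YAML loads as the string "None" rather than a null. That branch only matches a distribution whose `WebACLId` is literally the text `None`, and a missing or null id is not covered by it. If the intent is "no web ACL attached", a single filter with `key: WebACLId` and `value: empty` covers both the empty string and a null, so the `or` can go. If the literal string is really what the API returns in some case, quote it as `"None"` and say so in a comment.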
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-087-redshift_cluster_prohibit_public_access - description: | - Redshift clusters do not prohibit public access - resource: redshift - filters: - - type: value - key: PubliclyAccessible - value: true - comment: '0040062200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-087-redshift_cluster_prohibit_public_access + comment: '010040062200' + description: | + Redshift clusters do not prohibit public access + resource: redshift + filters: + - type: value + key: PubliclyAccessible + value: true diff --git a/policies/ecc-aws-088-s3_bucket_cross_region_replication_enabled.yml b/policies/ecc-aws-088-s3_bucket_cross_region_replication_enabled.yml index fabdbbdbb..c18677666 100644 --- a/policies/ecc-aws-088-s3_bucket_cross_region_replication_enabled.yml +++ b/policies/ecc-aws-088-s3_bucket_cross_region_replication_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-088-s3_bucket_cross_region_replication_enabled - description: | - S3 bucket cross-region replication is disabled - resource: s3 - filters: - - type: value - key: Replication - value: null - comment: '0049042001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-088-s3_bucket_cross_region_replication_enabled + comment: '010049042001' + description: | + S3 bucket cross-region replication is disabled + resource: s3 + filters: + - type: value + key: Replication + value: null diff --git a/policies/ecc-aws-089-codebuild_environment_variables_contain_text_credentials.yml b/policies/ecc-aws-089-codebuild_environment_variables_contain_text_credentials.yml index 533de917f..19bef6779 100644 --- a/policies/ecc-aws-089-codebuild_environment_variables_contain_text_credentials.yml +++ b/policies/ecc-aws-089-codebuild_environment_variables_contain_text_credentials.yml 
@@ -1,25 +1,25 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-089-codebuild_environment_variables_contain_text_credentials - description: | - CodeBuild project environment variables contain clear text credentials - resource: codebuild - filters: - - or: - - type: value - key: environment.environmentVariables[].name - value_type: swap - value: AWS_ACCESS_KEY_ID - op: in - - type: value - key: environment.environmentVariables[].name - value_type: swap - value: AWS_SECRET_ACCESS_KEY - op: in - comment: '0048132200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-089-codebuild_environment_variables_contain_text_credentials + comment: '010048132200' + description: | + CodeBuild project environment variables contain clear text credentials + resource: codebuild + filters: + - or: + - type: value + key: environment.environmentVariables[].name + value_type: swap + value: AWS_ACCESS_KEY_ID + op: in + - type: value + key: environment.environmentVariables[].name + value_type: swap + value: AWS_SECRET_ACCESS_KEY + op: in diff --git a/policies/ecc-aws-090-rds_snapshot_prohibit_public_access.yml b/policies/ecc-aws-090-rds_snapshot_prohibit_public_access.yml index 6d5047728..4882cdfe3 100644 --- a/policies/ecc-aws-090-rds_snapshot_prohibit_public_access.yml +++ b/policies/ecc-aws-090-rds_snapshot_prohibit_public_access.yml 
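Review bot: Both filters in ecc-aws-089 match on the variable name only, so a project that supplies `AWS_ACCESS_KEY_ID` or `AWS_SECRET_ACCESS_KEY` from Parameter Store or Secrets Manager is reported as holding clear-text credentials. CodeBuild environment variables carry a `type` field, and the description's "clear text" case corresponds to `PLAINTEXT`. Restricting the projection would match the description, for example `key: "environment.environmentVariables[?type=='PLAINTEXT'].name"`. A short comment noting that the check is name-based and does not inspect values would also help whoever triages the findings.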
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-090-rds_snapshot_prohibit_public_access - description: | - RDS snapshots do not prohibit public access - resource: rds-snapshot - filters: - - and: - - type: cross-account - - type: value - key: '"c7n:CrossAccountViolations"[0]' - value: all - comment: '0040062200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-090-rds_snapshot_prohibit_public_access + comment: '010040062200' + description: | + RDS snapshots do not prohibit public access + resource: rds-snapshot + filters: + - and: + - type: cross-account + - type: value + key: '"c7n:CrossAccountViolations"[0]' + value: all diff --git a/policies/ecc-aws-091-ec2_managed_ssm_patch_compliance.yml b/policies/ecc-aws-091-ec2_managed_ssm_patch_compliance.yml index 436e81ab4..90b74076b 100644 --- a/policies/ecc-aws-091-ec2_managed_ssm_patch_compliance.yml +++ b/policies/ecc-aws-091-ec2_managed_ssm_patch_compliance.yml 
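Review bot: The public-access test in ecc-aws-090 reads only the first element of the annotation, `'"c7n:CrossAccountViolations"[0]'`, and compares it with `all`. If the annotation can hold account ids alongside `all` and its order is not guaranteed, which I have not verified here, a snapshot shared both publicly and with a specific account could be missed. A membership test avoids relying on position: `key: '"c7n:CrossAccountViolations"'` with `value_type: swap`, `op: in` and `value: all`, the same pattern ecc-aws-066 uses for `publicAccessCidrs`. The same filter appears in ecc-aws-092 and in the context lines of the ecc-aws-076 hunk, where the start of the filter block is outside the hunk.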
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-091-ec2_managed_ssm_patch_compliance - description: | - Amazon EC2 instances managed by Systems Manager have a patch compliance status of NON-COMPLIANT after a patch installation - resource: ec2 - filters: - - type: ssm-compliance - compliance_types: - - Patch - states: - - NON_COMPLIANT - comment: '0016032200' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-091-ec2_managed_ssm_patch_compliance + comment: '010016032200' + description: | + Amazon EC2 instances managed by Systems Manager have a patch compliance status of NON-COMPLIANT after a patch installation + resource: ec2 + filters: + - type: ssm-compliance + compliance_types: + - Patch + states: + - NON_COMPLIANT diff --git a/policies/ecc-aws-092-ami_public_access.yml b/policies/ecc-aws-092-ami_public_access.yml index 6798ea435..a3600ad78 100644 --- a/policies/ecc-aws-092-ami_public_access.yml +++ b/policies/ecc-aws-092-ami_public_access.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-092-ami_public_access - description: | - AMIs are exposed to public access - resource: ami - filters: - - and: - - type: cross-account - - type: value - key: '"c7n:CrossAccountViolations"[0]' - value: all - comment: '0040030400' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-092-ami_public_access + comment: '010040030400' + description: | + AMIs are exposed to public access + resource: ami + filters: + - and: + - type: cross-account + - type: value + key: '"c7n:CrossAccountViolations"[0]' + value: all diff --git a/policies/ecc-aws-093-ensure_that_sagemaker_in_vpc.yml b/policies/ecc-aws-093-ensure_that_sagemaker_in_vpc.yml index c989f35fa..24875d49c 100644 --- a/policies/ecc-aws-093-ensure_that_sagemaker_in_vpc.yml +++ b/policies/ecc-aws-093-ensure_that_sagemaker_in_vpc.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-093-ensure_that_sagemaker_in_vpc - description: | - SageMaker is not placed in VPC - resource: aws.sagemaker-notebook - filters: - - or: - - type: value - key: SubnetId - value: absent - - type: value - key: DirectInternetAccess - value: Enabled - comment: '0041112000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-093-ensure_that_sagemaker_in_vpc + comment: '010041112000' + description: | + SageMaker is not placed in VPC + resource: aws.sagemaker-notebook + filters: + - or: + - type: value + key: SubnetId + value: absent + - type: value + key: DirectInternetAccess + value: Enabled diff --git a/policies/ecc-aws-101-vpc-subnets_automatic_public_ip_assignment.yml b/policies/ecc-aws-101-vpc-subnets_automatic_public_ip_assignment.yml index 68eee1908..ed6776a32 100644 --- a/policies/ecc-aws-101-vpc-subnets_automatic_public_ip_assignment.yml +++ b/policies/ecc-aws-101-vpc-subnets_automatic_public_ip_assignment.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-101-vpc-subnets_automatic_public_ip_assignment - description: | - VPC subnets automatic public ip assignment is enabled - resource: subnet - filters: - - type: value - key: MapPublicIpOnLaunch - value: true - comment: '0024022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-101-vpc-subnets_automatic_public_ip_assignment + comment: '010024022000' + description: | + VPC subnets automatic public ip assignment is enabled + resource: subnet + filters: + - type: value + key: MapPublicIpOnLaunch + value: true diff --git a/policies/ecc-aws-102-sagemaker_does_not_have_direct_internet_access.yml b/policies/ecc-aws-102-sagemaker_does_not_have_direct_internet_access.yml index 41a818c27..d82fdacc3 100644 --- a/policies/ecc-aws-102-sagemaker_does_not_have_direct_internet_access.yml +++ b/policies/ecc-aws-102-sagemaker_does_not_have_direct_internet_access.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-102-sagemaker_does_not_have_direct_internet_access - description: | - SageMaker Notebook has direct internet access - resource: aws.sagemaker-notebook - filters: - - type: value - key: DirectInternetAccess - value: Enabled - comment: '0040112000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-102-sagemaker_does_not_have_direct_internet_access + comment: '010040112000' + description: | + SageMaker Notebook has direct internet access + resource: aws.sagemaker-notebook + filters: + - type: value + key: DirectInternetAccess + value: Enabled diff --git a/policies/ecc-aws-103-cloudfront_web_distributions_use_custom_ssl_certificates.yml b/policies/ecc-aws-103-cloudfront_web_distributions_use_custom_ssl_certificates.yml index 3eeb627e0..12267b3cd 100644 --- a/policies/ecc-aws-103-cloudfront_web_distributions_use_custom_ssl_certificates.yml +++ b/policies/ecc-aws-103-cloudfront_web_distributions_use_custom_ssl_certificates.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-103-cloudfront_web_distributions_use_custom_ssl_certificates - description: | - Cloudfront web distributions do not use custom SSL certificates - resource: distribution - filters: - - and: - - type: value - key: ViewerCertificate.CloudFrontDefaultCertificate - value: true - - type: value - key: ViewerCertificate.CertificateSource - value: cloudfront - comment: '0044022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-103-cloudfront_web_distributions_use_custom_ssl_certificates + comment: '010044022001' + description: | + Cloudfront web distributions do not use custom SSL certificates + resource: distribution + filters: + - and: + - type: value + key: ViewerCertificate.CloudFrontDefaultCertificate + value: true + - type: value + key: ViewerCertificate.CertificateSource + value: cloudfront diff --git a/policies/ecc-aws-104-cloudfront_web_distributions_with_geo_restriction_enabled.yml b/policies/ecc-aws-104-cloudfront_web_distributions_with_geo_restriction_enabled.yml index 59aab5a48..e1b926116 100644 --- a/policies/ecc-aws-104-cloudfront_web_distributions_with_geo_restriction_enabled.yml +++ b/policies/ecc-aws-104-cloudfront_web_distributions_with_geo_restriction_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-104-cloudfront_web_distributions_with_geo_restriction_enabled - description: | - Cloudfront web distribution with geo restriction is not enabled - resource: distribution - filters: - - type: value - key: Restrictions.GeoRestriction.RestrictionType - value: none - comment: '0024022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-104-cloudfront_web_distributions_with_geo_restriction_enabled + comment: '010024022001' + description: | + Cloudfront web distribution with geo restriction is not enabled + resource: distribution + filters: + - type: value + key: Restrictions.GeoRestriction.RestrictionType + value: none diff --git a/policies/ecc-aws-106-acm_has_certificates_single_domain_names.yml b/policies/ecc-aws-106-acm_has_certificates_single_domain_names.yml index e1c9a8d22..007f298c1 100644 --- a/policies/ecc-aws-106-acm_has_certificates_single_domain_names.yml +++ b/policies/ecc-aws-106-acm_has_certificates_single_domain_names.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-106-acm_has_certificates_single_domain_names + comment: '010024102000' description: | ACM has certificates with wildcard domain names resource: acm-certificate @@ -15,4 +16,3 @@ policies: key: DomainName op: regex value: '.*\*.*' - comment: '0024102000' \ No newline at end of file diff --git a/policies/ecc-aws-107-acm_has_no_unused_certificates.yml b/policies/ecc-aws-107-acm_has_no_unused_certificates.yml index 5e371f4a6..b739c9b5b 100644 
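Review bot: The wildcard check in ecc-aws-106 looks only at `DomainName` (`op: regex`, `value: '.*\*.*'`), so a certificate whose primary name is a single host but whose subject alternative names include a wildcard would not be reported. If the `acm-certificate` resource exposes `SubjectAlternativeNames` (not shown in this diff, so worth confirming), a second `value` filter over that list, combined with the existing one under `or:`, would close the gap. The lines between the two hunks of this file are not shown, so the start of the filter list is inferred.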
--- a/policies/ecc-aws-107-acm_has_no_unused_certificates.yml +++ b/policies/ecc-aws-107-acm_has_no_unused_certificates.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-107-acm_has_no_unused_certificates + comment: '010029102000' description: | AWS Certificate Manager (ACM) has unused certificates resource: acm-certificate @@ -14,4 +15,3 @@ policies: - type: value key: InUseBy[0] value: absent - comment: '0029102000' \ No newline at end of file diff --git a/policies/ecc-aws-108-cloudfront_distribution_access_logging.yml b/policies/ecc-aws-108-cloudfront_distribution_access_logging.yml index 057cf7874..729a389d7 100644 --- a/policies/ecc-aws-108-cloudfront_distribution_access_logging.yml +++ b/policies/ecc-aws-108-cloudfront_distribution_access_logging.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-108-cloudfront_distribution_access_logging + comment: '010019022001' description: | AWS CloudFront distribution with access logging is disabled resource: distribution @@ -14,4 +15,3 @@ policies: - type: distribution-config key: Logging.Enabled value: false - comment: '0019022001' \ No newline at end of file diff --git a/policies/ecc-aws-109-invalid_or_failed_certificates_are_removed_from_acm.yml b/policies/ecc-aws-109-invalid_or_failed_certificates_are_removed_from_acm.yml index 69f88c0ee..d9a8c7957 100644 --- a/policies/ecc-aws-109-invalid_or_failed_certificates_are_removed_from_acm.yml +++ b/policies/ecc-aws-109-invalid_or_failed_certificates_are_removed_from_acm.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-109-invalid_or_failed_certificates_are_removed_from_acm + comment: '010029102000' description: | Invalid or failed certificates are not removed from ACM resource: acm-certificate @@ -18,4 +19,3 @@ policies: - type: value key: Status value: VALIDATION_TIMED_OUT - comment: '0029102000' \ No newline at end of file 
diff --git a/policies/ecc-aws-111-alb_is_protected_by_waf_regional.yml b/policies/ecc-aws-111-alb_is_protected_by_waf_regional.yml index 0000efe2d..84db87f8d 100644 --- a/policies/ecc-aws-111-alb_is_protected_by_waf_regional.yml +++ b/policies/ecc-aws-111-alb_is_protected_by_waf_regional.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-111-alb_is_protected_by_waf_regional + comment: '010027022000' description: | ALB is not protected by WAF regional resource: app-elb @@ -17,4 +18,3 @@ policies: op: in - type: waf-enabled state: false - comment: '0027022000' \ No newline at end of file diff --git a/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml b/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml index 494cc7cb4..420e53838 100644 --- a/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml +++ b/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled + comment: '010047040301' description: | S3 bucket versioning MFA delete is disabled resource: s3 @@ -18,4 +19,3 @@ policies: - type: value key: Versioning.MFADelete value: absent - comment: '0047040301' \ No newline at end of file diff --git a/policies/ecc-aws-113-managed_policies_instead_of_inline_iam_policies.yml b/policies/ecc-aws-113-managed_policies_instead_of_inline_iam_policies.yml index fc54d3f77..e9819f360 100644 --- a/policies/ecc-aws-113-managed_policies_instead_of_inline_iam_policies.yml +++ b/policies/ecc-aws-113-managed_policies_instead_of_inline_iam_policies.yml @@ -7,9 +7,9 @@ policies: - name: ecc-aws-113-managed_policies_instead_of_inline_iam_policies + comment: '010022002001' description: | Inline IAM policies are in use resource: iam-user filters: - type: has-inline-policy - comment: '0022002001' \ No newline at end of file 
diff --git a/policies/ecc-aws-114-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic.yml b/policies/ecc-aws-114-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic.yml index e47c7db1e..3b71a3a87 100644 --- a/policies/ecc-aws-114-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic.yml +++ b/policies/ecc-aws-114-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-114-k8s_cluster_network_firewall_inbound_rule_permissive_to_all_traffic + comment: '010042072000' description: | Kubernetes Engine Clusters network firewall inbound rule is overly permissive to all traffic resource: eks @@ -28,4 +29,3 @@ policies: value_type: swap op: in value: "::/0" - comment: '0042072000' \ No newline at end of file diff --git a/policies/ecc-aws-115-expired_certificates_are_removed_from_acm.yml b/policies/ecc-aws-115-expired_certificates_are_removed_from_acm.yml index 4d5234322..4cc8ab8a0 100644 --- a/policies/ecc-aws-115-expired_certificates_are_removed_from_acm.yml +++ b/policies/ecc-aws-115-expired_certificates_are_removed_from_acm.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-115-expired_certificates_are_removed_from_acm + comment: '010029102000' description: | Expired certificates are not removed from the AWS Certificate Manager (ACM) resource: acm-certificate @@ -14,4 +15,3 @@ policies: - type: value key: Status value: EXPIRED - comment: '0029102000' \ No newline at end of file diff --git a/policies/ecc-aws-116-rest_api_gateway_is_set_to_private.yml b/policies/ecc-aws-116-rest_api_gateway_is_set_to_private.yml index e7d9a1054..dce7ccfa1 100644 --- a/policies/ecc-aws-116-rest_api_gateway_is_set_to_private.yml +++ b/policies/ecc-aws-116-rest_api_gateway_is_set_to_private.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-116-rest_api_gateway_is_set_to_private + comment: '010040022000' description: | API endpoint type in the API gateway is not private and exposed to the public internet resource: rest-api @@ -18,4 +19,3 @@ policies: - type: value key: endpointConfiguration.types[0] value: EDGE - comment: '0040022000' \ No newline at end of file diff --git a/policies/ecc-aws-117-api_key_is_required_on_method_request.yml b/policies/ecc-aws-117-api_key_is_required_on_method_request.yml index e74674710..b000c3444 100644 --- a/policies/ecc-aws-117-api_key_is_required_on_method_request.yml +++ b/policies/ecc-aws-117-api_key_is_required_on_method_request.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-117-api_key_is_required_on_method_request + comment: '010033022000' description: | API Key is not required on Method Request resource: rest-resource @@ -14,4 +15,3 @@ policies: - type: rest-method key: apiKeyRequired value: false - comment: '0033022000' \ No newline at end of file diff --git a/policies/ecc-aws-119-kinesis_streams_encrypted_kms_customer_master_keys.yml b/policies/ecc-aws-119-kinesis_streams_encrypted_kms_customer_master_keys.yml index 708550056..a9708aa43 100644 --- a/policies/ecc-aws-119-kinesis_streams_encrypted_kms_customer_master_keys.yml +++ b/policies/ecc-aws-119-kinesis_streams_encrypted_kms_customer_master_keys.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-119-kinesis_streams_encrypted_kms_customer_master_keys + comment: '010043052000' description: | Kinesis streams are not encrypted with KMS CMK resource: kinesis @@ -14,4 +15,3 @@ policies: - type: value key: KeyId value: 'alias/aws/kinesis' - comment: '0043052000' \ No newline at end of file diff --git a/policies/ecc-aws-120-kinesis_server_data_at_rest_has_sse.yml b/policies/ecc-aws-120-kinesis_server_data_at_rest_has_sse.yml index a56cd9d41..133ced1e9 100644 --- a/policies/ecc-aws-120-kinesis_server_data_at_rest_has_sse.yml 
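Review bot: The filter in ecc-aws-119 compares `KeyId` with the exact string `'alias/aws/kinesis'`, so a stream that refers to the AWS-managed key in another form (for example an alias ARN) would presumably not match and would go unreported. ecc-aws-124 in this same commit identifies AWS-managed keys with `type: kms-key`, `key: KeyManager`, `value: AWS`; the same approach here, if the `kinesis` resource supports that filter, would not depend on how the key was written. A smaller change would be `op: regex` with `value: '.*alias/aws/kinesis$'`.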
+++ b/policies/ecc-aws-120-kinesis_server_data_at_rest_has_sse.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-120-kinesis_server_data_at_rest_has_sse + comment: '010043052000' description: | Kinesis Server data at rest has no server-side encryption resource: kinesis @@ -14,4 +15,3 @@ policies: - type: value key: EncryptionType value: NONE - comment: '0043052000' \ No newline at end of file diff --git a/policies/ecc-aws-121-restrict_outbound_traffic.yml b/policies/ecc-aws-121-restrict_outbound_traffic.yml index 83064a575..13f046f5d 100644 --- a/policies/ecc-aws-121-restrict_outbound_traffic.yml +++ b/policies/ecc-aws-121-restrict_outbound_traffic.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-121-restrict_outbound_traffic + comment: '010042022000' description: | Outbound traffic is allowed to all ports resource: security-group @@ -22,4 +23,3 @@ policies: value_type: swap op: in value: '0.0.0.0/0' - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-122-dynamodb_is_encrypted_using_managed_cmk.yml b/policies/ecc-aws-122-dynamodb_is_encrypted_using_managed_cmk.yml index d8e67e034..a4affb5a1 100644 --- a/policies/ecc-aws-122-dynamodb_is_encrypted_using_managed_cmk.yml +++ b/policies/ecc-aws-122-dynamodb_is_encrypted_using_managed_cmk.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-122-dynamodb_is_encrypted_using_managed_cmk + comment: '010043062000' description: | DynamoDB is not encrypted using KMS CMK resource: dynamodb-table @@ -15,4 +16,3 @@ policies: - type: value key: SSEDescription.SSEType value: KMS - comment: '0043062000' \ No newline at end of file diff --git a/policies/ecc-aws-123-efs_is_encrypted.yml b/policies/ecc-aws-123-efs_is_encrypted.yml index a3aeffa72..f02912afe 100644 --- a/policies/ecc-aws-123-efs_is_encrypted.yml +++ b/policies/ecc-aws-123-efs_is_encrypted.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-123-efs_is_encrypted + comment: '010043040300' description: | Amazon EFS file systems are not encrypted resource: efs 
@@ -14,4 +15,3 @@ policies: - type: value key: Encrypted value: false - comment: '0043040300' \ No newline at end of file diff --git a/policies/ecc-aws-124-efs_is_encrypted_using_managed_cmk.yml b/policies/ecc-aws-124-efs_is_encrypted_using_managed_cmk.yml index de3cab448..126ee420b 100644 --- a/policies/ecc-aws-124-efs_is_encrypted_using_managed_cmk.yml +++ b/policies/ecc-aws-124-efs_is_encrypted_using_managed_cmk.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-124-efs_is_encrypted_using_managed_cmk + comment: '010043042000' description: | EFS file systems are not encrypted using KMS CMK resource: efs @@ -22,4 +23,3 @@ policies: - type: kms-key key: KeyManager value: AWS - comment: '0043042000' \ No newline at end of file diff --git a/policies/ecc-aws-125-elasticache_redis_clusters_encryption_at_rest.yml b/policies/ecc-aws-125-elasticache_redis_clusters_encryption_at_rest.yml index 35049c2e5..722996c7c 100644 --- a/policies/ecc-aws-125-elasticache_redis_clusters_encryption_at_rest.yml +++ b/policies/ecc-aws-125-elasticache_redis_clusters_encryption_at_rest.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-125-elasticache_redis_clusters_encryption_at_rest - description: | - ElastiCache Redis cluster at-rest encryption is disabled - resource: cache-cluster - filters: - - type: value - key: Engine - value: "redis" - - type: value - key: AtRestEncryptionEnabled - value: false - comment: '0043062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-125-elasticache_redis_clusters_encryption_at_rest + comment: '010043062000' + description: | + ElastiCache Redis cluster at-rest encryption is disabled + resource: cache-cluster + filters: + - type: value + key: Engine + value: "redis" + - type: value + key: AtRestEncryptionEnabled + value: false diff --git a/policies/ecc-aws-126-redshift_instances_are_encrypted.yml b/policies/ecc-aws-126-redshift_instances_are_encrypted.yml index 2446f03fa..e35cf0c7c 100644 --- a/policies/ecc-aws-126-redshift_instances_are_encrypted.yml +++ b/policies/ecc-aws-126-redshift_instances_are_encrypted.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-126-redshift_instances_are_encrypted + comment: '010043052000' description: | Redshift instances are not encrypted resource: redshift @@ -14,4 +15,3 @@ policies: - type: value key: Encrypted value: false - comment: '0043052000' \ No newline at end of file diff --git a/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml b/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml index 7994c216f..73ee91ec0 100644 
--- a/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml +++ b/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-127-rds_cluster_storage_is_encrypted + comment: '010043060300' description: | Unencrypted RDS cluster storage is in use resource: rds-cluster @@ -14,4 +15,3 @@ policies: - type: value key: StorageEncrypted value: false - comment: '0043060300' \ No newline at end of file diff --git a/policies/ecc-aws-128-expired_route53_domain_names.yml b/policies/ecc-aws-128-expired_route53_domain_names.yml index ef336d972..f4fa1ae86 100644 --- a/policies/ecc-aws-128-expired_route53_domain_names.yml +++ b/policies/ecc-aws-128-expired_route53_domain_names.yml @@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-128-expired_route53_domain_names - description: | - Expired Route53 domain name - resource: aws.r53domain - filters: - - type: value - key: Expiry - value_type: expiration - value: 0 - op: lte - comment: '0023022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-128-expired_route53_domain_names + comment: '010023022001' + description: | + Expired Route53 domain name + resource: aws.r53domain + filters: + - type: value + key: Expiry + value_type: expiration + value: 0 + op: lte diff --git a/policies/ecc-aws-129-enable_elb_access_logs.yml b/policies/ecc-aws-129-enable_elb_access_logs.yml index 1b7c99754..f61c200e8 100644 --- a/policies/ecc-aws-129-enable_elb_access_logs.yml 
+++ b/policies/ecc-aws-129-enable_elb_access_logs.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-129-enable_elb_access_logs + comment: '010019022000' description: | Application or Network Load Balancer access logs is disabled resource: app-elb @@ -17,4 +18,3 @@ policies: value: "gateway" op: in - type: is-not-logging - comment: '0019022000' \ No newline at end of file diff --git a/policies/ecc-aws-130-update_security_policy_of_network_load_balancer.yml b/policies/ecc-aws-130-update_security_policy_of_network_load_balancer.yml index 55ded3a77..b64922d9e 100644 --- a/policies/ecc-aws-130-update_security_policy_of_network_load_balancer.yml +++ b/policies/ecc-aws-130-update_security_policy_of_network_load_balancer.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-130-update_security_policy_of_network_load_balancer + comment: '010023022000' description: | Security Policy of the Network Load Balancer is not updated resource: app-elb @@ -23,4 +24,3 @@ policies: key: SslPolicy op: regex value: 'ELBSecurityPolicy-(TLS13|FS).*' - comment: '0023022000' \ No newline at end of file diff --git a/policies/ecc-aws-133-guardduty_service_is_enabled.yml b/policies/ecc-aws-133-guardduty_service_is_enabled.yml index 946302b6e..cb4f07ce2 100644 --- a/policies/ecc-aws-133-guardduty_service_is_enabled.yml +++ b/policies/ecc-aws-133-guardduty_service_is_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-133-guardduty_service_is_enabled + comment: '010016092000' description: | Amazon GuardDuty service is not enabled resource: account @@ -14,4 +15,3 @@ policies: - not: - type: guard-duty Detector.Status: ENABLED - comment: '0016092000' \ No newline at end of file diff --git a/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml b/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml index b4646a696..127de12e7 100644 --- a/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml 
+++ b/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml @@ -7,19 +7,19 @@ policies: - name: ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks - resource: aws.account + comment: '010035000301' description: | Root user is used for administrative and daily tasks + resource: aws.account filters: - or: - - type: credential - key: password_last_used - op: less-than - value_type: age - value: 90 - - type: credential - key: access_keys.last_used_date - op: less-than - value_type: age - value: 90 - comment: '0035000301' \ No newline at end of file + - type: credential + key: password_last_used + op: less-than + value_type: age + value: 90 + - type: credential + key: access_keys.last_used_date + op: less-than + value_type: age + value: 90 diff --git a/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml b/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml index c8223ad0e..be31f90a6 100644 --- a/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml +++ b/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml @@ -7,13 +7,13 @@ policies: - name: ecc-aws-139-iam_access_analyzer_is_enabled - resource: aws.account + comment: '010016000300' description: | IAM Access analyzer is not enabled + resource: aws.account filters: - not: - type: access-analyzer key: 'status' value: ACTIVE op: eq - comment: '0016000300' \ No newline at end of file diff --git a/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml b/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml index 3e59b6ffd..2fd85ec78 100644 --- a/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml +++ b/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user - resource: iam-user + comment: '010022000301' description: | More than one active access key is available for a single IAM user + resource: iam-user filters: - type: access-key key: Status @@ -21,4 +22,3 @@ policies: - type: value key: '"c7n:AccessKeys"[1].Status' value: Active - comment: '0022000301' \ No newline at end of file diff --git a/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml b/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml index 548ed5d6e..13d22725d 100644 --- a/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml +++ b/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml @@ -7,13 +7,13 @@ policies: - name: ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed - resource: iam-certificate + comment: '010029100301' description: | Expired SSL/TLS certificates stored in IAM are not removed + resource: iam-certificate filters: - type: value key: Expiration value_type: expiration op: le value: 0 - comment: '0029100301' \ No newline at end of file diff --git a/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml b/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml index 08cbcd231..5c2611f53 100644 --- a/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml +++ b/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml @@ -7,9 +7,9 @@ policies: - name: ecc-aws-142-s3_buckets_configured_with_block_public_access - resource: aws.s3 + comment: '010040040301' description: | S3 Buckets are not configured with 'Block public access' bucket settings + resource: aws.s3 filters: - type: check-public-block - comment: '0040040301' \ No newline at end of file 
diff --git a/policies/ecc-aws-147-ebs_volume_without_encrypt.yml b/policies/ecc-aws-147-ebs_volume_without_encrypt.yml index 92493eaa8..c2ca96a12 100644 --- a/policies/ecc-aws-147-ebs_volume_without_encrypt.yml +++ b/policies/ecc-aws-147-ebs_volume_without_encrypt.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-147-ebs_volume_without_encrypt - resource: aws.ebs + comment: '010043042000' description: | EBS volume encryption is disabled + resource: aws.ebs filters: - type: value key: Encrypted value: false - comment: '0043042000' \ No newline at end of file diff --git a/policies/ecc-aws-148-logging_for_s3_enabled.yml b/policies/ecc-aws-148-logging_for_s3_enabled.yml index d592f6358..9ae2b357d 100644 --- a/policies/ecc-aws-148-logging_for_s3_enabled.yml +++ b/policies/ecc-aws-148-logging_for_s3_enabled.yml @@ -7,10 +7,10 @@ policies: - name: ecc-aws-148-logging_for_s3_enabled + comment: '010019042001' description: | Logging for S3 bucket is disabled resource: s3 filters: - type: bucket-logging op: disabled - comment: '0019042001' \ No newline at end of file diff --git a/policies/ecc-aws-149-rds_public_access_disabled.yml b/policies/ecc-aws-149-rds_public_access_disabled.yml index 74d1b942c..0599930c9 100644 --- a/policies/ecc-aws-149-rds_public_access_disabled.yml +++ b/policies/ecc-aws-149-rds_public_access_disabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-149-rds_public_access_disabled + comment: '010040060300' description: | RDS instance is publicly accessible resource: rds @@ -14,4 +15,3 @@ policies: - type: value key: PubliclyAccessible value: true - comment: '0040060300' \ No newline at end of file diff --git a/policies/ecc-aws-150-api_gateway_rest_api_encryption_at_rest.yml b/policies/ecc-aws-150-api_gateway_rest_api_encryption_at_rest.yml index ac63448fa..ff64a60ac 100644 --- a/policies/ecc-aws-150-api_gateway_rest_api_encryption_at_rest.yml +++ b/policies/ecc-aws-150-api_gateway_rest_api_encryption_at_rest.yml 
@@ -7,9 +7,9 @@ policies: - name: ecc-aws-150-api_gateway_rest_api_encryption_at_rest + comment: '010043022000' description: | API Gateway REST API cache data is not encrypted at rest resource: rest-stage filters: - methodSettings."*/*".cacheDataEncrypted: false - comment: '0043022000' \ No newline at end of file diff --git a/policies/ecc-aws-151-security_group_ingress_is_restricted_traffic_to_port_20.yml b/policies/ecc-aws-151-security_group_ingress_is_restricted_traffic_to_port_20.yml index f91e522d9..d5f5f92e2 100644 --- a/policies/ecc-aws-151-security_group_ingress_is_restricted_traffic_to_port_20.yml +++ b/policies/ecc-aws-151-security_group_ingress_is_restricted_traffic_to_port_20.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-151-security_group_ingress_is_restricted_traffic_to_port_20 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to FTP port 20 + resource: aws.security-group filters: - type: ingress Ports: [20] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-152-clb_connection_draining_enabled.yml b/policies/ecc-aws-152-clb_connection_draining_enabled.yml index 056242372..8c63944e9 100644 --- a/policies/ecc-aws-152-clb_connection_draining_enabled.yml +++ b/policies/ecc-aws-152-clb_connection_draining_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-152-clb_connection_draining_enabled + comment: '010031022000' description: | Classic Load Balancers connection draining is not enabled resource: aws.elb @@ -14,4 +15,3 @@ policies: - type: attributes key: ConnectionDraining.Enabled value: false - comment: '0031022000' \ No newline at end of file diff --git a/policies/ecc-aws-153-elasticsearch_domains_audit_logging_enabled.yml b/policies/ecc-aws-153-elasticsearch_domains_audit_logging_enabled.yml index 192be32aa..197f3a02d 100644 --- a/policies/ecc-aws-153-elasticsearch_domains_audit_logging_enabled.yml 
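Review bot: The only filter in ecc-aws-150 is `methodSettings."*/*".cacheDataEncrypted: false`, which does not check whether the stage caches anything. A stage with caching turned off likely also reports `cacheDataEncrypted` as false and would be flagged although no cache data exists. A stage that configures caching only through per-method settings would have no `"*/*"` entry and so would not be evaluated. Adding `- cacheClusterEnabled: true` next to the existing filter would limit findings to stages that actually cache responses; confirm the field name against the `rest-stage` resource before relying on it.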
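Review bot: The ingress filter in ecc-aws-151 matches only the IPv4 range `"0.0.0.0/0"` for `Ports: [20]`, so a security group that opens port 20 to `::/0` is not reported. The single line between the two hunks is not shown and is presumably the `Cidr:` key. A second `- type: ingress` entry with `Ports: [20]` and a `CidrV6:` block holding `value: ["::/0"]` and `op: in`, placed together with the existing entry under `or:`, would cover IPv6. ecc-aws-114 in this commit already checks `"::/0"`.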
+++ b/policies/ecc-aws-153-elasticsearch_domains_audit_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-153-elasticsearch_domains_audit_logging_enabled - resource: aws.elasticsearch + comment: '010019052000' description: | Elasticsearch domains audit logging is not enabled + resource: aws.elasticsearch filters: - or: - type: value @@ -18,4 +19,3 @@ policies: - type: value key: LogPublishingOptions.AUDIT_LOGS value: absent - comment: '0019052000' \ No newline at end of file diff --git a/policies/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes.yml b/policies/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes.yml index ab3729562..0580ae4ca 100644 --- a/policies/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes.yml +++ b/policies/ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-155-elasticsearch_domains_configured_with_at_least_three_dedicated_master_nodes - resource: aws.elasticsearch + comment: '010050052000' description: | Elasticsearch domains are not configured with at least three dedicated master nodes + resource: aws.elasticsearch filters: - not: - and: @@ -20,4 +21,3 @@ policies: - type: value key: ElasticsearchClusterConfig.DedicatedMasterEnabled value: true - comment: '0050052000' \ No newline at end of file diff --git a/policies/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2.yml b/policies/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2.yml index 9fa54e563..bc050f5a4 100644 --- a/policies/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2.yml +++ b/policies/ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-156-elasticsearch_domain_connections_encrypted_using_TLS_1_2 - resource: aws.elasticsearch + comment: '010044052000' description: | Connections to Elasticsearch domains are not encrypted using TLS 1.2 + resource: aws.elasticsearch filters: - not: - and: @@ -19,4 +20,3 @@ policies: - type: value key: DomainEndpointOptions.EnforceHTTPS value: true - comment: '0044052000' \ No newline at end of file diff --git a/policies/ecc-aws-157-rds_db_clusters_configured_to_copy_tags_to_snapshots.yml b/policies/ecc-aws-157-rds_db_clusters_configured_to_copy_tags_to_snapshots.yml index efe418db2..c1a7066d5 100644 --- a/policies/ecc-aws-157-rds_db_clusters_configured_to_copy_tags_to_snapshots.yml +++ b/policies/ecc-aws-157-rds_db_clusters_configured_to_copy_tags_to_snapshots.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-157-rds_db_clusters_configured_to_copy_tags_to_snapshots - resource: aws.rds-cluster + comment: '010010062000' description: | RDS DB clusters are not configured to copy tags to snapshots + resource: aws.rds-cluster filters: - type: value key: CopyTagsToSnapshot value: false - comment: '0010062000' \ No newline at end of file diff --git a/policies/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots.yml b/policies/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots.yml index a0e5a8c2f..73814c20b 100644 --- a/policies/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots.yml +++ b/policies/ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-158-rds_db_instances_configured_to_copy_tags_to_snapshots - resource: aws.rds + comment: '010010062000' description: | RDS DB instances are not configured to copy tags to snapshots + resource: aws.rds filters: - type: value key: CopyTagsToSnapshot value: false - comment: '0010062000' \ No newline at end of file 
diff --git a/policies/ecc-aws-164-redshift_clusters_audit_logging_enabled.yml b/policies/ecc-aws-164-redshift_clusters_audit_logging_enabled.yml index a895c436b..88d2436a8 100644 --- a/policies/ecc-aws-164-redshift_clusters_audit_logging_enabled.yml +++ b/policies/ecc-aws-164-redshift_clusters_audit_logging_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-164-redshift_clusters_audit_logging_enabled + comment: '010019052000' description: | Redshift clusters audit logging is disabled resource: redshift @@ -19,4 +20,3 @@ policies: key: enable_user_activity_logging value: false op: eq - comment: '0019052000' \ No newline at end of file diff --git a/policies/ecc-aws-165-ecs_services_public_ip_addresses_not_assigned_automatically.yml b/policies/ecc-aws-165-ecs_services_public_ip_addresses_not_assigned_automatically.yml index 3d74f2ee9..9e04ff85e 100644 --- a/policies/ecc-aws-165-ecs_services_public_ip_addresses_not_assigned_automatically.yml +++ b/policies/ecc-aws-165-ecs_services_public_ip_addresses_not_assigned_automatically.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-165-ecs_services_public_ip_addresses_not_assigned_automatically - resource: aws.ecs-service + comment: '010040082000' description: | Amazon ECS services public IP addresses are assigned to them automatically + resource: aws.ecs-service filters: - type: value key: deployments[0].networkConfiguration.awsvpcConfiguration.assignPublicIp value: ENABLED - comment: '0040082000' \ No newline at end of file diff --git a/policies/ecc-aws-166-security_group_ingress_is_restricted_traffic_to_port_135.yml b/policies/ecc-aws-166-security_group_ingress_is_restricted_traffic_to_port_135.yml index 38d2e446c..5dd2faf25 100644 --- a/policies/ecc-aws-166-security_group_ingress_is_restricted_traffic_to_port_135.yml +++ b/policies/ecc-aws-166-security_group_ingress_is_restricted_traffic_to_port_135.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-166-security_group_ingress_is_restricted_traffic_to_port_135 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to RPC port 135 + resource: aws.security-group filters: - type: ingress Ports: [135] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-167-security_group_ingress_is_restricted_traffic_to_port_143.yml b/policies/ecc-aws-167-security_group_ingress_is_restricted_traffic_to_port_143.yml index 7ec2cd364..835e51d83 100644 --- a/policies/ecc-aws-167-security_group_ingress_is_restricted_traffic_to_port_143.yml +++ b/policies/ecc-aws-167-security_group_ingress_is_restricted_traffic_to_port_143.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-167-security_group_ingress_is_restricted_traffic_to_port_143 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to IMAP port 143 + resource: aws.security-group filters: - type: ingress Ports: [143] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-168-security_group_ingress_is_restricted_traffic_to_mssql_ports.yml b/policies/ecc-aws-168-security_group_ingress_is_restricted_traffic_to_mssql_ports.yml index 56c1bec6b..89ea086ce 100644 --- a/policies/ecc-aws-168-security_group_ingress_is_restricted_traffic_to_mssql_ports.yml +++ b/policies/ecc-aws-168-security_group_ingress_is_restricted_traffic_to_mssql_ports.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-168-security_group_ingress_is_restricted_traffic_to_mssql_ports - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to MSSQL ports 1433, 1434 + resource: aws.security-group filters: - type: ingress Ports: [1433, 1434] 
@@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-169-security_group_ingress_is_restricted_traffic_to_port_4333.yml b/policies/ecc-aws-169-security_group_ingress_is_restricted_traffic_to_port_4333.yml index 1dd0e4de7..bb148b226 100644 --- a/policies/ecc-aws-169-security_group_ingress_is_restricted_traffic_to_port_4333.yml +++ b/policies/ecc-aws-169-security_group_ingress_is_restricted_traffic_to_port_4333.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-169-security_group_ingress_is_restricted_traffic_to_port_4333 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to ahsp port 4333 + resource: aws.security-group filters: - type: ingress Ports: [4333] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-170-security_group_ingress_is_restricted_traffic_to_port_5500.yml b/policies/ecc-aws-170-security_group_ingress_is_restricted_traffic_to_port_5500.yml index 2ee15449a..eef2ddb45 100644 --- a/policies/ecc-aws-170-security_group_ingress_is_restricted_traffic_to_port_5500.yml +++ b/policies/ecc-aws-170-security_group_ingress_is_restricted_traffic_to_port_5500.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-170-security_group_ingress_is_restricted_traffic_to_port_5500 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to fcp-addr-srvr1 port 5500 + resource: aws.security-group filters: - type: ingress Ports: [5500] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-171-security_group_ingress_is_restricted_traffic_to_port_5601.yml b/policies/ecc-aws-171-security_group_ingress_is_restricted_traffic_to_port_5601.yml index ae25984b8..e6983bc8d 100644 
--- a/policies/ecc-aws-171-security_group_ingress_is_restricted_traffic_to_port_5601.yml +++ b/policies/ecc-aws-171-security_group_ingress_is_restricted_traffic_to_port_5601.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-171-security_group_ingress_is_restricted_traffic_to_port_5601 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to Kibana port 5601 + resource: aws.security-group filters: - type: ingress Ports: [5601] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-172-security_group_ingress_is_restricted_traffic_to_port_8080.yml b/policies/ecc-aws-172-security_group_ingress_is_restricted_traffic_to_port_8080.yml index 49bfec75f..297381717 100644 --- a/policies/ecc-aws-172-security_group_ingress_is_restricted_traffic_to_port_8080.yml +++ b/policies/ecc-aws-172-security_group_ingress_is_restricted_traffic_to_port_8080.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-172-security_group_ingress_is_restricted_traffic_to_port_8080 - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to proxy port 8080 + resource: aws.security-group filters: - type: ingress Ports: [8080] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-173-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports.yml b/policies/ecc-aws-173-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports.yml index afb59d4e4..d46e2d17f 100644 --- a/policies/ecc-aws-173-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports.yml +++ b/policies/ecc-aws-173-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-173-security_group_ingress_is_restricted_traffic_to_elasticsearch_service_ports - resource: aws.security-group + comment: '010042022000' description: | Security groups allow unrestricted access to Elasticsearch service ports 9200, 9300 + resource: aws.security-group filters: - type: ingress Ports: [9200, 9300] @@ -17,4 +18,3 @@ policies: value: - "0.0.0.0/0" op: in - comment: '0042022000' \ No newline at end of file diff --git a/policies/ecc-aws-174-rds_database_cluster_engine_no_default_ports.yml b/policies/ecc-aws-174-rds_database_cluster_engine_no_default_ports.yml index 801dae859..d3d356c46 100644 --- a/policies/ecc-aws-174-rds_database_cluster_engine_no_default_ports.yml +++ b/policies/ecc-aws-174-rds_database_cluster_engine_no_default_ports.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-174-rds_database_cluster_engine_no_default_ports - resource: aws.rds-cluster + comment: '010024062000' description: | RDS database clusters are using a database engine default ports + resource: aws.rds-cluster filters: - or: - type: value @@ -20,4 +21,3 @@ policies: key: Port op: eq value: 5432 - comment: '0024062000' \ No newline at end of file diff --git a/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml b/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml index cc3274d7b..14244950e 100644 --- a/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml +++ b/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-175-rds_instances_storage_is_encrypted + comment: '010043060300' description: | RDS instances storage not encrypted resource: rds @@ -14,4 +15,3 @@ policies: - type: value key: StorageEncrypted value: false - comment: '0043060300' \ No newline at end of file diff --git a/policies/ecc-aws-176-rds_snapshots_storage_is_encrypted.yml b/policies/ecc-aws-176-rds_snapshots_storage_is_encrypted.yml index 4bd4485b6..cb9c10e9f 100644 
--- a/policies/ecc-aws-176-rds_snapshots_storage_is_encrypted.yml +++ b/policies/ecc-aws-176-rds_snapshots_storage_is_encrypted.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-176-rds_snapshots_storage_is_encrypted + comment: '010043062000' description: | RDS snapshot storage not encrypted resource: rds-snapshot @@ -14,4 +15,3 @@ policies: - type: value key: Encrypted value: false - comment: '0043062000' \ No newline at end of file diff --git a/policies/ecc-aws-177-api_gateway_rest_api_stages_ssl_certificates_configured.yml b/policies/ecc-aws-177-api_gateway_rest_api_stages_ssl_certificates_configured.yml index 0b41a9179..fafaf74f5 100644 --- a/policies/ecc-aws-177-api_gateway_rest_api_stages_ssl_certificates_configured.yml +++ b/policies/ecc-aws-177-api_gateway_rest_api_stages_ssl_certificates_configured.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-177-api_gateway_rest_api_stages_ssl_certificates_configured + comment: '010044022000' description: | API Gateway REST API stages are not configured to use SSL certificates for backend authentication resource: rest-stage @@ -14,4 +15,3 @@ policies: - type: value key: clientCertificateId value: absent - comment: '0044022000' \ No newline at end of file diff --git a/policies/ecc-aws-178-rest_api_aws_x_ray_enabled.yml b/policies/ecc-aws-178-rest_api_aws_x_ray_enabled.yml index c7498dae1..05cef4be7 100644 --- a/policies/ecc-aws-178-rest_api_aws_x_ray_enabled.yml +++ b/policies/ecc-aws-178-rest_api_aws_x_ray_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-178-rest_api_aws_x_ray_enabled + comment: '010016022000' description: | API Gateway REST API stages do not have AWS X-Ray tracing enabled resource: rest-stage @@ -14,4 +15,3 @@ policies: - type: value key: tracingEnabled value: false - comment: '0016022000' \ No newline at end of file diff --git a/policies/ecc-aws-179-cloudfront_default_root_object_configured.yml b/policies/ecc-aws-179-cloudfront_default_root_object_configured.yml index 8164b7065..8eef70595 100644 
--- a/policies/ecc-aws-179-cloudfront_default_root_object_configured.yml +++ b/policies/ecc-aws-179-cloudfront_default_root_object_configured.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-179-cloudfront_default_root_object_configured + comment: '010040022001' description: | CloudFront distributions do not have a default root object configured resource: distribution @@ -14,4 +15,3 @@ policies: - type: distribution-config key: DefaultRootObject value: empty - comment: '0040022001' \ No newline at end of file diff --git a/policies/ecc-aws-180-cloudfront_origin_failover_configured.yml b/policies/ecc-aws-180-cloudfront_origin_failover_configured.yml index 5963f46af..8b7be97b2 100644 --- a/policies/ecc-aws-180-cloudfront_origin_failover_configured.yml +++ b/policies/ecc-aws-180-cloudfront_origin_failover_configured.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-180-cloudfront_origin_failover_configured + comment: '010050022001' description: | CloudFront distributions origin failover is not configured resource: distribution @@ -15,4 +16,3 @@ policies: key: OriginGroups.Quantity op: eq value: 0 - comment: '0050022001' \ No newline at end of file diff --git a/policies/ecc-aws-181-dms_replication_not_public.yml b/policies/ecc-aws-181-dms_replication_not_public.yml index a461de7ec..c1b882136 100644 --- a/policies/ecc-aws-181-dms_replication_not_public.yml +++ b/policies/ecc-aws-181-dms_replication_not_public.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-181-dms_replication_not_public + comment: '010040062000' description: | AWS Database Migration Service replication instances are public resource: dms-instance @@ -14,4 +15,3 @@ policies: - type: value key: PubliclyAccessible value: true - comment: '0040062000' \ No newline at end of file diff --git a/policies/ecc-aws-183-dynamodb_tables_pitr_enabled.yml b/policies/ecc-aws-183-dynamodb_tables_pitr_enabled.yml index 4559a5c6e..852edfbd4 100644 --- a/policies/ecc-aws-183-dynamodb_tables_pitr_enabled.yml 
+++ b/policies/ecc-aws-183-dynamodb_tables_pitr_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-183-dynamodb_tables_pitr_enabled + comment: '010049062000' description: | DynamoDB tables do not have point-in-time recovery enabled resource: dynamodb-table @@ -15,4 +16,3 @@ policies: key: PointInTimeRecoveryDescription.PointInTimeRecoveryStatus op: ne value: ENABLED - comment: '0049062000' \ No newline at end of file diff --git a/policies/ecc-aws-184-dynamodb_dax_encryption_enabled.yml b/policies/ecc-aws-184-dynamodb_dax_encryption_enabled.yml index 443ca3575..60996d4f3 100644 --- a/policies/ecc-aws-184-dynamodb_dax_encryption_enabled.yml +++ b/policies/ecc-aws-184-dynamodb_dax_encryption_enabled.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-184-dynamodb_dax_encryption_enabled - resource: dax + comment: '010043062000' description: | DynamoDB Accelerator clusters are not encrypted at rest + resource: dax filters: - type: value key: SSEDescription.Status value: DISABLED - comment: '0043062000' \ No newline at end of file diff --git a/policies/ecc-aws-185-ec2_stopped_instance.yml b/policies/ecc-aws-185-ec2_stopped_instance.yml index aab77535c..a3014e7b8 100644 --- a/policies/ecc-aws-185-ec2_stopped_instance.yml +++ b/policies/ecc-aws-185-ec2_stopped_instance.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-185-ec2_stopped_instance + comment: '010002030400' description: | Stopped EC2 instances are not removed after a specified time period resource: aws.ec2 @@ -18,4 +19,3 @@ policies: - type: value key: State.Name value: stopped - comment: '0002030400' \ No newline at end of file diff --git a/policies/ecc-aws-186-ec2_instance_no_public_ip.yml b/policies/ecc-aws-186-ec2_instance_no_public_ip.yml index ca2cf4577..56e5f1883 100644 --- a/policies/ecc-aws-186-ec2_instance_no_public_ip.yml +++ b/policies/ecc-aws-186-ec2_instance_no_public_ip.yml 
@@ -7,11 +7,11 @@ policies: - name: ecc-aws-186-ec2_instance_no_public_ip - resource: aws.ec2 + comment: '010040032000' description: | EC2 instances have public IP address + resource: aws.ec2 filters: - type: value key: NetworkInterfaces[].Association.PublicIp value: not-null - comment: '0040032000' \ No newline at end of file diff --git a/policies/ecc-aws-187-ec2_service_use_vpc_endpoints.yml b/policies/ecc-aws-187-ec2_service_use_vpc_endpoints.yml index c339f63a2..529bc2ed0 100644 --- a/policies/ecc-aws-187-ec2_service_use_vpc_endpoints.yml +++ b/policies/ecc-aws-187-ec2_service_use_vpc_endpoints.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-187-ec2_service_use_vpc_endpoints + comment: '010039022000' description: | EC2 is not configured to use VPC endpoints that are created for the EC2 service resource: vpc @@ -16,4 +17,3 @@ policies: key: ServiceName op: regex value: 'com\.amazonaws\.[\-a-z1-5]*\.ec2' - comment: '0039022000' \ No newline at end of file diff --git a/policies/ecc-aws-188-vpc_unused_network_acl.yml b/policies/ecc-aws-188-vpc_unused_network_acl.yml index 6a7e3b0c5..1ba3d91e7 100644 --- a/policies/ecc-aws-188-vpc_unused_network_acl.yml +++ b/policies/ecc-aws-188-vpc_unused_network_acl.yml @@ -7,12 +7,12 @@ policies: - name: ecc-aws-188-vpc_unused_network_acl - resource: aws.network-acl + comment: '010018022000' description: | Unused network access control lists are not removed + resource: aws.network-acl filters: - not: - type: value key: Associations value: not-null - comment: '0018022000' \ No newline at end of file diff --git a/policies/ecc-aws-189-ec2_instance_should_not_use_multiple_eni.yml b/policies/ecc-aws-189-ec2_instance_should_not_use_multiple_eni.yml index a8222378e..1c614f23c 100644 --- a/policies/ecc-aws-189-ec2_instance_should_not_use_multiple_eni.yml +++ b/policies/ecc-aws-189-ec2_instance_should_not_use_multiple_eni.yml 
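Review bot: The `ServiceName` pattern `'com\.amazonaws\.[\-a-z1-5]*\.ec2'` in the second hunk of ecc-aws-187 has no end anchor. Unless the `regex` op anchors at both ends, a service name that only begins with `ec2`, such as the `ec2messages` endpoint, would presumably satisfy the check too. The region class `[\-a-z1-5]` also leaves out the digits 0 and 6–9. Something like `value: 'com\.amazonaws\.[a-z0-9-]+\.ec2$'` pins the match to the EC2 service itself. The enclosing filter starts above the hunk, so confirm how the match result is used before changing it.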
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-189-ec2_instance_should_not_use_multiple_eni + comment: '010024032000' description: | EC2 instances are using multiple ENIs resource: ec2 @@ -14,4 +15,3 @@ policies: - type: value key: NetworkInterfaces[1].Status value: "in-use" - comment: '0024032000' \ No newline at end of file diff --git a/policies/ecc-aws-190-ecs_task_definitions_secure_networking_modes_and_user_definitions.yml b/policies/ecc-aws-190-ecs_task_definitions_secure_networking_modes_and_user_definitions.yml index 9f5bce610..a350ae5dd 100644 --- a/policies/ecc-aws-190-ecs_task_definitions_secure_networking_modes_and_user_definitions.yml +++ b/policies/ecc-aws-190-ecs_task_definitions_secure_networking_modes_and_user_definitions.yml 
@@ -1,36 +1,36 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-190-ecs_task_definitions_secure_networking_modes_and_user_definitions - description: | - Amazon ECS task definitions do not have secure networking modes and user definitions - resource: ecs-task-definition - filters: - - and: - - type: value - key: networkMode - value: host - - or: - - type: value - key: containerDefinitions[].privileged - value: empty - - type: value - key: containerDefinitions[].privileged - value_type: swap - op: in - value: false - - or: - - type: value - key: containerDefinitions[].user - value: empty - - type: value - key: containerDefinitions[].user - value_type: swap - op: in - value: root - comment: '0022082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-190-ecs_task_definitions_secure_networking_modes_and_user_definitions + comment: '010022082000' + description: | + Amazon ECS task definitions do not have secure networking modes and user definitions + resource: ecs-task-definition + filters: + - and: + - type: value + key: networkMode + value: host + - or: + - type: value + key: containerDefinitions[].privileged + value: empty + - type: value + key: containerDefinitions[].privileged + value_type: swap + op: in + value: false + - or: + - type: value + key: containerDefinitions[].user + value: empty + - type: value + key: containerDefinitions[].user + value_type: swap + op: in + value: root 
diff --git a/policies/ecc-aws-191-efs_in_backup_plan.yml b/policies/ecc-aws-191-efs_in_backup_plan.yml index e6b00ec3f..6455e9778 100644 --- a/policies/ecc-aws-191-efs_in_backup_plan.yml +++ b/policies/ecc-aws-191-efs_in_backup_plan.yml @@ -7,9 +7,9 @@ policies: - name: ecc-aws-191-efs_in_backup_plan + comment: '010049042000' description: | Amazon EFS volumes are not in backup plans resource: efs filters: - "tag:aws:elasticfilesystem:default-backup": absent - comment: '0049042000' \ No newline at end of file diff --git a/policies/ecc-aws-192-elastic_beanstalk_enhanced_health_reporting_enabled.yml b/policies/ecc-aws-192-elastic_beanstalk_enhanced_health_reporting_enabled.yml index 657bc19a7..5e5ff6bf0 100644 --- a/policies/ecc-aws-192-elastic_beanstalk_enhanced_health_reporting_enabled.yml +++ b/policies/ecc-aws-192-elastic_beanstalk_enhanced_health_reporting_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-192-elastic_beanstalk_enhanced_health_reporting_enabled + comment: '010032032000' description: | Elastic Beanstalk environments do not have enhanced health reporting enabled resource: aws.elasticbeanstalk-environment @@ -14,4 +15,3 @@ policies: - type: value key: HealthStatus value: absent - comment: '0032032000' \ No newline at end of file diff --git a/policies/ecc-aws-193-alb_drop_invalid_http_header.yml b/policies/ecc-aws-193-alb_drop_invalid_http_header.yml index 97ad2a14c..57833cd1d 100644 --- a/policies/ecc-aws-193-alb_drop_invalid_http_header.yml +++ b/policies/ecc-aws-193-alb_drop_invalid_http_header.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-193-alb_drop_invalid_http_header + comment: '010024022000' description: | Application load balancers are not configured to drop invalid HTTP headers resource: aws.app-elb @@ -15,4 +16,3 @@ policies: key: routing.http.drop_invalid_header_fields.enabled value: false op: eq - comment: '0024022000' \ No newline at end of file 
diff --git a/policies/ecc-aws-194-elb_deletion_protection_enabled.yml b/policies/ecc-aws-194-elb_deletion_protection_enabled.yml index fed1157d5..177b826f2 100644 --- a/policies/ecc-aws-194-elb_deletion_protection_enabled.yml +++ b/policies/ecc-aws-194-elb_deletion_protection_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-194-elb_deletion_protection_enabled + comment: '010047022000' description: | Application, Network or Gateway Load Balancer deletion protection is not enabled resource: aws.app-elb @@ -15,4 +16,3 @@ policies: key: deletion_protection.enabled value: false op: eq - comment: '0047022000' \ No newline at end of file diff --git a/policies/ecc-aws-195-alb_http_to_https_redirection_enabled.yml b/policies/ecc-aws-195-alb_http_to_https_redirection_enabled.yml index cd4ba3f81..7d74e9fea 100644 --- a/policies/ecc-aws-195-alb_http_to_https_redirection_enabled.yml +++ b/policies/ecc-aws-195-alb_http_to_https_redirection_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-195-alb_http_to_https_redirection_enabled + comment: '010044022000' description: | Application Load Balancer is not configured to redirect all HTTP requests to HTTPS resource: app-elb @@ -22,4 +23,3 @@ policies: - type: listener key: DefaultActions[?Type==`redirect`].RedirectConfig.Protocol value: [HTTPS] - comment: '0044022000' \ No newline at end of file diff --git a/policies/ecc-aws-196-emr_master_nodes_no_public_ip.yml b/policies/ecc-aws-196-emr_master_nodes_no_public_ip.yml index 5dc54830d..fcc9f0f95 100644 --- a/policies/ecc-aws-196-emr_master_nodes_no_public_ip.yml +++ b/policies/ecc-aws-196-emr_master_nodes_no_public_ip.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-196-emr_master_nodes_no_public_ip + comment: '010040052000' description: | Amazon EMR cluster master nodes have public IP addresses resource: emr @@ -20,4 +21,3 @@ policies: key: MasterPublicDnsName op: regex value: '^([0-9]{1,3}\.){3}[0-9]{1,3}$' - comment: '0040052000' \ No newline at end of file 
diff --git a/policies/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled.yml b/policies/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled.yml index 0ab20ed88..b980398c8 100644 --- a/policies/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled.yml +++ b/policies/ecc-aws-197-elasticsearch_node_to_node_encryption_enabled.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-197-elasticsearch_node_to_node_encryption_enabled - resource: aws.elasticsearch + comment: '010044052000' description: | Elasticsearch domains data sent between nodes is not encrypted + resource: aws.elasticsearch filters: - type: value key: NodeToNodeEncryptionOptions.Enabled value: false - comment: '0044052000' \ No newline at end of file diff --git a/policies/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled.yml b/policies/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled.yml index e74d97e38..3f342ca62 100644 --- a/policies/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled.yml +++ b/policies/ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-198-elasticsearch_error_logging_to_cloudwatch_enabled + comment: '010019052000' description: | Elasticsearch domain error logging to CloudWatch Logs is not enabled resource: aws.elasticsearch @@ -18,4 +19,3 @@ policies: - type: value key: LogPublishingOptions.ES_APPLICATION_LOGS value: absent - comment: '0019052000' \ No newline at end of file diff --git a/policies/ecc-aws-199-rds_instance_enhanced_monitoring_enabled.yml b/policies/ecc-aws-199-rds_instance_enhanced_monitoring_enabled.yml index 863b0f1cf..6e3cee6a3 100644 --- a/policies/ecc-aws-199-rds_instance_enhanced_monitoring_enabled.yml +++ b/policies/ecc-aws-199-rds_instance_enhanced_monitoring_enabled.yml 
@@ -7,11 +7,11 @@ policies: - name: ecc-aws-199-rds_instance_enhanced_monitoring_enabled - resource: aws.rds + comment: '010016062000' description: | Enhanced monitoring is not configured for RDS DB instances + resource: aws.rds filters: - type: value key: EnhancedMonitoringResourceArn value: null - comment: '0016062000' \ No newline at end of file diff --git a/policies/ecc-aws-200-rds_cluster_deletion_protection_enabled.yml b/policies/ecc-aws-200-rds_cluster_deletion_protection_enabled.yml index ab1ce0857..21eb547d4 100644 --- a/policies/ecc-aws-200-rds_cluster_deletion_protection_enabled.yml +++ b/policies/ecc-aws-200-rds_cluster_deletion_protection_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-200-rds_cluster_deletion_protection_enabled + comment: '010047062000' description: | RDS clusters deletion protection is not enabled resource: aws.rds-cluster @@ -14,4 +15,3 @@ policies: - type: value key: DeletionProtection value: false - comment: '0047062000' \ No newline at end of file diff --git a/policies/ecc-aws-201-rds_instance_deletion_protection_enabled.yml b/policies/ecc-aws-201-rds_instance_deletion_protection_enabled.yml index e0f0b670f..9e0ae1158 100644 --- a/policies/ecc-aws-201-rds_instance_deletion_protection_enabled.yml +++ b/policies/ecc-aws-201-rds_instance_deletion_protection_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-201-rds_instance_deletion_protection_enabled + comment: '010047062000' description: | RDS DB instances deletion protection is not enabled resource: rds @@ -14,4 +15,3 @@ policies: - type: value key: DeletionProtection value: false - comment: '0047062000' \ No newline at end of file diff --git a/policies/ecc-aws-202-rds_oracle_logging_enabled.yml b/policies/ecc-aws-202-rds_oracle_logging_enabled.yml index 8fd9840dc..05e503fce 100644 --- a/policies/ecc-aws-202-rds_oracle_logging_enabled.yml +++ b/policies/ecc-aws-202-rds_oracle_logging_enabled.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-202-rds_oracle_logging_enabled - resource: aws.rds + comment: '010019062000' description: | Oracle database logging is disabled + resource: aws.rds filters: - and: - type: value @@ -38,4 +39,3 @@ policies: op: in value_type: swap value: listener - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-203-rds_postgresql_logging_enabled.yml b/policies/ecc-aws-203-rds_postgresql_logging_enabled.yml index d53aa55ef..5e3a589b7 100644 --- a/policies/ecc-aws-203-rds_postgresql_logging_enabled.yml +++ b/policies/ecc-aws-203-rds_postgresql_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-203-rds_postgresql_logging_enabled - resource: aws.rds + comment: '010019062000' description: | PostgreSQL database logging is disabled + resource: aws.rds filters: - and: - type: value @@ -38,4 +39,3 @@ policies: key: log_statement op: eq value: 'all' - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-204-rds_mysql_logging_enabled.yml b/policies/ecc-aws-204-rds_mysql_logging_enabled.yml index 4e0501057..ea596b10e 100644 --- a/policies/ecc-aws-204-rds_mysql_logging_enabled.yml +++ b/policies/ecc-aws-204-rds_mysql_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-204-rds_mysql_logging_enabled - resource: aws.rds + comment: '010019062000' description: | MySQL database logging is disabled + resource: aws.rds filters: - and: - type: value @@ -49,4 +50,3 @@ policies: key: log_output op: eq value: FILE - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-205-rds_mariadb_logging_enabled.yml b/policies/ecc-aws-205-rds_mariadb_logging_enabled.yml index e764df60a..c7cd62e95 100644 --- a/policies/ecc-aws-205-rds_mariadb_logging_enabled.yml +++ b/policies/ecc-aws-205-rds_mariadb_logging_enabled.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-205-rds_mariadb_logging_enabled - resource: aws.rds + comment: '010019062000' description: | MariaDB database logging is disabled + resource: aws.rds filters: - and: - type: value @@ -54,4 +55,3 @@ policies: key: log_output op: eq value: FILE - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-206-rds_sql_server_logging_enabled.yml b/policies/ecc-aws-206-rds_sql_server_logging_enabled.yml index 7d8526652..07e8a37ad 100644 --- a/policies/ecc-aws-206-rds_sql_server_logging_enabled.yml +++ b/policies/ecc-aws-206-rds_sql_server_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-206-rds_sql_server_logging_enabled - resource: aws.rds + comment: '010019062000' description: | SQL Server database logging is disabled + resource: aws.rds filters: - and: - type: value @@ -28,4 +29,3 @@ policies: op: in value_type: swap value: error - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-207-rds_aurora_logging_enabled.yml b/policies/ecc-aws-207-rds_aurora_logging_enabled.yml index 4f7bb3bad..f960e1a5f 100644 --- a/policies/ecc-aws-207-rds_aurora_logging_enabled.yml +++ b/policies/ecc-aws-207-rds_aurora_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-207-rds_aurora_logging_enabled - resource: rds + comment: '010019062000' description: | Aurora database logging is disabled + resource: rds filters: - and: - type: value @@ -49,4 +50,3 @@ policies: key: log_output op: eq value: FILE - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-208-rds_aurora_mysql_logging_enabled.yml b/policies/ecc-aws-208-rds_aurora_mysql_logging_enabled.yml index e290697e2..ae4e796cf 100644 --- a/policies/ecc-aws-208-rds_aurora_mysql_logging_enabled.yml +++ b/policies/ecc-aws-208-rds_aurora_mysql_logging_enabled.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-208-rds_aurora_mysql_logging_enabled - resource: rds + comment: '010019062000' description: | Aurora-MySQL database logging is disabled + resource: rds filters: - and: - type: value @@ -49,4 +50,3 @@ policies: key: log_output op: eq value: FILE - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-209-rds_aurora_postgresql_logging_enabled.yml b/policies/ecc-aws-209-rds_aurora_postgresql_logging_enabled.yml index a29ca8aff..ccdfaac2b 100644 --- a/policies/ecc-aws-209-rds_aurora_postgresql_logging_enabled.yml +++ b/policies/ecc-aws-209-rds_aurora_postgresql_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-209-rds_aurora_postgresql_logging_enabled - resource: rds + comment: '010019062000' description: | Aurora-PostgreSQL database logging is disabled + resource: rds filters: - and: - type: value @@ -33,4 +34,3 @@ policies: key: log_statement op: eq value: all - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-210-rds_instance_iam_authentication_configured.yml b/policies/ecc-aws-210-rds_instance_iam_authentication_configured.yml index 4da03b5ca..69d32b488 100644 --- a/policies/ecc-aws-210-rds_instance_iam_authentication_configured.yml +++ b/policies/ecc-aws-210-rds_instance_iam_authentication_configured.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-210-rds_instance_iam_authentication_configured - resource: aws.rds + comment: '010034062000' description: | IAM authentication is not configured for RDS instances + resource: aws.rds filters: - type: value key: IAMDatabaseAuthenticationEnabled value: false - comment: '0034062000' \ No newline at end of file diff --git a/policies/ecc-aws-211-rds_cluster_iam_authentication_configured.yml b/policies/ecc-aws-211-rds_cluster_iam_authentication_configured.yml index 21016037f..6c023fef7 100644 --- a/policies/ecc-aws-211-rds_cluster_iam_authentication_configured.yml 
+++ b/policies/ecc-aws-211-rds_cluster_iam_authentication_configured.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-211-rds_cluster_iam_authentication_configured + comment: '010034062000' description: | IAM authentication is not configured for RDS clusters resource: rds-cluster @@ -14,4 +15,3 @@ policies: - type: value key: IAMDatabaseAuthenticationEnabled value: false - comment: '0034062000' \ No newline at end of file diff --git a/policies/ecc-aws-212-rds_aurora_mysql_backtracking_enabled.yml b/policies/ecc-aws-212-rds_aurora_mysql_backtracking_enabled.yml index df930425c..93126df54 100644 --- a/policies/ecc-aws-212-rds_aurora_mysql_backtracking_enabled.yml +++ b/policies/ecc-aws-212-rds_aurora_mysql_backtracking_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-212-rds_aurora_mysql_backtracking_enabled + comment: '010049062000' description: | Amazon Aurora clusters backtracking is disabled resource: aws.rds-cluster @@ -18,4 +19,3 @@ policies: - type: value key: BacktrackWindow value: absent - comment: '0049062000' \ No newline at end of file diff --git a/policies/ecc-aws-213-rds_cluster_multi_az_enabled.yml b/policies/ecc-aws-213-rds_cluster_multi_az_enabled.yml index 77c27f608..f60928f45 100644 --- a/policies/ecc-aws-213-rds_cluster_multi_az_enabled.yml +++ b/policies/ecc-aws-213-rds_cluster_multi_az_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-213-rds_cluster_multi_az_enabled + comment: '010050062000' description: | DS DB clusters are not configured for multiple Availability Zones resource: aws.rds-cluster @@ -14,4 +15,3 @@ policies: - type: value key: MultiAZ value: false - comment: '0050062000' \ No newline at end of file diff --git a/policies/ecc-aws-214-redshift_cluster_encrypted_in_transit.yml b/policies/ecc-aws-214-redshift_cluster_encrypted_in_transit.yml index 01e7d1307..edc06758e 100644 --- a/policies/ecc-aws-214-redshift_cluster_encrypted_in_transit.yml +++ b/policies/ecc-aws-214-redshift_cluster_encrypted_in_transit.yml 
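Review bot: In the ecc-aws-213-rds_cluster_multi_az_enabled hunk, the unchanged description line reads `DS DB clusters are not configured for multiple Availability Zones`, which looks like a truncated "RDS". This text is presumably what a finding shows to the operator, so it is worth correcting while the file is being touched: `RDS DB clusters are not configured for multiple Availability Zones`. Only the wording is proposed; the filter itself sits in the second hunk and is not affected.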
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-214-redshift_cluster_encrypted_in_transit + comment: '010044052000' description: | Connections to Redshift clusters are not encrypted in transit resource: redshift @@ -15,4 +16,3 @@ policies: key: require_ssl value: false op: eq - comment: '0044052000' \ No newline at end of file diff --git a/policies/ecc-aws-215-redshift_cluster_automatic_snapshot_enabled.yml b/policies/ecc-aws-215-redshift_cluster_automatic_snapshot_enabled.yml index 64527f1ef..090dee2ee 100644 --- a/policies/ecc-aws-215-redshift_cluster_automatic_snapshot_enabled.yml +++ b/policies/ecc-aws-215-redshift_cluster_automatic_snapshot_enabled.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-215-redshift_cluster_automatic_snapshot_enabled - description: | - Amazon Redshift clusters automatic snapshots are disabled - resource: redshift - filters: - - type: value - key: AutomatedSnapshotRetentionPeriod - value: 7 - op: lt - comment: '0049052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-215-redshift_cluster_automatic_snapshot_enabled + comment: '010049052000' + description: | + Amazon Redshift clusters automatic snapshots are disabled + resource: redshift + filters: + - type: value + key: AutomatedSnapshotRetentionPeriod + value: 7 + op: lt diff --git a/policies/ecc-aws-216-redshift_cluster_automatic_upgrade_to_major_version_enabled.yml b/policies/ecc-aws-216-redshift_cluster_automatic_upgrade_to_major_version_enabled.yml index 2eca05aeb..91e811875 100644 
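Review bot: In the ecc-aws-215-redshift_cluster_automatic_snapshot_enabled file, the description says automatic snapshots are disabled, but the filter reports every cluster whose `AutomatedSnapshotRetentionPeriod` is below 7 (`op: lt`, `value: 7`). That also matches clusters that keep snapshots for 1 to 6 days, so a responder reading the finding would look for a disabled feature and not find one. Suggest wording the description after the check, for example `Amazon Redshift clusters automated snapshot retention period is less than 7 days`.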
--- a/policies/ecc-aws-216-redshift_cluster_automatic_upgrade_to_major_version_enabled.yml +++ b/policies/ecc-aws-216-redshift_cluster_automatic_upgrade_to_major_version_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-216-redshift_cluster_automatic_upgrade_to_major_version_enabled + comment: '010021052200' description: | Amazon Redshift automatic upgrades to major versions are disabled resource: redshift @@ -14,4 +15,3 @@ policies: - type: value key: AllowVersionUpgrade value: false - comment: '0021052200' \ No newline at end of file diff --git a/policies/ecc-aws-217-redshift_cluster_enhanced_vpc_routing_enabled.yml b/policies/ecc-aws-217-redshift_cluster_enhanced_vpc_routing_enabled.yml index 05a8c6be6..ba8b1ca6b 100644 --- a/policies/ecc-aws-217-redshift_cluster_enhanced_vpc_routing_enabled.yml +++ b/policies/ecc-aws-217-redshift_cluster_enhanced_vpc_routing_enabled.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-217-redshift_cluster_enhanced_vpc_routing_enabled - description: | - Amazon Redshift clusters are not using enhanced VPC routing - resource: redshift - filters: - - type: value - key: EnhancedVpcRouting - value: false - comment: '0039052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-217-redshift_cluster_enhanced_vpc_routing_enabled + comment: '010039052000' + description: | + Amazon Redshift clusters are not using enhanced VPC routing + resource: redshift + filters: + - type: value + key: EnhancedVpcRouting + value: false 
diff --git a/policies/ecc-aws-221-sns_kms_encryption_enabled.yml b/policies/ecc-aws-221-sns_kms_encryption_enabled.yml index 441bceeef..5e6c66e48 100644 --- a/policies/ecc-aws-221-sns_kms_encryption_enabled.yml +++ b/policies/ecc-aws-221-sns_kms_encryption_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-221-sns_kms_encryption_enabled + comment: '010043142000' description: | SNS topics are not encrypted at rest using AWS KMS resource: sns @@ -14,4 +15,3 @@ policies: - type: value key: KmsMasterKeyId value: absent - comment: '0043142000' \ No newline at end of file diff --git a/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml b/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml index 7168f211c..531bb8694 100644 --- a/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml +++ b/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-222-ec2_instance_managed_by_systems_manager + comment: '010028030400' description: | EC2 instances are not managed by AWS Systems Manager resource: aws.ec2 @@ -19,4 +20,3 @@ policies: - type: ssm key: InstanceId value: empty - comment: '0028030400' \ No newline at end of file diff --git a/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml b/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml index dca97b366..457ae2e19 100644 --- a/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml +++ b/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-223-ec2_managed_instance_association_compliance_status_check + comment: '010016032000' description: | Instances managed by Systems Manager do not have association compliance status of COMPLIANT resource: aws.ec2 @@ -21,4 +22,3 @@ policies: - Association states: - NON_COMPLIANT - comment: '0016032000' \ No newline at end of file 
diff --git a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml index 1e12aec2d..be203988b 100644 --- a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml +++ b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-224-ec2_instance_imdsv2_enabled + comment: '010024030400' description: | EC2 instances do not use IMDSv2 resource: aws.ec2 @@ -14,4 +15,3 @@ policies: - type: value key: MetadataOptions.HttpTokens value: optional - comment: '0024030400' \ No newline at end of file diff --git a/policies/ecc-aws-225-eks_control_plane_logging_enabled.yml b/policies/ecc-aws-225-eks_control_plane_logging_enabled.yml index 7352d7a4a..c7516932b 100644 --- a/policies/ecc-aws-225-eks_control_plane_logging_enabled.yml +++ b/policies/ecc-aws-225-eks_control_plane_logging_enabled.yml 
@@ -1,26 +1,26 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-225-eks_control_plane_logging_enabled - description: | - EKS control plane logging is disabled - resource: aws.eks - filters: - - not: - - and: - - type: value - key: logging.clusterLogging[].types[] - value_type: swap - value: [api, audit, authenticator, controllerManager, scheduler] - - - type: value - key: logging.clusterLogging[].enabled - op: in - value_type: swap - value: true - comment: '0019070500' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-225-eks_control_plane_logging_enabled + comment: '010019070500' + description: | + EKS control plane logging is disabled + resource: aws.eks + filters: + - not: + - and: + - type: value + key: logging.clusterLogging[].types[] + value_type: swap + value: [api, audit, authenticator, controllerManager, scheduler] + + - type: value + key: logging.clusterLogging[].enabled + op: in + value_type: swap + value: true diff --git a/policies/ecc-aws-226-eks_clusters_security_group_traffic_restricted.yml b/policies/ecc-aws-226-eks_clusters_security_group_traffic_restricted.yml index 34e8fd6aa..bae999244 100644 --- a/policies/ecc-aws-226-eks_clusters_security_group_traffic_restricted.yml +++ b/policies/ecc-aws-226-eks_clusters_security_group_traffic_restricted.yml 
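Review bot: The ecc-aws-225 filter under `not: and:` can miss a cluster with only part of control plane logging enabled, because `logging.clusterLogging[].types[]` flattens the types of every entry, enabled or not. If EKS reports the disabled types in a second `clusterLogging` entry, as its describe response normally does, the flattened list still holds all five names and `true` is still found among the `enabled` values, so the cluster is not reported. The first filter also has no `op`, so it appears to compare against the literal list by equality and would depend on the order the API returns. Consider counting only the enabled types instead, something like `key: 'length(logging.clusterLogging[?enabled].types[])'` with `value: 5` inside the `not:`, and verify it against a partially enabled cluster.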
@@ -1,56 +1,56 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-226-eks_clusters_security_group_traffic_restricted - description: | - Amazon EKS clusters security group traffic is not restricted - resource: aws.eks - filters: - - not: - - and: - - type: security-group - key: IpPermissions[].FromPort - value_type: swap - op: in - value: 443 - - type: security-group - key: IpPermissions[].ToPort - value_type: swap - op: in - value: 443 - - type: security-group - key: IpPermissions[].FromPort - value_type: swap - op: in - value: 10250 - - type: security-group - key: IpPermissions[].ToPort - value_type: swap - op: in - value: 10250 - - type: security-group - key: IpPermissionsEgress[].FromPort - value_type: swap - op: in - value: 443 - - type: security-group - key: IpPermissionsEgress[].ToPort - value_type: swap - op: in - value: 443 - - type: security-group - key: IpPermissionsEgress[].FromPort - value_type: swap - op: in - value: 10250 - - type: security-group - key: IpPermissionsEgress[].ToPort - value_type: swap - op: in - value: 10250 - comment: '0024072000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ + +policies: + - name: ecc-aws-226-eks_clusters_security_group_traffic_restricted + comment: '010024072000' + description: | + Amazon EKS clusters security group traffic is not restricted + resource: aws.eks + filters: + - not: + - and: + - type: security-group + key: IpPermissions[].FromPort + value_type: swap + op: in + value: 443 + - type: security-group + key: IpPermissions[].ToPort + value_type: swap + op: in + value: 443 + - type: security-group + key: IpPermissions[].FromPort + value_type: swap + op: in + value: 10250 + - type: security-group + key: IpPermissions[].ToPort + value_type: swap + op: in + value: 10250 + - type: security-group + key: IpPermissionsEgress[].FromPort + value_type: swap + op: in + value: 443 + - type: security-group + key: IpPermissionsEgress[].ToPort + value_type: swap + op: in + value: 443 + - type: security-group + key: IpPermissionsEgress[].FromPort + value_type: swap + op: in + value: 10250 + - type: security-group + key: IpPermissionsEgress[].ToPort + value_type: swap + op: in + value: 10250 diff --git a/policies/ecc-aws-227-eks_secrets_encrypted.yml b/policies/ecc-aws-227-eks_secrets_encrypted.yml index a3427cdc5..1d6cad955 100644 --- a/policies/ecc-aws-227-eks_secrets_encrypted.yml +++ b/policies/ecc-aws-227-eks_secrets_encrypted.yml 
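Review bot: The eight `security-group` filters in ecc-aws-226 only test that 443 and 10250 occur somewhere among the `FromPort`/`ToPort` values (`op: in` with `value_type: swap`), so a cluster whose security groups also carry a broader rule still passes as "restricted". As far as the visible filters show, nothing ties a `FromPort` to the `ToPort` of the same rule, and nothing looks at other ports or at the source ranges. If the intent is the EKS recommendation of allowing only these ports, the check needs a filter that reports rules outside them. Until then the limitation should be stated in the file, for example `# NOTE: verifies that 443 and 10250 rules exist; additional or wider rules are not detected`.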
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-227-eks_secrets_encrypted - description: | - Kubernetes Secrets are not encrypted using KMS CMK - resource: aws.eks - filters: - - not: - - type: value - key: encryptionConfig[].provider - value: present - comment: '0043072000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-227-eks_secrets_encrypted + comment: '010043072000' + description: | + Kubernetes Secrets are not encrypted using KMS CMK + resource: aws.eks + filters: + - not: + - type: value + key: encryptionConfig[].provider + value: present diff --git a/policies/ecc-aws-228-ecr_immutable_image_tags.yml b/policies/ecc-aws-228-ecr_immutable_image_tags.yml index 83caf4142..049397d09 100644 --- a/policies/ecc-aws-228-ecr_immutable_image_tags.yml +++ b/policies/ecc-aws-228-ecr_immutable_image_tags.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-228-ecr_immutable_image_tags - description: | - Amazon ECR is not configured with immutable tags - resource: ecr - filters: - - type: value - key: imageTagMutability - value: MUTABLE - comment: '0010082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-228-ecr_immutable_image_tags + comment: '010010082000' + description: | + Amazon ECR is not configured with immutable tags + resource: ecr + filters: + - type: value + key: imageTagMutability + value: MUTABLE diff --git a/policies/ecc-aws-229-ecr_repository_kms_encryption_enabled.yml b/policies/ecc-aws-229-ecr_repository_kms_encryption_enabled.yml index f4673c91a..a2d91c87a 100644 --- a/policies/ecc-aws-229-ecr_repository_kms_encryption_enabled.yml +++ b/policies/ecc-aws-229-ecr_repository_kms_encryption_enabled.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-229-ecr_repository_kms_encryption_enabled - description: | - Amazon ECR repository does not have encryption with KMS enabled - resource: ecr - filters: - - not: - - type: value - key: encryptionConfiguration.encryptionType - value: KMS - comment: '0043082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-229-ecr_repository_kms_encryption_enabled + comment: '010043082000' + description: | + Amazon ECR repository does not have encryption with KMS enabled + resource: ecr + filters: + - not: + - type: value + key: encryptionConfiguration.encryptionType + value: KMS diff --git a/policies/ecc-aws-230-ecr_image_scanning_on_push_enabled.yml b/policies/ecc-aws-230-ecr_image_scanning_on_push_enabled.yml index 3f7df83e1..d35b72949 100644 --- a/policies/ecc-aws-230-ecr_image_scanning_on_push_enabled.yml +++ b/policies/ecc-aws-230-ecr_image_scanning_on_push_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-230-ecr_image_scanning_on_push_enabled + comment: '010021082000' description: | Amazon ECR image scanning on push is disabled resource: ecr @@ -14,4 +15,3 @@ policies: - type: value key: imageScanningConfiguration.scanOnPush value: false - comment: '0021082000' \ No newline at end of file diff --git a/policies/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60.yml b/policies/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60.yml index 20ede47b0..621e9da68 100644 
--- a/policies/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60.yml +++ b/policies/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60 - resource: aws.rds + comment: '010019061900' description: | Maximum log file lifetime is not set correctly for PostgreSQL + resource: aws.rds filters: - and: - type: value @@ -25,4 +26,3 @@ policies: key: log_rotation_age op: eq value: 60 - comment: '0019061900' \ No newline at end of file diff --git a/policies/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly.yml b/policies/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly.yml index c86fe622e..96eb3fc1d 100644 --- a/policies/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly.yml +++ b/policies/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly - resource: aws.rds - description: | - Maximum log file size is not set correctly for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_rotation_size - op: eq - value: 1000000 - comment: '0019061910' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly + comment: '010019061910' + description: | + Maximum log file size is not set correctly for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_rotation_size + op: eq + value: 1000000 diff --git a/policies/ecc-aws-233-postgresql_debug_print_parse_flag_disabled.yml b/policies/ecc-aws-233-postgresql_debug_print_parse_flag_disabled.yml index 899097b60..87876dcde 100644 --- a/policies/ecc-aws-233-postgresql_debug_print_parse_flag_disabled.yml +++ b/policies/ecc-aws-233-postgresql_debug_print_parse_flag_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-233-postgresql_debug_print_parse_flag_disabled - resource: aws.rds - description: | - The 'debug_print_parse' flag is enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: debug_print_parse - value: 1 - comment: '0025061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-233-postgresql_debug_print_parse_flag_disabled + comment: '010025061900' + description: | + The 'debug_print_parse' flag is enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: debug_print_parse + value: 1 diff --git a/policies/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled.yml b/policies/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled.yml index 526b52994..07c2a1ba0 100644 --- a/policies/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled.yml +++ b/policies/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled - resource: aws.rds - description: | - The 'debug_print_rewritten' flag is enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: debug_print_rewritten - value: 1 - comment: '0025061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled + comment: '010025061900' + description: | + The 'debug_print_rewritten' flag is enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: debug_print_rewritten + value: 1 diff --git a/policies/ecc-aws-235-postgresql_debug_print_plan_flag_disabled.yml b/policies/ecc-aws-235-postgresql_debug_print_plan_flag_disabled.yml index 7d50c3a4a..108fe3d41 100644 --- a/policies/ecc-aws-235-postgresql_debug_print_plan_flag_disabled.yml +++ b/policies/ecc-aws-235-postgresql_debug_print_plan_flag_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-235-postgresql_debug_print_plan_flag_disabled - resource: aws.rds - description: | - The 'debug_print_plan' flag is enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: debug_print_plan - value: 1 - comment: '0025061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-235-postgresql_debug_print_plan_flag_disabled + comment: '010025061900' + description: | + The 'debug_print_plan' flag is enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: debug_print_plan + value: 1 diff --git a/policies/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled.yml b/policies/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled.yml index 0abaa6ee1..b886542c1 100644 --- a/policies/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled.yml +++ b/policies/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-236-postgresql_debug_pretty_print_flag_enabled - resource: aws.rds - description: | - The 'debug_pretty_print' flag is disabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: debug_pretty_print - value: 1 - comment: '0019061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-236-postgresql_debug_pretty_print_flag_enabled + comment: '010019061900' + description: | + The 'debug_pretty_print' flag is disabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: debug_pretty_print + value: 1 diff --git a/policies/ecc-aws-237-postgresql_log_connections_flag_enabled.yml b/policies/ecc-aws-237-postgresql_log_connections_flag_enabled.yml index 1b425dd73..601f7a3d3 100644 --- a/policies/ecc-aws-237-postgresql_log_connections_flag_enabled.yml +++ b/policies/ecc-aws-237-postgresql_log_connections_flag_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-237-postgresql_log_connections_flag_enabled - resource: aws.rds - description: | - The 'log_connections' flag is disabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_connections - value: 1 - comment: '0019061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-237-postgresql_log_connections_flag_enabled + comment: '010019061900' + description: | + The 'log_connections' flag is disabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_connections + value: 1 diff --git a/policies/ecc-aws-238-postgresql_log_disconnections_flag_enabled.yml b/policies/ecc-aws-238-postgresql_log_disconnections_flag_enabled.yml index 7660d1baf..84d35864e 100644 --- a/policies/ecc-aws-238-postgresql_log_disconnections_flag_enabled.yml +++ b/policies/ecc-aws-238-postgresql_log_disconnections_flag_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-238-postgresql_log_disconnections_flag_enabled - resource: aws.rds - description: | - The 'log_disconnections' flag is disabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_disconnections - op: eq - value: 1 - comment: '0019061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-238-postgresql_log_disconnections_flag_enabled + comment: '010019061900' + description: | + The 'log_disconnections' flag is disabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_disconnections + op: eq + value: 1 diff --git a/policies/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly.yml b/policies/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly.yml index 4be71702a..4ad7df21c 100644 --- a/policies/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly.yml +++ b/policies/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly - resource: aws.rds - description: | - The 'log_error_verbosity' flag is not set correctly for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_error_verbosity - value: default - comment: '0019061910' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly + comment: '010019061910' + description: | + The 'log_error_verbosity' flag is not set correctly for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_error_verbosity + value: default diff --git a/policies/ecc-aws-240-postgresql_log_hostname_flag_disabled.yml b/policies/ecc-aws-240-postgresql_log_hostname_flag_disabled.yml index 55d0dce0a..504549bf1 100644 --- a/policies/ecc-aws-240-postgresql_log_hostname_flag_disabled.yml +++ b/policies/ecc-aws-240-postgresql_log_hostname_flag_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-240-postgresql_log_hostname_flag_disabled - resource: aws.rds - description: | - The 'log_hostname' flag is not disabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: log_hostname - value: 1 - comment: '0019061900' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-240-postgresql_log_hostname_flag_disabled + comment: '010019061900' + description: | + The 'log_hostname' flag is not disabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: log_hostname + value: 1 diff --git a/policies/ecc-aws-241-postgresql_log_statement_flag_set_correctly.yml b/policies/ecc-aws-241-postgresql_log_statement_flag_set_correctly.yml index 02f31a7f2..c5c20d605 100644 --- a/policies/ecc-aws-241-postgresql_log_statement_flag_set_correctly.yml +++ b/policies/ecc-aws-241-postgresql_log_statement_flag_set_correctly.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-241-postgresql_log_statement_flag_set_correctly - resource: aws.rds - description: | - The 'log_statement' flag is not set correctly for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_statement - value: all - comment: '0019061910' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-241-postgresql_log_statement_flag_set_correctly + comment: '010019061910' + description: | + The 'log_statement' flag is not set correctly for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_statement + value: all diff --git a/policies/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog.yml b/policies/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog.yml index 4b22567c6..0d2d03e06 100644 --- a/policies/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog.yml +++ b/policies/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog - resource: aws.rds + comment: '010019061900' description: | The 'log_destination' flag is not set to csvlog for PostgreSQL + resource: aws.rds filters: - and: - type: value @@ -18,4 +19,3 @@ policies: - type: db-parameter key: log_destination value: "stderr" - comment: '0019061900' \ No newline at end of file 
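Review bot: In ecc-aws-241 the only value accepted for `log_statement` is `all`, which writes the full text of every statement to the PostgreSQL log, and that text can contain credentials or personal data. A comment above the filter should record the consequence, e.g. `# 'all' logs full statement text: restrict and encrypt access to the logs`, so the finding is not remediated without also protecting the log destination. If the benchmark behind this rule accepts `ddl` or `mod` as well, the inner filter would need `op: in` with `value: [ddl, mod, all]`; the diff does not show which benchmark applies.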
diff --git a/policies/ecc-aws-243-postgresql_log_checkpoints_flag_enabled.yml b/policies/ecc-aws-243-postgresql_log_checkpoints_flag_enabled.yml index 114bfd5eb..7f3ca52f1 100644 --- a/policies/ecc-aws-243-postgresql_log_checkpoints_flag_enabled.yml +++ b/policies/ecc-aws-243-postgresql_log_checkpoints_flag_enabled.yml @@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-243-postgresql_log_checkpoints_flag_enabled - resource: aws.rds - description: | - The 'log_checkpoints' flag is not enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_checkpoints - op: eq - value: 1 - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-243-postgresql_log_checkpoints_flag_enabled + comment: '010019062000' + description: | + The 'log_checkpoints' flag is not enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_checkpoints + op: eq + value: 1 diff --git a/policies/ecc-aws-244-postgresql_log_lock_waits_flag_enabled.yml b/policies/ecc-aws-244-postgresql_log_lock_waits_flag_enabled.yml index 1bfd513ca..871a90266 100644 --- a/policies/ecc-aws-244-postgresql_log_lock_waits_flag_enabled.yml +++ b/policies/ecc-aws-244-postgresql_log_lock_waits_flag_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-244-postgresql_log_lock_waits_flag_enabled - resource: aws.rds - description: | - The 'log_lock_waits' flag is not enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_lock_waits - value: 1 - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-244-postgresql_log_lock_waits_flag_enabled + comment: '010019062000' + description: | + The 'log_lock_waits' flag is not enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_lock_waits + value: 1 diff --git a/policies/ecc-aws-245-postgresql_log_duration_flag_enabled.yml b/policies/ecc-aws-245-postgresql_log_duration_flag_enabled.yml index 80b64cc51..84b2aece1 100644 --- a/policies/ecc-aws-245-postgresql_log_duration_flag_enabled.yml +++ b/policies/ecc-aws-245-postgresql_log_duration_flag_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-245-postgresql_log_duration_flag_enabled - resource: aws.rds - description: | - The 'log_duration' flag is not enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_duration - op: eq - value: 1 - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-245-postgresql_log_duration_flag_enabled + comment: '010019062000' + description: | + The 'log_duration' flag is not enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_duration + op: eq + value: 1 diff --git a/policies/ecc-aws-246-transit_gateway_default_route_table_association_disabled.yml b/policies/ecc-aws-246-transit_gateway_default_route_table_association_disabled.yml index 1ed409655..a5ed7ca66 100644 --- a/policies/ecc-aws-246-transit_gateway_default_route_table_association_disabled.yml +++ b/policies/ecc-aws-246-transit_gateway_default_route_table_association_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-246-transit_gateway_default_route_table_association_disabled - description: | - Transit gateway default route table association is enabled - resource: aws.transit-gateway - filters: - - and: - - type: value - key: Options.DefaultRouteTableAssociation - value: enable - - type: value - key: State - value: available - comment: '0024022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-246-transit_gateway_default_route_table_association_disabled + comment: '010024022000' + description: | + Transit gateway default route table association is enabled + resource: aws.transit-gateway + filters: + - and: + - type: value + key: Options.DefaultRouteTableAssociation + value: enable + - type: value + key: State + value: available diff --git a/policies/ecc-aws-247-transit_gateway_default_route_table_propagation_disabled.yml b/policies/ecc-aws-247-transit_gateway_default_route_table_propagation_disabled.yml index 47cdf852e..264afb1ef 100644 --- a/policies/ecc-aws-247-transit_gateway_default_route_table_propagation_disabled.yml +++ b/policies/ecc-aws-247-transit_gateway_default_route_table_propagation_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-247-transit_gateway_default_route_table_propagation_disabled - description: | - Transit gateway default route table propagation is enabled - resource: aws.transit-gateway - filters: - - and: - - type: value - key: Options.DefaultRouteTablePropagation - value: enable - - type: value - key: State - value: available - comment: '0024022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-247-transit_gateway_default_route_table_propagation_disabled + comment: '010024022000' + description: | + Transit gateway default route table propagation is enabled + resource: aws.transit-gateway + filters: + - and: + - type: value + key: Options.DefaultRouteTablePropagation + value: enable + - type: value + key: State + value: available diff --git a/policies/ecc-aws-248-rest_api_gateway_is_protected_by_waf.yml b/policies/ecc-aws-248-rest_api_gateway_is_protected_by_waf.yml index fba735ed2..bd096fb60 100644 --- a/policies/ecc-aws-248-rest_api_gateway_is_protected_by_waf.yml +++ b/policies/ecc-aws-248-rest_api_gateway_is_protected_by_waf.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-248-rest_api_gateway_is_protected_by_waf - description: | - Api gateway is not protected by WAF - resource: rest-stage - filters: - - type: value - key: webAclArn - value: absent - comment: '0027022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-248-rest_api_gateway_is_protected_by_waf + comment: '010027022000' + description: | + Api gateway is not protected by WAF + resource: rest-stage + filters: + - type: value + key: webAclArn + value: absent diff --git a/policies/ecc-aws-249-rest_api_gateway_contend_encoding_enabled.yml b/policies/ecc-aws-249-rest_api_gateway_contend_encoding_enabled.yml index 7a76df5d3..273277e55 100644 --- a/policies/ecc-aws-249-rest_api_gateway_contend_encoding_enabled.yml +++ b/policies/ecc-aws-249-rest_api_gateway_contend_encoding_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-249-rest_api_gateway_contend_encoding_enabled - description: | - Content encoding is not enabled for API Gateway - resource: rest-api - filters: - - type: value - key: minimumCompressionSize - value: absent - comment: '0023022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-249-rest_api_gateway_contend_encoding_enabled + comment: '010023022000' + description: | + Content encoding is not enabled for API Gateway + resource: rest-api + filters: + - type: value + key: minimumCompressionSize + value: absent diff --git a/policies/ecc-aws-250-rest_api_gateway_cache_enabled.yml b/policies/ecc-aws-250-rest_api_gateway_cache_enabled.yml index 5ff94e0cc..27b47cace 100644 --- a/policies/ecc-aws-250-rest_api_gateway_cache_enabled.yml +++ b/policies/ecc-aws-250-rest_api_gateway_cache_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-250-rest_api_gateway_cache_enabled - description: | - Cache is not enabled for api gateway - resource: rest-stage - filters: - - or: - - type: value - key: cacheClusterEnabled - value: false - - not: - - type: value - key: cacheClusterStatus - value: AVAILABLE - comment: '0009022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-250-rest_api_gateway_cache_enabled + comment: '010009022000' + description: | + Cache is not enabled for api gateway + resource: rest-stage + filters: + - or: + - type: value + key: cacheClusterEnabled + value: false + - not: + - type: value + key: cacheClusterStatus + value: AVAILABLE diff --git a/policies/ecc-aws-252-glue_data_catalog_encrypted_at_rest.yml b/policies/ecc-aws-252-glue_data_catalog_encrypted_at_rest.yml index 6fd5da14e..841acd55d 100644 --- a/policies/ecc-aws-252-glue_data_catalog_encrypted_at_rest.yml +++ b/policies/ecc-aws-252-glue_data_catalog_encrypted_at_rest.yml 
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-252-glue_data_catalog_encrypted_at_rest - description: | - Data catalog encryption is not enabled for AWS Glue - resource: aws.glue-catalog - filters: - - type: glue-security-config - CatalogEncryptionMode: DISABLED - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-252-glue_data_catalog_encrypted_at_rest + comment: '010043052000' + description: | + Data catalog encryption is not enabled for AWS Glue + resource: aws.glue-catalog + filters: + - type: glue-security-config + CatalogEncryptionMode: DISABLED diff --git a/policies/ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys.yml b/policies/ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys.yml index 4a1fa0f52..8f2719811 100644 --- a/policies/ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys.yml +++ b/policies/ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys.yml 
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys - description: | - Data catalog for AWS Glue is not encrypted with KMS CMK - resource: aws.glue-catalog - filters: - - type: glue-security-config - SseAwsKmsKeyId: alias/aws/glue - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-253-glue_data_catalog_encrypted_with_kms_customer_master_keys + comment: '010043052000' + description: | + Data catalog for AWS Glue is not encrypted with KMS CMK + resource: aws.glue-catalog + filters: + - type: glue-security-config + SseAwsKmsKeyId: alias/aws/glue diff --git a/policies/ecc-aws-254-glue_job_bookmarks_encrypted.yml b/policies/ecc-aws-254-glue_job_bookmarks_encrypted.yml index 3d8f5a8b1..73710a841 100644 --- a/policies/ecc-aws-254-glue_job_bookmarks_encrypted.yml +++ b/policies/ecc-aws-254-glue_job_bookmarks_encrypted.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-254-glue_job_bookmarks_encrypted - description: | - Job bookmarks encryption is not enabled for AWS Glue - resource: aws.glue-security-configuration - filters: - - type: value - key: EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode - value: DISABLED - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-254-glue_job_bookmarks_encrypted + comment: '010043052000' + description: | + Job bookmarks encryption is not enabled for AWS Glue + resource: aws.glue-security-configuration + filters: + - type: value + key: EncryptionConfiguration.JobBookmarksEncryption.JobBookmarksEncryptionMode + value: DISABLED diff --git a/policies/ecc-aws-255-glue_cloudwatch_logs_encrypted.yml b/policies/ecc-aws-255-glue_cloudwatch_logs_encrypted.yml index fa0279bd8..77a8e9a92 100644 --- a/policies/ecc-aws-255-glue_cloudwatch_logs_encrypted.yml +++ b/policies/ecc-aws-255-glue_cloudwatch_logs_encrypted.yml 
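Review bot: The filter in ecc-aws-254 matches only when `JobBookmarksEncryptionMode` is literally `DISABLED`, so a security configuration returned without a `JobBookmarksEncryption` block would not be reported even though bookmarks are unencrypted. Whether the Glue API ever omits that block is not visible here and needs confirming; if it can, comparing against the encrypted state is safer, e.g. `op: ne` with `value: CSE-KMS`. The same pattern is used in ecc-aws-255 (`CloudWatchEncryptionMode`) and ecc-aws-256 (`S3EncryptionMode`).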
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-255-glue_cloudwatch_logs_encrypted - description: | - CloudWatch logs are not encrypted for AWS Glue - resource: aws.glue-security-configuration - filters: - - type: value - key: EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode - value: DISABLED - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-255-glue_cloudwatch_logs_encrypted + comment: '010043052000' + description: | + CloudWatch logs are not encrypted for AWS Glue + resource: aws.glue-security-configuration + filters: + - type: value + key: EncryptionConfiguration.CloudWatchEncryption.CloudWatchEncryptionMode + value: DISABLED diff --git a/policies/ecc-aws-256-glue_s3_encryption_enabled.yml b/policies/ecc-aws-256-glue_s3_encryption_enabled.yml index 8b4b0a342..ff846a653 100644 --- a/policies/ecc-aws-256-glue_s3_encryption_enabled.yml +++ b/policies/ecc-aws-256-glue_s3_encryption_enabled.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-256-glue_s3_encryption_enabled - description: | - S3 is not encrypted for AWS Glue - resource: aws.glue-security-configuration - filters: - - type: value - key: EncryptionConfiguration.S3Encryption[].S3EncryptionMode - op: in - value_type: swap - value: DISABLED - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-256-glue_s3_encryption_enabled + comment: '010043052000' + description: | + S3 is not encrypted for AWS Glue + resource: aws.glue-security-configuration + filters: + - type: value + key: EncryptionConfiguration.S3Encryption[].S3EncryptionMode + op: in + value_type: swap + value: DISABLED diff --git a/policies/ecc-aws-257-emr_kerberos_authentication_enabled.yml b/policies/ecc-aws-257-emr_kerberos_authentication_enabled.yml index c3a3b41aa..b895527e1 100644 --- a/policies/ecc-aws-257-emr_kerberos_authentication_enabled.yml +++ b/policies/ecc-aws-257-emr_kerberos_authentication_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-257-emr_kerberos_authentication_enabled - description: | - Kerberos authentication is not enabled for EMR clusters - resource: emr - filters: - - and: - - type: value - key: Status.State - op: in - value: [RUNNING, WAITING] - - type: value - key: KerberosAttributes.Realm - value: absent - comment: '0034052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-257-emr_kerberos_authentication_enabled + comment: '010034052000' + description: | + Kerberos authentication is not enabled for EMR clusters + resource: emr + filters: + - and: + - type: value + key: Status.State + op: in + value: [RUNNING, WAITING] + - type: value + key: KerberosAttributes.Realm + value: absent diff --git a/policies/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled.yml b/policies/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled.yml index a4e6d85c4..9c3dbaabe 100644 --- a/policies/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled.yml +++ b/policies/ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled.yml 
@@ -1,29 +1,29 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled - description: | - At-rest and in-transit encryption is not enabled for EMR clusters - resource: aws.emr - filters: - - type: value - key: Status.State - op: in - value: [RUNNING, WAITING] - - not: - - and: - - type: cluster-security-configuration - key: EncryptionConfiguration.EnableInTransitEncryption - op: eq - value: true - - type: cluster-security-configuration - key: EncryptionConfiguration.AtRestEncryptionConfiguration.S3EncryptionConfiguration.EncryptionMode - value: present - - type: cluster-security-configuration - key: EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType - value: present - comment: '0045052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ +policies: + - name: ecc-aws-258-emr_at_rest_and_in_transit_encryption_enabled + comment: '010045052000' + description: | + At-rest and in-transit encryption is not enabled for EMR clusters + resource: aws.emr + filters: + - type: value + key: Status.State + op: in + value: [RUNNING, WAITING] + - not: + - and: + - type: cluster-security-configuration + key: EncryptionConfiguration.EnableInTransitEncryption + op: eq + value: true + - type: cluster-security-configuration + key: EncryptionConfiguration.AtRestEncryptionConfiguration.S3EncryptionConfiguration.EncryptionMode + value: present + - type: cluster-security-configuration + key: EncryptionConfiguration.AtRestEncryptionConfiguration.LocalDiskEncryptionConfiguration.EncryptionKeyProviderType + value: present diff --git a/policies/ecc-aws-259-emr_clusters_in_vpc.yml b/policies/ecc-aws-259-emr_clusters_in_vpc.yml index a77631abf..90dc50a0d 100644 --- a/policies/ecc-aws-259-emr_clusters_in_vpc.yml +++ b/policies/ecc-aws-259-emr_clusters_in_vpc.yml 
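Review bot: The compliant branch under `not:` / `and:` in ecc-aws-258 tests `EnableInTransitEncryption` for `true` but infers at-rest encryption only from the presence of `S3EncryptionConfiguration.EncryptionMode` and `LocalDiskEncryptionConfiguration.EncryptionKeyProviderType`. An explicit check on `EncryptionConfiguration.EnableAtRestEncryption` with `op: eq` and `value: true` would make both halves symmetric and would not depend on the service rejecting a configuration that carries the sub-blocks while the flag is off. It is also worth confirming how `cluster-security-configuration` treats a cluster with no security configuration attached, since the policy relies on such clusters failing the inner `and`.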
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-259-emr_clusters_in_vpc - description: | - EMR clusters are not in VPC - resource: emr - filters: - - and: - - type: value - key: Status.State - op: in - value: [RUNNING, WAITING] - - type: value - key: Ec2InstanceAttributes.Ec2SubnetId - value: empty - comment: '0041052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-259-emr_clusters_in_vpc + comment: '010041052000' + description: | + EMR clusters are not in VPC + resource: emr + filters: + - and: + - type: value + key: Status.State + op: in + value: [RUNNING, WAITING] + - type: value + key: Ec2InstanceAttributes.Ec2SubnetId + value: empty diff --git a/policies/ecc-aws-260-emr_logging_to_s3_enabled.yml b/policies/ecc-aws-260-emr_logging_to_s3_enabled.yml index a7f2c36d1..5227133c7 100644 --- a/policies/ecc-aws-260-emr_logging_to_s3_enabled.yml +++ b/policies/ecc-aws-260-emr_logging_to_s3_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-260-emr_logging_to_s3_enabled - description: | - Logging is not enabled for EMR clusters - resource: emr - filters: - - and: - - type: value - key: Status.State - op: in - value: [RUNNING, WAITING] - - type: value - key: LogUri - value: absent - comment: '0019052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-260-emr_logging_to_s3_enabled + comment: '010019052000' + description: | + Logging is not enabled for EMR clusters + resource: emr + filters: + - and: + - type: value + key: Status.State + op: in + value: [RUNNING, WAITING] + - type: value + key: LogUri + value: absent diff --git a/policies/ecc-aws-261-vpc_unused_internet_gateway.yml b/policies/ecc-aws-261-vpc_unused_internet_gateway.yml index 74225813c..b29a2d769 100644 --- a/policies/ecc-aws-261-vpc_unused_internet_gateway.yml +++ b/policies/ecc-aws-261-vpc_unused_internet_gateway.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-261-vpc_unused_internet_gateway - description: | - Unused Internet Gateways are not removed - resource: internet-gateway - filters: - - type: value - key: Attachments - value: empty - comment: '0018022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-261-vpc_unused_internet_gateway + comment: '010018022000' + description: | + Unused Internet Gateways are not removed + resource: internet-gateway + filters: + - type: value + key: Attachments + value: empty diff --git a/policies/ecc-aws-263-unused_virtual_private_gateways.yml b/policies/ecc-aws-263-unused_virtual_private_gateways.yml index 7dfdc351d..92676c447 100644 --- a/policies/ecc-aws-263-unused_virtual_private_gateways.yml +++ b/policies/ecc-aws-263-unused_virtual_private_gateways.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-263-unused_virtual_private_gateways - description: | - Unused Virtual Private Gateways is not removed - resource: vpn-gateway - filters: - - type: value - key: State - value: "available" - - type: value - key: VpcAttachments - value: empty - comment: '0018022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-263-unused_virtual_private_gateways + comment: '010018022000' + description: | + Unused Virtual Private Gateways is not removed + resource: vpn-gateway + filters: + - type: value + key: State + value: "available" + - type: value + key: VpcAttachments + value: empty diff --git a/policies/ecc-aws-265-elasticache_previous_generation_instances_not_used.yml b/policies/ecc-aws-265-elasticache_previous_generation_instances_not_used.yml index e5518b2b4..46be783ef 100644 --- a/policies/ecc-aws-265-elasticache_previous_generation_instances_not_used.yml +++ b/policies/ecc-aws-265-elasticache_previous_generation_instances_not_used.yml 
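Review bot: The `VpcAttachments` / `value: empty` test in ecc-aws-263 only catches gateways whose attachment list is empty; a gateway that was attached once and later detached may still list an entry with `State: detached`, and would then be missed. If that occurs in the scanned accounts, filtering the list first avoids it, e.g. `key: "VpcAttachments[?State=='attached']"` with `value: empty`. The preceding `State` / `"available"` filter can stay as it is.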
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-265-elasticache_previous_generation_instances_not_used - description: | - Elasticache is not using last generation nodes - resource: cache-cluster - filters: - - type: value - key: CacheNodeType - op: regex - value: 'cache.(m1|m2|m3|r3|t1|c1).[^\s]+' - comment: '0006062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-265-elasticache_previous_generation_instances_not_used + comment: '010006062000' + description: | + Elasticache is not using last generation nodes + resource: cache-cluster + filters: + - type: value + key: CacheNodeType + op: regex + value: 'cache.(m1|m2|m3|r3|t1|c1).[^\s]+' diff --git a/policies/ecc-aws-266-elasticache_automatic_backups.yml b/policies/ecc-aws-266-elasticache_automatic_backups.yml index 37fdc39f0..1523c5ecf 100644 --- a/policies/ecc-aws-266-elasticache_automatic_backups.yml +++ b/policies/ecc-aws-266-elasticache_automatic_backups.yml 
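Review bot: The `CacheNodeType` pattern in ecc-aws-265 leaves its dots unescaped, so each `.` matches any character instead of a literal dot. Writing it as `value: 'cache\.(m1|m2|m3|r3|t1|c1)\.[^\s]+'` keeps the match to the intended node families. The `'7.0.*'` pattern in ecc-aws-272 has the same issue and could be escaped the same way. The family list is a fixed snapshot, so a comment above it such as `# previous-generation families; re-check against the AWS list when updating` would help the next maintainer.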
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-266-elasticache_automatic_backups - description: | - ElastiCache Redis cluster automatic backups are not enabled or a retention period is not set to at least 7 days - resource: cache-cluster - filters: - - type: value - key: SnapshotRetentionLimit - value: 7 - op: lt - comment: '0049062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-266-elasticache_automatic_backups + comment: '010049062000' + description: | + ElastiCache Redis cluster automatic backups are not enabled or a retention period is not set to at least 7 days + resource: cache-cluster + filters: + - type: value + key: SnapshotRetentionLimit + value: 7 + op: lt diff --git a/policies/ecc-aws-267-elasticache_encrypted_in_transit.yml b/policies/ecc-aws-267-elasticache_encrypted_in_transit.yml index 267124c71..8d4cc1a5a 100644 --- a/policies/ecc-aws-267-elasticache_encrypted_in_transit.yml +++ b/policies/ecc-aws-267-elasticache_encrypted_in_transit.yml 
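Review bot: The description of ecc-aws-266 speaks of Redis clusters, but the filter list has no engine constraint, whereas ecc-aws-271 pairs its check with `key: Engine` / `value: "redis"`. How a non-Redis cluster evaluates against `SnapshotRetentionLimit` with `op: lt` depends on whether that attribute is returned for it, which this hunk does not show. Adding a second filter, `- type: value`, `key: Engine`, `value: "redis"`, would make the intended scope explicit and keep the two policies consistent.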
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-267-elasticache_encrypted_in_transit - description: | - ElastiCache is not encrypted in transit - resource: cache-cluster - filters: - - type: value - key: TransitEncryptionEnabled - value: false - comment: '0044062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-267-elasticache_encrypted_in_transit + comment: '010044062000' + description: | + ElastiCache is not encrypted in transit + resource: cache-cluster + filters: + - type: value + key: TransitEncryptionEnabled + value: false diff --git a/policies/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk.yml b/policies/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk.yml index b318321ec..c05587a02 100644 --- a/policies/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk.yml +++ b/policies/ecc-aws-268-elasticache_encrypted_at_rest_using_cmk.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-268-elasticache_encrypted_at_rest_using_cmk - description: | - Elasticache Redis replication group is not encrypted at-rest with KMS CMK - resource: elasticache-group - filters: - - type: value - key: KmsKeyId - value: absent - comment: '0043062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-268-elasticache_encrypted_at_rest_using_cmk + comment: '010043062000' + description: | + Elasticache Redis replication group is not encrypted at-rest with KMS CMK + resource: elasticache-group + filters: + - type: value + key: KmsKeyId + value: absent diff --git a/policies/ecc-aws-270-elasticache_redis_multi_az_enabled.yml b/policies/ecc-aws-270-elasticache_redis_multi_az_enabled.yml index 18b67d7fd..cd7ca0f28 100644 --- a/policies/ecc-aws-270-elasticache_redis_multi_az_enabled.yml +++ b/policies/ecc-aws-270-elasticache_redis_multi_az_enabled.yml 
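Review bot: In ecc-aws-268, `key: KmsKeyId` with `value: absent` only establishes that some key id is set, not that the key is customer managed, which is what the description claims. ecc-aws-280 and ecc-aws-293 express the same requirement with `type: kms-key`, `key: KeyManager`, `value: CUSTOMER` under `not:`. If that filter is available for `elasticache-group` in the engine these policies run on (not visible here), using it would stop a replication group that references an AWS-managed key from passing. Otherwise a comment such as `# presence of KmsKeyId is treated as CMK; AWS-managed keys are not distinguished` would document the limitation.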
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-270-elasticache_redis_multi_az_enabled - description: | - Elasticache Redis Multi-AZ is not enabled - resource: elasticache-group - filters: - - type: value - key: MultiAZ - value: disabled - comment: '0050062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-270-elasticache_redis_multi_az_enabled + comment: '010050062000' + description: | + Elasticache Redis Multi-AZ is not enabled + resource: elasticache-group + filters: + - type: value + key: MultiAZ + value: disabled diff --git a/policies/ecc-aws-271-elasticache_redis_auth_enabled.yml b/policies/ecc-aws-271-elasticache_redis_auth_enabled.yml index a87e400e6..bca7c11f9 100644 --- a/policies/ecc-aws-271-elasticache_redis_auth_enabled.yml +++ b/policies/ecc-aws-271-elasticache_redis_auth_enabled.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-271-elasticache_redis_auth_enabled - description: | - Elasticache redis Auth is not enabled - resource: cache-cluster - filters: - - type: value - key: AuthTokenEnabled - value: false - - type: value - key: Engine - value: "redis" - comment: '0022062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-271-elasticache_redis_auth_enabled + comment: '010022062000' + description: | + Elasticache redis Auth is not enabled + resource: cache-cluster + filters: + - type: value + key: AuthTokenEnabled + value: false + - type: value + key: Engine + value: "redis" diff --git a/policies/ecc-aws-272-elasticache_latest_version.yml b/policies/ecc-aws-272-elasticache_latest_version.yml index f8e0ce571..f4ffbb31d 100644 --- a/policies/ecc-aws-272-elasticache_latest_version.yml +++ b/policies/ecc-aws-272-elasticache_latest_version.yml 
@@ -1,31 +1,31 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-272-elasticache_latest_version - description: | - Elasticache is not using the latest version - resource: cache-cluster - filters: - - not: - - or: - - and: - - type: value - key: Engine - value: memcached - - type: value - key: EngineVersion - value: "1.6.17" - - and: - - type: value - key: Engine - value: redis - - type: value - key: EngineVersion - op: regex - value: '7.0.*' - comment: '0021062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-272-elasticache_latest_version + comment: '010021062000' + description: | + Elasticache is not using the latest version + resource: cache-cluster + filters: + - not: + - or: + - and: + - type: value + key: Engine + value: memcached + - type: value + key: EngineVersion + value: "1.6.17" + - and: + - type: value + key: Engine + value: redis + - type: value + key: EngineVersion + op: regex + value: '7.0.*' diff --git a/policies/ecc-aws-273-documentdb_logging_enabled.yml b/policies/ecc-aws-273-documentdb_logging_enabled.yml index d38dd9deb..49ba6bfa4 100644 --- a/policies/ecc-aws-273-documentdb_logging_enabled.yml +++ b/policies/ecc-aws-273-documentdb_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-273-documentdb_logging_enabled - resource: aws.rds-cluster + comment: '010019062000' description: | DocumentDB logging is not enabled + resource: aws.rds-cluster filters: - and: - type: value 
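Review bot: ecc-aws-272 defines "latest" through literal versions (`value: "1.6.17"` for memcached and the `'7.0.*'` regex for redis), so the check goes stale without anyone noticing. Once a newer engine release exists, clusters running it are reported as findings while the pinned release still passes. ecc-aws-283 has the same shape with `value: 'OpenSearch_2.3'`. A comment above each pinned value, for example `# pinned "latest" version: review on every new engine release`, would make the maintenance obligation visible. A minimum-version comparison would age better if the engine supports one for these keys.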
@@ -33,4 +34,3 @@ policies: - type: db-cluster-parameter key: profiler value: enabled - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-275-rds_aurora_mysql_cluster_logging_enabled.yml b/policies/ecc-aws-275-rds_aurora_mysql_cluster_logging_enabled.yml index 3e891bbb7..bf9216c8e 100644 --- a/policies/ecc-aws-275-rds_aurora_mysql_cluster_logging_enabled.yml +++ b/policies/ecc-aws-275-rds_aurora_mysql_cluster_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-275-rds_aurora_mysql_cluster_logging_enabled - resource: aws.rds-cluster + comment: '010019062000' description: | Aurora-MySQL cluster logging is disabled + resource: aws.rds-cluster filters: - and: - type: value @@ -46,4 +47,3 @@ policies: - type: db-cluster-parameter key: log_output value: FILE - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-276-rds_aurora_postgresql_cluster_logging_enabled.yml b/policies/ecc-aws-276-rds_aurora_postgresql_cluster_logging_enabled.yml index 4dfb4242e..250d40725 100644 --- a/policies/ecc-aws-276-rds_aurora_postgresql_cluster_logging_enabled.yml +++ b/policies/ecc-aws-276-rds_aurora_postgresql_cluster_logging_enabled.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-276-rds_aurora_postgresql_cluster_logging_enabled - resource: aws.rds-cluster + comment: '010019062000' description: | Aurora-PostgreSQL cluster logging is disabled + resource: aws.rds-cluster filters: - and: - type: value @@ -31,4 +32,3 @@ policies: - type: db-cluster-parameter key: log_statement value: all - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-277-elasticsearch_slow_logs_enabled.yml b/policies/ecc-aws-277-elasticsearch_slow_logs_enabled.yml index 081c00156..47dc0def5 100644 --- a/policies/ecc-aws-277-elasticsearch_slow_logs_enabled.yml +++ b/policies/ecc-aws-277-elasticsearch_slow_logs_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-277-elasticsearch_slow_logs_enabled - description: | - Elasticsearch slow logs is disabled - resource: aws.elasticsearch - filters: - - not: - - and: - - type: value - key: LogPublishingOptions.INDEX_SLOW_LOGS.Enabled - value: true - - type: value - key: LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled - value: true - comment: '0019052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-277-elasticsearch_slow_logs_enabled + comment: '010019052000' + description: | + Elasticsearch slow logs is disabled + resource: aws.elasticsearch + filters: + - not: + - and: + - type: value + key: LogPublishingOptions.INDEX_SLOW_LOGS.Enabled + value: true + - type: value + key: LogPublishingOptions.SEARCH_SLOW_LOGS.Enabled + value: true diff --git a/policies/ecc-aws-279-elasticache_auth_token_rotated_every_90_days.yml b/policies/ecc-aws-279-elasticache_auth_token_rotated_every_90_days.yml index 6dd79fb80..51c598a32 100644 --- a/policies/ecc-aws-279-elasticache_auth_token_rotated_every_90_days.yml +++ b/policies/ecc-aws-279-elasticache_auth_token_rotated_every_90_days.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-279-elasticache_auth_token_rotated_every_90_days - description: | - Elasticache AUTH token is not rotated every 90 days - resource: cache-cluster - filters: - - type: value - key: AuthTokenLastModifiedDate - op: gt - value_type: age - value: 90 - comment: '0029062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-279-elasticache_auth_token_rotated_every_90_days + comment: '010029062000' + description: | + Elasticache AUTH token is not rotated every 90 days + resource: cache-cluster + filters: + - type: value + key: AuthTokenLastModifiedDate + op: gt + value_type: age + value: 90 diff --git a/policies/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk.yml b/policies/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk.yml index 6ad662e67..8bc9b4373 100644 --- a/policies/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-280-elasticsearch_encrypted_with_kms_cmk.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-280-elasticsearch_encrypted_with_kms_cmk - description: | - ElasticSearch is not encrypted with KMS CMK - resource: elasticsearch - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-280-elasticsearch_encrypted_with_kms_cmk + comment: '010043052000' + description: | + ElasticSearch is not encrypted with KMS CMK + resource: elasticsearch + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-281-autoscaling_group_cooldown_period.yml b/policies/ecc-aws-281-autoscaling_group_cooldown_period.yml index 69d8e3edf..3fe6e63ca 100644 --- a/policies/ecc-aws-281-autoscaling_group_cooldown_period.yml +++ b/policies/ecc-aws-281-autoscaling_group_cooldown_period.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-281-autoscaling_group_cooldown_period - resource: aws.asg - description: | - Auto Scaling Groups are not utilizing cooldown period - filters: - - type: value - key: DefaultCooldown - op: eq - value: 0 - comment: '0023032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-281-autoscaling_group_cooldown_period + comment: '010023032000' + description: | + Auto Scaling Groups are not utilizing cooldown period + resource: aws.asg + filters: + - type: value + key: DefaultCooldown + op: eq + value: 0 diff --git a/policies/ecc-aws-282-elasticsearch_enforces_https.yml b/policies/ecc-aws-282-elasticsearch_enforces_https.yml index d7bac447e..3e8e15992 100644 --- a/policies/ecc-aws-282-elasticsearch_enforces_https.yml +++ b/policies/ecc-aws-282-elasticsearch_enforces_https.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-282-elasticsearch_enforces_https - description: | - Elasticsearch does not enforce HTTPS - resource: elasticsearch - filters: - - type: value - key: DomainEndpointOptions.EnforceHTTPS - value: false - comment: '0044052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-282-elasticsearch_enforces_https + comment: '010044052000' + description: | + Elasticsearch does not enforce HTTPS + resource: elasticsearch + filters: + - type: value + key: DomainEndpointOptions.EnforceHTTPS + value: false diff --git a/policies/ecc-aws-283-elasticsearch_latest_version.yml b/policies/ecc-aws-283-elasticsearch_latest_version.yml index 92c8703aa..bdb5f1d35 100644 --- a/policies/ecc-aws-283-elasticsearch_latest_version.yml +++ b/policies/ecc-aws-283-elasticsearch_latest_version.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-283-elasticsearch_latest_version - description: | - ElasticSearch is not using the latest OpenSearch version - resource: elasticsearch - filters: - - not: - - type: value - key: ElasticsearchVersion - value: 'OpenSearch_2.3' - comment: '0021052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-283-elasticsearch_latest_version + comment: '010021052000' + description: | + ElasticSearch is not using the latest OpenSearch version + resource: elasticsearch + filters: + - not: + - type: value + key: ElasticsearchVersion + value: 'OpenSearch_2.3' diff --git a/policies/ecc-aws-284-autoscaling_group_has_associated_elb.yml b/policies/ecc-aws-284-autoscaling_group_has_associated_elb.yml index 7d7a46516..57e218310 100644 --- a/policies/ecc-aws-284-autoscaling_group_has_associated_elb.yml +++ b/policies/ecc-aws-284-autoscaling_group_has_associated_elb.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-284-autoscaling_group_has_associated_elb - resource: aws.asg - description: | - Auto Scaling Groups does not have an associated Elastic Load Balancers or Target Groups - filters: - - and: - - type: value - key: LoadBalancerNames - value: empty - - type: value - key: TargetGroupARNs - value: empty - comment: '0024032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-284-autoscaling_group_has_associated_elb + comment: '010024032000' + description: | + Auto Scaling Groups does not have an associated Elastic Load Balancers or Target Groups + resource: aws.asg + filters: + - and: + - type: value + key: LoadBalancerNames + value: empty + - type: value + key: TargetGroupARNs + value: empty diff --git a/policies/ecc-aws-285-xray-encrypted_with_kms_cmk.yml b/policies/ecc-aws-285-xray-encrypted_with_kms_cmk.yml index f2c4ac102..dca6ab581 100644 --- a/policies/ecc-aws-285-xray-encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-285-xray-encrypted_with_kms_cmk.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-285-xray-encrypted_with_kms_cmk - resource: aws.account - description: | - AWS X-Ray is not encrypted using KMS CMK - filters: - - or: - - type: xray-encrypt-key - key: default - - and: - - type: xray-encrypt-key - key: kms - - type: xray-encrypt-key - key: alias/aws/xray - comment: '0043132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-285-xray-encrypted_with_kms_cmk + comment: '010043132000' + description: | + AWS X-Ray is not encrypted using KMS CMK + resource: aws.account + filters: + - or: + - type: xray-encrypt-key + key: default + - and: + - type: xray-encrypt-key + key: kms + - type: xray-encrypt-key + key: alias/aws/xray diff --git a/policies/ecc-aws-286-workspaces_unused_instances.yml b/policies/ecc-aws-286-workspaces_unused_instances.yml index d4c1b6a1d..b2312d5ef 100644 --- a/policies/ecc-aws-286-workspaces_unused_instances.yml +++ b/policies/ecc-aws-286-workspaces_unused_instances.yml 
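Review bot: The `or`/`and` combination of three `xray-encrypt-key` filters in ecc-aws-285 is not self-explanatory, and the meaning of `key: kms` depends on how the filter interprets a value that is neither `default` nor a key alias or ARN. As it reads, the policy is meant to flag accounts on default encryption or on the AWS-managed `alias/aws/xray` key, but that is an inference from the description. A comment above the `or:` block would settle it, for example `# finding when X-Ray uses default encryption, or KMS with the AWS-managed alias/aws/xray key`. It is also worth confirming against the filter's schema that `kms` is an accepted value and is not looked up as a key identifier.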
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-286-workspaces_unused_instances - description: | - Unused Workspaces instances are not removed - resource: aws.workspaces - filters: - - type: connection-status - value_type: age - key: LastKnownUserConnectionTimestamp - op: ge - value: 30 - comment: '0002120600' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-286-workspaces_unused_instances + comment: '010002120600' + description: | + Unused Workspaces instances are not removed + resource: aws.workspaces + filters: + - type: connection-status + value_type: age + key: LastKnownUserConnectionTimestamp + op: ge + value: 30 diff --git a/policies/ecc-aws-287-autoscaling_group_utilize_multi_az.yml b/policies/ecc-aws-287-autoscaling_group_utilize_multi_az.yml index fc1fd4e86..a5857e600 100644 --- a/policies/ecc-aws-287-autoscaling_group_utilize_multi_az.yml +++ b/policies/ecc-aws-287-autoscaling_group_utilize_multi_az.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-287-autoscaling_group_utilize_multi_az - resource: aws.asg - description: | - Auto Scaling Groups do not utilize multiple Availability Zones - filters: - - type: value - key: AvailabilityZones - value_type: size - value: 1 - comment: '0050032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-287-autoscaling_group_utilize_multi_az + comment: '010050032000' + description: | + Auto Scaling Groups do not utilize multiple Availability Zones + resource: aws.asg + filters: + - type: value + key: AvailabilityZones + value_type: size + value: 1 diff --git a/policies/ecc-aws-288-workspaces_instances_are_healthy.yml b/policies/ecc-aws-288-workspaces_instances_are_healthy.yml index 6209a2b7b..7b197d997 100644 --- a/policies/ecc-aws-288-workspaces_instances_are_healthy.yml +++ b/policies/ecc-aws-288-workspaces_instances_are_healthy.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-288-workspaces_instances_are_healthy - description: | - Workspaces instances are unhealthy - resource: aws.workspaces - filters: - - type: value - key: State - value: UNHEALTHY - comment: '0018122000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-288-workspaces_instances_are_healthy + comment: '010018122000' + description: | + Workspaces instances are unhealthy + resource: aws.workspaces + filters: + - type: value + key: State + value: UNHEALTHY diff --git a/policies/ecc-aws-289-autoscaling_group_has_valid_configuration.yml b/policies/ecc-aws-289-autoscaling_group_has_valid_configuration.yml index 46023e14a..1638326a6 100644 --- a/policies/ecc-aws-289-autoscaling_group_has_valid_configuration.yml +++ b/policies/ecc-aws-289-autoscaling_group_has_valid_configuration.yml 
@@ -1,15 +1,15 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-289-autoscaling_group_has_valid_configuration - resource: asg - description: | - Auto Scaling Group has invalid configuration - filters: - - invalid - comment: '0023032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-289-autoscaling_group_has_valid_configuration + comment: '010023032000' + description: | + Auto Scaling Group has invalid configuration + resource: asg + filters: + - invalid diff --git a/policies/ecc-aws-290-workspaces_storage_encrypted.yml b/policies/ecc-aws-290-workspaces_storage_encrypted.yml index 3a3160679..211cd584c 100644 --- a/policies/ecc-aws-290-workspaces_storage_encrypted.yml +++ b/policies/ecc-aws-290-workspaces_storage_encrypted.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-290-workspaces_storage_encrypted - resource: aws.workspaces - description: | - Workspaces storage is not encrypted - filters: - - or: - - not: - - type: value - key: RootVolumeEncryptionEnabled - value: true - - type: value - key: UserVolumeEncryptionEnabled - value: true - comment: '0043120600' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-290-workspaces_storage_encrypted + comment: '010043120600' + description: | + Workspaces storage is not encrypted + resource: aws.workspaces + filters: + - or: + - not: + - type: value + key: RootVolumeEncryptionEnabled + value: true + - type: value + key: UserVolumeEncryptionEnabled + value: true diff --git a/policies/ecc-aws-291-backup_service_compliant_lifecycle_enabled.yml b/policies/ecc-aws-291-backup_service_compliant_lifecycle_enabled.yml index 64e649242..293741e10 100644 --- a/policies/ecc-aws-291-backup_service_compliant_lifecycle_enabled.yml +++ b/policies/ecc-aws-291-backup_service_compliant_lifecycle_enabled.yml 
@@ -1,27 +1,27 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-291-backup_service_compliant_lifecycle_enabled - resource: aws.backup-plan - description: | - Amazon Backup plan has a non-compliant lifecycle configuration - filters: - - or: - - not: - - type: value - key: Rules[].Lifecycle.MoveToColdStorageAfterDays - op: in - value_type: swap - value: 90 - - not: - - type: value - key: Rules[].Lifecycle.DeleteAfterDays - op: in - value_type: swap - value: 180 - comment: '0001042010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-291-backup_service_compliant_lifecycle_enabled + comment: '010001042010' + description: | + Amazon Backup plan has a non-compliant lifecycle configuration + resource: aws.backup-plan + filters: + - or: + - not: + - type: value + key: Rules[].Lifecycle.MoveToColdStorageAfterDays + op: in + value_type: swap + value: 90 + - not: + - type: value + key: Rules[].Lifecycle.DeleteAfterDays + op: in + value_type: swap + value: 180 diff --git a/policies/ecc-aws-293-backups_encrypted_with_kms_customer_master_keys.yml b/policies/ecc-aws-293-backups_encrypted_with_kms_customer_master_keys.yml index 5700b3fbb..88f40257e 100644 --- a/policies/ecc-aws-293-backups_encrypted_with_kms_customer_master_keys.yml +++ b/policies/ecc-aws-293-backups_encrypted_with_kms_customer_master_keys.yml 
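Review bot: Both checks in ecc-aws-291 use `op: in` with `value_type: swap` against the projection `Rules[].Lifecycle.…`, which tests whether 90 (or 180) occurs anywhere among the values collected from all rules of the plan. If the projection behaves as it reads, a plan with one compliant rule and several rules with other or no lifecycle settings passes. The comparison is also an exact match, so a plan that retains backups longer than 180 days is reported as non-compliant. A comment such as `# compliant only if some rule has exactly 90/180 days; other rules are not checked` would record whether that is intended. If every rule must comply, the check needs per-rule evaluation instead.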
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-293-backups_encrypted_with_kms_customer_master_keys - description: | - Backup vaults are not encrypted at rest using KMS CMK - resource: aws.backup-vault - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-293-backups_encrypted_with_kms_customer_master_keys + comment: '010043042000' + description: | + Backup vaults are not encrypted at rest using KMS CMK + resource: aws.backup-vault + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin.yml b/policies/ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin.yml index ac99fcb8d..40a4eab9b 100644 --- a/policies/ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin.yml +++ b/policies/ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin.yml 
@@ -1,26 +1,26 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin - description: | - Cloudfront origin uses not latest SSL certificate - resource: aws.distribution - filters: - - and: - - type: value - key: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy - value_type: swap - value: https-only - op: in - - not: - - type: value - key: Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[] - value_type: swap - value: TLSv1.2 - op: in - comment: '0023022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-295-use_secure_ssl_protocols_between_cloudfront_origin + comment: '010023022001' + description: | + Cloudfront origin uses not latest SSL certificate + resource: aws.distribution + filters: + - and: + - type: value + key: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy + value_type: swap + value: https-only + op: in + - not: + - type: value + key: Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[] + value_type: swap + value: TLSv1.2 + op: in diff --git a/policies/ecc-aws-296-rds_mysql_instances_latest_major_version.yml b/policies/ecc-aws-296-rds_mysql_instances_latest_major_version.yml index d6da06668..8626d5664 100644 --- a/policies/ecc-aws-296-rds_mysql_instances_latest_major_version.yml +++ b/policies/ecc-aws-296-rds_mysql_instances_latest_major_version.yml 
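Review bot: In ecc-aws-295 the second filter only tests that `TLSv1.2` appears somewhere in `Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items[]`, so an origin that also still allows `SSLv3`, `TLSv1` or `TLSv1.1` is not reported. Because the key flattens the protocol lists of every origin into one list, a single compliant origin also appears to hide a non-compliant one on the same distribution. I would add a check for the presence of the legacy values, for example a `value` filter on the same key with `op: intersect` and `value: [SSLv3, TLSv1, TLSv1.1]`. The description should read "SSL/TLS protocol" rather than "SSL certificate", since the filter inspects protocols.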
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-296-rds_mysql_instances_latest_major_version - description: | - RDS MySQL instances are not using latest major version - resource: rds - filters: - - type: value - key: Engine - value: mysql - - not: - - type: value - key: EngineVersion - op: regex - value: '8.0.*' - comment: '0021062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-296-rds_mysql_instances_latest_major_version + comment: '010021062000' + description: | + RDS MySQL instances are not using latest major version + resource: rds + filters: + - type: value + key: Engine + value: mysql + - not: + - type: value + key: EngineVersion + op: regex + value: '8.0.*' diff --git a/policies/ecc-aws-298-sqs_encrypted_with_kms_cmk.yml b/policies/ecc-aws-298-sqs_encrypted_with_kms_cmk.yml index ef8a01cc6..b7ed57e62 100644 --- a/policies/ecc-aws-298-sqs_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-298-sqs_encrypted_with_kms_cmk.yml 
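Review bot: The `EngineVersion` check in ecc-aws-296 hard-codes the "latest" major as `'8.0.*'`, so once a newer MySQL major is offered the policy will report up-to-date instances as non-compliant. The pinned value needs a comment stating when it was last confirmed and who owns updating it. The dot is also unescaped, so the pattern accepts more than the literal `8.0.` prefix; `'8\.0\..*'` states the intent exactly. ecc-aws-310 has the same staleness problem with its exact `EngineVersion` match on `'3.4.7'`, which flags every newer DMS engine release.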
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-298-sqs_encrypted_with_kms_cmk - description: | - Ensure SQS is not encrypted with KMS CMK - resource: sqs - filters: - - or: - - KmsMasterKeyId: absent - - type: kms-key - key: KeyManager - value: "AWS" - comment: '0043142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-298-sqs_encrypted_with_kms_cmk + comment: '010043142000' + description: | + Ensure SQS is not encrypted with KMS CMK + resource: sqs + filters: + - or: + - KmsMasterKeyId: absent + - type: kms-key + key: KeyManager + value: "AWS" diff --git a/policies/ecc-aws-299-cloudfront_distribution_fieldlevel_encryption.yml b/policies/ecc-aws-299-cloudfront_distribution_fieldlevel_encryption.yml index c366a6e7c..d0d794b7b 100644 --- a/policies/ecc-aws-299-cloudfront_distribution_fieldlevel_encryption.yml +++ b/policies/ecc-aws-299-cloudfront_distribution_fieldlevel_encryption.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-299-cloudfront_distribution_fieldlevel_encryption - description: | - CloudFront distributions do not enforce field-level encryption - resource: aws.distribution - filters: - - type: value - key: DefaultCacheBehavior.FieldLevelEncryptionId - value: empty - comment: '0045022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-299-cloudfront_distribution_fieldlevel_encryption + comment: '010045022001' + description: | + CloudFront distributions do not enforce field-level encryption + resource: aws.distribution + filters: + - type: value + key: DefaultCacheBehavior.FieldLevelEncryptionId + value: empty diff --git a/policies/ecc-aws-300-sqs_not_open_to_everyone.yml b/policies/ecc-aws-300-sqs_not_open_to_everyone.yml index 3e14bfdf8..5dc71a3f0 100644 --- a/policies/ecc-aws-300-sqs_not_open_to_everyone.yml +++ b/policies/ecc-aws-300-sqs_not_open_to_everyone.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-300-sqs_not_open_to_everyone - description: | - SQS queue is open to everyone - resource: sqs - filters: - - or: - - type: value - key: Policy - op: regex - value: ".*\\\"Principal\\\":{\\\"AWS\\\":\\\"[*]\\\"}.*" - - type: value - key: Policy - op: regex - value: ".*\\\"Principal\\\":\\\"[*]\\\".*" - comment: '0040142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-300-sqs_not_open_to_everyone + comment: '010040142000' + description: | + SQS queue is open to everyone + resource: sqs + filters: + - or: + - type: value + key: Policy + op: regex + value: ".*\\\"Principal\\\":{\\\"AWS\\\":\\\"[*]\\\"}.*" + - type: value + key: Policy + op: regex + value: ".*\\\"Principal\\\":\\\"[*]\\\".*" diff --git a/policies/ecc-aws-302-postgresql_log_parser_stats_flag_is_disabled.yml b/policies/ecc-aws-302-postgresql_log_parser_stats_flag_is_disabled.yml index b182d41c7..9272c2d80 100644 --- a/policies/ecc-aws-302-postgresql_log_parser_stats_flag_is_disabled.yml +++ b/policies/ecc-aws-302-postgresql_log_parser_stats_flag_is_disabled.yml 
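Review bot: Both regexes in ecc-aws-300 match the serialized `Policy` string literally, so they depend on the exact spacing of the JSON and miss equivalent wildcard forms such as a principal given as a list (`"AWS":["*"]`). They also match `Deny` statements and statements narrowed by a `Condition`, so the check can both under- and over-report public queues. ecc-aws-304 and ecc-aws-308 in this same change use `type: cross-account` with `everyone_only: true`, which evaluates the parsed policy document. I would use that filter here as well, provided it is registered for the `sqs` resource in the Cloud Custodian version this repository targets.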
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-302-postgresql_log_parser_stats_flag_is_disabled - resource: aws.rds - description: | - The 'log_parser_stats' flag is enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: log_parser_stats - value: 1 - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-302-postgresql_log_parser_stats_flag_is_disabled + comment: '010019062000' + description: | + The 'log_parser_stats' flag is enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: log_parser_stats + value: 1 diff --git a/policies/ecc-aws-303-cloudtrail_logs_management_events.yml b/policies/ecc-aws-303-cloudtrail_logs_management_events.yml index 64dc68a50..bb07fc420 100644 --- a/policies/ecc-aws-303-cloudtrail_logs_management_events.yml +++ b/policies/ecc-aws-303-cloudtrail_logs_management_events.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-303-cloudtrail_logs_management_events - resource: aws.cloudtrail - description: | - Management events are not included into CloudTrail trails configuration - filters: - - type: event-selectors - key: EventSelectors[].IncludeManagementEvents - op: contains - value: false - comment: '0019012000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-303-cloudtrail_logs_management_events + comment: '010019012000' + description: | + Management events are not included into CloudTrail trails configuration + resource: aws.cloudtrail + filters: + - type: event-selectors + key: EventSelectors[].IncludeManagementEvents + op: contains + value: false diff --git a/policies/ecc-aws-304-event_bus_is_exposed_to_everyone.yml b/policies/ecc-aws-304-event_bus_is_exposed_to_everyone.yml index f6ba93b33..8aef4689c 100644 --- a/policies/ecc-aws-304-event_bus_is_exposed_to_everyone.yml +++ b/policies/ecc-aws-304-event_bus_is_exposed_to_everyone.yml 
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-304-event_bus_is_exposed_to_everyone - resource: aws.event-bus - description: | - AWS CloudWatch event bus is exposed to everyone - filters: - - type: cross-account - everyone_only: true - comment: '0040142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-304-event_bus_is_exposed_to_everyone + comment: '010040142000' + description: | + AWS CloudWatch event bus is exposed to everyone + resource: aws.event-bus + filters: + - type: cross-account + everyone_only: true diff --git a/policies/ecc-aws-305-postgresql_log_planner_stats_flag_disabled.yml b/policies/ecc-aws-305-postgresql_log_planner_stats_flag_disabled.yml index e2f86ef24..dc41f49ef 100644 --- a/policies/ecc-aws-305-postgresql_log_planner_stats_flag_disabled.yml +++ b/policies/ecc-aws-305-postgresql_log_planner_stats_flag_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-305-postgresql_log_planner_stats_flag_disabled - resource: aws.rds - description: | - The 'log_planner_stats' flag is enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: log_planner_stats - value: 1 - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-305-postgresql_log_planner_stats_flag_disabled + comment: '010019062000' + description: | + The 'log_planner_stats' flag is enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: log_planner_stats + value: 1 diff --git a/policies/ecc-aws-306-postgresql_log_executor_stats_flag_disabled.yml b/policies/ecc-aws-306-postgresql_log_executor_stats_flag_disabled.yml index 236b4bf1d..95d27693e 100644 --- a/policies/ecc-aws-306-postgresql_log_executor_stats_flag_disabled.yml +++ b/policies/ecc-aws-306-postgresql_log_executor_stats_flag_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-306-postgresql_log_executor_stats_flag_disabled - resource: aws.rds - description: | - The 'log_executor_stats' flag is enabled for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - type: db-parameter - key: log_executor_stats - value: 1 - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-306-postgresql_log_executor_stats_flag_disabled + comment: '010019062000' + description: | + The 'log_executor_stats' flag is enabled for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - type: db-parameter + key: log_executor_stats + value: 1 diff --git a/policies/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly.yml b/policies/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly.yml index 4d71a7e16..acd8f45bf 100644 --- a/policies/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly.yml +++ b/policies/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly - resource: aws.rds - description: | - The 'log_min_error_statement' flag is not set correctly for PostgreSQL - filters: - - and: - - type: value - key: Engine - value: postgres - - not: - - type: db-parameter - key: log_min_error_statement - value: error - comment: '0019062010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly + comment: '010019062010' + description: | + The 'log_min_error_statement' flag is not set correctly for PostgreSQL + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: postgres + - not: + - type: db-parameter + key: log_min_error_statement + value: error diff --git a/policies/ecc-aws-308-glacier_vault_access_policy_does_not_allow_actions_from_all_principals.yml b/policies/ecc-aws-308-glacier_vault_access_policy_does_not_allow_actions_from_all_principals.yml index 26e63f0f6..27c5ab19d 100644 --- a/policies/ecc-aws-308-glacier_vault_access_policy_does_not_allow_actions_from_all_principals.yml +++ b/policies/ecc-aws-308-glacier_vault_access_policy_does_not_allow_actions_from_all_principals.yml 
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-308-glacier_vault_access_policy_does_not_allow_actions_from_all_principals - resource: aws.glacier - description: | - Glacier Vault policy allows actions from all principals - filters: - - type: cross-account - everyone_only: true - comment: '0040042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-308-glacier_vault_access_policy_does_not_allow_actions_from_all_principals + comment: '010040042000' + description: | + Glacier Vault policy allows actions from all principals + resource: aws.glacier + filters: + - type: cross-account + everyone_only: true diff --git a/policies/ecc-aws-309-config_delivery_failed.yml b/policies/ecc-aws-309-config_delivery_failed.yml index 49e8b8316..1c366ec88 100644 --- a/policies/ecc-aws-309-config_delivery_failed.yml +++ b/policies/ecc-aws-309-config_delivery_failed.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-309-config_delivery_failed - description: | - Amazon Config recorder is failing - resource: aws.config-recorder - filters: - - type: value - key: status.recording - value: true - - type: value - key: status.lastStatus - value: FAILURE - comment: '0016092000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-309-config_delivery_failed + comment: '010016092000' + description: | + Amazon Config recorder is failing + resource: aws.config-recorder + filters: + - type: value + key: status.recording + value: true + - type: value + key: status.lastStatus + value: FAILURE diff --git a/policies/ecc-aws-310-dms_latest_version.yml b/policies/ecc-aws-310-dms_latest_version.yml index 6a93c382b..359b9e777 100644 --- a/policies/ecc-aws-310-dms_latest_version.yml +++ b/policies/ecc-aws-310-dms_latest_version.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-310-dms_latest_version - description: | - DMS replication instances are not using latest version - resource: dms-instance - filters: - - not: - - type: value - key: EngineVersion - value: '3.4.7' - comment: '0021062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-310-dms_latest_version + comment: '010021062000' + description: | + DMS replication instances are not using latest version + resource: dms-instance + filters: + - not: + - type: value + key: EngineVersion + value: '3.4.7' diff --git a/policies/ecc-aws-311-sagemaker_instances_encrypted_with_kms_cmk.yml b/policies/ecc-aws-311-sagemaker_instances_encrypted_with_kms_cmk.yml index 27c1cf5a2..46d959918 100644 --- a/policies/ecc-aws-311-sagemaker_instances_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-311-sagemaker_instances_encrypted_with_kms_cmk.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-311-sagemaker_instances_encrypted_with_kms_cmk - description: | - Ensure Sagemaker instances are not encrypted with KMS CMK - resource: sagemaker-notebook - filters: - - type: value - key: KmsKeyId - value: absent - comment: '0043112000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-311-sagemaker_instances_encrypted_with_kms_cmk + comment: '010043112000' + description: | + Ensure Sagemaker instances are not encrypted with KMS CMK + resource: sagemaker-notebook + filters: + - type: value + key: KmsKeyId + value: absent diff --git a/policies/ecc-aws-312-dms_auto_minor_version_upgrade.yml b/policies/ecc-aws-312-dms_auto_minor_version_upgrade.yml index 624b70fb3..99b86ef87 100644 --- a/policies/ecc-aws-312-dms_auto_minor_version_upgrade.yml +++ b/policies/ecc-aws-312-dms_auto_minor_version_upgrade.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-312-dms_auto_minor_version_upgrade - description: | - Amazon DMS replication instances Auto Minor Version Upgrade feature disabled - resource: dms-instance - filters: - - type: value - key: AutoMinorVersionUpgrade - value: false - comment: '0021062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-312-dms_auto_minor_version_upgrade + comment: '010021062000' + description: | + Amazon DMS replication instances Auto Minor Version Upgrade feature disabled + resource: dms-instance + filters: + - type: value + key: AutoMinorVersionUpgrade + value: false diff --git a/policies/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk.yml b/policies/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk.yml index 94d0a6737..cd214ffb9 100644 --- a/policies/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk - description: | - Amazon DMS replication instances not encrypted with KMS CMK - resource: dms-instance - filters: - - type: kms-key - key: KeyManager - value: AWS - comment: '0043062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-313-dms_replication_instances_encrypted_with_kms_cmk + comment: '010043062000' + description: | + Amazon DMS replication instances not encrypted with KMS CMK + resource: dms-instance + filters: + - type: kms-key + key: KeyManager + value: AWS diff --git a/policies/ecc-aws-314-oracle_audit_sys_operations_flag_enabled.yml b/policies/ecc-aws-314-oracle_audit_sys_operations_flag_enabled.yml index a68c57dc2..a5bc85d7d 100644 --- a/policies/ecc-aws-314-oracle_audit_sys_operations_flag_enabled.yml +++ b/policies/ecc-aws-314-oracle_audit_sys_operations_flag_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-314-oracle_audit_sys_operations_flag_enabled - resource: aws.rds - description: | - The 'audit_sys_operations' flag for Oracle is disabled - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: audit_sys_operations - value: true - comment: '0019061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-314-oracle_audit_sys_operations_flag_enabled + comment: '010019061700' + description: | + The 'audit_sys_operations' flag for Oracle is disabled + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: audit_sys_operations + value: true diff --git a/policies/ecc-aws-315-oracle_audit_trail_flag_set_correctly.yml b/policies/ecc-aws-315-oracle_audit_trail_flag_set_correctly.yml index 653458f1d..0ddf13a7b 100644 --- a/policies/ecc-aws-315-oracle_audit_trail_flag_set_correctly.yml +++ b/policies/ecc-aws-315-oracle_audit_trail_flag_set_correctly.yml 
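Review bot: The engine pattern `'oracle*?'` in ecc-aws-314 is a lazy quantifier on the final `e`, not a wildcard, so it accepts any engine name that begins with `oracl`. It selects the Oracle engines only because the `regex` op matches from the start of the value. Writing the intent explicitly, for example `value: '^oracle-.*'`, makes the filter easier to audit and avoids matching an unrelated engine name by accident. The same pattern appears in ecc-aws-315, 316, 317 and 318.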
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-315-oracle_audit_trail_flag_set_correctly - resource: aws.rds - description: | - The 'audit_trail' flag is not set correctly for Oracle - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: audit_trail - value: XML - comment: '0019061710' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-315-oracle_audit_trail_flag_set_correctly + comment: '010019061710' + description: | + The 'audit_trail' flag is not set correctly for Oracle + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: audit_trail + value: XML diff --git a/policies/ecc-aws-316-oracle_global_names_flag_enabled.yml b/policies/ecc-aws-316-oracle_global_names_flag_enabled.yml index 2dd4b91c3..ccf5cb131 100644 --- a/policies/ecc-aws-316-oracle_global_names_flag_enabled.yml +++ b/policies/ecc-aws-316-oracle_global_names_flag_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-316-oracle_global_names_flag_enabled - resource: aws.rds - description: | - The 'global_names' flag for Oracle is disabled - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: global_names - value: true - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-316-oracle_global_names_flag_enabled + comment: '010023061700' + description: | + The 'global_names' flag for Oracle is disabled + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: global_names + value: true diff --git a/policies/ecc-aws-317-oracle_remote_listener_flag_empty.yml b/policies/ecc-aws-317-oracle_remote_listener_flag_empty.yml index ffdbc8089..228e98b63 100644 --- a/policies/ecc-aws-317-oracle_remote_listener_flag_empty.yml +++ b/policies/ecc-aws-317-oracle_remote_listener_flag_empty.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-317-oracle_remote_listener_flag_empty - resource: aws.rds - description: | - The 'remote_listener' flag for Oracle is not empty - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: remote_listener - value: empty - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-317-oracle_remote_listener_flag_empty + comment: '010023061700' + description: | + The 'remote_listener' flag for Oracle is not empty + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: remote_listener + value: empty diff --git a/policies/ecc-aws-318-oracle_sec_max_failed_login_attempts_flag_is_3_or_less.yml b/policies/ecc-aws-318-oracle_sec_max_failed_login_attempts_flag_is_3_or_less.yml index 54ee6771e..5d70084d9 100644 --- a/policies/ecc-aws-318-oracle_sec_max_failed_login_attempts_flag_is_3_or_less.yml +++ b/policies/ecc-aws-318-oracle_sec_max_failed_login_attempts_flag_is_3_or_less.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-318-oracle_sec_max_failed_login_attempts_flag_is_3_or_less - resource: aws.rds - description: | - The 'sec_max_failed_login_attempts' flag for Oracle is not set to 3 or less - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - type: db-parameter - key: sec_max_failed_login_attempts - value: 3 - op: gt - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-318-oracle_sec_max_failed_login_attempts_flag_is_3_or_less + comment: '010023061700' + description: | + The 'sec_max_failed_login_attempts' flag for Oracle is not set to 3 or less + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - type: db-parameter + key: sec_max_failed_login_attempts + value: 3 + op: gt diff --git a/policies/ecc-aws-319-oracle_sec_protocol_error_further_action_flag_set_to_drop_3.yml b/policies/ecc-aws-319-oracle_sec_protocol_error_further_action_flag_set_to_drop_3.yml index fca2e6aa5..6a3267e6b 100644 --- a/policies/ecc-aws-319-oracle_sec_protocol_error_further_action_flag_set_to_drop_3.yml +++ b/policies/ecc-aws-319-oracle_sec_protocol_error_further_action_flag_set_to_drop_3.yml 
@@ -7,9 +7,10 @@ policies: - name: ecc-aws-319-oracle_sec_protocol_error_further_action_flag_set_to_drop_3 - resource: aws.rds + comment: '010023061700' description: | The 'sec_protocol_error_further_action' flag for Oracle is not set to '(DROP,3)' + resource: aws.rds filters: - and: - type: value @@ -20,4 +21,3 @@ policies: - type: db-parameter key: sec_protocol_error_further_action value: '(DROP,3)' - comment: '0023061700' \ No newline at end of file diff --git a/policies/ecc-aws-320-oracle_sec_protocol_error_trace_action_flag_set_to_log.yml b/policies/ecc-aws-320-oracle_sec_protocol_error_trace_action_flag_set_to_log.yml index f624fb9f2..b5ec52b55 100644 --- a/policies/ecc-aws-320-oracle_sec_protocol_error_trace_action_flag_set_to_log.yml +++ b/policies/ecc-aws-320-oracle_sec_protocol_error_trace_action_flag_set_to_log.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-320-oracle_sec_protocol_error_trace_action_flag_set_to_log - resource: aws.rds - description: | - The 'sec_protocol_error_trace_action' flag for Oracle is not set to 'LOG' - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: sec_protocol_error_trace_action - value: LOG - comment: '0019061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-320-oracle_sec_protocol_error_trace_action_flag_set_to_log + comment: '010019061700' + description: | + The 'sec_protocol_error_trace_action' flag for Oracle is not set to 'LOG' + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: sec_protocol_error_trace_action + value: LOG diff --git a/policies/ecc-aws-321-oracle_sec_return_server_release_banner_flag_disabled.yml b/policies/ecc-aws-321-oracle_sec_return_server_release_banner_flag_disabled.yml index 8de98e8c4..2b591d6e9 100644 --- a/policies/ecc-aws-321-oracle_sec_return_server_release_banner_flag_disabled.yml +++ b/policies/ecc-aws-321-oracle_sec_return_server_release_banner_flag_disabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-321-oracle_sec_return_server_release_banner_flag_disabled - resource: aws.rds - description: | - The 'sec_return_server_release_banner' flag for Oracle is enabled - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: sec_return_server_release_banner - value: false - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-321-oracle_sec_return_server_release_banner_flag_disabled + comment: '010023061700' + description: | + The 'sec_return_server_release_banner' flag for Oracle is enabled + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: sec_return_server_release_banner + value: false diff --git a/policies/ecc-aws-322-oracle_sql92_security_flag_enabled.yml b/policies/ecc-aws-322-oracle_sql92_security_flag_enabled.yml index 18555b186..d56902b4a 100644 --- a/policies/ecc-aws-322-oracle_sql92_security_flag_enabled.yml +++ b/policies/ecc-aws-322-oracle_sql92_security_flag_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-322-oracle_sql92_security_flag_enabled - resource: aws.rds - description: | - The 'sql92_security' flag for Oracle is disabled - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: sql92_security - value: true - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-322-oracle_sql92_security_flag_enabled + comment: '010023061700' + description: | + The 'sql92_security' flag for Oracle is disabled + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: sql92_security + value: true diff --git a/policies/ecc-aws-323-oracle_trace_files_public.yml b/policies/ecc-aws-323-oracle_trace_files_public.yml index cf32f10d6..dba01535c 100644 --- a/policies/ecc-aws-323-oracle_trace_files_public.yml +++ b/policies/ecc-aws-323-oracle_trace_files_public.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-323-oracle_trace_files_public - resource: aws.rds - description: | - The '_trace_files_public' flag for Oracle is enabled - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: _trace_files_public - value: false - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-323-oracle_trace_files_public + comment: '010023061700' + description: | + The '_trace_files_public' flag for Oracle is enabled + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: _trace_files_public + value: false diff --git a/policies/ecc-aws-324-oracle_resource_limit_flag_enabled.yml b/policies/ecc-aws-324-oracle_resource_limit_flag_enabled.yml index 11d78b7d9..2a6a37884 100644 --- a/policies/ecc-aws-324-oracle_resource_limit_flag_enabled.yml +++ b/policies/ecc-aws-324-oracle_resource_limit_flag_enabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-324-oracle_resource_limit_flag_enabled - resource: aws.rds - description: | - The 'resource_limit' flag for Oracle is disabled - filters: - - and: - - type: value - key: Engine - op: regex - value: 'oracle*?' - - not: - - type: db-parameter - key: resource_limit - value: true - comment: '0023061700' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-324-oracle_resource_limit_flag_enabled + comment: '010023061700' + description: | + The 'resource_limit' flag for Oracle is disabled + resource: aws.rds + filters: + - and: + - type: value + key: Engine + op: regex + value: 'oracle*?' + - not: + - type: db-parameter + key: resource_limit + value: true diff --git a/policies/ecc-aws-325-dms_multi_az_enabled.yml b/policies/ecc-aws-325-dms_multi_az_enabled.yml index 31d0347af..fe4e3623e 100644 --- a/policies/ecc-aws-325-dms_multi_az_enabled.yml +++ b/policies/ecc-aws-325-dms_multi_az_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-325-dms_multi_az_enabled - description: | - Amazon DMS replication instances do not have the Multi-AZ feature enabled - resource: dms-instance - filters: - - type: value - key: MultiAZ - value: false - comment: '0050062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-325-dms_multi_az_enabled + comment: '010050062000' + description: | + Amazon DMS replication instances do not have the Multi-AZ feature enabled + resource: dms-instance + filters: + - type: value + key: MultiAZ + value: false diff --git a/policies/ecc-aws-326-ebs_volume_encrypted_with_kms_cmk.yml b/policies/ecc-aws-326-ebs_volume_encrypted_with_kms_cmk.yml index 8897de84b..a9e7007d9 100644 --- a/policies/ecc-aws-326-ebs_volume_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-326-ebs_volume_encrypted_with_kms_cmk.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-326-ebs_volume_encrypted_with_kms_cmk - resource: aws.ebs - description: | - EBS volume not encrypted with KMS CMK - filters: - - or: - - type: value - key: Encrypted - value: false - - type: kms-alias - key: "AliasName" - value: alias/aws/ebs - comment: '0043042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-326-ebs_volume_encrypted_with_kms_cmk + comment: '010043042000' + description: | + EBS volume not encrypted with KMS CMK + resource: aws.ebs + filters: + - or: + - type: value + key: Encrypted + value: false + - type: kms-alias + key: "AliasName" + value: alias/aws/ebs diff --git a/policies/ecc-aws-327-ebs_snapshot_encrypted.yml b/policies/ecc-aws-327-ebs_snapshot_encrypted.yml index 0c1b371d7..396703b6d 100644 --- a/policies/ecc-aws-327-ebs_snapshot_encrypted.yml +++ b/policies/ecc-aws-327-ebs_snapshot_encrypted.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-327-ebs_snapshot_encrypted - resource: aws.ebs-snapshot - description: | - EBS snapshot encryption is disabled - filters: - - type: value - key: Encrypted - value: false - comment: '0043040400' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-327-ebs_snapshot_encrypted + comment: '010043040400' + description: | + EBS snapshot encryption is disabled + resource: aws.ebs-snapshot + filters: + - type: value + key: Encrypted + value: false diff --git a/policies/ecc-aws-328-unused_ebs_volumes.yml b/policies/ecc-aws-328-unused_ebs_volumes.yml index 9d9db7d30..0b58a0eb4 100644 --- a/policies/ecc-aws-328-unused_ebs_volumes.yml +++ b/policies/ecc-aws-328-unused_ebs_volumes.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-328-unused_ebs_volumes - resource: aws.ebs + comment: '010002040400' description: | Unused EBS volumes exist + resource: aws.ebs filters: - type: value key: Attachments value: empty - comment: '0002040400' \ No newline at end of file diff --git a/policies/ecc-aws-329-unused_ec2_access_keys.yml b/policies/ecc-aws-329-unused_ec2_access_keys.yml index 01dbd0026..8388ccceb 100644 --- a/policies/ecc-aws-329-unused_ec2_access_keys.yml +++ b/policies/ecc-aws-329-unused_ec2_access_keys.yml 
@@ -7,9 +7,9 @@ policies: - name: ecc-aws-329-unused_ec2_access_keys - resource: aws.key-pair + comment: '010018102000' description: | Unused key pairs exist + resource: aws.key-pair filters: - type: unused - comment: '0018102000' \ No newline at end of file diff --git a/policies/ecc-aws-330-mysql_sql_mode_flag_contains_strict_all_tables.yml b/policies/ecc-aws-330-mysql_sql_mode_flag_contains_strict_all_tables.yml index 22da38596..afdb58870 100644 --- a/policies/ecc-aws-330-mysql_sql_mode_flag_contains_strict_all_tables.yml +++ b/policies/ecc-aws-330-mysql_sql_mode_flag_contains_strict_all_tables.yml @@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-330-mysql_sql_mode_flag_contains_strict_all_tables - resource: aws.rds - description: | - The 'sql_mode' flag for MySQL not contains 'strict_all_tables' - filters: - - and: - - type: value - key: Engine - value: mysql - - not: - - type: db-parameter - key: sql_mode - op: contains - value: STRICT_ALL_TABLES - comment: '0023061600' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-330-mysql_sql_mode_flag_contains_strict_all_tables + comment: '010023061600' + description: | + The 'sql_mode' flag for MySQL not contains 'strict_all_tables' + resource: aws.rds + filters: + - and: + - type: value + key: Engine + value: mysql + - not: + - type: db-parameter + key: sql_mode + op: contains + value: STRICT_ALL_TABLES 
diff --git a/policies/ecc-aws-331-workspaces_images_not_older_than_90_days.yml b/policies/ecc-aws-331-workspaces_images_not_older_than_90_days.yml index 29e9d808c..a472ea536 100644 --- a/policies/ecc-aws-331-workspaces_images_not_older_than_90_days.yml +++ b/policies/ecc-aws-331-workspaces_images_not_older_than_90_days.yml @@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-331-workspaces_images_not_older_than_90_days - resource: aws.workspaces-image - description: | - Workspaces images are older than 90 days - filters: - - type: value - key: Created - value_type: age - value: 90 - op: ge - comment: '0021120600' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-331-workspaces_images_not_older_than_90_days + comment: '010021120600' + description: | + Workspaces images are older than 90 days + resource: aws.workspaces-image + filters: + - type: value + key: Created + value_type: age + value: 90 + op: ge diff --git a/policies/ecc-aws-332-workspaces_web_access_disabled.yml b/policies/ecc-aws-332-workspaces_web_access_disabled.yml index e992cea11..344e93995 100644 --- a/policies/ecc-aws-332-workspaces_web_access_disabled.yml +++ b/policies/ecc-aws-332-workspaces_web_access_disabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-332-workspaces_web_access_disabled - resource: aws.workspaces-directory - description: | - Workspaces web access is enabled - filters: - - type: value - key: WorkspaceAccessProperties.DeviceTypeWeb - value: ALLOW - comment: '0024120600' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-332-workspaces_web_access_disabled + comment: '010024120600' + description: | + Workspaces web access is enabled + resource: aws.workspaces-directory + filters: + - type: value + key: WorkspaceAccessProperties.DeviceTypeWeb + value: ALLOW diff --git a/policies/ecc-aws-333-fsx_all_types_of_file_systems_encrypted_with_kms_cmk.yml b/policies/ecc-aws-333-fsx_all_types_of_file_systems_encrypted_with_kms_cmk.yml index cf4ea73b0..6db7c8b0e 100644 --- a/policies/ecc-aws-333-fsx_all_types_of_file_systems_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-333-fsx_all_types_of_file_systems_encrypted_with_kms_cmk.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-333-fsx_all_types_of_file_systems_encrypted_with_kms_cmk - description: | - AWS FSx file system is not encrypted with KMS CMK - resource: aws.fsx - filters: - - type: kms-key - key: KeyManager - value: AWS - comment: '0043042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-333-fsx_all_types_of_file_systems_encrypted_with_kms_cmk + comment: '010043042000' + description: | + AWS FSx file system is not encrypted with KMS CMK + resource: aws.fsx + filters: + - type: kms-key + key: KeyManager + value: AWS diff --git a/policies/ecc-aws-334-kinesis_firehose_delivery_streams_encrypted_using_SSE.yml b/policies/ecc-aws-334-kinesis_firehose_delivery_streams_encrypted_using_SSE.yml index a1fb5c8c8..c993c962d 100644 --- a/policies/ecc-aws-334-kinesis_firehose_delivery_streams_encrypted_using_SSE.yml +++ b/policies/ecc-aws-334-kinesis_firehose_delivery_streams_encrypted_using_SSE.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-334-kinesis_firehose_delivery_streams_encrypted_using_SSE - description: | - Kinesis Data Firehose delivery streams are not encrypted using Server-side encryption - resource: aws.firehose - filters: - - type: value - key: DeliveryStreamType - value: DirectPut - - type: value - key: DeliveryStreamEncryptionConfiguration.Status - value: DISABLED - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-334-kinesis_firehose_delivery_streams_encrypted_using_SSE + comment: '010043052000' + description: | + Kinesis Data Firehose delivery streams are not encrypted using Server-side encryption + resource: aws.firehose + filters: + - type: value + key: DeliveryStreamType + value: DirectPut + - type: value + key: DeliveryStreamEncryptionConfiguration.Status + value: DISABLED diff --git a/policies/ecc-aws-335-lambda_active_tracing_enabled.yml b/policies/ecc-aws-335-lambda_active_tracing_enabled.yml index 5ee07500a..e0f7d61ce 100644 --- a/policies/ecc-aws-335-lambda_active_tracing_enabled.yml +++ b/policies/ecc-aws-335-lambda_active_tracing_enabled.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-335-lambda_active_tracing_enabled - resource: lambda + comment: '010019032000' description: | Lambda has active tracing disabled + resource: lambda filters: - type: value key: TracingConfig.Mode value: PassThrough - comment: '0019032000' \ No newline at end of file 
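Review bot: The second filter in ecc-aws-334 reports a DirectPut stream only when `DeliveryStreamEncryptionConfiguration.Status` is exactly `DISABLED`, so a stream left in another non-enabled state (the Firehose API also returns values such as `ENABLING_FAILED` and `DISABLING`) is treated as compliant. Inverting the comparison closes that gap: add `op: ne` and use `value: ENABLED`. With `ne`, a stream whose encryption block is missing from the response would also be reported, which looks like the safer default for an encryption check, but confirm it against real describe output before relying on it.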
diff --git a/policies/ecc-aws-336-sagemaker_endpoint_configuration_encrypted.yml b/policies/ecc-aws-336-sagemaker_endpoint_configuration_encrypted.yml index e933da6a7..febfa5cc7 100644 --- a/policies/ecc-aws-336-sagemaker_endpoint_configuration_encrypted.yml +++ b/policies/ecc-aws-336-sagemaker_endpoint_configuration_encrypted.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-336-sagemaker_endpoint_configuration_encrypted - description: | - Sagemaker endpoint configurations are not encrypted with KMS CMK - resource: sagemaker-endpoint-config - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043112000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-336-sagemaker_endpoint_configuration_encrypted + comment: '010043112000' + description: | + Sagemaker endpoint configurations are not encrypted with KMS CMK + resource: sagemaker-endpoint-config + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-337-lambda_variables_encrypted_with_kms_cmk.yml b/policies/ecc-aws-337-lambda_variables_encrypted_with_kms_cmk.yml index 1be3d4bd6..070f71ba6 100644 --- a/policies/ecc-aws-337-lambda_variables_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-337-lambda_variables_encrypted_with_kms_cmk.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-337-lambda_variables_encrypted_with_kms_cmk + comment: '010043032000' description: | Lambda environment variables not encrypted with KMS CMK resource: lambda 
@@ -15,4 +16,3 @@ policies: - type: kms-key key: KeyManager value: CUSTOMER - comment: '0043032000' \ No newline at end of file diff --git a/policies/ecc-aws-338-sagemaker_instance_root_disabled.yml b/policies/ecc-aws-338-sagemaker_instance_root_disabled.yml index 150311a3c..9c644cbd7 100644 --- a/policies/ecc-aws-338-sagemaker_instance_root_disabled.yml +++ b/policies/ecc-aws-338-sagemaker_instance_root_disabled.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-338-sagemaker_instance_root_disabled - description: | - Sagemaker instances root access enabled - resource: sagemaker-notebook - filters: - - type: value - key: RootAccess - value: Enabled - comment: '0023112000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-338-sagemaker_instance_root_disabled + comment: '010023112000' + description: | + Sagemaker instances root access enabled + resource: sagemaker-notebook + filters: + - type: value + key: RootAccess + value: Enabled diff --git a/policies/ecc-aws-339-mq_broker_auto_minor_version_upgrade_enabled.yml b/policies/ecc-aws-339-mq_broker_auto_minor_version_upgrade_enabled.yml index 470c79ebf..8f6dac957 100644 --- a/policies/ecc-aws-339-mq_broker_auto_minor_version_upgrade_enabled.yml +++ b/policies/ecc-aws-339-mq_broker_auto_minor_version_upgrade_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-339-mq_broker_auto_minor_version_upgrade_enabled - resource: aws.message-broker - description: | - MQ auto minor version upgrade not enabled - filters: - - type: value - key: AutoMinorVersionUpgrade - value: false - comment: '0021142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-339-mq_broker_auto_minor_version_upgrade_enabled + comment: '010021142000' + description: | + MQ auto minor version upgrade not enabled + resource: aws.message-broker + filters: + - type: value + key: AutoMinorVersionUpgrade + value: false diff --git a/policies/ecc-aws-340-mq_broker_logging_enabled.yml b/policies/ecc-aws-340-mq_broker_logging_enabled.yml index 605fa9b53..72cc36f2a 100644 --- a/policies/ecc-aws-340-mq_broker_logging_enabled.yml +++ b/policies/ecc-aws-340-mq_broker_logging_enabled.yml 
@@ -1,32 +1,32 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-340-mq_broker_logging_enabled - resource: aws.message-broker - description: | - MQ broker logging not enabled - filters: - - or: - - and: - - type: value - key: EngineType - value: ActiveMQ - - type: value - key: Logs.Audit - value: false - - type: value - key: Logs.General - value: false - - and: - - type: value - key: EngineType - value: RabbitMQ - - type: value - key: Logs.General - value: false - comment: '0019142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-340-mq_broker_logging_enabled + comment: '010019142000' + description: | + MQ broker logging not enabled + resource: aws.message-broker + filters: + - or: + - and: + - type: value + key: EngineType + value: ActiveMQ + - type: value + key: Logs.Audit + value: false + - type: value + key: Logs.General + value: false + - and: + - type: value + key: EngineType + value: RabbitMQ + - type: value + key: Logs.General + value: false diff --git a/policies/ecc-aws-341-sagemaker_network_isolation_enabled.yml b/policies/ecc-aws-341-sagemaker_network_isolation_enabled.yml index efffc951d..44cdb3e63 100644 --- a/policies/ecc-aws-341-sagemaker_network_isolation_enabled.yml +++ b/policies/ecc-aws-341-sagemaker_network_isolation_enabled.yml 
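Review bot: In the ActiveMQ branch of ecc-aws-340, the `Logs.Audit` and `Logs.General` checks sit under the same `and`, so a broker is reported only when both log types are off; one with general logging on and audit logging off passes. If either missing log should be a finding, keep the `EngineType` test in the `and` and nest the two `Logs.*` filters under an `- or:` inside it. As far as I can tell, a plain `value: false` comparison does not match when the key is absent from the resource, so it is also worth confirming that `Logs` is always populated for `aws.message-broker`; otherwise a broker with no logging data is silently skipped.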
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-341-sagemaker_network_isolation_enabled - description: | - Sagemaker model network isolation disabled - resource: sagemaker-model - filters: - - type: value - key: EnableNetworkIsolation - value: false - comment: '0040112000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-341-sagemaker_network_isolation_enabled + comment: '010040112000' + description: | + Sagemaker model network isolation disabled + resource: sagemaker-model + filters: + - type: value + key: EnableNetworkIsolation + value: false diff --git a/policies/ecc-aws-342-route53_domain_automatic_renewal_enabled.yml b/policies/ecc-aws-342-route53_domain_automatic_renewal_enabled.yml index e09170bfb..e5e8cda55 100644 --- a/policies/ecc-aws-342-route53_domain_automatic_renewal_enabled.yml +++ b/policies/ecc-aws-342-route53_domain_automatic_renewal_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-342-route53_domain_automatic_renewal_enabled - description: | - Route53 has automatic domain renewal disabled - resource: aws.r53domain - filters: - - type: value - key: AutoRenew - value: false - comment: '0023022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-342-route53_domain_automatic_renewal_enabled + comment: '010023022001' + description: | + Route53 has automatic domain renewal disabled + resource: aws.r53domain + filters: + - type: value + key: AutoRenew + value: false diff --git a/policies/ecc-aws-343-mq_broker_not_publicly_accessible.yml b/policies/ecc-aws-343-mq_broker_not_publicly_accessible.yml index 3ef434e1f..09e0b3886 100644 --- a/policies/ecc-aws-343-mq_broker_not_publicly_accessible.yml +++ b/policies/ecc-aws-343-mq_broker_not_publicly_accessible.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-343-mq_broker_not_publicly_accessible - resource: aws.message-broker - description: | - MQ is publicly accessible - filters: - - type: value - key: PubliclyAccessible - value: true - comment: '0040142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-343-mq_broker_not_publicly_accessible + comment: '010040142000' + description: | + MQ is publicly accessible + resource: aws.message-broker + filters: + - type: value + key: PubliclyAccessible + value: true diff --git a/policies/ecc-aws-344-route53_domain_expires_in_30_days.yml b/policies/ecc-aws-344-route53_domain_expires_in_30_days.yml index f9b3bb2aa..e1d511347 100644 --- a/policies/ecc-aws-344-route53_domain_expires_in_30_days.yml +++ b/policies/ecc-aws-344-route53_domain_expires_in_30_days.yml 
@@ -1,24 +1,24 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-344-route53_domain_expires_in_30_days - description: | - Route53 domain name expire in less 30 days - resource: aws.r53domain - filters: - - type: value - key: Expiry - value_type: expiration - value: 30 - op: le - - type: value - key: Expiry - value_type: expiration - value: 0 - op: ge - comment: '0023022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-344-route53_domain_expires_in_30_days + comment: '010023022001' + description: | + Route53 domain name expire in less 30 days + resource: aws.r53domain + filters: + - type: value + key: Expiry + value_type: expiration + value: 30 + op: le + - type: value + key: Expiry + value_type: expiration + value: 0 + op: ge diff --git a/policies/ecc-aws-345-mq_broker_open_to_all_ports_protocols.yml b/policies/ecc-aws-345-mq_broker_open_to_all_ports_protocols.yml index e267260c8..fcc21d04d 100644 --- a/policies/ecc-aws-345-mq_broker_open_to_all_ports_protocols.yml +++ b/policies/ecc-aws-345-mq_broker_open_to_all_ports_protocols.yml 
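Review bot: The second filter (`op: ge`, `value: 0`) excludes domains whose `Expiry` is already in the past, so a domain that has lapsed and is still recoverable drops out of the findings at the point where it most needs attention. If already-expired domains are reported by a different rule, state that next to the filter, for example `# already-expired domains are out of scope for this rule`. Otherwise remove the lower bound so the rule keeps matching after the expiry date.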
@@ -7,29 +7,29 @@ policies: - name: ecc-aws-345-mq_broker_open_to_all_ports_protocols - resource: aws.message-broker + comment: '010024142000' description: | Mq broker not restricted only to default ports + resource: aws.message-broker filters: - not: - - type: security-group - key: IpPermissions[].FromPort - value_type: swap - op: in - value: 8162 - - type: security-group - key: IpPermissions[].FromPort - value_type: swap - op: in - value: 61617 - - type: security-group - key: IpPermissions[].ToPort - value_type: swap - op: in - value: 8162 - - type: security-group - key: IpPermissions[].ToPort - value_type: swap - op: in - value: 61617 - comment: '0024142000' \ No newline at end of file + - type: security-group + key: IpPermissions[].FromPort + value_type: swap + op: in + value: 8162 + - type: security-group + key: IpPermissions[].FromPort + value_type: swap + op: in + value: 61617 + - type: security-group + key: IpPermissions[].ToPort + value_type: swap + op: in + value: 8162 + - type: security-group + key: IpPermissions[].ToPort + value_type: swap + op: in + value: 61617 diff --git a/policies/ecc-aws-346-route53_hosted_zone_records_health_check_configured.yml b/policies/ecc-aws-346-route53_hosted_zone_records_health_check_configured.yml index ed2ae7917..30e6f46d7 100644 --- a/policies/ecc-aws-346-route53_hosted_zone_records_health_check_configured.yml +++ b/policies/ecc-aws-346-route53_hosted_zone_records_health_check_configured.yml 
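Review bot: The four `security-group` filters under `not:` only assert that 8162 and 61617 appear among `IpPermissions[].FromPort` and `IpPermissions[].ToPort`; no filter looks at any other rule of the group. Assuming Custodian evaluates the `not:` list as a conjunction, a broker whose security group contains both default ports plus an additional wide port range satisfies the inner block and is not reported, although the description reads "not restricted only to default ports". Consider a further filter that matches any permission whose port range lies outside the two default ports. Until then the limitation should be recorded above `filters:`, for example `# checks that the default ports are present; extra open ranges are not detected`.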
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-346-route53_hosted_zone_records_health_check_configured - description: | - Route53 hosted zone records is not configured with health check - resource: aws.rrset - filters: - - type: value - key: SetIdentifier - value: present - - type: value - key: HealthCheckId - value: absent - comment: '0018022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-346-route53_hosted_zone_records_health_check_configured + comment: '010018022000' + description: | + Route53 hosted zone records is not configured with health check + resource: aws.rrset + filters: + - type: value + key: SetIdentifier + value: present + - type: value + key: HealthCheckId + value: absent diff --git a/policies/ecc-aws-347-msk_data_encrypted_with_kms_cmk.yml b/policies/ecc-aws-347-msk_data_encrypted_with_kms_cmk.yml index 70d8ab13e..444b8840f 100644 --- a/policies/ecc-aws-347-msk_data_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-347-msk_data_encrypted_with_kms_cmk.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-347-msk_data_encrypted_with_kms_cmk - resource: aws.kafka - description: | - MSK not encrypted with KMS CMK - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-347-msk_data_encrypted_with_kms_cmk + comment: '010043052000' + description: | + MSK not encrypted with KMS CMK + resource: aws.kafka + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-348-msk_encryption_in_transit_enabled.yml b/policies/ecc-aws-348-msk_encryption_in_transit_enabled.yml index 4e2317d1e..09222a97d 100644 --- a/policies/ecc-aws-348-msk_encryption_in_transit_enabled.yml +++ b/policies/ecc-aws-348-msk_encryption_in_transit_enabled.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-348-msk_encryption_in_transit_enabled - resource: aws.kafka - description: | - MSK encryption in transit not set only to 'TLS'. - filters: - - not: - - type: value - key: EncryptionInfo.EncryptionInTransit.ClientBroker - value: TLS - comment: '0044052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-348-msk_encryption_in_transit_enabled + comment: '010044052000' + description: | + MSK encryption in transit not set only to 'TLS'. + resource: aws.kafka + filters: + - not: + - type: value + key: EncryptionInfo.EncryptionInTransit.ClientBroker + value: TLS diff --git a/policies/ecc-aws-349-route53_query_logging_enabled.yml b/policies/ecc-aws-349-route53_query_logging_enabled.yml index 44003b553..74966699a 100644 --- a/policies/ecc-aws-349-route53_query_logging_enabled.yml +++ b/policies/ecc-aws-349-route53_query_logging_enabled.yml 
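Review bot: Only `EncryptionInfo.EncryptionInTransit.ClientBroker` is tested, so a cluster with client-to-broker TLS but in-cluster encryption switched off passes this rule while broker-to-broker traffic stays unencrypted. If in-cluster traffic is meant to be in scope of "encryption in transit", put the existing `not:` block and a second condition under an `or:`, the second being `- type: value`, `key: EncryptionInfo.EncryptionInTransit.InCluster`, `value: false`. If that setting is covered by a separate rule, a one-line comment naming it would make the scope of this one clear.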
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-349-route53_query_logging_enabled - resource: aws.hostedzone - description: | - Route53 query logging not enabled - filters: - - type: query-logging-enabled - state: false - comment: '0019022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-349-route53_query_logging_enabled + comment: '010019022000' + description: | + Route53 query logging not enabled + resource: aws.hostedzone + filters: + - type: query-logging-enabled + state: false diff --git a/policies/ecc-aws-350-msk_logging_enabled.yml b/policies/ecc-aws-350-msk_logging_enabled.yml index 422bc8581..a062f69e5 100644 --- a/policies/ecc-aws-350-msk_logging_enabled.yml +++ b/policies/ecc-aws-350-msk_logging_enabled.yml 
@@ -1,25 +1,25 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-350-msk_logging_enabled - resource: aws.kafka - description: | - MSK Logging not enabled - filters: - - not: - - or: - - type: value - key: LoggingInfo.BrokerLogs.Firehose.Enabled - value: true - - type: value - key: LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled - value: true - - type: value - key: LoggingInfo.BrokerLogs.S3.Enabled - value: true - comment: '0019052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-350-msk_logging_enabled + comment: '010019052000' + description: | + MSK Logging not enabled + resource: aws.kafka + filters: + - not: + - or: + - type: value + key: LoggingInfo.BrokerLogs.Firehose.Enabled + value: true + - type: value + key: LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled + value: true + - type: value + key: LoggingInfo.BrokerLogs.S3.Enabled + value: true diff --git a/policies/ecc-aws-351-rds_encrypted_with_kms_cmk.yml b/policies/ecc-aws-351-rds_encrypted_with_kms_cmk.yml index acff76c3b..29022d6be 100644 --- a/policies/ecc-aws-351-rds_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-351-rds_encrypted_with_kms_cmk.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-351-rds_encrypted_with_kms_cmk - description: | - RDS instances are not encrypted with KMS CMK - resource: rds - filters: - - or: - - type: value - key: StorageEncrypted - value: false - - type: kms-alias - key: "AliasName" - value: alias/aws/rds - comment: '0043062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-351-rds_encrypted_with_kms_cmk + comment: '010043062000' + description: | + RDS instances are not encrypted with KMS CMK + resource: rds + filters: + - or: + - type: value + key: StorageEncrypted + value: false + - type: kms-alias + key: "AliasName" + value: alias/aws/rds diff --git a/policies/ecc-aws-352-sns_encrypted_with_kms_cmk.yml b/policies/ecc-aws-352-sns_encrypted_with_kms_cmk.yml index 77c87cc65..a27eba949 100644 --- a/policies/ecc-aws-352-sns_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-352-sns_encrypted_with_kms_cmk.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-352-sns_encrypted_with_kms_cmk - description: | - SNS topics are not encrypted at rest using KMS CMK - resource: sns - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-352-sns_encrypted_with_kms_cmk + comment: '010043142000' + description: | + SNS topics are not encrypted at rest using KMS CMK + resource: sns + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-353-redshift_user_activity_logging_enabled.yml b/policies/ecc-aws-353-redshift_user_activity_logging_enabled.yml index b6e349ec0..fce8f245c 100644 --- a/policies/ecc-aws-353-redshift_user_activity_logging_enabled.yml +++ b/policies/ecc-aws-353-redshift_user_activity_logging_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-353-redshift_user_activity_logging_enabled + comment: '010019062000' description: | AWS Redshift user activity logging is disabled resource: redshift @@ -19,4 +20,3 @@ policies: key: enable_user_activity_logging value: false op: eq - comment: '0019062000' \ No newline at end of file diff --git a/policies/ecc-aws-354-redshift_not_using_default_port.yml b/policies/ecc-aws-354-redshift_not_using_default_port.yml index 3e68b504e..a56274706 100644 --- a/policies/ecc-aws-354-redshift_not_using_default_port.yml +++ b/policies/ecc-aws-354-redshift_not_using_default_port.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-354-redshift_not_using_default_port + comment: '010024062000' description: | Amazon Redshift uses default port 5439 resource: redshift @@ -14,4 +15,3 @@ policies: - type: value key: Endpoint.Port value: 5439 - comment: '0024062000' \ No newline at end of file diff --git a/policies/ecc-aws-355-redshift_encrypted_with_kms_cmk.yml b/policies/ecc-aws-355-redshift_encrypted_with_kms_cmk.yml index ca41e6e74..b4a76cd6a 100644 --- a/policies/ecc-aws-355-redshift_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-355-redshift_encrypted_with_kms_cmk.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-355-redshift_encrypted_with_kms_cmk + comment: '010043062000' description: | AWS Redshift instances are not encrypted with KMS CMK resource: redshift @@ -15,4 +16,3 @@ policies: - type: kms-key key: KeyManager value: CUSTOMER - comment: '0043062000' \ No newline at end of file diff --git a/policies/ecc-aws-356-redshift_parameter_group_require_ssl.yml b/policies/ecc-aws-356-redshift_parameter_group_require_ssl.yml index 38d0b4b4f..20ec154c5 100644 --- a/policies/ecc-aws-356-redshift_parameter_group_require_ssl.yml +++ b/policies/ecc-aws-356-redshift_parameter_group_require_ssl.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-356-redshift_parameter_group_require_ssl + comment: '010044062000' description: | AWS Redshift parameter group not require SSL resource: redshift @@ -14,4 +15,3 @@ policies: - type: param key: require_ssl value: false - comment: '0044062000' \ No newline at end of file diff --git a/policies/ecc-aws-357-route53_transfer_lock_enabled.yml b/policies/ecc-aws-357-route53_transfer_lock_enabled.yml index 07c74d4f4..251538d28 100644 --- a/policies/ecc-aws-357-route53_transfer_lock_enabled.yml +++ b/policies/ecc-aws-357-route53_transfer_lock_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-357-route53_transfer_lock_enabled - description: | - Route 53 domain Transfer Lock is disabled - resource: aws.r53domain - filters: - - type: value - key: TransferLock - value: false - comment: '0023022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-357-route53_transfer_lock_enabled + comment: '010023022001' + description: | + Route 53 domain Transfer Lock is disabled + resource: aws.r53domain + filters: + - type: value + key: TransferLock + value: false diff --git a/policies/ecc-aws-359-rest_api_gateway_access_logging_enabled.yml b/policies/ecc-aws-359-rest_api_gateway_access_logging_enabled.yml index cd658f983..f5c723099 100644 --- a/policies/ecc-aws-359-rest_api_gateway_access_logging_enabled.yml +++ b/policies/ecc-aws-359-rest_api_gateway_access_logging_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-359-rest_api_gateway_access_logging_enabled - description: | - API Gateway REST API have access logging disabled - resource: rest-stage - filters: - - type: value - key: accessLogSettings - value: absent - comment: '0019022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-359-rest_api_gateway_access_logging_enabled + comment: '010019022000' + description: | + API Gateway REST API have access logging disabled + resource: rest-stage + filters: + - type: value + key: accessLogSettings + value: absent diff --git a/policies/ecc-aws-360-ecs_exec_logging_encryption_enabled.yml b/policies/ecc-aws-360-ecs_exec_logging_encryption_enabled.yml index 37c441c43..304d3abc8 100644 --- a/policies/ecc-aws-360-ecs_exec_logging_encryption_enabled.yml +++ b/policies/ecc-aws-360-ecs_exec_logging_encryption_enabled.yml 
@@ -1,29 +1,29 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-360-ecs_exec_logging_encryption_enabled - description: | - ECS Cluster execute command logging encryption is disabled - resource: ecs - filters: - - or: - - and: - - type: value - key: configuration.executeCommandConfiguration.logConfiguration.cloudWatchLogGroupName - value: present - - type: value - key: configuration.executeCommandConfiguration.logConfiguration.cloudWatchEncryptionEnabled - value: false - - and: - - type: value - key: configuration.executeCommandConfiguration.logConfiguration.s3BucketName - value: present - - type: value - key: configuration.executeCommandConfiguration.logConfiguration.s3EncryptionEnabled - value: false - comment: '0043082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-360-ecs_exec_logging_encryption_enabled + comment: '010043082000' + description: | + ECS Cluster execute command logging encryption is disabled + resource: ecs + filters: + - or: + - and: + - type: value + key: configuration.executeCommandConfiguration.logConfiguration.cloudWatchLogGroupName + value: present + - type: value + key: configuration.executeCommandConfiguration.logConfiguration.cloudWatchEncryptionEnabled + value: false + - and: + - type: value + key: configuration.executeCommandConfiguration.logConfiguration.s3BucketName + value: present + - type: value + key: configuration.executeCommandConfiguration.logConfiguration.s3EncryptionEnabled + value: false 
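Review bot: Both `and:` branches match only when the encryption flag is literally `false`, and a Custodian value filter with `value: false` does not match a key that is missing from the resource. If the ECS API omits `cloudWatchEncryptionEnabled` or `s3EncryptionEnabled` when they were never set (not verifiable from this diff), a cluster that logs execute-command sessions to an unencrypted destination is not reported. ecc-aws-364 in this same commit handles the equivalent case with an extra `value: absent` branch on `AssociatePublicIpAddress`; the same pattern on the two encryption keys would close the gap here.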
diff --git a/policies/ecc-aws-361-rest_api_gateway_logs_set_correctly.yml b/policies/ecc-aws-361-rest_api_gateway_logs_set_correctly.yml index e314a506a..52ea8b9b8 100644 --- a/policies/ecc-aws-361-rest_api_gateway_logs_set_correctly.yml +++ b/policies/ecc-aws-361-rest_api_gateway_logs_set_correctly.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-361-rest_api_gateway_logs_set_correctly - description: | - API Gateway REST API does not have logging correctly configured - resource: rest-stage - filters: - - type: value - key: methodSettings."*/*".loggingLevel - value: "OFF" - comment: '0019022010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-361-rest_api_gateway_logs_set_correctly + comment: '010019022010' + description: | + API Gateway REST API does not have logging correctly configured + resource: rest-stage + filters: + - type: value + key: methodSettings."*/*".loggingLevel + value: "OFF" diff --git a/policies/ecc-aws-362-mwaa_encrypted_with_kms_cmk.yml b/policies/ecc-aws-362-mwaa_encrypted_with_kms_cmk.yml index 1166850e9..34ab64a59 100644 --- a/policies/ecc-aws-362-mwaa_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-362-mwaa_encrypted_with_kms_cmk.yml 
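Review bot: `methodSettings."*/*".loggingLevel` is compared with `"OFF"` only, so a stage that has no `*/*` entry in `methodSettings` yields no value for the key and is not reported, even though no stage-wide logging level is configured for it. Wrapping the filter in `or:` and adding a second test on the same key with `value: absent` would cover that case, the way ecc-aws-366 in this commit pairs `DISABLED` with an `absent` check. Whether per-method overrides should also be inspected is a scope decision worth stating in a comment.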
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-362-mwaa_encrypted_with_kms_cmk - description: | - Managed Workflows for Apache Airflow data is not encrypted with KMS CMK - resource: aws.airflow - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-362-mwaa_encrypted_with_kms_cmk + comment: '010043142000' + description: | + Managed Workflows for Apache Airflow data is not encrypted with KMS CMK + resource: aws.airflow + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-364-autoscaling_launch_config_public_ip_disabled.yml b/policies/ecc-aws-364-autoscaling_launch_config_public_ip_disabled.yml index 28d6edaa9..6750aec4f 100644 --- a/policies/ecc-aws-364-autoscaling_launch_config_public_ip_disabled.yml +++ b/policies/ecc-aws-364-autoscaling_launch_config_public_ip_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-364-autoscaling_launch_config_public_ip_disabled - resource: launch-config - description: | - Auto Scaling launch configuration public ip association is enabled - filters: - - or: - - type: value - key: AssociatePublicIpAddress - value: true - - type: value - key: AssociatePublicIpAddress - value: absent - comment: '0040032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-364-autoscaling_launch_config_public_ip_disabled + comment: '010040032000' + description: | + Auto Scaling launch configuration public ip association is enabled + resource: launch-config + filters: + - or: + - type: value + key: AssociatePublicIpAddress + value: true + - type: value + key: AssociatePublicIpAddress + value: absent diff --git a/policies/ecc-aws-365-glue_connection_passwords_encrypted.yml b/policies/ecc-aws-365-glue_connection_passwords_encrypted.yml index 0e23f754b..fb86c86db 100644 --- a/policies/ecc-aws-365-glue_connection_passwords_encrypted.yml +++ b/policies/ecc-aws-365-glue_connection_passwords_encrypted.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-365-glue_connection_passwords_encrypted - description: | - Glue connection password is not encrypted - resource: aws.glue-catalog - filters: - - type: value - key: DataCatalogEncryptionSettings.ConnectionPasswordEncryption.AwsKmsKeyId - value: absent - comment: '0043052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-365-glue_connection_passwords_encrypted + comment: '010043052000' + description: | + Glue connection password is not encrypted + resource: aws.glue-catalog + filters: + - type: value + key: DataCatalogEncryptionSettings.ConnectionPasswordEncryption.AwsKmsKeyId + value: absent diff --git a/policies/ecc-aws-366-fsx_lustre_logging_enabled.yml b/policies/ecc-aws-366-fsx_lustre_logging_enabled.yml index 2db6da740..1d0c710df 100644 --- a/policies/ecc-aws-366-fsx_lustre_logging_enabled.yml +++ b/policies/ecc-aws-366-fsx_lustre_logging_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-366-fsx_lustre_logging_enabled - description: | - FSx Lustre file logging is disabled - resource: aws.fsx - filters: - - or: - - type: value - key: LustreConfiguration.LogConfiguration.Level - op: eq - value: DISABLED - - type: value - key: LustreConfiguration.LogConfiguration - value: absent - comment: '0019042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-366-fsx_lustre_logging_enabled + comment: '010019042000' + description: | + FSx Lustre file logging is disabled + resource: aws.fsx + filters: + - or: + - type: value + key: LustreConfiguration.LogConfiguration.Level + op: eq + value: DISABLED + - type: value + key: LustreConfiguration.LogConfiguration + value: absent diff --git a/policies/ecc-aws-367-ds_directory_not_open_to_large_scope.yml b/policies/ecc-aws-367-ds_directory_not_open_to_large_scope.yml index 9930f5482..6c834b780 100644 --- a/policies/ecc-aws-367-ds_directory_not_open_to_large_scope.yml +++ b/policies/ecc-aws-367-ds_directory_not_open_to_large_scope.yml 
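Review bot: Nothing restricts this rule to Lustre file systems: `resource: aws.fsx` is not narrowed by type, and for a Windows, ONTAP or OpenZFS file system `LustreConfiguration.LogConfiguration` is absent, so the second `or:` branch reports it as a Lustre logging finding. Add `- type: value`, `key: FileSystemType`, `value: LUSTRE` as the first filter so only Lustre file systems are evaluated. The same applies to ecc-aws-368 further down, where the `not:` around the `AutomaticBackupRetentionDays` comparison also matches file systems that have no `LustreConfiguration` at all.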
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-367-ds_directory_not_open_to_large_scope - description: | - DS directory is open to a large scope - resource: aws.directory - filters: - - type: security-group - key: length(IpPermissions[?(IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0']) && !UserIdGroupPairs]) - op: ge - value: 1 - comment: '0040002000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-367-ds_directory_not_open_to_large_scope + comment: '010040002000' + description: | + DS directory is open to a large scope + resource: aws.directory + filters: + - type: security-group + key: length(IpPermissions[?(IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0']) && !UserIdGroupPairs]) + op: ge + value: 1 diff --git a/policies/ecc-aws-368-fsx_lustre_retention_period_set_at_least_to_7_days.yml b/policies/ecc-aws-368-fsx_lustre_retention_period_set_at_least_to_7_days.yml index af7bf585a..2cee3308a 100644 --- a/policies/ecc-aws-368-fsx_lustre_retention_period_set_at_least_to_7_days.yml +++ b/policies/ecc-aws-368-fsx_lustre_retention_period_set_at_least_to_7_days.yml 
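Review bot: The `&& !UserIdGroupPairs` term in the JMESPath key skips every permission that carries a security-group reference, including one that also lists `0.0.0.0/0` or `::/0`. EC2 can return both kinds of source in a single `IpPermissions` entry for the same protocol and port, so such a rule is open to any address and still not counted. Dropping the term gives `length(IpPermissions[?IpRanges[?CidrIp=='0.0.0.0/0'] || Ipv6Ranges[?CidrIpv6=='::/0']])`. If the exclusion is deliberate, a comment explaining the reason belongs next to the key.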
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-368-fsx_lustre_retention_period_set_at_least_to_7_days - description: | - FSx Lustre file system does not have retention period set at least to 7 days - resource: aws.fsx - filters: - - not: - - type: value - key: LustreConfiguration.AutomaticBackupRetentionDays - op: gte - value: 7 - comment: '0049042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-368-fsx_lustre_retention_period_set_at_least_to_7_days + comment: '010049042000' + description: | + FSx Lustre file system does not have retention period set at least to 7 days + resource: aws.fsx + filters: + - not: + - type: value + key: LustreConfiguration.AutomaticBackupRetentionDays + op: gte + value: 7 diff --git a/policies/ecc-aws-370-workspaces_maintenance_mode_enabled.yml b/policies/ecc-aws-370-workspaces_maintenance_mode_enabled.yml index 80058552a..a660b5904 100644 --- a/policies/ecc-aws-370-workspaces_maintenance_mode_enabled.yml +++ b/policies/ecc-aws-370-workspaces_maintenance_mode_enabled.yml 
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-370-workspaces_maintenance_mode_enabled
- resource: aws.workspaces-directory
- description: |
- Workspaces maintenance mode disabled
- filters:
- - type: value
- key: WorkspaceCreationProperties.EnableMaintenanceMode
- value: false
- comment: '0021120600'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-370-workspaces_maintenance_mode_enabled
+ comment: '010021120600'
+ description: |
+ Workspaces maintenance mode disabled
+ resource: aws.workspaces-directory
+ filters:
+ - type: value
+ key: WorkspaceCreationProperties.EnableMaintenanceMode
+ value: false
diff --git a/policies/ecc-aws-374-cloudtrail_logs_data_events.yml b/policies/ecc-aws-374-cloudtrail_logs_data_events.yml
index c5774c45a..1fe0497d2 100644
--- a/policies/ecc-aws-374-cloudtrail_logs_data_events.yml
+++ b/policies/ecc-aws-374-cloudtrail_logs_data_events.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-374-cloudtrail_logs_data_events
- resource: aws.cloudtrail
- description: |
- Data events are not included into Amazon CloudTrail trails configuration
- filters:
- - type: event-selectors
- key: EventSelectors[].DataResources[]
- value: empty
- comment: '0019012000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-374-cloudtrail_logs_data_events
+ comment: '010019012000'
+ description: |
+ Data events are not included into Amazon CloudTrail trails configuration
+ resource: aws.cloudtrail
+ filters:
+ - type: event-selectors
+ key: EventSelectors[].DataResources[]
+ value: empty
diff --git a/policies/ecc-aws-375-workspaces_storage_encrypted_with_cmk.yml b/policies/ecc-aws-375-workspaces_storage_encrypted_with_cmk.yml
index 2a85235b9..b076d4448 100644
--- a/policies/ecc-aws-375-workspaces_storage_encrypted_with_cmk.yml
+++ b/policies/ecc-aws-375-workspaces_storage_encrypted_with_cmk.yml
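Review bot: Only the classic `EventSelectors[].DataResources[]` path is inspected, so a trail that logs data events through advanced event selectors would presumably evaluate as `empty` and be reported. CloudTrail returns `AdvancedEventSelectors` in place of `EventSelectors` for such trails. Either extend the filter to accept a trail whose `AdvancedEventSelectors` select the `Data` event category, or record the limitation above the filter, e.g. `# classic event selectors only; trails using AdvancedEventSelectors are reported regardless`.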
@@ -1,24 +1,24 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-375-workspaces_storage_encrypted_with_cmk
- resource: aws.workspaces
- description: |
- Workspaces storage is not encrypted with KMS CMK
- filters:
- - or:
- - type: value
- key: RootVolumeEncryptionEnabled
- value: true
- - type: value
- key: UserVolumeEncryptionEnabled
- value: true
- - type: kms-key
- key: KeyManager
- value: AWS
- comment: '0043120600'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-375-workspaces_storage_encrypted_with_cmk
+ comment: '010043120600'
+ description: |
+ Workspaces storage is not encrypted with KMS CMK
+ resource: aws.workspaces
+ filters:
+ - or:
+ - type: value
+ key: RootVolumeEncryptionEnabled
+ value: true
+ - type: value
+ key: UserVolumeEncryptionEnabled
+ value: true
+ - type: kms-key
+ key: KeyManager
+ value: AWS
diff --git a/policies/ecc-aws-377-ami_without_tag_information.yml b/policies/ecc-aws-377-ami_without_tag_information.yml
index d270bbf9f..f5079f8bc 100644
--- a/policies/ecc-aws-377-ami_without_tag_information.yml
+++ b/policies/ecc-aws-377-ami_without_tag_information.yml
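Review bot: The `or` block requires at least one encrypted volume before the `kms-key` check applies, so a workspace with neither `RootVolumeEncryptionEnabled` nor `UserVolumeEncryptionEnabled` set is not returned, although the description "Workspaces storage is not encrypted with KMS CMK" reads as if it were. If unencrypted workspaces are covered by a separate policy, a comment above `filters:` would make that explicit: `# unencrypted workspaces are out of scope here; this rule flags volumes encrypted with an AWS-managed key`. Otherwise the description should be narrowed to what the filters actually match.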
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-377-ami_without_tag_information - description: | - AMI without tag information - resource: aws.ami - filters: - - type: value - key: Tags - value: empty - comment: '0010032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-377-ami_without_tag_information + comment: '010010032000' + description: | + AMI without tag information + resource: aws.ami + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-378-ebs_without_tag_information.yml b/policies/ecc-aws-378-ebs_without_tag_information.yml index 8298cb244..e744057bb 100644 --- a/policies/ecc-aws-378-ebs_without_tag_information.yml +++ b/policies/ecc-aws-378-ebs_without_tag_information.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-378-ebs_without_tag_information - resource: aws.ebs + comment: '010010042000' description: | EBS volumes without tag information + resource: aws.ebs filters: - type: value key: Tags value: empty - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-379-ebs_snapshot_without_tag_information.yml b/policies/ecc-aws-379-ebs_snapshot_without_tag_information.yml index c51e9c2a4..eb5ff156a 100644 --- a/policies/ecc-aws-379-ebs_snapshot_without_tag_information.yml +++ b/policies/ecc-aws-379-ebs_snapshot_without_tag_information.yml 
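Review bot: `key: Tags` with `value: empty` treats a resource as tagged as soon as any tag exists, including `aws:`-prefixed tags that AWS services attach on their own, whereas the `tag-count` filter used by the neighbouring rules (380 to 392) leaves `aws:` tags out of the count. The same resource state can therefore pass one family of rules and fail the other. Where the resource type supports it, `- type: tag-count`, `op: eq`, `count: 0` would make the check uniform; this applies equally to the other `Tags`/`empty` rules in this commit (378, 379, 393, 394, 396 and later). If the difference is deliberate, a one-line comment on each rule would record why.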
@@ -7,11 +7,11 @@ policies: - name: ecc-aws-379-ebs_snapshot_without_tag_information - resource: aws.ebs-snapshot + comment: '010010042000' description: | EBS snapshot without tag information + resource: aws.ebs-snapshot filters: - type: value key: Tags value: empty - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-380-eip_without_tag_information.yml b/policies/ecc-aws-380-eip_without_tag_information.yml index 79c155054..5711bb1b8 100644 --- a/policies/ecc-aws-380-eip_without_tag_information.yml +++ b/policies/ecc-aws-380-eip_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-380-eip_without_tag_information + comment: '010010022000' description: | EIP without tag information resource: elastic-ip @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-381-eni_without_tag_information.yml b/policies/ecc-aws-381-eni_without_tag_information.yml index d3fbdf2f6..e9ee74eb7 100644 --- a/policies/ecc-aws-381-eni_without_tag_information.yml +++ b/policies/ecc-aws-381-eni_without_tag_information.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-381-eni_without_tag_information - description: | - ENI without tag information - resource: aws.eni - filters: - - type: tag-count - op: eq - count: 0 - comment: '0010022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-381-eni_without_tag_information + comment: '010010022000' + description: | + ENI without tag information + resource: aws.eni + filters: + - type: tag-count + op: eq + count: 0 diff --git a/policies/ecc-aws-382-internet_gateway_without_tag_information.yml b/policies/ecc-aws-382-internet_gateway_without_tag_information.yml index e505b4f86..484347075 100644 --- a/policies/ecc-aws-382-internet_gateway_without_tag_information.yml +++ b/policies/ecc-aws-382-internet_gateway_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-382-internet_gateway_without_tag_information + comment: '010010022000' description: | Amazon Internet Gateway without tag information resource: internet-gateway @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-383-nat_gateway_without_tag_information.yml b/policies/ecc-aws-383-nat_gateway_without_tag_information.yml index 02a688ac8..3827a294d 100644 --- a/policies/ecc-aws-383-nat_gateway_without_tag_information.yml +++ b/policies/ecc-aws-383-nat_gateway_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-383-nat_gateway_without_tag_information + comment: '010010022000' description: | Amazon Nat Gateway without tag information resource: nat-gateway @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-384-network_acl_without_tag_information.yml b/policies/ecc-aws-384-network_acl_without_tag_information.yml index 1a7ef0065..9f6656140 100644 --- a/policies/ecc-aws-384-network_acl_without_tag_information.yml +++ b/policies/ecc-aws-384-network_acl_without_tag_information.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-384-network_acl_without_tag_information - resource: aws.network-acl + comment: '010010022000' description: | Amazon Network ACLs without tag information + resource: aws.network-acl filters: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-385-route_table_without_tag_information.yml b/policies/ecc-aws-385-route_table_without_tag_information.yml index b071ec28d..3ae36d7a4 100644 --- a/policies/ecc-aws-385-route_table_without_tag_information.yml +++ b/policies/ecc-aws-385-route_table_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-385-route_table_without_tag_information + comment: '010010022000' description: | Amazon Route table without tag information resource: aws.route-table @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-386-security_group_without_tag_information.yml b/policies/ecc-aws-386-security_group_without_tag_information.yml index 8985482a6..71c12cf2e 100644 --- a/policies/ecc-aws-386-security_group_without_tag_information.yml +++ b/policies/ecc-aws-386-security_group_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-386-security_group_without_tag_information + comment: '010010022000' description: | Security group without tag information resource: aws.security-group @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-387-subnet_without_tag_information.yml b/policies/ecc-aws-387-subnet_without_tag_information.yml index 02439e0b1..e0e0fcf18 100644 --- a/policies/ecc-aws-387-subnet_without_tag_information.yml +++ b/policies/ecc-aws-387-subnet_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-387-subnet_without_tag_information + comment: '010010022000' description: | Amazon Subnet without tag information resource: aws.subnet @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-388-transit_gateway_without_tag_information.yml b/policies/ecc-aws-388-transit_gateway_without_tag_information.yml index 8d1414fdd..3d644e8b0 100644 --- a/policies/ecc-aws-388-transit_gateway_without_tag_information.yml +++ b/policies/ecc-aws-388-transit_gateway_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-388-transit_gateway_without_tag_information + comment: '010010022000' description: | Amazon Transit gateway without tag information resource: aws.transit-gateway @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-389-transit_gateway_attachment_without_tag_information.yml b/policies/ecc-aws-389-transit_gateway_attachment_without_tag_information.yml index 03835afb0..9bda2658d 100644 --- a/policies/ecc-aws-389-transit_gateway_attachment_without_tag_information.yml +++ b/policies/ecc-aws-389-transit_gateway_attachment_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-389-transit_gateway_attachment_without_tag_information + comment: '010010022000' description: | Amazon Transit gateway attachment without tag information resource: aws.transit-attachment @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-390-peering_connection_without_tag_information.yml b/policies/ecc-aws-390-peering_connection_without_tag_information.yml index 0cfb2f825..56b7c899a 100644 --- a/policies/ecc-aws-390-peering_connection_without_tag_information.yml +++ b/policies/ecc-aws-390-peering_connection_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-390-peering_connection_without_tag_information + comment: '010010022000' description: | Amazon peering connection without tag information resource: aws.peering-connection @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-391-vpc_without_tag_information.yml b/policies/ecc-aws-391-vpc_without_tag_information.yml index 458b3bc76..da2fbaa15 100644 --- a/policies/ecc-aws-391-vpc_without_tag_information.yml +++ b/policies/ecc-aws-391-vpc_without_tag_information.yml 
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-391-vpc_without_tag_information
- resource: aws.vpc
- description: |
- VPC without tag information
- filters:
- - type: tag-count
- op: eq
- count: 0
- comment: '0010022000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-391-vpc_without_tag_information
+ comment: '010010022000'
+ description: |
+ VPC without tag information
+ resource: aws.vpc
+ filters:
+ - type: tag-count
+ op: eq
+ count: 0
diff --git a/policies/ecc-aws-392-vpc_endpoint_without_tag_information.yml b/policies/ecc-aws-392-vpc_endpoint_without_tag_information.yml
index 31c810856..853643008 100644
--- a/policies/ecc-aws-392-vpc_endpoint_without_tag_information.yml
+++ b/policies/ecc-aws-392-vpc_endpoint_without_tag_information.yml
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-392-vpc_endpoint_without_tag_information - resource: aws.vpc-endpoint - description: | - VPC endpoint without tag information - filters: - - type: tag-count - op: eq - count: 0 - comment: '0010022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-392-vpc_endpoint_without_tag_information + comment: '010010022000' + description: | + VPC endpoint without tag information + resource: aws.vpc-endpoint + filters: + - type: tag-count + op: eq + count: 0 diff --git a/policies/ecc-aws-393-acm_without_tag_information.yml b/policies/ecc-aws-393-acm_without_tag_information.yml index 422e4720d..3d9558b0b 100644 --- a/policies/ecc-aws-393-acm_without_tag_information.yml +++ b/policies/ecc-aws-393-acm_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-393-acm_without_tag_information + comment: '010010102000' description: | Amazon ACM without tag information resource: acm-certificate @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010102000' \ No newline at end of file diff --git a/policies/ecc-aws-394-app_flow_without_tag_information.yml b/policies/ecc-aws-394-app_flow_without_tag_information.yml index 91aff7d58..611a0b6d4 100644 --- a/policies/ecc-aws-394-app_flow_without_tag_information.yml +++ b/policies/ecc-aws-394-app_flow_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-394-app_flow_without_tag_information + comment: '010010142000' description: | Amazon AppFlow without tag information resource: aws.app-flow @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010142000' \ No newline at end of file diff --git a/policies/ecc-aws-395-auto_scaling_group_without_tag_information.yml b/policies/ecc-aws-395-auto_scaling_group_without_tag_information.yml index 74118167b..6d037a527 100644 --- a/policies/ecc-aws-395-auto_scaling_group_without_tag_information.yml +++ b/policies/ecc-aws-395-auto_scaling_group_without_tag_information.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-395-auto_scaling_group_without_tag_information - resource: aws.asg + comment: '010010032000' description: | Auto Scaling Group without tag information + resource: aws.asg filters: - type: tag-count op: eq count: 0 - comment: '0010032000' \ No newline at end of file diff --git a/policies/ecc-aws-396-cloudformation_stacks_without_tag_information.yml b/policies/ecc-aws-396-cloudformation_stacks_without_tag_information.yml index dd4984240..17e196f82 100644 --- a/policies/ecc-aws-396-cloudformation_stacks_without_tag_information.yml +++ b/policies/ecc-aws-396-cloudformation_stacks_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-396-cloudformation_stacks_without_tag_information + comment: '010010132000' description: | Amazon cloudformation stacks without tag information resource: aws.cfn @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010132000' \ No newline at end of file diff --git a/policies/ecc-aws-397-cloudfront_distributions_without_tag_information.yml b/policies/ecc-aws-397-cloudfront_distributions_without_tag_information.yml index 5bcc380c8..02ba1498f 100644 --- a/policies/ecc-aws-397-cloudfront_distributions_without_tag_information.yml +++ b/policies/ecc-aws-397-cloudfront_distributions_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-397-cloudfront_distributions_without_tag_information + comment: '010010022001' description: | Cloudfront distributions without tag information resource: distribution @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010022001' \ No newline at end of file diff --git a/policies/ecc-aws-398-cloudtrail_without_tag_information.yml b/policies/ecc-aws-398-cloudtrail_without_tag_information.yml index b06db078c..d778dd6dc 100644 --- a/policies/ecc-aws-398-cloudtrail_without_tag_information.yml +++ b/policies/ecc-aws-398-cloudtrail_without_tag_information.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-398-cloudtrail_without_tag_information - resource: aws.cloudtrail - description: | - Cloudtrail without tag information - filters: - - type: value - key: Tags - value: empty - comment: '0010012000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-398-cloudtrail_without_tag_information + comment: '010010012000' + description: | + Cloudtrail without tag information + resource: aws.cloudtrail + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-399-codebuild_without_tag_information.yml b/policies/ecc-aws-399-codebuild_without_tag_information.yml index f9067ac8b..c9101cc80 100644 --- a/policies/ecc-aws-399-codebuild_without_tag_information.yml +++ b/policies/ecc-aws-399-codebuild_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-399-codebuild_without_tag_information + comment: '010010132000' description: | Amazon Codebuikd without tag information resource: codebuild @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010132000' \ No newline at end of file diff --git a/policies/ecc-aws-400-dax_clusters_without_tag_information.yml b/policies/ecc-aws-400-dax_clusters_without_tag_information.yml index 16b4d4b4a..cf4244218 100644 --- a/policies/ecc-aws-400-dax_clusters_without_tag_information.yml +++ b/policies/ecc-aws-400-dax_clusters_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-400-dax_clusters_without_tag_information + comment: '010010062000' description: | DynamoDB Accelerator clusters without tag information resource: dax @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010062000' \ No newline at end of file diff --git a/policies/ecc-aws-401-dlm_without_tag_information.yml b/policies/ecc-aws-401-dlm_without_tag_information.yml index 4a16803b6..10b941c7c 100644 --- a/policies/ecc-aws-401-dlm_without_tag_information.yml +++ b/policies/ecc-aws-401-dlm_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-401-dlm_without_tag_information + comment: '010010042000' description: | AWS DLM lifecycle policy without tag information resource: aws.dlm-policy @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-402-dms_without_tag_information.yml b/policies/ecc-aws-402-dms_without_tag_information.yml index bf99e0e01..69079cc22 100644 --- a/policies/ecc-aws-402-dms_without_tag_information.yml +++ b/policies/ecc-aws-402-dms_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-402-dms_without_tag_information + comment: '010010062000' description: | Amazon DMS instance without tag information resource: aws.dms-instance 
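Review bot: The description in the first hunk for `ecc-aws-399-codebuild_without_tag_information` reads `Amazon Codebuikd without tag information`, and this is the text a finding would carry. The line sits in the hunk's unchanged context, so the commit leaves the misspelling in place. It should become `Amazon CodeBuild without tag information` while the file is being touched.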
@@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010062000' \ No newline at end of file diff --git a/policies/ecc-aws-403-ecs_without_tag_information.yml b/policies/ecc-aws-403-ecs_without_tag_information.yml index 711667981..5e98565f7 100644 --- a/policies/ecc-aws-403-ecs_without_tag_information.yml +++ b/policies/ecc-aws-403-ecs_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-403-ecs_without_tag_information + comment: '010010082000' description: | Amazon ECS cluster without tag information resource: ecs @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010082000' \ No newline at end of file diff --git a/policies/ecc-aws-404-eks_without_tag_information.yml b/policies/ecc-aws-404-eks_without_tag_information.yml index 5d71ab664..790caa876 100644 --- a/policies/ecc-aws-404-eks_without_tag_information.yml +++ b/policies/ecc-aws-404-eks_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-404-eks_without_tag_information + comment: '010010072000' description: | Amazon EKS without tag information resource: eks @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010072000' \ No newline at end of file diff --git a/policies/ecc-aws-405-efs_without_tag_information.yml b/policies/ecc-aws-405-efs_without_tag_information.yml index fb6cb0e98..ec2249894 100644 --- a/policies/ecc-aws-405-efs_without_tag_information.yml +++ b/policies/ecc-aws-405-efs_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-405-efs_without_tag_information + comment: '010010042000' description: | Amazon EFS without tag information resource: efs @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-406-elasticache_clusters_without_tag_information.yml b/policies/ecc-aws-406-elasticache_clusters_without_tag_information.yml index b4be062f4..3f67ae019 100644 
--- a/policies/ecc-aws-406-elasticache_clusters_without_tag_information.yml +++ b/policies/ecc-aws-406-elasticache_clusters_without_tag_information.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-406-elasticache_clusters_without_tag_information - description: | - Elasticache without tag information - resource: cache-cluster - filters: - - type: value - key: Tags - value: empty - comment: '0010062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-406-elasticache_clusters_without_tag_information + comment: '010010062000' + description: | + Elasticache without tag information + resource: cache-cluster + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-407-beanstalk_without_tag_information.yml b/policies/ecc-aws-407-beanstalk_without_tag_information.yml index c2df73fa2..0b6a4cd53 100644 --- a/policies/ecc-aws-407-beanstalk_without_tag_information.yml +++ b/policies/ecc-aws-407-beanstalk_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-407-beanstalk_without_tag_information + comment: '010010032000' description: | Amazon Beanstalk topic without tag information resource: aws.elasticbeanstalk-environment @@ -14,4 +15,3 @@ policies: - type: tag-count op: lt count: 4 - comment: '0010032000' \ No newline at end of file diff --git a/policies/ecc-aws-408-elb_without_tag_information.yml b/policies/ecc-aws-408-elb_without_tag_information.yml index 55e85c5b1..de3ca2573 100644 
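Review bot: In `ecc-aws-407-beanstalk_without_tag_information`, `op: lt` with `count: 4` differs from the other `tag-count` rules in this commit, which use `op: eq` and `count: 0`, and nothing in the file explains the threshold. Presumably it allows for the tags Elastic Beanstalk adds to an environment itself; if so, say that next to the filter, e.g. `# Elastic Beanstalk adds its own tags; fewer than 4 means no user-defined tags`, so a change in the number of service tags is noticed instead of silently weakening the check. The description also says `Amazon Beanstalk topic`, which looks copied from another rule; `environment` matches the resource. The filter lines are in the file's second hunk (`@@ -14,4 +15,3 @@`).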
--- a/policies/ecc-aws-408-elb_without_tag_information.yml +++ b/policies/ecc-aws-408-elb_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-408-elb_without_tag_information + comment: '010010022000' description: | Amazon ELB without tag information resource: elb @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010022000' \ No newline at end of file diff --git a/policies/ecc-aws-409-emr_without_tag_information.yml b/policies/ecc-aws-409-emr_without_tag_information.yml index 77f3f3b28..c72bcc166 100644 --- a/policies/ecc-aws-409-emr_without_tag_information.yml +++ b/policies/ecc-aws-409-emr_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-409-emr_without_tag_information + comment: '010010052000' description: | Amazon EMR clusters without tag information resource: emr @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-410-elasticsearch_without_tag_information.yml b/policies/ecc-aws-410-elasticsearch_without_tag_information.yml index 3ea3094ba..5d9bc9199 100644 --- a/policies/ecc-aws-410-elasticsearch_without_tag_information.yml +++ b/policies/ecc-aws-410-elasticsearch_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-410-elasticsearch_without_tag_information + comment: '010010052000' description: | Amazon ElasticSearch clusters without tag information resource: elasticsearch @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-411-fsx_without_tag_information.yml b/policies/ecc-aws-411-fsx_without_tag_information.yml index 6cccae5d1..61dce22e3 100644 --- a/policies/ecc-aws-411-fsx_without_tag_information.yml +++ b/policies/ecc-aws-411-fsx_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-411-fsx_without_tag_information + comment: '010010042000' description: | Amazon FSX without tag information resource: aws.fsx @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-412-fsx_backup_without_tag_information.yml b/policies/ecc-aws-412-fsx_backup_without_tag_information.yml index 7b6dc5207..6fb819a10 100644 --- a/policies/ecc-aws-412-fsx_backup_without_tag_information.yml +++ b/policies/ecc-aws-412-fsx_backup_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-412-fsx_backup_without_tag_information + comment: '010010042000' description: | Amazon FSX Lustre backup without tag information resource: aws.fsx-backup @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-413-glacier_without_tag_information.yml b/policies/ecc-aws-413-glacier_without_tag_information.yml index 867b25133..5221cffb7 100644 --- a/policies/ecc-aws-413-glacier_without_tag_information.yml +++ b/policies/ecc-aws-413-glacier_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-413-glacier_without_tag_information + comment: '010010042000' description: | Amazon Glacier without tag information resource: aws.glacier @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010042000' \ No newline at end of file diff --git a/policies/ecc-aws-414-glue_job_without_tag_information.yml b/policies/ecc-aws-414-glue_job_without_tag_information.yml index b83d4570b..ceec378c0 100644 --- a/policies/ecc-aws-414-glue_job_without_tag_information.yml +++ b/policies/ecc-aws-414-glue_job_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-414-glue_job_without_tag_information + comment: '010010052000' description: | Amazon Glue Job without tag information resource: glue-job 
@@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-415-iam_user_without_tag_information.yml b/policies/ecc-aws-415-iam_user_without_tag_information.yml index 2868f8b11..5785a0d50 100644 --- a/policies/ecc-aws-415-iam_user_without_tag_information.yml +++ b/policies/ecc-aws-415-iam_user_without_tag_information.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-415-iam_user_without_tag_information - resource: iam-user - description: | - IAM User without tag information - filters: - - type: value - key: Tags - value: empty - comment: '0010002001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-415-iam_user_without_tag_information + comment: '010010002001' + description: | + IAM User without tag information + resource: iam-user + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-416-iam_role_without_tag_information.yml b/policies/ecc-aws-416-iam_role_without_tag_information.yml index 1ae8ed266..a4e1e97ee 100644 --- a/policies/ecc-aws-416-iam_role_without_tag_information.yml +++ b/policies/ecc-aws-416-iam_role_without_tag_information.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-416-iam_role_without_tag_information - resource: iam-role - description: | - IAM Role without tag information - filters: - - type: value - key: Tags - value: empty - comment: '0010002001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-416-iam_role_without_tag_information + comment: '010010002001' + description: | + IAM Role without tag information + resource: iam-role + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-417-msk_clusters_without_tag_information.yml b/policies/ecc-aws-417-msk_clusters_without_tag_information.yml index 5c75e5ad6..96dfeb58a 100644 --- a/policies/ecc-aws-417-msk_clusters_without_tag_information.yml +++ b/policies/ecc-aws-417-msk_clusters_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-417-msk_clusters_without_tag_information + comment: '010010052000' description: | Amazon MSK clusters without tag information resource: kafka @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-418-kinesis_data_stream_without_tag_information.yml b/policies/ecc-aws-418-kinesis_data_stream_without_tag_information.yml index df03d96a8..ed43f3513 100644 --- a/policies/ecc-aws-418-kinesis_data_stream_without_tag_information.yml +++ b/policies/ecc-aws-418-kinesis_data_stream_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-418-kinesis_data_stream_without_tag_information + comment: '010010052000' description: | Amazon Kinesis data stream without tag information resource: aws.kinesis @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-419-kinesis_video_stream_without_tag_information.yml b/policies/ecc-aws-419-kinesis_video_stream_without_tag_information.yml index ea3611a5f..11bb2413e 100644 --- a/policies/ecc-aws-419-kinesis_video_stream_without_tag_information.yml +++ b/policies/ecc-aws-419-kinesis_video_stream_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-419-kinesis_video_stream_without_tag_information + comment: '010010052000' description: | Amazon Kinesis video stream without tag information resource: kinesis-video @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-420-kms_key_without_tag_information.yml b/policies/ecc-aws-420-kms_key_without_tag_information.yml index b88415cda..eb7a41e5d 100644 --- a/policies/ecc-aws-420-kms_key_without_tag_information.yml +++ b/policies/ecc-aws-420-kms_key_without_tag_information.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-420-kms_key_without_tag_information - description: | - Customer manages key without tag information - resource: aws.kms-key - filters: - - type: value - key: KeyManager - value: CUSTOMER - - type: tag-count - op: eq - count: 0 - comment: '0010102000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-420-kms_key_without_tag_information + comment: '010010102000' + description: | + Customer manages key without tag information + resource: aws.kms-key + filters: + - type: value + key: KeyManager + value: CUSTOMER + - type: tag-count + op: eq + count: 0 diff --git a/policies/ecc-aws-421-lambda_functions_without_tag_information.yml b/policies/ecc-aws-421-lambda_functions_without_tag_information.yml index 62310ea2c..a0cf5624a 100644 --- a/policies/ecc-aws-421-lambda_functions_without_tag_information.yml +++ b/policies/ecc-aws-421-lambda_functions_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-421-lambda_functions_without_tag_information + comment: '010010032000' description: | Lambda functions without tag information resource: lambda @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010032000' \ No newline at end of file diff --git a/policies/ecc-aws-422-lightsail_instance_without_tag_information.yml b/policies/ecc-aws-422-lightsail_instance_without_tag_information.yml index a37401b4f..a38c53029 100644 --- a/policies/ecc-aws-422-lightsail_instance_without_tag_information.yml 
+++ b/policies/ecc-aws-422-lightsail_instance_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-422-lightsail_instance_without_tag_information + comment: '010010032000' description: | Amazon Lightsail instance without tag information resource: aws.lightsail-instance @@ -14,4 +15,3 @@ policies: - type: value key: tags value: empty - comment: '0010032000' \ No newline at end of file diff --git a/policies/ecc-aws-423-cloudwatch_log_groups_without_tag_information.yml b/policies/ecc-aws-423-cloudwatch_log_groups_without_tag_information.yml index fe4a8bfc3..5fa04c952 100644 --- a/policies/ecc-aws-423-cloudwatch_log_groups_without_tag_information.yml +++ b/policies/ecc-aws-423-cloudwatch_log_groups_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-423-cloudwatch_log_groups_without_tag_information + comment: '010010012000' description: | Amazon Log group without tag information resource: log-group @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010012000' \ No newline at end of file diff --git a/policies/ecc-aws-424-mq_brokers_without_tag_information.yml b/policies/ecc-aws-424-mq_brokers_without_tag_information.yml index 3585f5674..f84b2baaa 100644 --- a/policies/ecc-aws-424-mq_brokers_without_tag_information.yml +++ b/policies/ecc-aws-424-mq_brokers_without_tag_information.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-424-mq_brokers_without_tag_information - resource: aws.message-broker - description: | - MQ broker without tag information - filters: - - type: value - key: Tags - value: empty - comment: '0010142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-424-mq_brokers_without_tag_information + comment: '010010142000' + description: | + MQ broker without tag information + resource: aws.message-broker + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-425-mwaa_without_tag_information.yml b/policies/ecc-aws-425-mwaa_without_tag_information.yml index a65b94f42..365081c34 100644 --- a/policies/ecc-aws-425-mwaa_without_tag_information.yml +++ b/policies/ecc-aws-425-mwaa_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-425-mwaa_without_tag_information + comment: '010010142000' description: | Amazon MWAA without tag information resource: aws.airflow @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010142000' \ No newline at end of file diff --git a/policies/ecc-aws-426-qldb_ledgers_without_tag_information.yml b/policies/ecc-aws-426-qldb_ledgers_without_tag_information.yml index 312365c3f..7e91f9084 100644 --- a/policies/ecc-aws-426-qldb_ledgers_without_tag_information.yml +++ b/policies/ecc-aws-426-qldb_ledgers_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-426-qldb_ledgers_without_tag_information + comment: '010010062000' description: | Amazon QLDB ledger without tag information resource: qldb @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010062000' \ No newline at end of file diff --git a/policies/ecc-aws-427-rds_cluster_without_tag_information.yml b/policies/ecc-aws-427-rds_cluster_without_tag_information.yml index bb095685a..67b27ec6f 100644 --- a/policies/ecc-aws-427-rds_cluster_without_tag_information.yml +++ b/policies/ecc-aws-427-rds_cluster_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-427-rds_cluster_without_tag_information + comment: '010010062000' description: | RDS cluster without tag information resource: aws.rds-cluster @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010062000' \ No newline at end of file diff --git a/policies/ecc-aws-428-rds_snapshot_without_tag_information.yml b/policies/ecc-aws-428-rds_snapshot_without_tag_information.yml index 36a5d068d..6151d95e1 100644 --- a/policies/ecc-aws-428-rds_snapshot_without_tag_information.yml +++ b/policies/ecc-aws-428-rds_snapshot_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-428-rds_snapshot_without_tag_information + comment: '010010062000' description: | Amazon RDS snapshot without tag information resource: rds-snapshot @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010062000' \ No newline at end of file diff --git a/policies/ecc-aws-429-redshift_clusters_without_tag_information.yml b/policies/ecc-aws-429-redshift_clusters_without_tag_information.yml index 146f65979..23a03f7a5 100644 --- a/policies/ecc-aws-429-redshift_clusters_without_tag_information.yml +++ b/policies/ecc-aws-429-redshift_clusters_without_tag_information.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-429-redshift_clusters_without_tag_information - description: | - Amazon Redshift clusters without tag information - resource: redshift - filters: - - type: value - key: Tags - value: empty - comment: '0010062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-429-redshift_clusters_without_tag_information + comment: '010010062000' + description: | + Amazon Redshift clusters without tag information + resource: redshift + filters: + - type: value + key: Tags + value: empty diff --git a/policies/ecc-aws-430-sagemaker_instances_without_tag_information.yml b/policies/ecc-aws-430-sagemaker_instances_without_tag_information.yml index 933b63c79..00a84cc00 100644 --- a/policies/ecc-aws-430-sagemaker_instances_without_tag_information.yml +++ b/policies/ecc-aws-430-sagemaker_instances_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-430-sagemaker_instances_without_tag_information + comment: '010010052000' description: | Amazon Sagemaker instances without tag information resource: aws.sagemaker-notebook @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010052000' \ No newline at end of file diff --git a/policies/ecc-aws-431-sns_without_tag_information.yml b/policies/ecc-aws-431-sns_without_tag_information.yml index 81b660fd8..c20b72c72 100644 --- a/policies/ecc-aws-431-sns_without_tag_information.yml +++ b/policies/ecc-aws-431-sns_without_tag_information.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-431-sns_without_tag_information + comment: '010010142000' description: | Amazon SNS topic without tag information resource: sns @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010142000' \ No newline at end of file diff --git a/policies/ecc-aws-432-sqs_without_tag_information.yml b/policies/ecc-aws-432-sqs_without_tag_information.yml index e6dc9fab2..f4687ce88 100644 --- a/policies/ecc-aws-432-sqs_without_tag_information.yml +++ b/policies/ecc-aws-432-sqs_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-432-sqs_without_tag_information + comment: '010010142000' description: | Amazon SQS without tag information resource: sqs @@ -14,4 +15,3 @@ policies: - type: value key: Tags value: empty - comment: '0010142000' \ No newline at end of file diff --git a/policies/ecc-aws-433-mq_broker_active_deployment_mode.yml b/policies/ecc-aws-433-mq_broker_active_deployment_mode.yml index 6f60be65a..2aa75ab88 100644 --- a/policies/ecc-aws-433-mq_broker_active_deployment_mode.yml +++ b/policies/ecc-aws-433-mq_broker_active_deployment_mode.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-433-mq_broker_active_deployment_mode - resource: aws.message-broker - description: | - MQ broker active deployment not enabled - filters: - - not: - - or: - - type: value - key: DeploymentMode - value: ACTIVE_STANDBY_MULTI_AZ - - type: value - key: DeploymentMode - value: CLUSTER_MULTI_AZ - comment: '0050142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-433-mq_broker_active_deployment_mode + comment: '010050142000' + description: | + MQ broker active deployment not enabled + resource: aws.message-broker + filters: + - not: + - or: + - type: value + key: DeploymentMode + value: ACTIVE_STANDBY_MULTI_AZ + - type: value + key: DeploymentMode + value: CLUSTER_MULTI_AZ diff --git a/policies/ecc-aws-434-mq_broker_latest_version.yml b/policies/ecc-aws-434-mq_broker_latest_version.yml index 2160b04a5..da7844a6d 100644 --- a/policies/ecc-aws-434-mq_broker_latest_version.yml +++ b/policies/ecc-aws-434-mq_broker_latest_version.yml 
@@ -1,32 +1,32 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-434-mq_broker_latest_version - resource: aws.message-broker - description: | - MQ broker not using latest major version - filters: - - not: - - or: - - and: - - type: value - key: EngineVersion - op: regex - value: 3.10.* - - type: value - key: EngineType - value: RabbitMQ - - and: - - type: value - key: EngineVersion - op: regex - value: 5.17.* - - type: value - key: EngineType - value: ActiveMQ - comment: '0021142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-434-mq_broker_latest_version + comment: '010021142000' + description: | + MQ broker not using latest major version + resource: aws.message-broker + filters: + - not: + - or: + - and: + - type: value + key: EngineVersion + op: regex + value: 3.10.* + - type: value + key: EngineType + value: RabbitMQ + - and: + - type: value + key: EngineVersion + op: regex + value: 5.17.* + - type: value + key: EngineType + value: ActiveMQ diff --git a/policies/ecc-aws-435-mq_broker_encrypted_with_kms_cmk.yml b/policies/ecc-aws-435-mq_broker_encrypted_with_kms_cmk.yml index 145a456ec..c1f7432ad 100644 --- a/policies/ecc-aws-435-mq_broker_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-435-mq_broker_encrypted_with_kms_cmk.yml 
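Review bot: The two `op: regex` values in ecc-aws-434 are unquoted and unescaped, so in `value: 3.10.*` and `value: 5.17.*` every `.` matches any character and the RabbitMQ pattern also accepts strings such as `3.100.1`. Escaping and quoting them keeps the match on the intended release line, e.g. `value: '3\.10(\..*)?$'` and `value: '5\.17(\..*)?$'`. Because the patterns sit under `not:` / `or:` (nesting inferred from key order, since indentation is not preserved on this page), these pinned releases are the only ones treated as compliant. A broker on a newer engine release would therefore presumably be reported as not using the latest major version, while one left on 3.10 or 5.17 keeps passing. A comment beside the values recording when they were last checked against the engine versions Amazon MQ supports would make that maintenance step visible.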
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-435-mq_broker_encrypted_with_kms_cmk - resource: aws.message-broker - description: | - MQ broker not encrypted with KMS CMK - filters: - - not: - - type: kms-key - key: KeyManager - value: CUSTOMER - comment: '0043142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-435-mq_broker_encrypted_with_kms_cmk + comment: '010043142000' + description: | + MQ broker not encrypted with KMS CMK + resource: aws.message-broker + filters: + - not: + - type: kms-key + key: KeyManager + value: CUSTOMER diff --git a/policies/ecc-aws-436-kinesis_streams_shard_level_monitoring_enabled.yml b/policies/ecc-aws-436-kinesis_streams_shard_level_monitoring_enabled.yml index d500ffee9..3fa9c6914 100644 --- a/policies/ecc-aws-436-kinesis_streams_shard_level_monitoring_enabled.yml +++ b/policies/ecc-aws-436-kinesis_streams_shard_level_monitoring_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-436-kinesis_streams_shard_level_monitoring_enabled + comment: '010032052000' description: | Kinesis streams shard level monitoring disabled resource: kinesis @@ -16,4 +17,3 @@ policies: op: lt value_type: size value: 7 - comment: '0032052000' \ No newline at end of file diff --git a/policies/ecc-aws-438-qldb_permission_mode_is_standard.yml b/policies/ecc-aws-438-qldb_permission_mode_is_standard.yml index ce173f400..5e7451bf9 100644 --- a/policies/ecc-aws-438-qldb_permission_mode_is_standard.yml 
+++ b/policies/ecc-aws-438-qldb_permission_mode_is_standard.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-438-qldb_permission_mode_is_standard - description: | - QLDB permission mode is set to 'ALLOW_ALL' - resource: qldb - filters: - - type: value - key: PermissionsMode - value: ALLOW_ALL - comment: '0033062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-438-qldb_permission_mode_is_standard + comment: '010033062000' + description: | + QLDB permission mode is set to 'ALLOW_ALL' + resource: qldb + filters: + - type: value + key: PermissionsMode + value: ALLOW_ALL diff --git a/policies/ecc-aws-439-qldb_deletion_protection_enabled.yml b/policies/ecc-aws-439-qldb_deletion_protection_enabled.yml index 3ed7bd970..a029eff7f 100644 --- a/policies/ecc-aws-439-qldb_deletion_protection_enabled.yml +++ b/policies/ecc-aws-439-qldb_deletion_protection_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-439-qldb_deletion_protection_enabled - description: | - QLDB termination protection not enabled - resource: qldb - filters: - - type: value - key: DeletionProtection - value: false - comment: '0047062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-439-qldb_deletion_protection_enabled + comment: '010047062000' + description: | + QLDB termination protection not enabled + resource: qldb + filters: + - type: value + key: DeletionProtection + value: false diff --git a/policies/ecc-aws-440-appsync_logging_enabled.yml b/policies/ecc-aws-440-appsync_logging_enabled.yml index 39b81a6c4..a00f7045c 100644 --- a/policies/ecc-aws-440-appsync_logging_enabled.yml +++ b/policies/ecc-aws-440-appsync_logging_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-440-appsync_logging_enabled - description: | - Appsync logging disabled - resource: aws.graphql-api - filters: - - type: value - key: logConfig - value: absent - comment: '0019142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-440-appsync_logging_enabled + comment: '010019142000' + description: | + Appsync logging disabled + resource: aws.graphql-api + filters: + - type: value + key: logConfig + value: absent diff --git a/policies/ecc-aws-441-appsync_cache_encrypted_at_rest.yml b/policies/ecc-aws-441-appsync_cache_encrypted_at_rest.yml index 994950d87..8352bb51f 100644 --- a/policies/ecc-aws-441-appsync_cache_encrypted_at_rest.yml +++ b/policies/ecc-aws-441-appsync_cache_encrypted_at_rest.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-441-appsync_cache_encrypted_at_rest + comment: '010043142000' description: | Appsync cache is not encrypted at rest resource: aws.graphql-api filters: - - type: api-cache - key: 'atRestEncryptionEnabled' - value: false - comment: '0043142000' \ No newline at end of file + - type: api-cache + key: 'atRestEncryptionEnabled' + value: false diff --git a/policies/ecc-aws-442-appsync_cache_encrypted_in_transit.yml b/policies/ecc-aws-442-appsync_cache_encrypted_in_transit.yml index f8917a247..827d5fbed 100644 --- a/policies/ecc-aws-442-appsync_cache_encrypted_in_transit.yml +++ b/policies/ecc-aws-442-appsync_cache_encrypted_in_transit.yml 
@@ -7,11 +7,11 @@ policies: - name: ecc-aws-442-appsync_cache_encrypted_in_transit + comment: '010044142000' description: | Appsync cache is not encrypted in transit resource: aws.graphql-api filters: - - type: api-cache - key: 'transitEncryptionEnabled' - value: false - comment: '0044142000' \ No newline at end of file + - type: api-cache + key: 'transitEncryptionEnabled' + value: false diff --git a/policies/ecc-aws-443-appsync_protected_by_waf.yml b/policies/ecc-aws-443-appsync_protected_by_waf.yml index c7e617276..6e815628f 100644 --- a/policies/ecc-aws-443-appsync_protected_by_waf.yml +++ b/policies/ecc-aws-443-appsync_protected_by_waf.yml @@ -7,10 +7,10 @@ policies: - name: ecc-aws-443-appsync_protected_by_waf + comment: '010027142000' description: | Appsync is not protected by WAF resource: graphql-api filters: - type: wafv2-enabled state: false - comment: '0027142000' \ No newline at end of file diff --git a/policies/ecc-aws-444-mwaa_dag_processing_logs_set_correctly.yml b/policies/ecc-aws-444-mwaa_dag_processing_logs_set_correctly.yml index e93fe6970..9acfcd675 100644 --- a/policies/ecc-aws-444-mwaa_dag_processing_logs_set_correctly.yml +++ b/policies/ecc-aws-444-mwaa_dag_processing_logs_set_correctly.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-444-mwaa_dag_processing_logs_set_correctly - description: | - Managed Workflows for Apache Airflow dag logs not enabled or set correctly - resource: aws.airflow - filters: - - not: - - type: value - key: LoggingConfiguration.DagProcessingLogs.Enabled - value: true - - type: value - key: LoggingConfiguration.DagProcessingLogs.LogLevel - value: 'DEBUG' - comment: '0019142010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-444-mwaa_dag_processing_logs_set_correctly + comment: '010019142010' + description: | + Managed Workflows for Apache Airflow dag logs not enabled or set correctly + resource: aws.airflow + filters: + - not: + - type: value + key: LoggingConfiguration.DagProcessingLogs.Enabled + value: true + - type: value + key: LoggingConfiguration.DagProcessingLogs.LogLevel + value: 'DEBUG' diff --git a/policies/ecc-aws-445-mwaa_scheduler_logs_set_correctly.yml b/policies/ecc-aws-445-mwaa_scheduler_logs_set_correctly.yml index d60da83f8..652c5156c 100644 --- a/policies/ecc-aws-445-mwaa_scheduler_logs_set_correctly.yml +++ b/policies/ecc-aws-445-mwaa_scheduler_logs_set_correctly.yml 
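Review bot: The description of ecc-aws-444 says the DAG processing logs are "not enabled or set correctly" without saying what correct means, while the filters accept only `LogLevel` equal to `'DEBUG'`. If both `value` filters sit under the `not:` (inferred, since indentation is not preserved on this page), an environment logging at INFO is reported as a finding. The rule then steers environments towards the most verbose level, which may carry task parameters or connection details into the log group. State the required level in the description, e.g. `Managed Workflows for Apache Airflow dag logs not enabled or log level is not DEBUG`, or relax the filter to the levels the control actually requires. The same applies to the scheduler, task, webserver and worker policies (ecc-aws-445 to ecc-aws-448) in the following hunks.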
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-445-mwaa_scheduler_logs_set_correctly - description: | - Managed Workflows for Apache Airflow scheduler logs not enabled or set correctly - resource: aws.airflow - filters: - - not: - - type: value - key: LoggingConfiguration.SchedulerLogs.Enabled - value: true - - type: value - key: LoggingConfiguration.SchedulerLogs.LogLevel - value: 'DEBUG' - comment: '0019142010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-445-mwaa_scheduler_logs_set_correctly + comment: '010019142010' + description: | + Managed Workflows for Apache Airflow scheduler logs not enabled or set correctly + resource: aws.airflow + filters: + - not: + - type: value + key: LoggingConfiguration.SchedulerLogs.Enabled + value: true + - type: value + key: LoggingConfiguration.SchedulerLogs.LogLevel + value: 'DEBUG' diff --git a/policies/ecc-aws-446-mwaa_task_logs_set_correctly.yml b/policies/ecc-aws-446-mwaa_task_logs_set_correctly.yml index 92bd01169..14b52533b 100644 --- a/policies/ecc-aws-446-mwaa_task_logs_set_correctly.yml +++ b/policies/ecc-aws-446-mwaa_task_logs_set_correctly.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-446-mwaa_task_logs_set_correctly - description: | - Managed Workflows for Apache Airflow Task logs not enabled or set correctly - resource: aws.airflow - filters: - - not: - - type: value - key: LoggingConfiguration.TaskLogs.Enabled - value: true - - type: value - key: LoggingConfiguration.TaskLogs.LogLevel - value: 'DEBUG' - comment: '0019142010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-446-mwaa_task_logs_set_correctly + comment: '010019142010' + description: | + Managed Workflows for Apache Airflow Task logs not enabled or set correctly + resource: aws.airflow + filters: + - not: + - type: value + key: LoggingConfiguration.TaskLogs.Enabled + value: true + - type: value + key: LoggingConfiguration.TaskLogs.LogLevel + value: 'DEBUG' diff --git a/policies/ecc-aws-447-mwaa_webserver_logs_set_correctly.yml b/policies/ecc-aws-447-mwaa_webserver_logs_set_correctly.yml index 8639b736e..07a603cca 100644 --- a/policies/ecc-aws-447-mwaa_webserver_logs_set_correctly.yml +++ b/policies/ecc-aws-447-mwaa_webserver_logs_set_correctly.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-447-mwaa_webserver_logs_set_correctly - description: | - Managed Workflows for Apache Airflow Webserver logs not enabled or set correctly - resource: aws.airflow - filters: - - not: - - type: value - key: LoggingConfiguration.WebserverLogs.Enabled - value: true - - type: value - key: LoggingConfiguration.WebserverLogs.LogLevel - value: 'DEBUG' - comment: '0019142010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-447-mwaa_webserver_logs_set_correctly + comment: '010019142010' + description: | + Managed Workflows for Apache Airflow Webserver logs not enabled or set correctly + resource: aws.airflow + filters: + - not: + - type: value + key: LoggingConfiguration.WebserverLogs.Enabled + value: true + - type: value + key: LoggingConfiguration.WebserverLogs.LogLevel + value: 'DEBUG' diff --git a/policies/ecc-aws-448-mwaa_worker_logs_set_correctly.yml b/policies/ecc-aws-448-mwaa_worker_logs_set_correctly.yml index cc46bfdc4..4654a356a 100644 --- a/policies/ecc-aws-448-mwaa_worker_logs_set_correctly.yml +++ b/policies/ecc-aws-448-mwaa_worker_logs_set_correctly.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-448-mwaa_worker_logs_set_correctly - description: | - Managed Workflows for Apache Airflow Worker logs not enabled or set correctly - resource: aws.airflow - filters: - - not: - - type: value - key: LoggingConfiguration.WorkerLogs.Enabled - value: true - - type: value - key: LoggingConfiguration.WorkerLogs.LogLevel - value: 'DEBUG' - comment: '0019142010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-448-mwaa_worker_logs_set_correctly + comment: '010019142010' + description: | + Managed Workflows for Apache Airflow Worker logs not enabled or set correctly + resource: aws.airflow + filters: + - not: + - type: value + key: LoggingConfiguration.WorkerLogs.Enabled + value: true + - type: value + key: LoggingConfiguration.WorkerLogs.LogLevel + value: 'DEBUG' diff --git a/policies/ecc-aws-449-redshift_availability_zone_relocation_enabled.yml b/policies/ecc-aws-449-redshift_availability_zone_relocation_enabled.yml index 09be7ce70..b9c7fd2d5 100644 --- a/policies/ecc-aws-449-redshift_availability_zone_relocation_enabled.yml +++ b/policies/ecc-aws-449-redshift_availability_zone_relocation_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-449-redshift_availability_zone_relocation_enabled - description: | - Amazon Redshift clusters availability zone relocation not enabled - resource: redshift - filters: - - type: value - key: AvailabilityZoneRelocationStatus - value: disabled - comment: '0050062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-449-redshift_availability_zone_relocation_enabled + comment: '010050062000' + description: | + Amazon Redshift clusters availability zone relocation not enabled + resource: redshift + filters: + - type: value + key: AvailabilityZoneRelocationStatus + value: disabled diff --git a/policies/ecc-aws-453-elasticache_redis_logs_enabled.yml b/policies/ecc-aws-453-elasticache_redis_logs_enabled.yml index 60f5f9bec..e3ae18e6f 100644 --- a/policies/ecc-aws-453-elasticache_redis_logs_enabled.yml +++ b/policies/ecc-aws-453-elasticache_redis_logs_enabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-453-elasticache_redis_logs_enabled - description: | - Elasticache Redis logs disabled - resource: cache-cluster - filters: - - type: value - key: length(LogDeliveryConfigurations[].[LogType=='slow-log' || LogType=='engine-log'][]) - op: lt - value: 2 - - type: value - key: Engine - value: "redis" - comment: '0019062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-453-elasticache_redis_logs_enabled + comment: '010019062000' + description: | + Elasticache Redis logs disabled + resource: cache-cluster + filters: + - type: value + key: length(LogDeliveryConfigurations[].[LogType=='slow-log' || LogType=='engine-log'][]) + op: lt + value: 2 + - type: value + key: Engine + value: "redis" diff --git a/policies/ecc-aws-454-elasticache_notifications_enabled.yml b/policies/ecc-aws-454-elasticache_notifications_enabled.yml index 2df101861..74cede960 100644 --- a/policies/ecc-aws-454-elasticache_notifications_enabled.yml +++ b/policies/ecc-aws-454-elasticache_notifications_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-454-elasticache_notifications_enabled - description: | - Elasticache notification disabled - resource: cache-cluster - filters: - - type: value - key: NotificationConfiguration - value: absent - comment: '0032062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-454-elasticache_notifications_enabled + comment: '010032062000' + description: | + Elasticache notification disabled + resource: cache-cluster + filters: + - type: value + key: NotificationConfiguration + value: absent diff --git a/policies/ecc-aws-455-emr_termination_protection_enabled.yml b/policies/ecc-aws-455-emr_termination_protection_enabled.yml index c48fad76e..88e724786 100644 --- a/policies/ecc-aws-455-emr_termination_protection_enabled.yml +++ b/policies/ecc-aws-455-emr_termination_protection_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-455-emr_termination_protection_enabled - description: | - EMR termination protection not enabled - resource: emr - filters: - - type: value - key: TerminationProtected - value: false - comment: '0047052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-455-emr_termination_protection_enabled + comment: '010047052000' + description: | + EMR termination protection not enabled + resource: emr + filters: + - type: value + key: TerminationProtected + value: false diff --git a/policies/ecc-aws-456-emr_imdsv1_disabled.yml b/policies/ecc-aws-456-emr_imdsv1_disabled.yml index 4e0d7abe2..97d0c7425 100644 --- a/policies/ecc-aws-456-emr_imdsv1_disabled.yml +++ b/policies/ecc-aws-456-emr_imdsv1_disabled.yml 
@@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-456-emr_imdsv1_disabled - description: | - EMR clusters imdsv1 enabled - resource: aws.emr - filters: - - type: value - key: Status.State - op: in - value: [RUNNING, WAITING] - - not: - - type: security-configuration - key: InstanceMetadataServiceConfiguration.MinimumInstanceMetadataServiceVersion - op: eq - value: 2 - comment: '0024052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-456-emr_imdsv1_disabled + comment: '010024052000' + description: | + EMR clusters imdsv1 enabled + resource: aws.emr + filters: + - type: value + key: Status.State + op: in + value: [RUNNING, WAITING] + - not: + - type: security-configuration + key: InstanceMetadataServiceConfiguration.MinimumInstanceMetadataServiceVersion + op: eq + value: 2 diff --git a/policies/ecc-aws-457-glue_spark_ui_monitoring_enabled.yml b/policies/ecc-aws-457-glue_spark_ui_monitoring_enabled.yml index d79d8477f..316f393cc 100644 --- a/policies/ecc-aws-457-glue_spark_ui_monitoring_enabled.yml +++ b/policies/ecc-aws-457-glue_spark_ui_monitoring_enabled.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-457-glue_spark_ui_monitoring_enabled - description: | - Glue job spark ui disabled - resource: aws.glue-job - filters: - - not: - - type: value - key: DefaultArguments."--enable-spark-ui"=='true' - value: true - comment: '0023052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-457-glue_spark_ui_monitoring_enabled + comment: '010023052000' + description: | + Glue job spark ui disabled + resource: aws.glue-job + filters: + - not: + - type: value + key: DefaultArguments."--enable-spark-ui"=='true' + value: true diff --git a/policies/ecc-aws-458-lambda_functions_enhanced_monitoring_enabled.yml b/policies/ecc-aws-458-lambda_functions_enhanced_monitoring_enabled.yml index 7659cb603..fbe0f48df 100644 --- a/policies/ecc-aws-458-lambda_functions_enhanced_monitoring_enabled.yml +++ b/policies/ecc-aws-458-lambda_functions_enhanced_monitoring_enabled.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-458-lambda_functions_enhanced_monitoring_enabled - description: | - Enhanced Monitoring for Lambda Functions disabled - resource: aws.lambda - filters: - - not: - - type: value - key: contains(keys(@), 'Layers') && join(' ,', Layers[].Arn[]) - value: '.*arn:aws:lambda:.*:[0-9]{12}:layer:LambdaInsightsExtension:[0-9]*.*' - op: regex - comment: '0032032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-458-lambda_functions_enhanced_monitoring_enabled + comment: '010032032000' + description: | + Enhanced Monitoring for Lambda Functions disabled + resource: aws.lambda + filters: + - not: + - type: value + key: contains(keys(@), 'Layers') && join(' ,', Layers[].Arn[]) + value: '.*arn:aws:lambda:.*:[0-9]{12}:layer:LambdaInsightsExtension:[0-9]*.*' + op: regex diff --git a/policies/ecc-aws-460-lambda_environment_variables_encrypted_in_transit.yml b/policies/ecc-aws-460-lambda_environment_variables_encrypted_in_transit.yml index d66cf65b0..250077fb7 100644 --- a/policies/ecc-aws-460-lambda_environment_variables_encrypted_in_transit.yml +++ b/policies/ecc-aws-460-lambda_environment_variables_encrypted_in_transit.yml 
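Review bot: The `value` regex in ecc-aws-458 only recognises a layer named exactly `LambdaInsightsExtension` in the `aws` partition, so functions that attach the Arm64 variant of the layer (`LambdaInsightsExtension-Arm64`), or that run in another partition, would be reported as having enhanced monitoring disabled. A more tolerant pattern would be `value: '.*arn:aws[a-z-]*:lambda:.*:[0-9]{12}:layer:LambdaInsightsExtension(-Arm64)?:[0-9]+.*'`. Note also that `[0-9]*` accepts an empty version, which `[0-9]+` tightens. The commit itself only moves `comment`, so this predates the change, but it is worth fixing while the file is being rewritten.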
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-460-lambda_environment_variables_encrypted_in_transit - description: | - Lambda environment variables are not encrypted in transit - resource: aws.lambda - filters: - - type: value - key: Environment - value: present - - type: value - key: length(Environment.Variables.values(@) | [?!contains(@, 'AQICAH')]) > `0` - value: true - comment: '0044030400' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-460-lambda_environment_variables_encrypted_in_transit + comment: '010044030400' + description: | + Lambda environment variables are not encrypted in transit + resource: aws.lambda + filters: + - type: value + key: Environment + value: present + - type: value + key: length(Environment.Variables.values(@) | [?!contains(@, 'AQICAH')]) > `0` + value: true diff --git a/policies/ecc-aws-461-lambda_latest_runtime_environment_version.yml b/policies/ecc-aws-461-lambda_latest_runtime_environment_version.yml index cd79d63c1..1f9cab497 100644 --- a/policies/ecc-aws-461-lambda_latest_runtime_environment_version.yml +++ b/policies/ecc-aws-461-lambda_latest_runtime_environment_version.yml 
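Review bot: The second filter in ecc-aws-460 treats a variable as encrypted when the marker `AQICAH` appears anywhere in its value, because it uses `contains(@, 'AQICAH')`. That marker is, as far as I know, the typical base64 prefix of a KMS ciphertext blob, so `starts_with(@, 'AQICAH')` expresses the intent more precisely and avoids passing a plaintext value that merely embeds the string. It would also help to add a comment above the filter saying that this is a prefix heuristic rather than proof of encryption, for example `# heuristic: KMS ciphertext blobs are expected to start with AQICAH`. Behaviour when `Environment` is present but has no `Variables` map is not visible here and should be checked.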
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-461-lambda_latest_runtime_environment_version - description: | - Lambda functions not are not using latest runtime environment versions - resource: lambda - filters: - - type: value - key: PackageType - value: Zip - - not: - - type: value - key: Runtime - op: regex - value: '(nodejs18.x|python3.9|java11|dotnetcore3.1|dotnet6|go1.x|ruby2.7)' - comment: '0021032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-461-lambda_latest_runtime_environment_version + comment: '010021032000' + description: | + Lambda functions not are not using latest runtime environment versions + resource: lambda + filters: + - type: value + key: PackageType + value: Zip + - not: + - type: value + key: Runtime + op: regex + value: '(nodejs18.x|python3.9|java11|dotnetcore3.1|dotnet6|go1.x|ruby2.7)' diff --git a/policies/ecc-aws-462-lambda_concurrency_enabled.yml b/policies/ecc-aws-462-lambda_concurrency_enabled.yml index ca9eb090d..fcd21cb62 100644 --- a/policies/ecc-aws-462-lambda_concurrency_enabled.yml +++ b/policies/ecc-aws-462-lambda_concurrency_enabled.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-462-lambda_concurrency_enabled - resource: lambda + comment: '010031032000' description: | Lambda reserved concurrency disabled + resource: lambda filters: - type: reserved-concurrency key: c7n:FunctionInfo.Concurrency.ReservedConcurrentExecutions value: absent - comment: '0031032000' \ No newline at end of file 
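Review bot: The runtime allow-list regex in ecc-aws-461 has unescaped dots and no end anchor, so `.` matches any character and any suffix after an allowed name is accepted; Cloud Custodian's `regex` op anchors only at the start of the value. Writing it as `value: '^(nodejs18\.x|python3\.9|java11|dotnetcore3\.1|dotnet6|go1\.x|ruby2\.7)$'` makes the match exact. The list is also hard-coded, so a policy that claims to check for the latest runtime will drift as runtimes are retired; a comment recording when the list was last reviewed would help. While the file is being rewritten, the description's "not are not using" could be corrected to "are not using".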
diff --git a/policies/ecc-aws-463-bucket_not_dns_compliant.yml b/policies/ecc-aws-463-bucket_not_dns_compliant.yml index 7e86698c4..76aa0ebfd 100644 --- a/policies/ecc-aws-463-bucket_not_dns_compliant.yml +++ b/policies/ecc-aws-463-bucket_not_dns_compliant.yml @@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-463-bucket_not_dns_compliant - description: | - S3 bucket is not DNS compliant - resource: s3 - filters: - - not: - - type: value - key: Name - op: regex - value: '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$' - comment: '0020042001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-463-bucket_not_dns_compliant + comment: '010020042001' + description: | + S3 bucket is not DNS compliant + resource: s3 + filters: + - not: + - type: value + key: Name + op: regex + value: '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$' diff --git a/policies/ecc-aws-464-ecs_exec_logging_enabled.yml b/policies/ecc-aws-464-ecs_exec_logging_enabled.yml index ca3d111e7..84925533d 100644 --- a/policies/ecc-aws-464-ecs_exec_logging_enabled.yml +++ b/policies/ecc-aws-464-ecs_exec_logging_enabled.yml 
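Review bot: In ecc-aws-463 the bucket-name check uses `op: regex`, which Cloud Custodian evaluates case-insensitively, so `[a-z0-9]` also matches uppercase letters and a legacy bucket name containing capitals would not be reported as DNS non-compliant. Switching the operator to `op: regex-case` keeps the pattern as written and makes the lowercase requirement effective. The pattern otherwise rejects dots, which is presumably intended for TLS with virtual-hosted-style access; a one-line comment saying so would save the next reader from wondering.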
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-464-ecs_exec_logging_enabled - description: | - ECS Cluster execute command logging is disabled - resource: aws.ecs - filters: - - and: - - type: value - key: configuration.executeCommandConfiguration.logConfiguration.cloudWatchLogGroupName - value: absent - - type: value - key: configuration.executeCommandConfiguration.logConfiguration.s3BucketName - value: absent - comment: '0019082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-464-ecs_exec_logging_enabled + comment: '010019082000' + description: | + ECS Cluster execute command logging is disabled + resource: aws.ecs + filters: + - and: + - type: value + key: configuration.executeCommandConfiguration.logConfiguration.cloudWatchLogGroupName + value: absent + - type: value + key: configuration.executeCommandConfiguration.logConfiguration.s3BucketName + value: absent diff --git a/policies/ecc-aws-465-fsx_daily_automatic_backup_enabled.yml b/policies/ecc-aws-465-fsx_daily_automatic_backup_enabled.yml index b27350d37..d120d3787 100644 --- a/policies/ecc-aws-465-fsx_daily_automatic_backup_enabled.yml +++ b/policies/ecc-aws-465-fsx_daily_automatic_backup_enabled.yml 
@@ -1,63 +1,63 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-465-fsx_daily_automatic_backup_enabled - description: | - FSx file systems do not have retention period set - resource: aws.fsx - filters: - - or: - - and: - - type: value - key: FileSystemType - value: LUSTRE - - type: value - key: LustreConfiguration.DeploymentType - op: in - value: [PERSISTENT_1, PERSISTENT_2] - - or: - - type: value - key: LustreConfiguration.AutomaticBackupRetentionDays - value: 0 - - type: value - key: LustreConfiguration.AutomaticBackupRetentionDays - value: absent - - and: - - type: value - key: FileSystemType - value: OPENZFS - - or: - - type: value - key: OpenZFSConfiguration.AutomaticBackupRetentionDays - value: 0 - - type: value - key: OpenZFSConfiguration.AutomaticBackupRetentionDays - value: absent - - and: - - type: value - key: FileSystemType - value: ONTAP - - or: - - type: value - key: OntapConfiguration.AutomaticBackupRetentionDays - value: 0 - - type: value - key: OntapConfiguration.AutomaticBackupRetentionDays - value: absent - - and: - - type: value - key: FileSystemType - value: WINDOWS - - or: - - type: value - key: WindowsConfiguration.AutomaticBackupRetentionDays - value: 0 - - type: value - key: WindowsConfiguration.AutomaticBackupRetentionDays - value: absent - comment: '0049042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
+ + +policies: + - name: ecc-aws-465-fsx_daily_automatic_backup_enabled + comment: '010049042000' + description: | + FSx file systems do not have retention period set + resource: aws.fsx + filters: + - or: + - and: + - type: value + key: FileSystemType + value: LUSTRE + - type: value + key: LustreConfiguration.DeploymentType + op: in + value: [PERSISTENT_1, PERSISTENT_2] + - or: + - type: value + key: LustreConfiguration.AutomaticBackupRetentionDays + value: 0 + - type: value + key: LustreConfiguration.AutomaticBackupRetentionDays + value: absent + - and: + - type: value + key: FileSystemType + value: OPENZFS + - or: + - type: value + key: OpenZFSConfiguration.AutomaticBackupRetentionDays + value: 0 + - type: value + key: OpenZFSConfiguration.AutomaticBackupRetentionDays + value: absent + - and: + - type: value + key: FileSystemType + value: ONTAP + - or: + - type: value + key: OntapConfiguration.AutomaticBackupRetentionDays + value: 0 + - type: value + key: OntapConfiguration.AutomaticBackupRetentionDays + value: absent + - and: + - type: value + key: FileSystemType + value: WINDOWS + - or: + - type: value + key: WindowsConfiguration.AutomaticBackupRetentionDays + value: 0 + - type: value + key: WindowsConfiguration.AutomaticBackupRetentionDays + value: absent diff --git a/policies/ecc-aws-466-fsx_netapp_ontap_multi_az_enabled.yml b/policies/ecc-aws-466-fsx_netapp_ontap_multi_az_enabled.yml index e9dcc5114..1d292eb43 100644 --- a/policies/ecc-aws-466-fsx_netapp_ontap_multi_az_enabled.yml +++ b/policies/ecc-aws-466-fsx_netapp_ontap_multi_az_enabled.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-466-fsx_netapp_ontap_multi_az_enabled - description: | - FSx for NetApp ONTAP file systems do not have Multi-AZ enabled - resource: aws.fsx - filters: - - type: value - key: FileSystemType - value: ONTAP - - type: value - key: OntapConfiguration.DeploymentType - value: SINGLE_AZ_1 - comment: '0050042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-466-fsx_netapp_ontap_multi_az_enabled + comment: '010050042000' + description: | + FSx for NetApp ONTAP file systems do not have Multi-AZ enabled + resource: aws.fsx + filters: + - type: value + key: FileSystemType + value: ONTAP + - type: value + key: OntapConfiguration.DeploymentType + value: SINGLE_AZ_1 diff --git a/policies/ecc-aws-467-fsx_windows_file_server_multi_az_enabled.yml b/policies/ecc-aws-467-fsx_windows_file_server_multi_az_enabled.yml index e1aebe62b..d61af4b48 100644 --- a/policies/ecc-aws-467-fsx_windows_file_server_multi_az_enabled.yml +++ b/policies/ecc-aws-467-fsx_windows_file_server_multi_az_enabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-467-fsx_windows_file_server_multi_az_enabled - description: | - FSx for for Windows File Server file systems do not have Multi-AZ enabled - resource: aws.fsx - filters: - - type: value - key: FileSystemType - value: WINDOWS - - not: - - type: value - key: WindowsConfiguration.DeploymentType - value: MULTI_AZ_1 - comment: '0050042000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-467-fsx_windows_file_server_multi_az_enabled + comment: '010050042000' + description: | + FSx for for Windows File Server file systems do not have Multi-AZ enabled + resource: aws.fsx + filters: + - type: value + key: FileSystemType + value: WINDOWS + - not: + - type: value + key: WindowsConfiguration.DeploymentType + value: MULTI_AZ_1 diff --git a/policies/ecc-aws-469-alb_desync_mode_check.yml b/policies/ecc-aws-469-alb_desync_mode_check.yml index 60c9eb90b..3c913cf67 100644 --- a/policies/ecc-aws-469-alb_desync_mode_check.yml +++ b/policies/ecc-aws-469-alb_desync_mode_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-469-alb_desync_mode_check + comment: '010046022000' description: | Application Load Balancers are not configured with defensive or strictest desync mitigation mode resource: aws.app-elb @@ -14,4 +15,3 @@ policies: - type: attributes key: routing.http.desync_mitigation_mode value: "monitor" - comment: '0046022000' \ No newline at end of file 
diff --git a/policies/ecc-aws-470-api_gw_endpoint_type_check.yml b/policies/ecc-aws-470-api_gw_endpoint_type_check.yml index d4b1f2613..955aaba92 100644 --- a/policies/ecc-aws-470-api_gw_endpoint_type_check.yml +++ b/policies/ecc-aws-470-api_gw_endpoint_type_check.yml @@ -7,12 +7,12 @@ policies: - name: ecc-aws-470-api_gw_endpoint_type_check + comment: '010039022010' description: | API Gateway endpoint type not set correctly resource: rest-api filters: - not: - - type: value - key: endpointConfiguration.types[0] - value: EDGE - comment: '0039022010' \ No newline at end of file + - type: value + key: endpointConfiguration.types[0] + value: EDGE diff --git a/policies/ecc-aws-471-autoscaling_groups_capacity_rebalancing_enabled.yml b/policies/ecc-aws-471-autoscaling_groups_capacity_rebalancing_enabled.yml index db0ed6693..2a9a69c2f 100644 --- a/policies/ecc-aws-471-autoscaling_groups_capacity_rebalancing_enabled.yml +++ b/policies/ecc-aws-471-autoscaling_groups_capacity_rebalancing_enabled.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-471-autoscaling_groups_capacity_rebalancing_enabled - resource: aws.asg - description: | - Auto Scaling Groups do not use rebalacing capacity - filters: - - not: - - type: value - key: CapacityRebalance - value: true - comment: '0050032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-471-autoscaling_groups_capacity_rebalancing_enabled + comment: '010050032000' + description: | + Auto Scaling Groups do not use rebalacing capacity + resource: aws.asg + filters: + - not: + - type: value + key: CapacityRebalance + value: true diff --git a/policies/ecc-aws-472-autoscaling_launchconfig_requires_imdsv2.yml b/policies/ecc-aws-472-autoscaling_launchconfig_requires_imdsv2.yml index 5963beb0c..5e5f8d156 100644 --- a/policies/ecc-aws-472-autoscaling_launchconfig_requires_imdsv2.yml +++ b/policies/ecc-aws-472-autoscaling_launchconfig_requires_imdsv2.yml @@ -7,9 +7,10 @@ policies: - name: ecc-aws-472-autoscaling_launchconfig_requires_imdsv2 - resource: launch-config + comment: '010024032000' description: | Auto Scaling launch configuration IMDSv1 enabled + resource: launch-config filters: - not: - type: value @@ -18,4 +19,3 @@ policies: - type: value key: MetadataOptions.HttpEndpoint value: enabled - comment: '0024032000' \ No newline at end of file diff --git a/policies/ecc-aws-473-clb_desync_mode_check.yml b/policies/ecc-aws-473-clb_desync_mode_check.yml index bbdda0e6f..aafbfeda3 100644 
--- a/policies/ecc-aws-473-clb_desync_mode_check.yml +++ b/policies/ecc-aws-473-clb_desync_mode_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-473-clb_desync_mode_check + comment: '010046022000' description: | Classic Load Balancers are not configured with defensive or strictest desync mitigation mode resource: aws.elb @@ -15,4 +16,3 @@ policies: key: AdditionalAttributes[?Key=='elb.http.desyncmitigationmode'].[Value=='monitor'][][] op: contains value: true - comment: '0046022000' \ No newline at end of file diff --git a/policies/ecc-aws-474-clb-multiple_az.yml b/policies/ecc-aws-474-clb-multiple_az.yml index 74ce45a7b..e2648128c 100644 --- a/policies/ecc-aws-474-clb-multiple_az.yml +++ b/policies/ecc-aws-474-clb-multiple_az.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-474-clb-multiple_az + comment: '010050022000' description: | Classic Load Balancers are not configured with multiple Availability Zones resource: aws.elb @@ -14,4 +15,3 @@ policies: - type: value key: AvailabilityZones[1] value: absent - comment: '0050022000' \ No newline at end of file diff --git a/policies/ecc-aws-475-clb_cross_zone_load_balancing_enabled.yml b/policies/ecc-aws-475-clb_cross_zone_load_balancing_enabled.yml index 126ad0776..cb5ee4a27 100644 --- a/policies/ecc-aws-475-clb_cross_zone_load_balancing_enabled.yml +++ b/policies/ecc-aws-475-clb_cross_zone_load_balancing_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-475-clb_cross_zone_load_balancing_enabled + comment: '010050022000' description: | Classic Load Balancers are not configured with cross-zone load balancing. resource: aws.elb @@ -14,4 +15,3 @@ policies: - type: attributes key: CrossZoneLoadBalancing.Enabled value: false - comment: '0050022000' \ No newline at end of file diff --git a/policies/ecc-aws-476-cloudformation_stack_drift_detection_check.yml b/policies/ecc-aws-476-cloudformation_stack_drift_detection_check.yml index 751d0377b..69ae18a91 100644 
--- a/policies/ecc-aws-476-cloudformation_stack_drift_detection_check.yml +++ b/policies/ecc-aws-476-cloudformation_stack_drift_detection_check.yml @@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-476-cloudformation_stack_drift_detection_check - description: | - CloudFormation Stack has been drifted - resource: aws.cfn - filters: - - not: - - type: value - key: DriftInformation.StackDriftStatus - value: "IN_SYNC" - - type: value - key: StackStatus - op: in - value: ["CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED"] - comment: '0020132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-476-cloudformation_stack_drift_detection_check + comment: '010020132000' + description: | + CloudFormation Stack has been drifted + resource: aws.cfn + filters: + - not: + - type: value + key: DriftInformation.StackDriftStatus + value: "IN_SYNC" + - type: value + key: StackStatus + op: in + value: ["CREATE_COMPLETE", "UPDATE_COMPLETE", "UPDATE_ROLLBACK_COMPLETE", "UPDATE_ROLLBACK_FAILED"] diff --git a/policies/ecc-aws-478-cloudfront_sni_enabled.yml b/policies/ecc-aws-478-cloudfront_sni_enabled.yml index 64efa6447..32b5e762c 100644 --- a/policies/ecc-aws-478-cloudfront_sni_enabled.yml +++ b/policies/ecc-aws-478-cloudfront_sni_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-478-cloudfront_sni_enabled + comment: '010023022001' description: | Cloudfront Distribution not uses SNI resource: aws.distribution 
@@ -21,4 +22,3 @@ policies: - type: value key: ViewerCertificate.CertificateSource value: cloudfront - comment: '0023022001' \ No newline at end of file diff --git a/policies/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk.yml b/policies/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk.yml index 3694ceda8..bc45c01ec 100644 --- a/policies/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-479-cloudwatch_log_group_encrypted_with_kms_cmk + comment: '010043012000' description: | AWS CloudWatch log groups are not encrypted with KMS CMK resource: log-group @@ -15,4 +16,3 @@ policies: - type: kms-key key: KeyManager value: CUSTOMER - comment: '0043012000' \ No newline at end of file diff --git a/policies/ecc-aws-480-codebuild_project_artifact_encryption.yml b/policies/ecc-aws-480-codebuild_project_artifact_encryption.yml index e618327bc..a71c44148 100644 --- a/policies/ecc-aws-480-codebuild_project_artifact_encryption.yml +++ b/policies/ecc-aws-480-codebuild_project_artifact_encryption.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-480-codebuild_project_artifact_encryption - description: | - CodeBuild project artifact encryption disabled - resource: codebuild - filters: - - type: value - key: artifacts.encryptionDisabled - value: true - comment: '0043132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-480-codebuild_project_artifact_encryption + comment: '010043132000' + description: | + CodeBuild project artifact encryption disabled + resource: codebuild + filters: + - type: value + key: artifacts.encryptionDisabled + value: true diff --git a/policies/ecc-aws-481-codebuild_project_environment_privileged_check.yml b/policies/ecc-aws-481-codebuild_project_environment_privileged_check.yml index 3291e54bd..17e7df478 100644 --- a/policies/ecc-aws-481-codebuild_project_environment_privileged_check.yml +++ b/policies/ecc-aws-481-codebuild_project_environment_privileged_check.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-481-codebuild_project_environment_privileged_check - description: | - CodeBuild project environment privileged mode is set to true - resource: codebuild - filters: - - type: value - key: environment.privilegedMode - value: true - comment: '0023132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-481-codebuild_project_environment_privileged_check + comment: '010023132000' + description: | + CodeBuild project environment privileged mode is set to true + resource: codebuild + filters: + - type: value + key: environment.privilegedMode + value: true diff --git a/policies/ecc-aws-482-codebuild_project_logging_enabled.yml b/policies/ecc-aws-482-codebuild_project_logging_enabled.yml index 74a0df5e5..f571f1abd 100644 --- a/policies/ecc-aws-482-codebuild_project_logging_enabled.yml +++ b/policies/ecc-aws-482-codebuild_project_logging_enabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-482-codebuild_project_logging_enabled - description: | - CodeBuild project logging in disabled - resource: codebuild - filters: - - or: - - type: value - key: logsConfig.s3Logs.status - value: "DISABLED" - - type: value - key: logsConfig.cloudWatchLogs.status - value: "DISABLED" - comment: '0019132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-482-codebuild_project_logging_enabled + comment: '010019132000' + description: | + CodeBuild project logging in disabled + resource: codebuild + filters: + - or: + - type: value + key: logsConfig.s3Logs.status + value: "DISABLED" + - type: value + key: logsConfig.cloudWatchLogs.status + value: "DISABLED" diff --git a/policies/ecc-aws-483-codebuild_project_s3_logs_encrypted.yml b/policies/ecc-aws-483-codebuild_project_s3_logs_encrypted.yml index a963078a7..2f5a9e1eb 100644 --- a/policies/ecc-aws-483-codebuild_project_s3_logs_encrypted.yml +++ b/policies/ecc-aws-483-codebuild_project_s3_logs_encrypted.yml 
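Review bot: The `or` block under `filters` in ecc-aws-482 matches as soon as either `logsConfig.s3Logs.status` or `logsConfig.cloudWatchLogs.status` is `DISABLED`, so a project that logs to CloudWatch but not to S3 is reported even though its build logs exist. If the policy is meant to find projects with no build logging at all, which is how the description reads, the combinator should be `- and:`. The description has a typo as well; `CodeBuild project logging is disabled` is the intended wording. It is also worth confirming how the filter behaves when one of the two status keys is missing from the resource, since a missing key does not equal `"DISABLED"`.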
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-483-codebuild_project_s3_logs_encrypted - description: | - CodeBuild S3 logs are not encrypted - resource: aws.codebuild - filters: - - type: value - key: logsConfig.s3Logs.status - value: "ENABLED" - - type: value - key: logsConfig.s3Logs.encryptionDisabled - value: true - comment: '0043132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-483-codebuild_project_s3_logs_encrypted + comment: '010043132000' + description: | + CodeBuild S3 logs are not encrypted + resource: aws.codebuild + filters: + - type: value + key: logsConfig.s3Logs.status + value: "ENABLED" + - type: value + key: logsConfig.s3Logs.encryptionDisabled + value: true diff --git a/policies/ecc-aws-484-codedeploy_auto_rollback_monitor_enabled.yml b/policies/ecc-aws-484-codedeploy_auto_rollback_monitor_enabled.yml index d87d1d84d..df076747d 100644 --- a/policies/ecc-aws-484-codedeploy_auto_rollback_monitor_enabled.yml +++ b/policies/ecc-aws-484-codedeploy_auto_rollback_monitor_enabled.yml 
@@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-484-codedeploy_auto_rollback_monitor_enabled - description: | - CodeDeploy AutoRollbackConfiguration or AlarmConfiguration has not been configured or is not enabled. - resource: aws.codedeploy-group - filters: - - or: - - not: - - type: value - key: autoRollbackConfiguration.enabled - value: true - - type: value - key: alarmConfiguration.enabled - value: true - comment: '0031132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-484-codedeploy_auto_rollback_monitor_enabled + comment: '010031132000' + description: | + CodeDeploy AutoRollbackConfiguration or AlarmConfiguration has not been configured or is not enabled. + resource: aws.codedeploy-group + filters: + - or: + - not: + - type: value + key: autoRollbackConfiguration.enabled + value: true + - type: value + key: alarmConfiguration.enabled + value: true diff --git a/policies/ecc-aws-486-codedeploy_lambda_allatonce_traffic_shift_disabled.yml b/policies/ecc-aws-486-codedeploy_lambda_allatonce_traffic_shift_disabled.yml index 9d953543e..46313db96 100644 --- a/policies/ecc-aws-486-codedeploy_lambda_allatonce_traffic_shift_disabled.yml +++ b/policies/ecc-aws-486-codedeploy_lambda_allatonce_traffic_shift_disabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-486-codedeploy_lambda_allatonce_traffic_shift_disabled - description: | - CodeDeploy Lambda AllAtOnce traffic shift disabled - resource: aws.codedeploy-group - filters: - - and: - - type: value - key: deploymentConfigName - value: "CodeDeployDefault.LambdaAllAtOnce" - - type: value - key: computePlatform - value: Lambda - comment: '0020132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-486-codedeploy_lambda_allatonce_traffic_shift_disabled + comment: '010020132000' + description: | + CodeDeploy Lambda AllAtOnce traffic shift disabled + resource: aws.codedeploy-group + filters: + - and: + - type: value + key: deploymentConfigName + value: "CodeDeployDefault.LambdaAllAtOnce" + - type: value + key: computePlatform + value: Lambda diff --git a/policies/ecc-aws-487-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk.yml b/policies/ecc-aws-487-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk.yml index b6ce5f9a3..f718b8be5 100644 --- a/policies/ecc-aws-487-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk.yml +++ b/policies/ecc-aws-487-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-487-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk - description: | - CodePipeline s3 artifact bucket is not encrypted with KMS CMK - resource: aws.codepipeline - filters: - - not: - - type: value - key: artifactStore.encryptionKey.type - value: KMS - comment: '0043132000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-487-codepipeline_s3_artifact_bucket_encrypted_with_kms_cmk + comment: '010043132000' + description: | + CodePipeline s3 artifact bucket is not encrypted with KMS CMK + resource: aws.codepipeline + filters: + - not: + - type: value + key: artifactStore.encryptionKey.type + value: KMS diff --git a/policies/ecc-aws-488-cloudwatch_log_group_retention_period_check.yml b/policies/ecc-aws-488-cloudwatch_log_group_retention_period_check.yml index e91257a31..3c3304961 100644 --- a/policies/ecc-aws-488-cloudwatch_log_group_retention_period_check.yml +++ b/policies/ecc-aws-488-cloudwatch_log_group_retention_period_check.yml 
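Review bot: The filter in ecc-aws-487 reads only `artifactStore.encryptionKey.type`, and the `not` wrapper turns a missing key into a match. Pipelines with cross-region actions declare their buckets under `artifactStores` (a per-region map) instead of `artifactStore`, so they would presumably be reported whatever their encryption settings are, while each regional store goes unexamined. Please confirm against such a pipeline and either add a second branch over `artifactStores` or state the limitation in a comment, for example `# only single-region pipelines (artifactStore) are evaluated`.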
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-488-cloudwatch_log_group_retention_period_check - description: | - CloudWatch Log Group does not have retention period set correctly - resource: log-group - filters: - - not: - - type: value - key: retentionInDays - op: eq - value: 180 - comment: '0049012010' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-488-cloudwatch_log_group_retention_period_check + comment: '010049012010' + description: | + CloudWatch Log Group does not have retention period set correctly + resource: log-group + filters: + - not: + - type: value + key: retentionInDays + op: eq + value: 180 diff --git a/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml b/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml index 4b02b4b48..bb1089fbe 100644 --- a/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml +++ b/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-489-ec2_instance_detailed_monitoring_enabled + comment: '010032030400' description: | EC2 instances detailed monitoring disabled resource: aws.ec2 @@ -14,4 +15,3 @@ policies: - type: value key: Monitoring.State value: disabled - comment: '0032030400' \ No newline at end of file diff --git a/policies/ecc-aws-490-ec2_token_hop_limit_check.yml b/policies/ecc-aws-490-ec2_token_hop_limit_check.yml index ffca05735..0e9ee97d1 100644 --- a/policies/ecc-aws-490-ec2_token_hop_limit_check.yml 
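Review bot: The `not` around `key: retentionInDays`, `op: eq`, `value: 180` in ecc-aws-488 reports every log group whose retention is anything other than exactly 180 days. That includes groups that keep logs longer (365 days, say) and presumably groups that never expire, where `retentionInDays` is absent. For a log-retention control, longer retention is normally acceptable, so this produces findings on the safer configurations. If 180 is a minimum, drop the `not` and use `op: lt` with `value: 180`, then decide explicitly whether never-expiring groups pass. If exactly 180 is required, the description should say so instead of `set correctly`.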
+++ b/policies/ecc-aws-490-ec2_token_hop_limit_check.yml @@ -7,12 +7,12 @@ policies: - name: ecc-aws-490-ec2_token_hop_limit_check - resource: aws.ec2 + comment: '010024032010' description: | EC2 instances token hop limit set correctly + resource: aws.ec2 filters: - not: - - type: value - key: MetadataOptions.HttpPutResponseHopLimit - value: 1 - comment: '0024032010' \ No newline at end of file + - type: value + key: MetadataOptions.HttpPutResponseHopLimit + value: 1 diff --git a/policies/ecc-aws-491-ec2_transit_gateway_auto_vpc_attach_disabled.yml b/policies/ecc-aws-491-ec2_transit_gateway_auto_vpc_attach_disabled.yml index c1ac784c1..31b3d4d61 100644 --- a/policies/ecc-aws-491-ec2_transit_gateway_auto_vpc_attach_disabled.yml +++ b/policies/ecc-aws-491-ec2_transit_gateway_auto_vpc_attach_disabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-491-ec2_transit_gateway_auto_vpc_attach_disabled + comment: '010024022000' description: | Transit gateway automatically accept VPC attachment requests resource: aws.transit-gateway @@ -14,4 +15,3 @@ policies: - type: value key: Options.AutoAcceptSharedAttachments value: enable - comment: '0024022000' \ No newline at end of file diff --git a/policies/ecc-aws-492-ecr_private_lifecycle_policy_configured.yml b/policies/ecc-aws-492-ecr_private_lifecycle_policy_configured.yml index b95b4ba5e..e58177cec 100644 --- a/policies/ecc-aws-492-ecr_private_lifecycle_policy_configured.yml +++ b/policies/ecc-aws-492-ecr_private_lifecycle_policy_configured.yml 
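Review bot: The description `EC2 instances token hop limit set correctly` in ecc-aws-490 states the compliant condition, while the filter (`not` around `MetadataOptions.HttpPutResponseHopLimit` equal to `1`) selects instances whose hop limit is something other than 1. The other policies in this change describe the finding, so a report row for this rule reads as the opposite of what was detected. Suggest `EC2 instances metadata token hop limit is not set to 1`. The rule checks the hop limit only; whether `MetadataOptions.HttpTokens` is `required` is not evaluated here and is presumably handled by a separate policy.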
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-492-ecr_private_lifecycle_policy_configured - description: | - ECR repository does not have any lifecycle policies configured - resource: aws.ecr - filters: - - type: lifecycle-rule - state: False - comment: '0001082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-492-ecr_private_lifecycle_policy_configured + comment: '010001082000' + description: | + ECR repository does not have any lifecycle policies configured + resource: aws.ecr + filters: + - type: lifecycle-rule + state: false diff --git a/policies/ecc-aws-494-ecs_fargate_latest_platform_version.yml b/policies/ecc-aws-494-ecs_fargate_latest_platform_version.yml index 7e911573e..a4815a9de 100644 --- a/policies/ecc-aws-494-ecs_fargate_latest_platform_version.yml +++ b/policies/ecc-aws-494-ecs_fargate_latest_platform_version.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-494-ecs_fargate_latest_platform_version + comment: '010021082000' description: | ECS Fargate not latest platform version resource: ecs-service @@ -15,4 +16,3 @@ policies: - type: value key: platformVersion value: LATEST - comment: '0021082000' \ No newline at end of file diff --git a/policies/ecc-aws-495-ecs_task_definition_memory_hard_limit.yml b/policies/ecc-aws-495-ecs_task_definition_memory_hard_limit.yml index 512e89930..2d133830a 100644 --- a/policies/ecc-aws-495-ecs_task_definition_memory_hard_limit.yml +++ b/policies/ecc-aws-495-ecs_task_definition_memory_hard_limit.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-495-ecs_task_definition_memory_hard_limit - description: | - Amazon ECS task definitions memory hard limit is not set - resource: ecs-task-definition - filters: - - type: value - key: containerDefinitions[].memory - value: empty - comment: '0020082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-495-ecs_task_definition_memory_hard_limit + comment: '010020082000' + description: | + Amazon ECS task definitions memory hard limit is not set + resource: ecs-task-definition + filters: + - type: value + key: containerDefinitions[].memory + value: empty diff --git a/policies/ecc-aws-496-ecs_task_definition_pid_mode_check.yml b/policies/ecc-aws-496-ecs_task_definition_pid_mode_check.yml index 7f97cf315..5e2d08a58 100644 --- a/policies/ecc-aws-496-ecs_task_definition_pid_mode_check.yml +++ b/policies/ecc-aws-496-ecs_task_definition_pid_mode_check.yml 
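Review bot: `key: containerDefinitions[].memory` with `value: empty` in ecc-aws-495 only matches when no container in the task definition has a hard limit. The JMESPath projection drops containers without `memory`, so a definition with one limited and one unlimited container yields a non-empty list and is not reported. If every container must carry a limit, the expression should select the containers that lack one, for example `key: "containerDefinitions[?!memory]"` with `value: not-null` (to be verified against the value filter's handling of an empty list). Otherwise the description should be narrowed to say that no container sets a hard limit.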
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-496-ecs_task_definition_pid_mode_check - description: | - Amazon ECS task definitions pid mode set to 'host' - resource: ecs-task-definition - filters: - - type: value - key: pidMode - value: host - comment: '0023082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-496-ecs_task_definition_pid_mode_check + comment: '010023082000' + description: | + Amazon ECS task definitions pid mode set to 'host' + resource: ecs-task-definition + filters: + - type: value + key: pidMode + value: host diff --git a/policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml b/policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml index b1f20a6ba..bf2a65c55 100644 --- a/policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml +++ b/policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-497-eks_cluster_oldest_supported_version - description: | - EKS cluster is using unsupported version - resource: aws.eks - filters: - - type: value - key: version - value: "1.21" - op: lt - comment: '0021072000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-497-eks_cluster_oldest_supported_version + comment: '010021072000' + description: | + EKS cluster is using unsupported version + resource: aws.eks + filters: + - type: value + key: version + value: "1.21" + op: lt diff --git a/policies/ecc-aws-498-elbv2_multiple_az.yml b/policies/ecc-aws-498-elbv2_multiple_az.yml index 09e98c7e6..cc7b6bce6 100644 --- a/policies/ecc-aws-498-elbv2_multiple_az.yml +++ b/policies/ecc-aws-498-elbv2_multiple_az.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-498-elbv2_multiple_az + comment: '010050022000' description: | Application, Gateway and Network Load Balancers are not configured with multiple Availability Zones resource: aws.app-elb @@ -14,4 +15,3 @@ policies: - type: value key: AvailabilityZones[1] value: absent - comment: '0050022000' \ No newline at end of file diff --git a/policies/ecc-aws-499-iam_group_has_users_check.yml b/policies/ecc-aws-499-iam_group_has_users_check.yml index 1862b190e..87f3a3838 100644 --- a/policies/ecc-aws-499-iam_group_has_users_check.yml +++ b/policies/ecc-aws-499-iam_group_has_users_check.yml 
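Review bot: `value: "1.21"` with `op: lt` in ecc-aws-497 compares the cluster version as a string, so the ordering is lexicographic rather than by version. A constructed example: `"1.9"` sorts above `"1.21"` and would not be reported. Cloud Custodian's value filter accepts `value_type: version`, which makes the comparison version-aware. The threshold is also a literal in the policy, so the rule silently under-reports as AWS retires EKS versions above 1.21. A comment such as `# oldest supported EKS version as of <date reviewed>` next to the value would make the staleness visible.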
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-499-iam_group_has_users_check - resource: aws.iam-group - description: | - IAM group doesn't have users - filters: - - type: has-users - value: false - comment: '0018002000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-499-iam_group_has_users_check + comment: '010018002000' + description: | + IAM group doesn't have users + resource: aws.iam-group + filters: + - type: has-users + value: false diff --git a/policies/ecc-aws-500-lambda_vpc_multi_az_check.yml b/policies/ecc-aws-500-lambda_vpc_multi_az_check.yml index 27db0a9bb..f8db9fc77 100644 --- a/policies/ecc-aws-500-lambda_vpc_multi_az_check.yml +++ b/policies/ecc-aws-500-lambda_vpc_multi_az_check.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-500-lambda_vpc_multi_az_check - description: | - Lambda functions are not operate in more than one Availability Zone - resource: aws.lambda - filters: - - type: value - key: VpcConfig - value: present - - type: value - key: VpcConfig.SubnetIds - value_type: size - value: 1 - comment: '0050032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-500-lambda_vpc_multi_az_check + comment: '010050032000' + description: | + Lambda functions are not operate in more than one Availability Zone + resource: aws.lambda + filters: + - type: value + key: VpcConfig + value: present + - type: value + key: VpcConfig.SubnetIds + value_type: size + value: 1 diff --git a/policies/ecc-aws-501-opensearch_access_control_enabled.yml b/policies/ecc-aws-501-opensearch_access_control_enabled.yml index dd3cab730..781397022 100644 --- a/policies/ecc-aws-501-opensearch_access_control_enabled.yml +++ b/policies/ecc-aws-501-opensearch_access_control_enabled.yml 
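Review bot: The second filter in ecc-aws-500 counts subnets (`key: VpcConfig.SubnetIds`, `value_type: size`, `value: 1`), not Availability Zones. A function attached to two subnets in the same AZ passes, although it still runs in a single zone. A function whose `VpcConfig` is present but has an empty `SubnetIds` list is not matched by `value: 1` either. If subnet count is the accepted approximation, document it with `# counts subnets, not distinct AZs`. Otherwise the check needs the subnets' zones, which this resource's own fields may not expose. The description should read `Lambda functions do not operate in more than one Availability Zone`.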
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-501-opensearch_access_control_enabled - description: | - Opensearch fine grained access control disabled - resource: elasticsearch - filters: - - type: value - key: AdvancedSecurityOptions.Enabled - value: false - comment: '0037052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-501-opensearch_access_control_enabled + comment: '010037052000' + description: | + Opensearch fine grained access control disabled + resource: elasticsearch + filters: + - type: value + key: AdvancedSecurityOptions.Enabled + value: false diff --git a/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml b/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml index 9f5e288b9..29a6f6234 100644 --- a/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml +++ b/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-502-rds_automatic_minor_version_upgrade_enabled - resource: aws.rds + comment: '010021060300' description: | AUtomatic minor version upgrade is not configured for RDS DB instances + resource: aws.rds filters: - type: value key: AutoMinorVersionUpgrade value: false - comment: '0021060300' \ No newline at end of file diff --git a/policies/ecc-aws-503-rds_cluster_default_admin_check.yml b/policies/ecc-aws-503-rds_cluster_default_admin_check.yml index 9b16895c0..cab9ab25b 100644 
--- a/policies/ecc-aws-503-rds_cluster_default_admin_check.yml +++ b/policies/ecc-aws-503-rds_cluster_default_admin_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-503-rds_cluster_default_admin_check + comment: '010023062000' description: | Amazon RDS cluster uses default Admin username resource: rds-cluster @@ -18,4 +19,3 @@ policies: - type: value key: MasterUsername value: postgres - comment: '0023062000' \ No newline at end of file diff --git a/policies/ecc-aws-504-rds_instance_default_admin_check.yml b/policies/ecc-aws-504-rds_instance_default_admin_check.yml index 5a065f04a..2ac0a18d5 100644 --- a/policies/ecc-aws-504-rds_instance_default_admin_check.yml +++ b/policies/ecc-aws-504-rds_instance_default_admin_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-504-rds_instance_default_admin_check + comment: '010023062000' description: | Amazon RDS instance uses default Admin username resource: rds @@ -18,4 +19,3 @@ policies: - type: value key: MasterUsername value: postgres - comment: '0023062000' \ No newline at end of file diff --git a/policies/ecc-aws-505-redshift_default_admin_check.yml b/policies/ecc-aws-505-redshift_default_admin_check.yml index 65f280811..40c9a3753 100644 --- a/policies/ecc-aws-505-redshift_default_admin_check.yml +++ b/policies/ecc-aws-505-redshift_default_admin_check.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-505-redshift_default_admin_check + comment: '010023062000' description: | Amazon Redshift uses default Admin username resource: redshift @@ -14,4 +15,3 @@ policies: - type: value key: MasterUsername value: awsuser - comment: '0023062000' \ No newline at end of file diff --git a/policies/ecc-aws-506-redshift_default_db_name_check.yml b/policies/ecc-aws-506-redshift_default_db_name_check.yml index 5a5aa3863..3cc4a2e3c 100644 --- a/policies/ecc-aws-506-redshift_default_db_name_check.yml +++ b/policies/ecc-aws-506-redshift_default_db_name_check.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-506-redshift_default_db_name_check + comment: '010023062000' description: | Redshift clusters uses the default database name resource: redshift @@ -14,4 +15,3 @@ policies: - type: value key: DBName value: dev - comment: '0023062000' \ No newline at end of file diff --git a/policies/ecc-aws-507-sns_topic_message_delivery_notification_enabled.yml b/policies/ecc-aws-507-sns_topic_message_delivery_notification_enabled.yml index 8ddd675e8..e81b4d01a 100644 --- a/policies/ecc-aws-507-sns_topic_message_delivery_notification_enabled.yml +++ b/policies/ecc-aws-507-sns_topic_message_delivery_notification_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-507-sns_topic_message_delivery_notification_enabled + comment: '010019142000' description: | Amazon SNS topic message delivery notification is disabled resource: sns @@ -14,4 +15,3 @@ policies: - type: value key: HTTPSuccessFeedbackRoleArn || FirehoseSuccessFeedbackRoleArn || LambdaSuccessFeedbackRoleArn || ApplicationSuccessFeedbackRoleArn || SQSSuccessFeedbackRoleArn value: absent - comment: '0019142000' \ No newline at end of file diff --git a/policies/ecc-aws-508-mwaa_latest_version.yml b/policies/ecc-aws-508-mwaa_latest_version.yml index 615a7fe02..10a7ae96e 100644 --- a/policies/ecc-aws-508-mwaa_latest_version.yml +++ b/policies/ecc-aws-508-mwaa_latest_version.yml 
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-508-mwaa_latest_version - description: | - Managed Workflows for Apache Airflow not using latest version - resource: aws.airflow - filters: - - not: - - type: value - key: AirflowVersion - value: '2.4.3' - comment: '0021142000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-508-mwaa_latest_version + comment: '010021142000' + description: | + Managed Workflows for Apache Airflow not using latest version + resource: aws.airflow + filters: + - not: + - type: value + key: AirflowVersion + value: '2.4.3' diff --git a/policies/ecc-aws-509-dax_ecnrypted_in_transit.yml b/policies/ecc-aws-509-dax_ecnrypted_in_transit.yml index 842ca0502..ed68c93ef 100644 --- a/policies/ecc-aws-509-dax_ecnrypted_in_transit.yml +++ b/policies/ecc-aws-509-dax_ecnrypted_in_transit.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-509-dax_ecnrypted_in_transit - resource: aws.dax + comment: '010044062000' description: | DynamoDB Accelerator clusters encryption in transit of data is disabled + resource: aws.dax filters: - type: value key: ClusterEndpointEncryptionType value: NONE - comment: '0044062000' \ No newline at end of file diff --git a/policies/ecc-aws-510-unused_efs_filesystem.yml b/policies/ecc-aws-510-unused_efs_filesystem.yml index 5fc76c7cd..c3690478e 100644 --- a/policies/ecc-aws-510-unused_efs_filesystem.yml +++ b/policies/ecc-aws-510-unused_efs_filesystem.yml 
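Review bot: The `not` around `key: AirflowVersion`, `value: '2.4.3'` in ecc-aws-508 reports every environment that is not on exactly 2.4.3, so an environment upgraded to a newer Airflow release is flagged as out of date. Findings that are wrong in that direction push operators to ignore the rule. A lower-bound comparison avoids this: drop the `not` and use `op: lt` with `value_type: version`, keeping `value: '2.4.3'` as the minimum accepted version. Since the value still needs periodic review, a comment recording when it was last checked would help.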
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-510-unused_efs_filesystem + comment: '010002042000' description: | Unused Amazon EFS file systems resource: efs @@ -14,4 +15,3 @@ policies: - type: value key: NumberOfMountTargets value: 0 - comment: '0002042000' \ No newline at end of file diff --git a/policies/ecc-aws-511-clb_internet_facing.yml b/policies/ecc-aws-511-clb_internet_facing.yml index 14f1b1aaf..5f24a6dda 100644 --- a/policies/ecc-aws-511-clb_internet_facing.yml +++ b/policies/ecc-aws-511-clb_internet_facing.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-511-clb_internet_facing + comment: '010040022000' description: | Amazon CLB is internet facing resource: aws.elb @@ -14,4 +15,3 @@ policies: - type: value key: Scheme value: "internet-facing" - comment: '0040022000' \ No newline at end of file diff --git a/policies/ecc-aws-512-elb_internet_facing.yml b/policies/ecc-aws-512-elb_internet_facing.yml index 4036675d5..a84a184df 100644 --- a/policies/ecc-aws-512-elb_internet_facing.yml +++ b/policies/ecc-aws-512-elb_internet_facing.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-512-elb_internet_facing + comment: '010040022000' description: | Amazon ELB is internet facing resource: aws.app-elb @@ -14,4 +15,3 @@ policies: - type: value key: Scheme value: "internet-facing" - comment: '0040022000' \ No newline at end of file diff --git a/policies/ecc-aws-513-acm_certificate_not_using_a_minimum_of_2048-bit_key_for_rsa_certificate.yml b/policies/ecc-aws-513-acm_certificate_not_using_a_minimum_of_2048-bit_key_for_rsa_certificate.yml index 16defee36..2763128d9 100644 --- a/policies/ecc-aws-513-acm_certificate_not_using_a_minimum_of_2048-bit_key_for_rsa_certificate.yml +++ b/policies/ecc-aws-513-acm_certificate_not_using_a_minimum_of_2048-bit_key_for_rsa_certificate.yml 
@@ -7,6 +7,7 @@ policies: - name: ecc-aws-513-acm_certificate_not_using_a_minimum_of_2048-bit_key_for_rsa_certificate + comment: '010029102000' description: | ACM has certificates minimum rsa key is not 2048 bit resource: acm-certificate @@ -15,4 +16,3 @@ policies: key: KeyAlgorithm op: regex value: RSA-1024 - comment: '0029102000' \ No newline at end of file diff --git a/policies/ecc-aws-514-inactive_iam_access_keys_are_not_deleted.yml b/policies/ecc-aws-514-inactive_iam_access_keys_are_not_deleted.yml index 7622f01e6..1d9fce810 100644 --- a/policies/ecc-aws-514-inactive_iam_access_keys_are_not_deleted.yml +++ b/policies/ecc-aws-514-inactive_iam_access_keys_are_not_deleted.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-514-inactive_iam_access_keys_are_not_deleted - resource: aws.iam-user - description: | - Inactive access keys are not deleted - filters: - - type: credential - key: access_keys.active - value: false - comment: '0018002001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-514-inactive_iam_access_keys_are_not_deleted + comment: '010018002001' + description: | + Inactive access keys are not deleted + resource: aws.iam-user + filters: + - type: credential + key: access_keys.active + value: false diff --git a/policies/ecc-aws-515-security_hub_enabled.yml b/policies/ecc-aws-515-security_hub_enabled.yml index 78416cf84..67d151928 100644 --- a/policies/ecc-aws-515-security_hub_enabled.yml +++ b/policies/ecc-aws-515-security_hub_enabled.yml 
@@ -7,10 +7,10 @@ policies: - name: ecc-aws-515-security_hub_enabled - resource: aws.account + comment: '010016090300' description: | Security Hub is not enabled + resource: aws.account filters: - - type: securityhub - enabled: false - comment: '0016090300' \ No newline at end of file + - type: securityhub + enabled: false diff --git a/policies/ecc-aws-516-s3_event_notifications_enabled.yml b/policies/ecc-aws-516-s3_event_notifications_enabled.yml index 296ed6fc5..32ed7655f 100644 --- a/policies/ecc-aws-516-s3_event_notifications_enabled.yml +++ b/policies/ecc-aws-516-s3_event_notifications_enabled.yml @@ -7,22 +7,22 @@ policies: - name: ecc-aws-516-s3_event_notifications_enabled + comment: '010019042001' description: | S3 buckets should have event notifications enabled resource: aws.s3 filters: - - not: - - or: - - type: bucket-notification - kind: sns - key: Id - value: present - - type: bucket-notification - kind: sqs - key: Id - value: present - - type: bucket-notification - kind: lambda - key: Id - value: present - comment: '0019042001' \ No newline at end of file + - not: + - or: + - type: bucket-notification + kind: sns + key: Id + value: present + - type: bucket-notification + kind: sqs + key: Id + value: present + - type: bucket-notification + kind: lambda + key: Id + value: present diff --git a/policies/ecc-aws-517-s3_bucket_acl_prohibited.yml b/policies/ecc-aws-517-s3_bucket_acl_prohibited.yml index 2282deb9d..c90b77e3f 100644 --- a/policies/ecc-aws-517-s3_bucket_acl_prohibited.yml +++ b/policies/ecc-aws-517-s3_bucket_acl_prohibited.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-517-s3_bucket_acl_prohibited - description: | - S3 access control lists (ACLs) are used to manage user access to buckets - resource: aws.s3 - filters: - - not: - - type: ownership - value: BucketOwnerEnforced - comment: '0033042001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-517-s3_bucket_acl_prohibited + comment: '010033042001' + description: | + S3 access control lists (ACLs) are used to manage user access to buckets + resource: aws.s3 + filters: + - not: + - type: ownership + value: BucketOwnerEnforced diff --git a/policies/ecc-aws-518-s3_version_lifecycle_policy_check.yml b/policies/ecc-aws-518-s3_version_lifecycle_policy_check.yml index 447b15ce0..3a138a69a 100644 --- a/policies/ecc-aws-518-s3_version_lifecycle_policy_check.yml +++ b/policies/ecc-aws-518-s3_version_lifecycle_policy_check.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-518-s3_version_lifecycle_policy_check - description: | - S3 buckets with versioning enabled do not have lifecycle policies configured - resource: aws.s3 - filters: - - type: value - key: Versioning.Status - value: Enabled - - type: value - key: Lifecycle - value: null - comment: '0001042001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-518-s3_version_lifecycle_policy_check + comment: '010001042001' + description: | + S3 buckets with versioning enabled do not have lifecycle policies configured + resource: aws.s3 + filters: + - type: value + key: Versioning.Status + value: Enabled + - type: value + key: Lifecycle + value: null diff --git a/policies/ecc-aws-519-vpc_vpn_2_tunnels_up.yml b/policies/ecc-aws-519-vpc_vpn_2_tunnels_up.yml index 7167560c4..70420c3e0 100644 --- a/policies/ecc-aws-519-vpc_vpn_2_tunnels_up.yml +++ b/policies/ecc-aws-519-vpc_vpn_2_tunnels_up.yml 
@@ -1,20 +1,20 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-519-vpc_vpn_2_tunnels_up - description: | - One or both VPN tunnels for an AWS Site-to-Site VPN connection are in DOWN status - resource: aws.vpn-connection - filters: - - type: value - key: State - value: available - - type: value - key: length(VgwTelemetry[?Status=='UP'])==`2` - value: false - comment: '0050022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-519-vpc_vpn_2_tunnels_up + comment: '010050022000' + description: | + One or both VPN tunnels for an AWS Site-to-Site VPN connection are in DOWN status + resource: aws.vpn-connection + filters: + - type: value + key: State + value: available + - type: value + key: length(VgwTelemetry[?Status=='UP'])==`2` + value: false diff --git a/policies/ecc-aws-520-autoscaling_launch_config_hop_limit.yml b/policies/ecc-aws-520-autoscaling_launch_config_hop_limit.yml index 598b0bbdd..50ce973c6 100644 --- a/policies/ecc-aws-520-autoscaling_launch_config_hop_limit.yml +++ b/policies/ecc-aws-520-autoscaling_launch_config_hop_limit.yml @@ -7,12 +7,12 @@ policies: - name: ecc-aws-520-autoscaling_launch_config_hop_limit - resource: launch-config + comment: '010024032000' description: | Auto Scaling launch configuration hop limit is greater than 1 + resource: launch-config filters: - type: value key: MetadataOptions.HttpPutResponseHopLimit op: gt value: 1 - comment: '0024032000' \ No newline at end of file 
diff --git a/policies/ecc-aws-521-ecs_containers_readonly_access.yml b/policies/ecc-aws-521-ecs_containers_readonly_access.yml index b4ced2a50..e0a7a1830 100644 --- a/policies/ecc-aws-521-ecs_containers_readonly_access.yml +++ b/policies/ecc-aws-521-ecs_containers_readonly_access.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-521-ecs_containers_readonly_access - description: | - ECS container is not limited to read-only access to root file systems - resource: ecs-task-definition - filters: - - not: - - type: value - key: containerDefinitions[0].readonlyRootFilesystem - value: true - comment: '0022082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-521-ecs_containers_readonly_access + comment: '010022082000' + description: | + ECS container is not limited to read-only access to root file systems + resource: ecs-task-definition + filters: + - not: + - type: value + key: containerDefinitions[0].readonlyRootFilesystem + value: true diff --git a/policies/ecc-aws-522-ecs_no_environment_secrets.yml b/policies/ecc-aws-522-ecs_no_environment_secrets.yml index 134d9f9b0..27c771f78 100644 --- a/policies/ecc-aws-522-ecs_no_environment_secrets.yml +++ b/policies/ecc-aws-522-ecs_no_environment_secrets.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-522-ecs_no_environment_secrets + comment: '010048082000' description: | Amazon ECS secrets passed as container environment variables resource: ecs-task-definition 
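Review bot: The filter key `containerDefinitions[0].readonlyRootFilesystem` in ecc-aws-521 inspects only the first container definition, so a task definition whose first container is read-only but whose other containers are writable passes unnoticed. Evaluating every container closes that gap, for example by replacing the `not` block with `key: length(containerDefinitions[?!readonlyRootFilesystem])`, `op: gt`, `value: 0`; the `?!` form is already used by ecc-aws-539 in this change set. An unset `readonlyRootFilesystem` would then count as writable, which matches how the current check treats a missing value on the first container.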
@@ -15,4 +16,3 @@ policies: key: containerDefinitions[].environment[?name == 'AWS_ACCESS_KEY_ID' || name == 'ECS_ENGINE_AUTH_DATA' || name == 'AWS_SECRET_ACCESS_KEY'].[starts_with(value, 'arn')][][] op: contains value: false - comment: '0048082000' \ No newline at end of file diff --git a/policies/ecc-aws-523-kms_cmk_not_scheduled_for_deletion.yml b/policies/ecc-aws-523-kms_cmk_not_scheduled_for_deletion.yml index 7e56154c7..c5a43fd50 100644 --- a/policies/ecc-aws-523-kms_cmk_not_scheduled_for_deletion.yml +++ b/policies/ecc-aws-523-kms_cmk_not_scheduled_for_deletion.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-523-kms_cmk_not_scheduled_for_deletion + comment: '010047102000' description: | KMS keys should not be unintentionally deleted resource: aws.kms-key @@ -14,4 +15,3 @@ policies: - type: value key: 'KeyState' value: PendingDeletion - comment: '0047102000' \ No newline at end of file diff --git a/policies/ecc-aws-524-waf_regional_webacl_not_empty.yml b/policies/ecc-aws-524-waf_regional_webacl_not_empty.yml index 06f72bf53..76a3a289b 100644 --- a/policies/ecc-aws-524-waf_regional_webacl_not_empty.yml +++ b/policies/ecc-aws-524-waf_regional_webacl_not_empty.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-524-waf_regional_webacl_not_empty + comment: '010002092000' description: | A WAF Classic Regional web ACL does not have at least one rule or rule group resource: aws.waf-regional @@ -14,4 +15,3 @@ policies: - type: value key: Rules value: empty - comment: '0002092000' \ No newline at end of file diff --git a/policies/ecc-aws-527-waf_global_webacl_not_empty.yml b/policies/ecc-aws-527-waf_global_webacl_not_empty.yml index 7a8e2aa72..b3f90bc5e 100644 --- a/policies/ecc-aws-527-waf_global_webacl_not_empty.yml +++ b/policies/ecc-aws-527-waf_global_webacl_not_empty.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-527-waf_global_webacl_not_empty - description: | - A WAF global web ACL does not have at least one rule or rule group - resource: aws.waf - filters: - - type: value - key: Rules - value: empty - comment: '0002092001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-527-waf_global_webacl_not_empty + comment: '010002092001' + description: | + A WAF global web ACL does not have at least one rule or rule group + resource: aws.waf + filters: + - type: value + key: Rules + value: empty diff --git a/policies/ecc-aws-528-acm_certificate_transparency_logging_enabled.yml b/policies/ecc-aws-528-acm_certificate_transparency_logging_enabled.yml index f7833ba83..97b516273 100644 --- a/policies/ecc-aws-528-acm_certificate_transparency_logging_enabled.yml +++ b/policies/ecc-aws-528-acm_certificate_transparency_logging_enabled.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-528-acm_certificate_transparency_logging_enabled + comment: '010019102000' description: | ACM transparency logging disabled resource: acm-certificate @@ -14,4 +15,3 @@ policies: - type: value key: Options.CertificateTransparencyLoggingPreference value: DISABLED - comment: '0019102000' \ No newline at end of file diff --git a/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml b/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml index 559f7b6ea..1f03ab26e 100644 
--- a/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml +++ b/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 ecc Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled - resource: aws.ec2 - description: | - EBS volumes attached to an EC2 instance is not marked for deletion upon instance termination - filters: - - type: value - key: BlockDeviceMappings[].Ebs.DeleteOnTermination - op: contains - value: false - comment: '0002030400' \ No newline at end of file +# Copyright (c) 2023 ecc Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled + comment: '010002030400' + description: | + EBS volumes attached to an EC2 instance is not marked for deletion upon instance termination + resource: aws.ec2 + filters: + - type: value + key: BlockDeviceMappings[].Ebs.DeleteOnTermination + op: contains + value: false diff --git a/policies/ecc-aws-530-cloudfront_encryption_in_transit.yml b/policies/ecc-aws-530-cloudfront_encryption_in_transit.yml index 43ee824c6..8ba2583de 100644 --- a/policies/ecc-aws-530-cloudfront_encryption_in_transit.yml +++ b/policies/ecc-aws-530-cloudfront_encryption_in_transit.yml 
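Review bot: The licence header written in ecc-aws-529 reads `# Copyright (c) 2023 ecc Systems, Inc.`, while every other policy file visible in this change carries `EPAM Systems, Inc.`; this looks like a leftover from a bulk rename. Since the whole file is rewritten here anyway, the first line should be `# Copyright (c) 2023 EPAM Systems, Inc.` if that is the intended holder.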
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-530-cloudfront_encryption_in_transit - description: | - CloudFront distribution not encrypted in transit - resource: aws.distribution - filters: - - or: - - type: value - key: DefaultCacheBehavior.ViewerProtocolPolicy - value: allow-all - - type: value - key: CacheBehaviors.Items[].ViewerProtocolPolicy - value: allow-all - comment: '0044022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-530-cloudfront_encryption_in_transit + comment: '010044022001' + description: | + CloudFront distribution not encrypted in transit + resource: aws.distribution + filters: + - or: + - type: value + key: DefaultCacheBehavior.ViewerProtocolPolicy + value: allow-all + - type: value + key: CacheBehaviors.Items[].ViewerProtocolPolicy + value: allow-all diff --git a/policies/ecc-aws-531-ebs_default_encryption_enabled.yml b/policies/ecc-aws-531-ebs_default_encryption_enabled.yml index b9a7bf888..9e9afba3f 100644 --- a/policies/ecc-aws-531-ebs_default_encryption_enabled.yml +++ b/policies/ecc-aws-531-ebs_default_encryption_enabled.yml 
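Review bot: The second branch of the `or` in ecc-aws-530 compares `CacheBehaviors.Items[].ViewerProtocolPolicy`, a projection that yields a list, against the scalar `allow-all` with no `op`, so it probably never matches. Distributions whose only unencrypted path is an additional cache behavior would then go unreported. ecc-aws-535 and ecc-aws-537 in this change handle list-valued keys with `value_type: swap` and `op: in`; adding those two lines to this branch would make the check cover every cache behavior. It is worth confirming with a test distribution that has `allow-all` only on a non-default behavior.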
@@ -7,14 +7,14 @@ policies: - name: ecc-aws-531-ebs_default_encryption_enabled - resource: aws.account + comment: '010043040300' description: | EBS volume default encryption disabled + resource: aws.account filters: - - type: default-ebs-encryption - key: - type: value - key: Origin - value: AWS_KMS - state: false - comment: '0043040300' \ No newline at end of file + - type: default-ebs-encryption + key: + type: value + key: Origin + value: AWS_KMS + state: false diff --git a/policies/ecc-aws-532-imported_and_acm_certificates_expire_in_one_month.yml b/policies/ecc-aws-532-imported_and_acm_certificates_expire_in_one_month.yml index d418f334f..305012a51 100644 --- a/policies/ecc-aws-532-imported_and_acm_certificates_expire_in_one_month.yml +++ b/policies/ecc-aws-532-imported_and_acm_certificates_expire_in_one_month.yml 
@@ -1,19 +1,19 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-532-imported_and_acm_certificates_expire_in_one_month - description: | - Imported and ACM-issued certificates expire in less than a month - resource: aws.acm-certificate - filters: - - type: value - key: NotAfter - value_type: expiration - op: lt - value: 30 - comment: '0029102000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-532-imported_and_acm_certificates_expire_in_one_month + comment: '010029102000' + description: | + Imported and ACM-issued certificates expire in less than a month + resource: aws.acm-certificate + filters: + - type: value + key: NotAfter + value_type: expiration + op: lt + value: 30 diff --git a/policies/ecc-aws-533-key_pair_without_tag_information.yml b/policies/ecc-aws-533-key_pair_without_tag_information.yml index c2db60301..e8b39898c 100644 --- a/policies/ecc-aws-533-key_pair_without_tag_information.yml +++ b/policies/ecc-aws-533-key_pair_without_tag_information.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-533-key_pair_without_tag_information + comment: '010010102000' description: | Amazon Key pair without tag information resource: key-pair @@ -14,4 +15,3 @@ policies: - type: tag-count op: eq count: 0 - comment: '0010102000' \ No newline at end of file diff --git a/policies/ecc-aws-534-autoscaling_launch_template.yml b/policies/ecc-aws-534-autoscaling_launch_template.yml index b4a3aefdb..003968c3f 100644 --- a/policies/ecc-aws-534-autoscaling_launch_template.yml 
+++ b/policies/ecc-aws-534-autoscaling_launch_template.yml @@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-534-autoscaling_launch_template - description: | - EC2 Auto Scaling groups is not using EC2 launch templates - resource: aws.asg - filters: - - type: value - key: LaunchConfigurationName - value: present - comment: '0020032000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-534-autoscaling_launch_template + comment: '010020032000' + description: | + EC2 Auto Scaling groups is not using EC2 launch templates + resource: aws.asg + filters: + - type: value + key: LaunchConfigurationName + value: present diff --git a/policies/ecc-aws-535-clb_acm_certificate_required.yml b/policies/ecc-aws-535-clb_acm_certificate_required.yml index ed5837318..cf9d020e0 100644 --- a/policies/ecc-aws-535-clb_acm_certificate_required.yml +++ b/policies/ecc-aws-535-clb_acm_certificate_required.yml 
@@ -1,29 +1,29 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-535-clb_acm_certificate_required - description: | - Classic Load Balancers with HTTPS/SSL listeners do not use certificate provided by AWS Certificate Manager - resource: aws.elb - filters: - - or: - - type: value - key: ListenerDescriptions[].Listener.Protocol - value_type: swap - value: HTTPS - op: in - - type: value - key: ListenerDescriptions[].Listener.Protocol - value_type: swap - value: SSL - op: in - - type: value - key: length(ListenerDescriptions[].Listener.SSLCertificateId)>`0` && join(' ,', ListenerDescriptions[].Listener.SSLCertificateId) - op: regex - value: '.*(^|, )arn:aws:iam::[^,]*($|, ).*' - comment: '0044022000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-535-clb_acm_certificate_required + comment: '010044022000' + description: | + Classic Load Balancers with HTTPS/SSL listeners do not use certificate provided by AWS Certificate Manager + resource: aws.elb + filters: + - or: + - type: value + key: ListenerDescriptions[].Listener.Protocol + value_type: swap + value: HTTPS + op: in + - type: value + key: ListenerDescriptions[].Listener.Protocol + value_type: swap + value: SSL + op: in + - type: value + key: length(ListenerDescriptions[].Listener.SSLCertificateId)>`0` && join(' ,', ListenerDescriptions[].Listener.SSLCertificateId) + op: regex + value: '.*(^|, )arn:aws:iam::[^,]*($|, ).*' 
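Review bot: In the last filter of ecc-aws-535 the key joins certificate IDs with `' ,'` (space, comma) but the regex expects `', '` (comma, space) as the separator, so the pattern appears able to match only when the list holds a single ID. A Classic Load Balancer with several HTTPS/SSL listeners, one of which uses an IAM server certificate, would therefore slip through the check. Changing the key to end in `join(', ', ListenerDescriptions[].Listener.SSLCertificateId)` lines the separator up with the `(^|, )` and `($|, )` groups.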
diff --git a/policies/ecc-aws-536-lambda_function_settings_check.yml b/policies/ecc-aws-536-lambda_function_settings_check.yml index 81d1bc39c..a7a96faf4 100644 --- a/policies/ecc-aws-536-lambda_function_settings_check.yml +++ b/policies/ecc-aws-536-lambda_function_settings_check.yml @@ -1,22 +1,22 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-536-lambda_function_settings_check - description: | - Lambda functions should not use no longer supported runtimes - resource: aws.lambda - filters: - - type: value - key: PackageType - value: Zip - - not: - - type: value - key: Runtime - op: in - value: [nodejs18.x, nodejs16.x, nodejs14.x, nodejs12.x, python3.9, python3.8, python3.7, ruby2.7, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnet6] - comment: '0028030400' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-536-lambda_function_settings_check + comment: '010028030400' + description: | + Lambda functions should not use no longer supported runtimes + resource: aws.lambda + filters: + - type: value + key: PackageType + value: Zip + - not: + - type: value + key: Runtime + op: in + value: [nodejs18.x, nodejs16.x, nodejs14.x, nodejs12.x, python3.9, python3.8, python3.7, ruby2.7, java11, java8, java8.al2, go1.x, dotnetcore3.1, dotnet6] diff --git a/policies/ecc-aws-537-ecs_containers_nonprivileged.yml b/policies/ecc-aws-537-ecs_containers_nonprivileged.yml index 4723cf5e5..f7fa322ec 100644 --- a/policies/ecc-aws-537-ecs_containers_nonprivileged.yml 
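Review bot: The `Runtime` allowlist in ecc-aws-536 is a fixed inline list, so any runtime not named in it (newer Python, Node.js or Java releases, for example) is reported as unsupported, while older entries such as `nodejs12.x`, `python3.7` and `dotnetcore3.1` keep passing for as long as they stay in the list. Both directions weaken the finding: false positives on current runtimes and missed end-of-support ones. The list should be checked against the current Lambda runtime support table, and a comment above it such as `# runtimes last verified against AWS Lambda docs on <DATE>` would make staleness visible.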
+++ b/policies/ecc-aws-537-ecs_containers_nonprivileged.yml @@ -1,23 +1,23 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-537-ecs_containers_nonprivileged - description: | - ECS containers should not run in privileged parameter - resource: ecs-task-definition - filters: - - not: - - type: value - key: networkMode - value: host - - type: value - key: containerDefinitions[].privileged - value_type: swap - op: in - value: true - comment: '0022082000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-537-ecs_containers_nonprivileged + comment: '010022082000' + description: | + ECS containers should not run in privileged parameter + resource: ecs-task-definition + filters: + - not: + - type: value + key: networkMode + value: host + - type: value + key: containerDefinitions[].privileged + value_type: swap + op: in + value: true diff --git a/policies/ecc-aws-538-cloudfront_s3_origin_non_existent_bucket.yml b/policies/ecc-aws-538-cloudfront_s3_origin_non_existent_bucket.yml index 4a54deea7..9b4e80972 100644 --- a/policies/ecc-aws-538-cloudfront_s3_origin_non_existent_bucket.yml +++ b/policies/ecc-aws-538-cloudfront_s3_origin_non_existent_bucket.yml 
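Review bot: The `not` block on `networkMode` = `host` in ecc-aws-537 excludes task definitions that use host networking from the privileged check, so a privileged container in host mode, arguably the more exposed combination, is never reported. If the exclusion is deliberate (for instance because another policy covers host mode), a comment saying so would help the next reader. Otherwise dropping the `not` block lets the `containerDefinitions[].privileged` filter cover all network modes.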
@@ -1,16 +1,16 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-538-cloudfront_s3_origin_non_existent_bucket - description: | - CloudFront distributions are pointing to non-existent S3 origins - resource: aws.distribution - filters: - - type: mismatch-s3-origin - check_custom_origins: true - comment: '0023022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-538-cloudfront_s3_origin_non_existent_bucket + comment: '010023022001' + description: | + CloudFront distributions are pointing to non-existent S3 origins + resource: aws.distribution + filters: + - type: mismatch-s3-origin + check_custom_origins: true diff --git a/policies/ecc-aws-539-cloudfront_origin_access_control_enabled.yml b/policies/ecc-aws-539-cloudfront_origin_access_control_enabled.yml index 9a1971ea3..11122b997 100644 --- a/policies/ecc-aws-539-cloudfront_origin_access_control_enabled.yml +++ b/policies/ecc-aws-539-cloudfront_origin_access_control_enabled.yml 
@@ -1,17 +1,17 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-539-cloudfront_origin_access_control_enabled - description: | - CloudFront distributions do not have origin access control enabled - resource: aws.distribution - filters: - - type: value - key: length(Origins.Items[?!CustomOriginConfig && OriginAccessControlId==''])>=`1` - value: true - comment: '0038022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-539-cloudfront_origin_access_control_enabled + comment: '010038022001' + description: | + CloudFront distributions do not have origin access control enabled + resource: aws.distribution + filters: + - type: value + key: length(Origins.Items[?!CustomOriginConfig && OriginAccessControlId==''])>=`1` + value: true diff --git a/policies/ecc-aws-540-glue_job_latest_version.yml b/policies/ecc-aws-540-glue_job_latest_version.yml index 763989f2b..1a287af66 100644 --- a/policies/ecc-aws-540-glue_job_latest_version.yml +++ b/policies/ecc-aws-540-glue_job_latest_version.yml @@ -7,12 +7,12 @@ policies: - name: ecc-aws-540-glue_job_latest_version + comment: '010021052000' description: | Amazon Glue Job not latest version resource: glue-job filters: - not: - - type: value - key: GlueVersion - value: '4.0' - comment: '0021052000' \ No newline at end of file + - type: value + key: GlueVersion + value: '4.0' diff --git a/policies/ecc-aws-541-glue_job_logging_enabled.yml b/policies/ecc-aws-541-glue_job_logging_enabled.yml index 86a97f450..eea673df4 100644 
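Review bot: ecc-aws-540 accepts only `GlueVersion` equal to `'4.0'` inside its `not` block, so a job on any release newer than 4.0 is reported as out of date exactly like one on an older release. A comparison that accepts 4.0 and above would avoid that. At minimum, a comment such as `# update when a newer Glue version becomes the baseline` next to the value would keep the finding meaningful as versions move on.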
--- a/policies/ecc-aws-541-glue_job_logging_enabled.yml +++ b/policies/ecc-aws-541-glue_job_logging_enabled.yml @@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-541-glue_job_logging_enabled - description: | - Glue job logging disabled - resource: aws.glue-job - filters: - - not: - - type: value - key: DefaultArguments."--enable-continuous-cloudwatch-log"=='true' - value: true - comment: '0019052000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-541-glue_job_logging_enabled + comment: '010019052000' + description: | + Glue job logging disabled + resource: aws.glue-job + filters: + - not: + - type: value + key: DefaultArguments."--enable-continuous-cloudwatch-log"=='true' + value: true diff --git a/policies/ecc-aws-542-glue_job_autoscaling_enabled.yml b/policies/ecc-aws-542-glue_job_autoscaling_enabled.yml index 5336667a3..4a0345c38 100644 --- a/policies/ecc-aws-542-glue_job_autoscaling_enabled.yml +++ b/policies/ecc-aws-542-glue_job_autoscaling_enabled.yml 
@@ -7,15 +7,15 @@ policies: - name: ecc-aws-542-glue_job_autoscaling_enabled + comment: '010005052000' description: | Amazon Glue Job with disabled autoscaling resource: aws.glue-job filters: - or: - - type: value - key: DefaultArguments."--enable-auto-scaling" - value: absent - - type: value - key: DefaultArguments."--enable-auto-scaling" - value: "false" - comment: '0005052000' \ No newline at end of file + - type: value + key: DefaultArguments."--enable-auto-scaling" + value: absent + - type: value + key: DefaultArguments."--enable-auto-scaling" + value: "false" diff --git a/policies/ecc-aws-543-cloudfront_realtime_logging_enabled.yml b/policies/ecc-aws-543-cloudfront_realtime_logging_enabled.yml index 03b8648f0..1436ee3a8 100644 --- a/policies/ecc-aws-543-cloudfront_realtime_logging_enabled.yml +++ b/policies/ecc-aws-543-cloudfront_realtime_logging_enabled.yml 
@@ -1,21 +1,21 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-543-cloudfront_realtime_logging_enabled - resource: aws.distribution - description: | - CloudFront Realtime logging disabled - filters: - - and: - - type: value - key: DefaultCacheBehavior.RealtimeLogConfigArn - value: absent - - type: value - key: CacheBehaviors.Items[].RealtimeLogConfigArn - value: empty - comment: '0019022001' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-543-cloudfront_realtime_logging_enabled + comment: '010019022001' + description: | + CloudFront Realtime logging disabled + resource: aws.distribution + filters: + - and: + - type: value + key: DefaultCacheBehavior.RealtimeLogConfigArn + value: absent + - type: value + key: CacheBehaviors.Items[].RealtimeLogConfigArn + value: empty diff --git a/policies/ecc-aws-544-cloudtrail_delivery_failing.yml b/policies/ecc-aws-544-cloudtrail_delivery_failing.yml index 1a8d566de..1dcc9d786 100644 --- a/policies/ecc-aws-544-cloudtrail_delivery_failing.yml +++ b/policies/ecc-aws-544-cloudtrail_delivery_failing.yml @@ -7,6 +7,7 @@ policies: - name: ecc-aws-544-cloudtrail_delivery_failing + comment: '010019012000' description: | CloudTrail logs delivery failing resource: aws.cloudtrail @@ -14,4 +15,3 @@ policies: - type: status key: LatestDeliveryError value: present - comment: '0019012000' \ No newline at end of file 
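Review bot: The `and` in the ecc-aws-543 filters flags a distribution only when `DefaultCacheBehavior.RealtimeLogConfigArn` is absent and no entry under `CacheBehaviors.Items[]` carries one, so a distribution that logs one path pattern but not its default behavior is reported as compliant. If the rule is meant to require real-time logging on every behavior, the two clauses need to be combined with `or`, and the second has to test for any item lacking the ARN rather than the list of ARNs being empty. If partial coverage is intended, I would state it above the filters, e.g. `# passes when at least one cache behavior has a real-time log config`. The filter logic is the same on the removed side, so this predates the commit.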
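Review bot: The status filter shown as context in the second ecc-aws-544 hunk tests only `LatestDeliveryError`, which as far as I know reflects delivery to the S3 bucket. The trail status also reports `LatestCloudWatchLogsDeliveryError` and `LatestDigestDeliveryError`, and a trail failing on either of those still passes a policy named "delivery failing". I would wrap the existing entry in `or` and add one `type: status` entry per field, each with `value: present`. The filters block starts above the hunk, so check that no other entry there already covers these fields.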
diff --git a/policies/ecc-aws-545-step_function_state_machine_logging_enabled.yml b/policies/ecc-aws-545-step_function_state_machine_logging_enabled.yml
index c0c23ec3c..1d6f56068 100644
--- a/policies/ecc-aws-545-step_function_state_machine_logging_enabled.yml
+++ b/policies/ecc-aws-545-step_function_state_machine_logging_enabled.yml
@@ -1,17 +1,17 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-545-step_function_state_machine_logging_enabled
- description: |
- AWS Step Function State Machine logging is disabled
- resource: aws.step-machine
- filters:
- - type: value
- key: loggingConfiguration.level
- value: 'OFF'
- comment: '0019142000'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-545-step_function_state_machine_logging_enabled
+ comment: '010019142000'
+ description: |
+ AWS Step Function State Machine logging is disabled
+ resource: aws.step-machine
+ filters:
+ - type: value
+ key: loggingConfiguration.level
+ value: 'OFF'
diff --git a/policies/ecc-aws-546-kinesis_streams_retention_period_set_correctly.yml b/policies/ecc-aws-546-kinesis_streams_retention_period_set_correctly.yml
index f98ab0144..042a0bc8e 100644
--- a/policies/ecc-aws-546-kinesis_streams_retention_period_set_correctly.yml
+++ b/policies/ecc-aws-546-kinesis_streams_retention_period_set_correctly.yml
@@ -1,18 +1,18 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-
-policies:
- - name: ecc-aws-546-kinesis_streams_retention_period_set_correctly
- resource: aws.kinesis
- description: |
- Kinesis Stream retention period is not set correctly
- filters:
- - type: value
- key: RetentionPeriodHours
- op: lt
- value: 2160
- comment: '0049052010'
\ No newline at end of file
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-546-kinesis_streams_retention_period_set_correctly
+ comment: '010049052010'
+ description: |
+ Kinesis Stream retention period is not set correctly
+ resource: aws.kinesis
+ filters:
+ - type: value
+ key: RetentionPeriodHours
+ op: lt
+ value: 2160
diff --git a/policies/ecc-aws-547-rds_instance_generation.yml b/policies/ecc-aws-547-rds_instance_generation.yml
index eab5fa652..5202c5ec8 100644
--- a/policies/ecc-aws-547-rds_instance_generation.yml
+++ b/policies/ecc-aws-547-rds_instance_generation.yml
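Review bot: The threshold `value: 2160` in the ecc-aws-546 filter is a bare number of hours, and the description only says the retention period is "not set correctly", so a reader cannot tell what retention the rule requires. 2160 hours is 90 days. I would add `# 2160 h = 90 days; streams retaining less are flagged` above the `value:` line, and ideally name the 90-day minimum in the description as well.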
@@ -1,18 +1,18 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - - -policies: - - name: ecc-aws-547-rds_instance_generation - description: | - RDS instance is not using last generation classes - resource: rds - filters: - - type: value - key: DBInstanceClass - op: regex - value: 'db.(m1|m2|m3|m4|r3|r4|cr1|t1|t2).[^\s]+' - comment: '0006062000' \ No newline at end of file +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-547-rds_instance_generation + comment: '010006062000' + description: | + RDS instance is not using last generation classes + resource: rds + filters: + - type: value + key: DBInstanceClass + op: regex + value: 'db.(m1|m2|m3|m4|r3|r4|cr1|t1|t2).[^\s]+' diff --git a/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml b/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml index 559081aa2..a496aa135 100644 --- a/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml +++ b/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml @@ -7,11 +7,11 @@ policies: - name: ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2 - resource: aws.ebs + comment: '010007042000' description: | EBS volumes are type of gp2 instead of gp3 + resource: aws.ebs filters: - type: value key: VolumeType value: gp2 - comment: '0007042000' \ No newline at end of file
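Review bot: The dots in the ecc-aws-547 regex are unescaped, so each `.` in `'db.(m1|m2|m3|m4|r3|r4|cr1|t1|t2).[^\s]+'` matches any character rather than the literal separator of an instance class name. A value with an extra character after the family token would therefore be flagged as a previous-generation class. Escaping them keeps the match exact: `value: 'db\.(m1|m2|m3|m4|r3|r4|cr1|t1|t2)\.[^\s]+'`. Single quotes keep the backslashes literal in YAML. Separately, this file uses `resource: rds` while the neighbouring policies use the `aws.`-prefixed form; making it `resource: aws.rds` would be consistent.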