diff --git a/charts/cloud-controls/Chart.yaml b/charts/cloud-controls/Chart.yaml
index 469dff46..fbbf519b 100644
--- a/charts/cloud-controls/Chart.yaml
+++ b/charts/cloud-controls/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cloud-controls
 description: Cloud Controls Helm Chart
-version: 0.0.2
+version: 0.0.3
 keywords:
 - kubernetes
 - nirmata
@@ -28,3 +28,11 @@ dependencies:
 condition: aws-apigateway-best-practices.enabled
 version: 0.0.1
 repository: file://charts/apigateway
+ - name: aws-sqs-best-practices
+ condition: aws-sqs-best-practices.enabled
+ version: 0.0.1
+ repository: file://charts/sqs
+ - name: aws-rds-best-practices
+ condition: aws-rds-best-practices.enabled
+ version: 0.0.1
+ repository: file://charts/rds
diff --git a/charts/cloud-controls/charts/rds/.helmignore b/charts/cloud-controls/charts/rds/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/cloud-controls/charts/rds/Chart.yaml b/charts/cloud-controls/charts/rds/Chart.yaml
new file mode 100644
index 00000000..b149958e
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-rds-best-practices
+description: Aws RDS Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+ - kubernetes
+ - nirmata
+ - kyverno
+ - policy
+ - cloud-controller
+maintainers:
+ - name: Nirmata
+ url: https://nirmata.com/
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-cluster-deletion-protection-enabled.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-cluster-deletion-protection-enabled.yaml
new file mode 100644
index 00000000..104325bb
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-cluster-deletion-protection-enabled.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsClusterDeletionProtectionEnabled" }}
+{{- $name := "check-rds-cluster-deletion-protection-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Cluster Deletion Protection Enabled
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Preventing accidental deletion of an RDS database through the AWS Management Console, AWS CLI, or the RDS API is essential for avoiding data loss.
+ The database can't be deleted when deletion protection is enabled. This ensures an extra layer of protection for your data, preventing
+ unintended actions from impacting availability or causing data loss. By enabling deletion protection, you ensure that the database
+ remains intact until deliberate action is taken to disable this setting.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBClusterIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBCluster
+ assert:
+ all:
+ - message: >-
+ RDS Database Deletion Protection must be enabled
+ check:
+ payload:
+ deletionProtection: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-cluster-encrypted-at-rest.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-cluster-encrypted-at-rest.yaml
new file mode 100644
index 00000000..fb3677b0
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-cluster-encrypted-at-rest.yaml
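Review bot: The `failureAction`, `scan` and `admission` lines under `spec:` are three ~300-character nested `hasKey`/`index` chains, and the identical three lines are repeated verbatim in every other template in this commit (the seven other RDS templates and the three SQS templates), so the override precedence has to be maintained in eleven places and is hard to verify by eye. A named template in a `_helpers.tpl` would state the precedence once (per-policy value, then chart-level value, then default); Helm named templates are global, so one define in the parent chart should be reachable from every subchart, though that is worth confirming with `helm template`. Note that `scan` reads the `scanner` key, so the helper takes the values key separately from the rendered field. The sketch below should keep the rendered output the same for the values documented in values.yaml.
```yaml
{{/* Resolve a policy spec field: <policy>.<key> in values, else chart-level <key>, else the default. */}}
{{- define "cloud-controls.policyValue" -}}
{{- $policy := index .Values .policy | default dict -}}
{{- if hasKey $policy .key -}}{{ index $policy .key }}
{{- else if hasKey .Values .key -}}{{ index .Values .key }}
{{- else -}}{{ .default }}
{{- end -}}
{{- end -}}

# in each template, replacing the three spec lines:
spec:
  failureAction: {{ include "cloud-controls.policyValue" (dict "Values" .Values "policy" $camelCaseName "key" "failureAction" "default" "Audit") }}
  scan: {{ include "cloud-controls.policyValue" (dict "Values" .Values "policy" $camelCaseName "key" "scanner" "default" true) }}
  admission: {{ include "cloud-controls.policyValue" (dict "Values" .Values "policy" $camelCaseName "key" "admission" "default" true) }}
  # … unchanged: rules …
```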
@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsClusterEncryptedAtRest" }}
+{{- $name := "check-rds-cluster-encrypted-at-rest" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Cluster Encrypted At Rest
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if an RDS DB cluster is encrypted at rest. The policy fails if an RDS DB cluster isn't encrypted at rest.
+ Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration.
+ Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user can access it.
+ Encrypting your RDS DB clusters protects your data and metadata against unauthorized access.
+ It also fulfills compliance requirements for data-at-rest encryption of production file systems.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBClusterIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBCluster
+ assert:
+ all:
+ - message: >-
+ RDS DB Clusters should have encryption at-rest enabled
+ check:
+ payload:
+ storageEncrypted: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-db-proxy-tls.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-db-proxy-tls.yaml
new file mode 100644
index 00000000..544f9324
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-db-proxy-tls.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsDbProxyTls" }}
+{{- $name := "check-rds-db-proxy-tls" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS DB Proxy TLS
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ RDS Proxy can use security mechanisms such as TLS to add an additional layer of security between client applications and the underlying database.
+ Database connections often involve sensitive information, such as personally identifiable information (PII), financial data, or confidential business data.
+ Protecting this data in transit is important to maintain security of the data.
+ This policy checks if the RDS Proxy is using TLS.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBProxyName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBProxy
+ assert:
+ all:
+ - message: >-
+ RDS Database Proxy should use TLS
+ check:
+ payload:
+ requireTLS: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-enhanced-monitoring-enabled.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-enhanced-monitoring-enabled.yaml
new file mode 100644
index 00000000..8900dd45
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-enhanced-monitoring-enabled.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsEnhancedMonitoringEnabled" }}
+{{- $name := "check-rds-enhanced-monitoring-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Enhanced Monitoring Enabled
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: low
+ policies.kyverno.io/description: >-
+ This policy checks whether enhanced monitoring is enabled for an Amazon Relational Database Service (Amazon RDS) DB instance.
+ The policy fails if enhanced monitoring isn't enabled for the instance. If you provide a custom value for the monitoringInterval parameter,
+ the policy passes only if enhanced monitoring metrics are collected for the instance at the specified interval.
+ In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure.
+ These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on.
+ An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBInstanceIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBInstance
+ context:
+ - name: monitoringInterval
+ variable:
+ - 1
+ - 5
+ - 10
+ - 15
+ - 30
+ - 60
+ assert:
+ all:
+ - message: >-
+ Enhanced monitoring should be configured for RDS DB instances
+ check:
+ payload:
+ (contains($monitoringInterval, monitoringInterval)): true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-instance-copy-tags-to-snapshots-enabled.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-instance-copy-tags-to-snapshots-enabled.yaml
new file mode 100644
index 00000000..4a31dfe7
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-instance-copy-tags-to-snapshots-enabled.yaml
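Review bot: The description promises that a custom `monitoringInterval` value is honoured, but the `context` list under `rules` is hard-coded to `1, 5, 10, 15, 30, 60` with no `.Values` lookup, unlike the three SQS templates, which read their threshold from `.Values.<camelCaseName>.<key>`. Either drop that sentence from the description or make the list overridable the same way, e.g. replace the six literal entries with `variable: {{ toJson (index (index .Values $camelCaseName | default dict) "monitoringInterval" | default (list 1 5 10 15 30 60)) }}` and document `checkRdsEnhancedMonitoringEnabled.monitoringInterval` in values.yaml. As written, an instance whose payload reports an interval outside the list (or none at all) fails the `contains` assertion, which appears to be the intended direction, but the description should say so rather than describe an override that does not exist.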
@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsInstanceCopyTagsToSnapshotsEnabled" }}
+{{- $name := "check-rds-instance-copy-tags-to-snapshots-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Instance Copy Tags To Snapshots Enabled
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
+ Identification and inventory of your IT assets is a crucial aspect of governance and security.
+ You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on
+ potential areas of weakness. Snapshots should be tagged in the same way as their parent RDS database instances.
+ Enabling this setting ensures that snapshots inherit the tags of their parent database instances.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBInstanceIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBInstance
+ assert:
+ all:
+ - message: >-
+ RDS DB instances should be configured to copy tags to snapshots
+ check:
+ payload:
+ copyTagsToSnapshot: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-instance-public-access.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-instance-public-access.yaml
new file mode 100644
index 00000000..d94b68fb
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-instance-public-access.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsInstancePublicAccess" }}
+{{- $name := "check-rds-instance-public-access" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Instance Public Access
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ The `PubliclyAccessible` value in the RDS instance configuration indicates whether the DB instance is publicly accessible.
+ When the DB instance is configured with `PubliclyAccessible`, it is an Internet-facing instance with a publicly resolvable DNS name,
+ which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name
+ that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance
+ should not be configured with `PubliclyAccessible` value. Doing so might allow unnecessary traffic to your database instance.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBInstanceIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBInstance
+ assert:
+ all:
+ - message: >-
+ RDS Database Instance should not be publicly accessible
+ check:
+ payload:
+ publiclyAccessible: false
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-multi-az-support.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-multi-az-support.yaml
new file mode 100644
index 00000000..891cd9c8
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-multi-az-support.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsMultiAzSupport" }}
+{{- $name := "check-rds-multi-az-support" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Multi AZ Support
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether high availability is enabled for your RDS DB instances.
+ RDS DB instances should be configured for multiple Availability Zones (AZs).
+ This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover
+ if there is an issue with AZ availability and during regular RDS maintenance.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBInstanceIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBInstance
+ assert:
+ all:
+ - message: >-
+ RDS DB instances should be configured with multiple Availability Zones
+ check:
+ payload:
+ multiAZ: true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-storage-encrypted.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-storage-encrypted.yaml
new file mode 100644
index 00000000..a67a1b99
--- /dev/null
+++ b/charts/cloud-controls/charts/rds/templates/check-rds-storage-encrypted.yaml
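Review bot: The rule matches every `DBInstance` and asserts `multiAZ: true`, but instances that are members of an Aurora cluster normally report `MultiAZ` as false at the instance level because availability is a property of the cluster, so, if the payload mirrors the RDS API, this policy will flag every Aurora writer and reader. Consider restricting the match to instances without a `payload.dBClusterIdentifier`, or at least stating the Aurora limitation in the description, e.g. `Instances belonging to an Aurora cluster are reported as non-Multi-AZ by this check; evaluate high availability at the cluster level for those.` The file also ends without a trailing newline (`\ No newline at end of file`), as do the three SQS templates.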
@@ -0,0 +1,44 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsStorageEncrypted" }}
+{{- $name := "check-rds-storage-encrypted" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check RDS Storage Encrypted
+ policies.kyverno.io/category: AWS RDS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether storage encryption is enabled for your Amazon RDS DB instances.
+ For an added layer of security for your sensitive data in RDS DB instances, you should configure your
+ RDS DB instances to be encrypted at rest. To encrypt your RDS DB instances and snapshots at rest, enable the
+ encryption option for your RDS DB instances. Data that is encrypted at rest includes the underlying storage
+ for DB instances, its automated backups, read replicas, and snapshots. RDS encrypted DB instances use the open
+ standard AES-256 encryption algorithm to encrypt your data on the server that hosts your RDS DB instances.
+ After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently
+ with a minimal impact on performance. You do not need to modify your database client applications to use encryption.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.dBInstanceIdentifier
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): RDS
+ - (metadata.resource): DBInstance
+ assert:
+ all:
+ - message: >-
+ RDS DB instances should have encryption at-rest enabled
+ check:
+ payload:
+ storageEncrypted: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/sqs/.helmignore b/charts/cloud-controls/charts/sqs/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/cloud-controls/charts/sqs/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/cloud-controls/charts/sqs/Chart.yaml b/charts/cloud-controls/charts/sqs/Chart.yaml
new file mode 100644
index 00000000..61fc5ed5
--- /dev/null
+++ b/charts/cloud-controls/charts/sqs/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-sqs-best-practices
+description: Aws SQS Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+ - kubernetes
+ - nirmata
+ - kyverno
+ - policy
+ - cloud-controller
+maintainers:
+ - name: Nirmata
+ url: https://nirmata.com/
diff --git a/charts/cloud-controls/charts/sqs/templates/check-message-retention-period.yaml b/charts/cloud-controls/charts/sqs/templates/check-message-retention-period.yaml
new file mode 100644
index 00000000..139623fb
--- /dev/null
+++ b/charts/cloud-controls/charts/sqs/templates/check-message-retention-period.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMessageRetentionPeriod" }}
+{{- $name := "check-message-retention-period" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: check-message-retention-period
+ policies.kyverno.io/category: AWS SQS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether Message Retention Period is under 4 Days.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.queueName
+ match:
+ all:
+ - (metadata.provider): "AWS"
+ - (metadata.service): "SQS"
+ - (metadata.resource): "Queue"
+ context:
+ - name: messageRetentionPeriod
+ variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "messageRetentionPeriod" }}{{ index (index .Values $camelCaseName) "messageRetentionPeriod" }}{{ else }}345600{{ end }}{{ else }}345600{{ end }}
+ assert:
+ all:
+ - message: The MessageRetentionPeriod is more than 4 Days.
+ check:
+ payload:
+ (messageRetentionPeriod <= $messageRetentionPeriod): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/sqs/templates/check-receive-message-wait-time.yaml b/charts/cloud-controls/charts/sqs/templates/check-receive-message-wait-time.yaml
new file mode 100644
index 00000000..d7cfb164
--- /dev/null
+++ b/charts/cloud-controls/charts/sqs/templates/check-receive-message-wait-time.yaml
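Review bot: `(messageRetentionPeriod <= $messageRetentionPeriod): true` compares the payload field with the numeric `345600` rendered into `variable:`, but the SQS `GetQueueAttributes` API returns `MessageRetentionPeriod` as a string; unless the controller converts queue attributes to numbers before evaluation, a JMESPath comparison between a string and a number yields null and the assertion fails for every queue. Please confirm against a real payload; if the attribute arrives as a string, `(to_number(messageRetentionPeriod) <= $messageRetentionPeriod): true` is the portable form. The threshold is overridable via `.Values.checkMessageRetentionPeriod.messageRetentionPeriod`, yet the description and failure message hard-code `4 Days`, and the title annotation is the kebab-case `$name` rather than a readable title like the RDS templates use. The same three points apply to the wait-time and visibility-timeout templates below.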
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkReceiveMessageWaitTime" }}
+{{- $name := "check-receive-message-wait-time" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: check-receive-message-wait-time
+ policies.kyverno.io/category: AWS SQS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks whether Receive Message Wait Time is less than 5 sec.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.queueName
+ match:
+ all:
+ - (metadata.provider): "AWS"
+ - (metadata.service): "SQS"
+ - (metadata.resource): "Queue"
+ context:
+ - name: receiveMessageWaitTimeSeconds
+ variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "receiveMessageWaitTimeSeconds" }}{{ index (index .Values $camelCaseName) "receiveMessageWaitTimeSeconds" }}{{ else }}5{{ end }}{{ else }}5{{ end }}
+ assert:
+ all:
+ - message: The Receive Message Wait Time is less than 5 sec.
+ check:
+ payload:
+ (receiveMessageWaitTimeSeconds >= $receiveMessageWaitTimeSeconds): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/sqs/templates/check-visiblity-timeout.yaml b/charts/cloud-controls/charts/sqs/templates/check-visiblity-timeout.yaml
new file mode 100644
index 00000000..76efb545
--- /dev/null
+++ b/charts/cloud-controls/charts/sqs/templates/check-visiblity-timeout.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkVisiblityTimeout" }}
+{{- $name := "check-visiblity-timeout" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: check-visiblity-timeout
+ policies.kyverno.io/category: AWS SQS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Check if the VisiblityTimemout is greater than 30 sec or not
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.queueName
+ match:
+ all:
+ - (metadata.provider): "AWS"
+ - (metadata.service): "SQS"
+ - (metadata.resource): "Queue"
+ context:
+ - name: visibilityTimeout
+ variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "visibilityTimeout" }}{{ index (index .Values $camelCaseName) "visibilityTimeout" }}{{ else }}30{{ end }}{{ else }}30{{ end }}
+ assert:
+ all:
+ - message: The Visiblity Timemout is more than 30 sec.
+ check:
+ payload:
+ (visibilityTimeout <= $visibilityTimeout): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/values.yaml b/charts/cloud-controls/values.yaml
index fc7c77d9..ccab6d7f 100644
--- a/charts/cloud-controls/values.yaml
+++ b/charts/cloud-controls/values.yaml
@@ -36,6 +36,20 @@ aws-apigateway-best-practices:
 burstLimit: 1500
 rateLimit: 2000
 
+aws-sqs-best-practices:
+ failureAction: Audit
+ enabled: true
+ scanner: true
+ admission: true
+ disabledPolicies: []
+
+aws-rds-best-practices:
+ failureAction: Audit
+ enabled: true
+ scanner: true
+ admission: true
+ disabledPolicies: []
+
 global:
 policyKind: ValidatingPolicy
 apiVersion: nirmata.io/v1alpha1