Merge pull request #139 from nirmata/tf-policies

Add TF policies

tf-config-ecs-best-practices/check-aws-vpc-network-mode.yaml

@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-awsvpc-network-mode
+  labels:
+    ecs.aws.network.kyverno.io: awsvpc
+  annotations:
+    policies.kyverno.io/title: Check awsvpc network mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The awsvpc network mode restricts the flow of traffic between different 
+      tasks or between your tasks and other services that run within your Amazon VPC.
+      The awsvpc network mode provides task-level network isolation for tasks 
+      that run on Amazon EC2.
+spec:
+  rules:
+    - name: check-awsvpc-network-mode
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (resource.aws_ecs_task_definition && length(resource.aws_ecs_task_definition) > `0`): true
+      assert:
+        all:
+        - message: ECS services and tasks are required to use awsvpc network mode.
+          check:
+            resource:
+              ~.(aws_ecs_task_definition):
+                ~.(@):
+                  network_mode: awsvpc

tf-config-ecs-best-practices/validate-ecs-container-insights-enabled.yaml

@@ -0,0 +1,29 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-container-insights-enabled
+  annotations:
+    policies.kyverno.io/title: Validate ECS container insights are enabled
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This Policy ensures that ECS clusters have container
+      insights enabled.
+spec:
+  rules:
+    - name: container-insights
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (resource.aws_ecs_cluster && length(resource.aws_ecs_cluster) > `0`): true
+      assert:
+        all:
+        - message: ECS container insights are not enabled
+          check:
+            resource:
+              ~.(aws_ecs_cluster):
+                ~.(@):
+                  (setting[?name == 'containerInsights']):
+                    - value: enabled

tf-config-s3-best-practices/disable-s3-acl.yaml

@@ -0,0 +1,30 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: disable-s3-access-control-list
+  annotations:
+    policies.kyverno.io/title: Disable S3 Access Control List 
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      S3 Object Ownership is an Amazon S3 bucket-level setting that
+      you can use to control ownership of objects uploaded to your bucket 
+      and to disable or enable ACLs. By default, Object Ownership is set to
+      the Bucket owner enforced setting and all ACLs are disabled. 
+      When ACLs are disabled, the bucket owner owns all the objects in the bucket
+      and manages access to data exclusively using access management policies.
+spec:
+  rules:
+    - name: disable-s3-access-control-list
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls' || type=='aws_s3_bucket'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Access Control List(ACL) should be disabled for an S3 Bucket
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls'].values.rule[]):
+                  object_ownership: BucketOwnerEnforced 

tf-config-s3-best-practices/enable-lifecycle-configuration.yaml

@@ -0,0 +1,30 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: s3-lifecycle-configuration
+  annotations:
+    policies.kyverno.io/title: s3-lifecycle-configuration 
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      S3 Lifecycle manage your objects so that they are stored cost effectively
+      throughout their lifecycle. This policy ensures the lifecycle_configuration
+      is set when creating an S3 bucket.
+spec:
+  rules:
+    - name: check-s3-lifecycle-configuration
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Use the `aws_s3_bucket_lifecycle_configuration` resource to enable lifecycle configuration.
+          check:
+            (planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration'] | length(@) > `0`): true
+        - message: S3 Bucket Lifecycle Configuration 'status' needs to be set to 'Enabled'
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']):
+              (values.rule[?status=='Enabled'] | length(@) > `0`): true

tf-config-s3-best-practices/enable-server-access-logging.yaml

@@ -0,0 +1,29 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: enable-s3-server-access-logging
+  annotations:
+    policies.kyverno.io/title: enable-s3-server-access-logging
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Server access logging provides detailed records for the
+      requests that are made to an Amazon S3 bucket. Server access
+      logs are useful for many applications. For example, access
+      log information can be useful in security and access audits.
+      This information can also help you learn about your customer
+      base and understand your Amazon S3 bill.
+spec:
+  rules:
+    - name: enable-s3-server-access-logging
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Use the aws_s3_bucket_logging resource to enable server access logging
+          check:
+            (planned_values.root_module.resources[?type=='aws_s3_bucket_logging'] | length(@) > `0`): true

tf-config-s3-best-practices/s3-cross-region-replication.yaml

@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: enable-s3-cross-region-replication
+  annotations:
+    policies.kyverno.io/title: enable-s3-cross-region-replication
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Replication enables automatic, asynchronous copying of objects
+      across Amazon S3 buckets. Buckets that are configured for object
+      replication can be owned by the same AWS account or by different
+      accounts. You can replicate objects to a single destination bucket
+      or to multiple destination buckets. The destination buckets can be
+      in different AWS Regions or within the same Region as the source bucket.
+spec:
+  rules:
+    - name: check-s3-cross-region-replication
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Use the `aws_s3_bucket_replication_configuration` resource to set the status to Enabled
+          check:
+            (planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration'] | length(@) > `0`): true
+        - message:  Set S3 Bucket Cross Region Replication status to 'Enabled'
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration']):
+              (values.rule[?status=='Enabled'] | length(@) > `0`): true

tf-config-s3-best-practices/s3-enable-versioning.yaml

@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: enable-s3-versioning
+  annotations:
+    policies.kyverno.io/title: enable-s3-versioning 
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Versioning in Amazon S3 is a means of keeping multiple variants of an object 
+      in the same bucket. You can use the S3 Versioning feature to preserve, retrieve,
+      and restore every version of every object stored in your buckets. With versioning 
+      you can recover more easily from both unintended user actions and application 
+      failures. After versioning is enabled for a bucket, if Amazon S3 receives multiple
+      write requests for the same object simultaneously, it stores all of those objects.
+spec:
+  rules:
+    - name: check-s3-versioning-setting
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Use the `aws_s3_bucket_versioning` resource to enable versioning.
+          check:
+            (planned_values.root_module.resources[?type=='aws_s3_bucket_versioning'] | length(@) > `0`): true
+        - message: S3 Bucket Versioning needs to be set to 'Enabled'
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_versioning']):
+              (values.versioning_configuration[?status=='Enabled'] | length(@) > `0`): true