diff --git a/charts/best-practices-ecs-tf-config/Chart.yaml b/charts/best-practices-ecs-tf-config/Chart.yaml
index be642e19..84527953 100644
--- a/charts/best-practices-ecs-tf-config/Chart.yaml
+++ b/charts/best-practices-ecs-tf-config/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2 name: best-practices-ecs-tf-config description: Best practices ECS terraform config policy set type: application -version: 0.1.0 -appVersion: 0.1.0 +version: 0.1.1 +appVersion: 0.1.1 keywords: - kubernetes - nirmata
diff --git a/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml b/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml
index 70a77637..3efd3d25 100644
--- a/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml
+++ b/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml
@@ -18,15 +18,11 @@ spec: - name: check-awsvpc-network-mode match: all: - - ($analyzer): - resource: - type: terraform-config - - (resource.aws_ecs_task_definition && length(resource.aws_ecs_task_definition) > `0`): true + - ($analyzer.resource.type): terraform-config + - (resource.aws_ecs_task_definition != null): true assert: all: - message: ECS services and tasks are required to use awsvpc network mode. check: - resource: - ~.(aws_ecs_task_definition): - ~.(@): - network_mode: awsvpc
\ No newline at end of file
+ ~.(resource.aws_ecs_task_definition.values(@)[]): + network_mode: awsvpc
diff --git a/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml b/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml
index 4749754d..c57a8479 100644
--- a/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml
+++ b/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml
@@ -11,19 +11,16 @@ metadata: insights enabled. spec: rules: - - name: container-insights + - name: validate-ecs-container-insights-enabled match: all: - - ($analyzer): - resource: - type: terraform-config - - (resource.aws_ecs_cluster && length(resource.aws_ecs_cluster) > `0`): true + - ($analyzer.resource.type): terraform-config + - (resource.aws_ecs_cluster != null): true assert: all: - message: ECS container insights are not enabled check: - resource: - ~.(aws_ecs_cluster): - ~.(@): - (setting[?name == 'containerInsights']): - - value: enabled
\ No newline at end of file
+ ~.(resource.aws_ecs_cluster.values(@)[]): + ~.(setting || `[{}]`): + value: enabled +
diff --git a/charts/best-practices-ecs-tf-config/pols/validate-ecs-task-definition-pid-mode-check.yaml b/charts/best-practices-ecs-tf-config/pols/validate-ecs-task-definition-pid-mode-check.yaml
new file mode 100644
index 00000000..1f5a98ac
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/pols/validate-ecs-task-definition-pid-mode-check.yaml
@@ -0,0 +1,25 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: validate-ecs-task-definition-pid-mode-check + labels: + ecs.aws.tags.kyverno.io: ecs-service + annotations: + policies.kyverno.io/title: Validate ECS task definition PID mode check + policies.kyverno.io/category: ECS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + This policy ensures that ECS task definitions do not share the host's process namespace +spec: + rules: + - name: validate-ecs-task-definition-pid-mode-check + match: + all: + - ($analyzer.resource.type): terraform-config + - (resource.aws_ecs_task_definition != null): true + assert: + all: + - message: ECS task definitions shares the host's process namespace + check: + ~.(resource.aws_ecs_task_definition.values(@)[]): + (pid_mode || 'task'): task
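Review bot: The rewritten check in validate-ecs-container-insights-enabled drops the `name == 'containerInsights'` filter the old check had, so ``~.(setting || `[{}]`)`` iterates every `setting` block and demands `value: enabled` on each without asserting which setting is being inspected. That happens to work while `containerInsights` is the only setting `aws_ecs_cluster` accepts, but the policy no longer expresses what its message claims, and any future setting name would be checked for `enabled` too. Keeping the filter while preserving the fail-when-absent default is one line: ``~.(setting[?name == 'containerInsights'] || `[{}]`):`` — an empty filter result is falsy in JMESPath, so the `[{}]` fallback still applies. The rule's metadata block starts above the hunk.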
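Review bot: `(pid_mode || 'task'): task` in validate-ecs-task-definition-pid-mode-check substitutes `task` for an omitted `pid_mode`, but when the argument is absent ECS gives each container its own process namespace rather than `task`, so the expression reaches the right verdict through a default that is not the real one and a reader cannot see what is enforced. `(pid_mode != 'host'): true` states the intent directly and yields the same result for absent, `task` and `host` values. The message `ECS task definitions shares the host's process namespace` should read `ECS task definition shares the host's process namespace`, and the `ecs.aws.tags.kyverno.io: ecs-service` label on a task-definition policy looks inherited from the service policies — worth confirming it is intended.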
diff --git a/charts/best-practices-ecs-tf-config/pols/validate-ecs-task-public-ip.yaml b/charts/best-practices-ecs-tf-config/pols/validate-ecs-task-public-ip.yaml
new file mode 100644
index 00000000..1b763e1c
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/pols/validate-ecs-task-public-ip.yaml
@@ -0,0 +1,28 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: validate-ecs-task-public-ip + labels: + ecs.aws.tags.kyverno.io: ecs-service + annotations: + policies.kyverno.io/title: Validate ECS Task Public IP + policies.kyverno.io/category: ECS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + ECS tasks with public IP address enabled, are easily reachable from the internet. + This policy validates whether public IP address is enabled on the ECS task +spec: + rules: + - name: validate-ecs-task-public-ip + match: + all: + - ($analyzer.resource.type): terraform-config + - (resource.aws_ecs_service != null): true + assert: + any: + - message: Public IP address should not be enabled + check: + ~.(resource.aws_ecs_service.values(@)[]): + ~.(network_configuration[?assign_public_ip] || `[]`): + assign_public_ip: false +
diff --git a/charts/best-practices-ecs-tf-config/pols/validate-efs-volume-encryption.yaml b/charts/best-practices-ecs-tf-config/pols/validate-efs-volume-encryption.yaml
new file mode 100644
index 00000000..1b763e1c
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/pols/validate-efs-volume-encryption.yaml
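Review bot: In validate-ecs-task-public-ip the foreach ``~.(network_configuration[?assign_public_ip] || `[]`)`` selects only the blocks whose `assign_public_ip` is truthy and then asserts `assign_public_ip: false` on each, so the assertion can never hold for a selected element; the rule reaches the right verdict, but it reads as though such blocks were expected to pass. Iterating every block and asserting the condition directly is equivalent and clearer: ``~.(network_configuration || `[]`):`` followed by ``(assign_public_ip == `true`): false``. `assert: any:` with a single entry behaves like `all:`, and the other policies in this chart use `all:`, so matching them avoids a reader wondering what the `any` is for.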
@@ -0,0 +1,28 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: validate-ecs-task-public-ip + labels: + ecs.aws.tags.kyverno.io: ecs-service + annotations: + policies.kyverno.io/title: Validate ECS Task Public IP + policies.kyverno.io/category: ECS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + ECS tasks with public IP address enabled, are easily reachable from the internet. + This policy validates whether public IP address is enabled on the ECS task +spec: + rules: + - name: validate-ecs-task-public-ip + match: + all: + - ($analyzer.resource.type): terraform-config + - (resource.aws_ecs_service != null): true + assert: + any: + - message: Public IP address should not be enabled + check: + ~.(resource.aws_ecs_service.values(@)[]): + ~.(network_configuration[?assign_public_ip] || `[]`): + assign_public_ip: false +
diff --git a/charts/best-practices-s3-tf-config/Chart.yaml b/charts/best-practices-s3-tf-config/Chart.yaml
index 920296fd..377784b0 100644
--- a/charts/best-practices-s3-tf-config/Chart.yaml
+++ b/charts/best-practices-s3-tf-config/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2 name: best-practices-s3-tf-config description: Best practices S3 terraform-config type: application -version: 0.1.0 -appVersion: 0.1.0 +version: 0.1.1 +appVersion: 0.1.1 keywords: - kubernetes - nirmata
diff --git a/charts/best-practices-s3-tf-config/pols/abort-incomplete-uploads.yaml b/charts/best-practices-s3-tf-config/pols/abort-incomplete-uploads.yaml
new file mode 100644
index 00000000..1b763e1c
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/abort-incomplete-uploads.yaml
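Review bot: charts/best-practices-ecs-tf-config/pols/validate-efs-volume-encryption.yaml is a byte-for-byte copy of the public-IP policy (blob 1b763e1c, `metadata.name: validate-ecs-task-public-ip`, match and check on `aws_ecs_service`), so no EFS volume encryption check is added and the chart now renders two ValidatingPolicy objects with the same name, which will collide on install. The same content is added a third time as charts/best-practices-s3-tf-config/pols/abort-incomplete-uploads.yaml in the next file section, putting an ECS policy into the S3 chart under a file name that promises a lifecycle check. Both files should be replaced with the policies their names describe — for the EFS case presumably an assertion on the task definition's `volume[].efs_volume_configuration` for `transit_encryption: ENABLED`, confirming the attribute path against the analyzer's terraform-config layout — or dropped from this commit until they are written.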
@@ -0,0 +1,28 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: validate-ecs-task-public-ip + labels: + ecs.aws.tags.kyverno.io: ecs-service + annotations: + policies.kyverno.io/title: Validate ECS Task Public IP + policies.kyverno.io/category: ECS Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + ECS tasks with public IP address enabled, are easily reachable from the internet. + This policy validates whether public IP address is enabled on the ECS task +spec: + rules: + - name: validate-ecs-task-public-ip + match: + all: + - ($analyzer.resource.type): terraform-config + - (resource.aws_ecs_service != null): true + assert: + any: + - message: Public IP address should not be enabled + check: + ~.(resource.aws_ecs_service.values(@)[]): + ~.(network_configuration[?assign_public_ip] || `[]`): + assign_public_ip: false +
diff --git a/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml b/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
index 9d057641..eb970428 100644
--- a/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
+++ b/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
@@ -18,13 +18,13 @@ spec: - name: disable-s3-access-control-list match: all: - - ($analyzer): - resource: - type: terraform-config - - (planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls' || type=='aws_s3_bucket'] | length(@) > `0`): true + - ($analyzer.resource.type): terraform-config + - (resource.aws_s3_bucket_ownership_controls != null): true assert: all: - message: Access Control List(ACL) should be disabled for an S3 Bucket check: - ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls'].values.rule[]): - object_ownership: BucketOwnerEnforced
\ No newline at end of file
+ ~.(resource.aws_s3_bucket_ownership_controls.values(@)[]): + ~.(rule): + object_ownership: BucketOwnerEnforced +
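Review bot: The new match in disable-s3-acl, `(resource.aws_s3_bucket_ownership_controls != null): true`, only evaluates configs that already declare an ownership-controls resource, whereas the removed condition also matched on `aws_s3_bucket`; a config that declares buckets and no `aws_s3_bucket_ownership_controls` at all is now never evaluated and passes silently, which is the case this policy exists to catch. The same narrowing happens in enable-lifecycle-configuration further down, where the "use the aws_s3_bucket_lifecycle_configuration resource" assertion is deleted too, and the new enable-kms-encryption policy is built the same way. Keeping the broader match and a presence assertion restores the coverage: `- (resource.aws_s3_bucket != null || resource.aws_s3_bucket_ownership_controls != null): true` under match, and an assert entry `- message: Use the aws_s3_bucket_ownership_controls resource to disable ACLs` with `check: (resource.aws_s3_bucket_ownership_controls != null): true` ahead of the existing one. The rule's metadata block starts above the hunk.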
diff --git a/charts/best-practices-s3-tf-config/pols/enable-aws-cloudtrail.yaml b/charts/best-practices-s3-tf-config/pols/enable-aws-cloudtrail.yaml
new file mode 100644
index 00000000..7479ac54
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/enable-aws-cloudtrail.yaml
@@ -0,0 +1,27 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: enable-aws-cloudtrail + annotations: + policies.kyverno.io/title: enable-aws-cloudtrail + policies.kyverno.io/category: AWS S3 Security Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + CloudTrail stores Amazon S3 data event logs in an S3 bucket of your choosing. + Consider using a bucket in a separate AWS account to better organize events from + multiple buckets that you might own into a central place for easier querying and + analysis. AWS Organizations helps you create an AWS account that is linked to + the account that owns the bucket that you're monitoring. +spec: + rules: + - name: check-aws-cloudtrail-logging + match: + all: + - ($analyzer.resource.type): terraform-config + - (resource.aws_cloudtrail != null): true + assert: + all: + - message: Set the enable_logging argument in aws_cloudtrail resource to true + check: + ~.(resource.aws_cloudtrail.values(@)[]): + (!contains(keys(@), 'enable_logging') || enable_logging == `true`): true
diff --git a/charts/best-practices-s3-tf-config/pols/enable-kms-encryption.yaml b/charts/best-practices-s3-tf-config/pols/enable-kms-encryption.yaml
new file mode 100644
index 00000000..51e34031
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/enable-kms-encryption.yaml
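Review bot: The description of enable-aws-cloudtrail is about storing S3 data event logs, but the only assertion is ``(!contains(keys(@), 'enable_logging') || enable_logging == `true`): true``, which accepts any trail whose logging is on or defaulted regardless of whether it records S3 data events; a trail with no `event_selector` for `AWS::S3::Object` satisfies the policy while the description suggests it would not. Either narrow the description to what is checked, or add a second assertion over `event_selector[].data_resource[?type == 'AWS::S3::Object']` (confirm the block shape in the analyzer's terraform-config output before relying on it). This file is identical to terraform/config/s3-best-practices/enable-aws-cloudtrail/enable-aws-cloudtrail.yaml (same blob 7479ac54), so any change has to land in both copies.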
@@ -0,0 +1,32 @@ +apiVersion: json.kyverno.io/v1alpha1 +kind: ValidatingPolicy +metadata: + name: s3-enable-kms-encryption + annotations: + policies.kyverno.io/title: s3-enable-kms-encryption + policies.kyverno.io/category: AWS S3 Security Best Practices + policies.kyverno.io/severity: medium + policies.kyverno.io/description: >- + All Amazon S3 buckets have encryption configured by default, + and all new objects that are uploaded to an S3 bucket are automatically + encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) + is the default encryption configuration for every bucket in Amazon S3. To use a + different type of encryption, you can either specify the type of server-side encryption + to use in your S3 PUT requests, or you can set the default encryption configuration in + the destination bucket. +spec: + rules: + - name: check-encryption-setting + match: + all: + - ($analyzer.resource.type): terraform-config + - (resource.aws_s3_bucket_server_side_encryption_configuration != null): true + assert: + all: + - message: S3 server side encryption is not set to KMS + check: + ~.(resource.aws_s3_bucket_server_side_encryption_configuration.values(@)[]): + ~.(rule): + ~.(apply_server_side_encryption_by_default || `[{}]`): + (sse_algorithm == 'aws:kms'): true +
diff --git a/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml b/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
index bb885f84..507a134f 100644
--- a/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
+++ b/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
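Review bot: `(sse_algorithm == 'aws:kms'): true` in enable-kms-encryption fails a rule that uses `aws:kms:dsse`, which is also KMS-managed encryption, so a bucket configured for dual-layer SSE-KMS would be reported as "not set to KMS"; if that is not the intent, `(sse_algorithm == 'aws:kms' || sse_algorithm == 'aws:kms:dsse'): true` covers both. The ``|| `[{}]` `` fallback on `apply_server_side_encryption_by_default` correctly fails a rule that omits the block, but `~.(rule):` has no fallback, so a configuration with no `rule` iterates nothing and passes — Terraform itself normally rejects that shape, so this is minor, but ``~.(rule || `[{}]`):`` would make the two levels consistent.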
@@ -15,16 +15,13 @@ spec: - name: check-s3-lifecycle-configuration match: all: - - ($analyzer): - resource: - type: terraform-config - - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true + - ($analyzer.resource.type): terraform-config + - (resource.aws_s3_bucket_lifecycle_configuration != null): true assert: all: - - message: Use the `aws_s3_bucket_lifecycle_configuration` resource to enable lifecycle configuration. - check: - (planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration'] | length(@) > `0`): true - message: S3 Bucket Lifecycle Configuration 'status' needs to be set to 'Enabled' check: - ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']): - (values.rule[?status=='Enabled'] | length(@) > `0`): true + ~.(resource.aws_s3_bucket_lifecycle_configuration.values(@)[]): + ~.(rule): + status: Enabled +
diff --git a/charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml b/charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml
deleted file mode 100644
index 79d94d46..00000000
--- a/charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml
+++ /dev/null
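Review bot: The new check `~.(resource.aws_s3_bucket_lifecycle_configuration.values(@)[]):` / `~.(rule):` / `status: Enabled` requires every lifecycle rule to be Enabled, whereas the removed ``(values.rule[?status=='Enabled'] | length(@) > `0`): true`` only required at least one; a configuration that keeps a deliberately disabled rule next to active ones now fails, and the unchanged message does not say that all rules must be enabled. If the intent is still "lifecycle management is in effect", ``(rule[?status == 'Enabled'] | length(@) > `0`): true`` directly under the resource foreach keeps the old semantics in the new resource layout; if every rule must now be Enabled, the message should say so. The rule's metadata block starts above the hunk.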
@@ -1,29 +0,0 @@ -apiVersion: json.kyverno.io/v1alpha1 -kind: ValidatingPolicy -metadata: - name: enable-s3-server-access-logging - annotations: - policies.kyverno.io/title: enable-s3-server-access-logging - policies.kyverno.io/category: AWS S3 Security Best Practices - policies.kyverno.io/severity: medium - policies.kyverno.io/description: >- - Server access logging provides detailed records for the - requests that are made to an Amazon S3 bucket. Server access - logs are useful for many applications. For example, access - log information can be useful in security and access audits. - This information can also help you learn about your customer - base and understand your Amazon S3 bill. -spec: - rules: - - name: enable-s3-server-access-logging - match: - all: - - ($analyzer): - resource: - type: terraform-config - - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true - assert: - all: - - message: Use the aws_s3_bucket_logging resource to enable server access logging - check: - (planned_values.root_module.resources[?type=='aws_s3_bucket_logging'] | length(@) > `0`): true
diff --git a/charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml b/charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml
deleted file mode 100644
index 3adbd275..00000000
--- a/charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml
+++ /dev/null
@@ -1,33 +0,0 @@ -apiVersion: json.kyverno.io/v1alpha1 -kind: ValidatingPolicy -metadata: - name: enable-s3-cross-region-replication - annotations: - policies.kyverno.io/title: enable-s3-cross-region-replication - policies.kyverno.io/category: AWS S3 Security Best Practices - policies.kyverno.io/severity: medium - policies.kyverno.io/description: >- - Replication enables automatic, asynchronous copying of objects - across Amazon S3 buckets. Buckets that are configured for object - replication can be owned by the same AWS account or by different - accounts. You can replicate objects to a single destination bucket - or to multiple destination buckets. The destination buckets can be - in different AWS Regions or within the same Region as the source bucket. -spec: - rules: - - name: check-s3-cross-region-replication - match: - all: - - ($analyzer): - resource: - type: terraform-config - - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true - assert: - all: - - message: Use the `aws_s3_bucket_replication_configuration` resource to set the status to Enabled - check: - (planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration'] | length(@) > `0`): true - - message: Set S3 Bucket Cross Region Replication status to 'Enabled' - check: - ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration']): - (values.rule[?status=='Enabled'] | length(@) > `0`): true
diff --git a/charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml b/charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml
deleted file mode 100644
index e270d560..00000000
--- a/charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml
+++ /dev/null
@@ -1,33 +0,0 @@ -apiVersion: json.kyverno.io/v1alpha1 -kind: ValidatingPolicy -metadata: - name: enable-s3-versioning - annotations: - policies.kyverno.io/title: enable-s3-versioning - policies.kyverno.io/category: AWS S3 Security Best Practices - policies.kyverno.io/severity: medium - policies.kyverno.io/description: >- - Versioning in Amazon S3 is a means of keeping multiple variants of an object - in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, - and restore every version of every object stored in your buckets. With versioning - you can recover more easily from both unintended user actions and application - failures. After versioning is enabled for a bucket, if Amazon S3 receives multiple - write requests for the same object simultaneously, it stores all of those objects. -spec: - rules: - - name: check-s3-versioning-setting - match: - all: - - ($analyzer): - resource: - type: terraform-config - - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true - assert: - all: - - message: Use the `aws_s3_bucket_versioning` resource to enable versioning. - check: - (planned_values.root_module.resources[?type=='aws_s3_bucket_versioning'] | length(@) > `0`): true - - message: S3 Bucket Versioning needs to be set to 'Enabled' - check: - ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_versioning']): - (values.versioning_configuration[?status=='Enabled'] | length(@) > `0`): true
diff --git a/terraform/config/s3-best-practices/enable-aws-cloudtrail/enable-aws-cloudtrail.yaml b/terraform/config/s3-best-practices/enable-aws-cloudtrail/enable-aws-cloudtrail.yaml
index 1766384b..7479ac54 100644
--- a/terraform/config/s3-best-practices/enable-aws-cloudtrail/enable-aws-cloudtrail.yaml
+++ b/terraform/config/s3-best-practices/enable-aws-cloudtrail/enable-aws-cloudtrail.yaml
@@ -25,4 +25,3 @@ spec: check: ~.(resource.aws_cloudtrail.values(@)[]): (!contains(keys(@), 'enable_logging') || enable_logging == `true`): true -
\ No newline at end of file