diff --git a/charts/cloud-controls/Chart.yaml b/charts/cloud-controls/Chart.yaml
index ecf70918..469dff46 100644
--- a/charts/cloud-controls/Chart.yaml
+++ b/charts/cloud-controls/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cloud-controls
 description: Cloud Controls Helm Chart
-version: 0.0.1
+version: 0.0.2
 keywords:
 - kubernetes
 - nirmata
@@ -24,3 +24,7 @@ dependencies:
 condition: aws-lambda-best-practices.enabled
 version: 0.0.1
 repository: file://charts/lambda
+ - name: aws-apigateway-best-practices
+ condition: aws-apigateway-best-practices.enabled
+ version: 0.0.1
+ repository: file://charts/apigateway
diff --git a/charts/cloud-controls/charts/apigateway/.helmignore b/charts/cloud-controls/charts/apigateway/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/cloud-controls/charts/apigateway/Chart.yaml b/charts/cloud-controls/charts/apigateway/Chart.yaml
new file mode 100644
index 00000000..fed84256
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-apigateway-best-practices
+description: Aws ApiGateway Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+ - kubernetes
+ - nirmata
+ - kyverno
+ - policy
+ - cloud-controller
+maintainers:
+ - name: Nirmata
+ url: https://nirmata.com/
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-api-protocol.yaml b/charts/cloud-controls/charts/apigateway/templates/check-api-protocol.yaml
new file mode 100644
index 00000000..3495b176
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-api-protocol.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkApiProtocol" }}
+{{- $name := "check-api-protocol" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API has Correct ProtocolType
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ APIs can use either the HTTP or WebSocket protocol. HTTP is generally more cost-effective as
+ it is stateless and suitable for typical client-server interactions. WebSocket, while ideal for real-time,
+ low-latency communication, requires persistent connections, which can increase costs. For cost-effectiveness,
+ choose HTTP unless real-time communication is critical to your application.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.name
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGatewayV2
+ - (metadata.resource): Api
+ assert:
+ all:
+ - message: "Ensure API has Correct ProtocolType."
+ check:
+ payload:
+ protocolType: {{ if hasKey .Values $camelCaseName }}{{ $protocolType := index (index .Values $camelCaseName) "protocolType" }}{{ if or (eq $protocolType "HTTP") (eq $protocolType "WEBSOCKET") }}{{ $protocolType }}{{ else }}"HTTP"{{ end }}{{ else }}"HTTP"{{ end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-method-caching-enabled.yaml b/charts/cloud-controls/charts/apigateway/templates/check-method-caching-enabled.yaml
new file mode 100644
index 00000000..cf968f82
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-method-caching-enabled.yaml
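Review bot: On the `protocolType:` line, a `checkApiProtocol.protocolType` value that is neither `HTTP` nor `WEBSOCKET` (a typo such as `Websocket`, or a missing key) is silently rendered as `"HTTP"`, so a misconfigured override becomes a check for the opposite protocol with no signal at install time; replacing the inner `{{ else }}"HTTP"{{ end }}` with `{{ else }}{{ fail (printf "checkApiProtocol.protocolType must be HTTP or WEBSOCKET, got %q" $protocolType) }}{{ end }}` surfaces it, and a `hasKey (index .Values $camelCaseName) "protocolType"` guard like the one used for `failureAction` keeps the missing-key case on the default rather than on whatever `eq` does with a nil operand in the installed template engine. The `failureAction`/`scan`/`admission` chains are repeated verbatim in all eight new templates (check-method-caching-enabled through check-stage-xray-tracing-enabled); a named template in a `_helpers.tpl` taking the policy's camel-case name and the field would make the override precedence readable in one place and keep the files from drifting. All eight templates also lack a trailing newline.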
@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodCachingEnabled" }}
+{{- $name := "check-method-caching-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API Gateway has Caching Enabled in Method Settings.
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that caching is enabled in API Gateway method settings,
+ which helps improve performance, reduce latency, and lower operational costs by minimizing redundant
+ requests to the backend services. Enforcing this best practice enhances the efficiency and reliability of your API.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ assert:
+ all:
+ - message: "Ensure API Gateway has Caching Enabled in Method Settings."
+ check:
+ payload:
+ (contains(keys(@), 'methodSettings') && !contains(methodSettings[*].cachingEnabled, `false`)): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-method-caching-encryption-enabled.yaml b/charts/cloud-controls/charts/apigateway/templates/check-method-caching-encryption-enabled.yaml
new file mode 100644
index 00000000..37c3c789
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-method-caching-encryption-enabled.yaml
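Review bot: The check on the `payload:` line passes vacuously when `methodSettings` is present but empty, or when an entry has no `cachingEnabled` key: the projection drops nulls and `contains` on an empty list is false, so `methodSettings: []` satisfies "caching enabled". Filtering on the negative catches both cases: `` (contains(keys(@), 'methodSettings') && length(methodSettings) > `0` && length(methodSettings[?cachingEnabled != `true`]) == `0`): true ``. This assumes `methodSettings` is a list, as the `[*]` projection and the CloudFormation-style property names used by these checks suggest; confirm against a real payload. The same null-dropping affects `cacheDataEncrypted` in check-method-caching-encryption-enabled, where `` methodSettings[?cachingEnabled == `true` && cacheDataEncrypted != `true`] `` would also flag a cached method whose encryption flag is simply absent.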
@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodCachingEncryptionEnabled" }}
+{{- $name := "check-method-caching-encryption-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API Gateway has Caching Encryption Enabled in Method Settings.
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that caching encryption is enabled in API Gateway method settings,
+ safeguarding sensitive data stored in the cache. Enforcing this practice enhances the security
+ and compliance of your API by preventing unauthorized access to cached data.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ assert:
+ all:
+ - message: "Ensure API Gateway has Caching Encryption Enabled in Method Settings."
+ check:
+ payload:
+ (contains(keys(@), 'methodSettings') && !contains(methodSettings[?cachingEnabled == `true`].cacheDataEncrypted, `false`)): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-method-data-tracing-disabled.yaml b/charts/cloud-controls/charts/apigateway/templates/check-method-data-tracing-disabled.yaml
new file mode 100644
index 00000000..8a537be4
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-method-data-tracing-disabled.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodDataTracingDisabled" }}
+{{- $name := "check-method-data-tracing-disabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API Gateway has Caching Enabled in Method Settings.
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that data tracing is disabled in API Gateway method settings to prevent sensitive data from being logged.
+ Enforcing this practice helps enhance security, protect user privacy, and reduce the risk of exposing sensitive information in logs.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ assert:
+ all:
+ - message: "Ensure API Gateway has Caching Enabled in Method Settings."
+ check:
+ payload:
+ (contains(keys(@), 'methodSettings') && !contains(methodSettings[*].dataTraceEnabled, `true`)): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-method-throttling-limit.yaml b/charts/cloud-controls/charts/apigateway/templates/check-method-throttling-limit.yaml
new file mode 100644
index 00000000..7b26eb1d
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-method-throttling-limit.yaml
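Review bot: The `policies.kyverno.io/title` annotation and the assert `message` are copied from the caching policy ("Ensure API Gateway has Caching Enabled in Method Settings.") while the check tests `dataTraceEnabled`, so a violation report names the wrong control; change both to `Ensure API Gateway has Data Tracing Disabled in Method Settings.` The leading `contains(keys(@), 'methodSettings')` also makes a stage with no method settings at all fail, although no method can have data tracing switched on in that case; if the payload omits the key rather than sending an empty list, `` (!contains(keys(@), 'methodSettings') || !contains(methodSettings[*].dataTraceEnabled, `true`)): true `` avoids the false positive — worth checking against a real payload before changing it.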
@@ -0,0 +1,48 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMethodThrottlingLimit" }}
+{{- $name := "check-method-throttling-limit" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API Gateway has Throttling Limit Set in Method Settings.
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that throttling limits, including ThrottlingBurstLimit and ThrottlingRateLimit,
+ are properly configured in API Gateway method settings. Enforcing this practice prevents resource overuse,
+ enhances API reliability, and ensures fair usage by controlling the request rates to backend services.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ context:
+ - name: burstLimit
+ variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "burstLimit" }}{{ index (index .Values $camelCaseName) "burstLimit" }}{{ else }}1500{{ end }}{{ else }}1500{{ end }}
+ - name: rateLimit
+ variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "rateLimit" }}{{ index (index .Values $camelCaseName) "rateLimit" }}{{ else }}2000{{ end }}{{ else }}2000{{ end }}
+ assert:
+ all:
+ - message: "Ensure ThrottlingBurstLimit is configured properly"
+ check:
+ payload:
+ (contains(keys(@), 'methodSettings') && (length(methodSettings[?throttlingBurstLimit > $burstLimit]) == `0`)): true
+
+ - message: "Ensure ThrottlingRateLimit is configured properly"
+ check:
+ payload:
+ (contains(keys(@), 'methodSettings') && (length(methodSettings[?throttlingRateLimit > $rateLimit]) == `0`)): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-stage-access-logging-enabled.yaml b/charts/cloud-controls/charts/apigateway/templates/check-stage-access-logging-enabled.yaml
new file mode 100644
index 00000000..96831ca6
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-stage-access-logging-enabled.yaml
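Review bot: Both assertions only bound the limits from above, so a method setting with no `throttlingBurstLimit`/`throttlingRateLimit` at all is selected by neither filter and passes, although the title says the limits must be set; `` length(methodSettings[?throttlingBurstLimit == `null` || throttlingBurstLimit > $burstLimit]) == `0` `` (and likewise for `rateLimit`) catches the unset case, and as with the other method-settings checks an empty `methodSettings` list still passes vacuously. The two `variable:` lines render the raw values, so an override such as `burstLimit: "1500"` becomes a string, the `>` comparison yields null and the filter selects nothing, silently passing every stage; piping the value through `int` (`float64` for `rateLimit`) or documenting that the values must be numbers would close that. The messages could also state the bound, e.g. `Ensure ThrottlingBurstLimit is set and does not exceed the configured burstLimit`.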
@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkStageAccessLoggingEnabled" }}
+{{- $name := "check-stage-access-logging-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API Gateway has Access Logging enabled
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that access logging is enabled in API Gateway stages,
+ which is critical for monitoring and auditing API activity. Enforcing this practice improves observability,
+ aids in troubleshooting issues, and enhances security by maintaining a detailed record of API access and usage.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ assert:
+ all:
+ - message: "Ensure API Gateway has Access Logging enabled"
+ check:
+ payload:
+ (contains(keys(@), 'accessLogSetting') && accessLogSetting != `{}`): true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-stage-cache-cluster-enabled.yaml b/charts/cloud-controls/charts/apigateway/templates/check-stage-cache-cluster-enabled.yaml
new file mode 100644
index 00000000..04bcaa99
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-stage-cache-cluster-enabled.yaml
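Review bot: `` contains(keys(@), 'accessLogSetting') && accessLogSetting != `{}` `` only proves the key exists with a value other than an empty object; `accessLogSetting: null`, or a setting that carries only `format`, both pass, and in neither case is a log delivered anywhere. Checking the destination is what the title promises: `` (accessLogSetting.destinationArn != `null` && accessLogSetting.destinationArn != ''): true ``. The field name follows the CloudFormation-style camel-cased properties the other checks in this chart rely on (`AccessLogSetting.DestinationArn`), so confirm it against a real payload before switching.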
@@ -0,0 +1,38 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkStageCacheClusterEnabled" }}
+{{- $name := "check-stage-cache-cluster-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Ensure API Gateway caching is enabled
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that caching is enabled for API Gateway stages,
+ which enhances performance by reducing backend load and improving response times.
+ Enforcing this best practice helps optimize resource utilization and provides a better user experience for API consumers.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ assert:
+ all:
+ - message: "Ensure API Gateway caching is enabled"
+ check:
+ payload:
+ cacheClusterEnabled: true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/charts/apigateway/templates/check-stage-xray-tracing-enabled.yaml b/charts/cloud-controls/charts/apigateway/templates/check-stage-xray-tracing-enabled.yaml
new file mode 100644
index 00000000..dcee83ec
--- /dev/null
+++ b/charts/cloud-controls/charts/apigateway/templates/check-stage-xray-tracing-enabled.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkStageXrayTracingEnabled" }}
+{{- $name := "check-stage-xray-tracing-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+ name: {{ $name }}
+ annotations:
+ policies.kyverno.io/title: Check Stage Xray Tracing Enabled
+ policies.kyverno.io/category: ApiGateway Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that X-Ray tracing is enabled for API Gateway stages,
+ allowing you to trace and analyze request paths through your applications.
+ Enforcing this practice improves observability, helps identify bottlenecks,
+ and enhances debugging capabilities, ensuring better performance and reliability of your APIs.
+ labels:
+ app: kyverno
+spec:
+ failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+ scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+ admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+ rules:
+ - name: {{ $name }}
+ identifier: payload.stageName
+ match:
+ all:
+ - (metadata.provider): AWS
+ - (metadata.service): ApiGateway
+ - (metadata.resource): Stage
+ assert:
+ all:
+ - message: "Ensure API Gateway has X-Ray Tracing enabled"
+ check:
+ payload:
+ tracingEnabled: true
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/cloud-controls/values.yaml b/charts/cloud-controls/values.yaml
index 8cb0dd2e..fc7c77d9 100644
--- a/charts/cloud-controls/values.yaml
+++ b/charts/cloud-controls/values.yaml
@@ -24,6 +24,18 @@ aws-lambda-best-practices:
 admission: true
 disabledPolicies: []
 
+aws-apigateway-best-practices:
+ failureAction: Audit
+ enabled: true
+ scanner: true
+ admission: true
+ disabledPolicies: []
+ checkApiProtocol:
+ protocolType: HTTP
+ checkMethodThrottlingLimit:
+ burstLimit: 1500
+ rateLimit: 2000
+
 global:
 policyKind: ValidatingPolicy
 apiVersion: nirmata.io/v1alpha1
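Review bot: The `policies.kyverno.io/title` annotation reads `Check Stage Xray Tracing Enabled`, which is the only title in the new chart phrased like a file name rather than a requirement, and it does not match the policy's own assert message; `policies.kyverno.io/title: Ensure API Gateway has X-Ray Tracing enabled` keeps the annotation and the message consistent with the other seven policies.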
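Review bot: The new `aws-apigateway-best-practices` block documents none of its tunables, although two of them carry constraints that are only visible inside the templates: `protocolType` is honoured only as `HTTP` or `WEBSOCKET` (anything else renders as `HTTP`), and `burstLimit`/`rateLimit` are upper bounds that must be numbers. Comments such as `protocolType: HTTP  # HTTP or WEBSOCKET; other values fall back to HTTP` and `burstLimit: 1500  # maximum throttlingBurstLimit allowed per method setting` would make that visible to anyone editing values. The per-policy `failureAction`/`scanner`/`admission` overrides the templates honour (for example `checkStageXrayTracingEnabled.failureAction`) are not shown either; a commented example would document that they exist.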