Merge pull request #724 from turbot/release/v0.81

Release/v0.81

CHANGELOG.md

@@ -1,3 +1,16 @@
+## v0.81 [2023-10-20]
+
+_Enhancements_
+
+- Added the following controls to the `All Controls` benchmark: ([#722](https://github.com/turbot/steampipe-mod-aws-compliance/pull/722))
+  - `athena_workgroup_enforce_configuration_enabled`
+  - `iam_inline_policy_no_administrative_privileges`
+
+_Bug fixes_
+
+- Fixed README to include correct reference to the `All Controls` benchmark. ([#721](https://github.com/turbot/steampipe-mod-aws-compliance/pull/721)) (Thanks [@vil02](https://github.com/vil02) for the contribution!)
+- Fixed typos in several compliance control descriptions. ([#719](https://github.com/turbot/steampipe-mod-aws-compliance/pull/719)) (Thanks [@pdecat](https://github.com/pdecat) for the contribution!)
+
 ## v0.80 [2023-09-15]
 
 _Bug fixes_

README.md

@@ -9,6 +9,7 @@ Or in a terminal:
 ![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v140_console.png)
 
 Includes support for:
+* [All Controls](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.all_controls)
 * [AWS CIS Controls v8 IG1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_controls_v8_ig1) 🚀 New!
 * [AWS CIS v1.2.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v120)
 * [AWS CIS v1.3.0](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.cis_v130)
@@ -30,7 +31,6 @@ Includes support for:
 * [NIST 800-53 Revision 4](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_4)
 * [NIST 800-53 Revision 5](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_800_53_rev_5)
 * [NIST Cybersecurity Framework (CSF)](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.nist_csf)
-* [Other Compliance Checks](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.other)
 * [PCI DSS v3.2.1](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.pci_dss_v321)
 * [Reserve Bank of India (RBI) Cyber Security Framework](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.rbi_cyber_security)
 * [SOC 2](https://hub.steampipe.io/mods/turbot/aws_compliance/controls/benchmark.soc_2)

all_controls/athena.sp

@@ -8,7 +8,8 @@ benchmark "all_controls_athena" {
   title       = "Athena"
   description = "This section contains recommendations for configuring Athena resources."
   children = [
-    control.athena_workgroup_encryption_at_rest_enabled
+    control.athena_workgroup_encryption_at_rest_enabled,
+    control.athena_workgroup_enforce_configuration_enabled
   ]
 
   tags = merge(local.all_controls_athena_common_tags, {

all_controls/iam.sp

@@ -23,6 +23,7 @@ benchmark "all_controls_iam" {
     control.iam_custom_policy_unattached_no_star_star,
     control.iam_group_not_empty,
     control.iam_group_user_role_no_inline_policies,
+    control.iam_inline_policy_no_administrative_privileges,
     control.iam_managed_policy_attached_to_role,
     control.iam_password_policy_expire_90,
     control.iam_policy_all_attached_no_star_star,

cis_v200/docs/cis_v200_5_1.md

@@ -1,6 +1,6 @@
 ## Description
 
-The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using either the TDP (6), UDP (17) or ALL (-1) protocols.
+The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using either the TCP (6), UDP (17) or ALL (-1) protocols.
 
 Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.
 
@@ -17,4 +17,4 @@ Perform the following:
     - Click the `Inbound Rules` tab.
     - Click `Edit inbound rules`.
     - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click `Delete` to remove the offending inbound rule.
-    - Click `Save`.
+    - Click `Save`.

cis_v200/docs/cis_v200_5_2.md

@@ -1,6 +1,6 @@
 ## Description
 
-Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using either the TDP (6), UDP (17) or ALL (-1) protocols.
+Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port `22` and RDP to port `3389`, using either the TCP (6), UDP (17) or ALL (-1) protocols.
 
 Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.
 

cis_v200/section_5.sp

@@ -24,7 +24,7 @@ benchmark "cis_v200_5" {
 
 control "cis_v200_5_1" {
   title         = "5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports"
-  description   = "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TDP (6), UDP (17) or ALL (-1) protocols."
+  description   = "The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols."
   query         = query.vpc_network_acl_remote_administration
   documentation = file("./cis_v200/docs/cis_v200_5_1.md")
 
@@ -38,7 +38,7 @@ control "cis_v200_5_1" {
 
 control "cis_v200_5_2" {
   title         = "5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
-  description   = "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TDP (6), UDP (17) or ALL (-1) protocols."
+  description   = "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols."
   query         = query.vpc_security_group_remote_administration_ipv4
   documentation = file("./cis_v200/docs/cis_v200_5_2.md")
 

conformance_pack/acm.sp

@@ -5,7 +5,7 @@ locals {
 }
 
 control "acm_certificate_expires_30_days" {
-  title       = "ACM certificates should be set to expire within 30 days"
+  title       = "ACM certificates should not expire within 30 days"
   description = "Ensure network integrity is protected by ensuring X509 certificates are issued by AWS ACM."
   query       = query.acm_certificate_expires_30_days
 

conformance_pack/athena.sp

@@ -12,6 +12,14 @@ control "athena_workgroup_encryption_at_rest_enabled" {
   tags = local.conformance_pack_athena_common_tags
 }
 
+control "athena_workgroup_enforce_configuration_enabled" {
+  title       = "Athena workgroups should enforce configuration"
+  description = "This control checks if an Athena workgroup enforces configuration. The control fails if an Athena workgroup doesn't enforce configuration."
+  query       = query.athena_workgroup_enforce_configuration_enabled
+
+  tags = local.conformance_pack_athena_common_tags
+}
+
 query "athena_workgroup_encryption_at_rest_enabled" {
   sql = <<-EOQ
     select
@@ -29,3 +37,21 @@ query "athena_workgroup_encryption_at_rest_enabled" {
       aws_athena_workgroup;
   EOQ
 }
+
+query "athena_workgroup_enforce_configuration_enabled" {
+  sql = <<-EOQ
+    select
+      name as resource,
+      case
+        when enforce_workgroup_configuration then 'ok'
+        else 'alarm'
+      end as status,
+      case
+        when enforce_workgroup_configuration then name || ' has enforce workgroup configuration enabled.'
+        else name || ' has enforce workgroup configuration disabled.'
+      end as reason
+      ${local.common_dimensions_sql}
+    from
+      aws_athena_workgroup;
+  EOQ
+}

conformance_pack/iam.sp

@@ -663,6 +663,14 @@ control "iam_policy_custom_no_permissive_role_assumption" {
   tags = local.conformance_pack_iam_common_tags
 }
 
+control "iam_inline_policy_no_administrative_privileges" {
+  title       = "IAM inline policy should not have administrative privileges"
+  description = "Ensure that no inline IAM policies exist that allow administrative privileges."
+  query       = query.iam_inline_policy_no_administrative_privileges
+
+  tags = local.conformance_pack_iam_common_tags
+}
+
 query "iam_account_password_policy_strong_min_reuse_24" {
   sql = <<-EOQ
     select
@@ -2158,3 +2166,75 @@ query "iam_policy_custom_no_permissive_role_assumption" {
         not is_aws_managed;
   EOQ
 }
+
+query "iam_inline_policy_no_administrative_privileges" {
+  sql = <<-EOQ
+    with full_administrative_privilege_policies as (
+      select
+        arn,
+        inline_policies_std,
+        name,
+        account_id,
+        region,
+        _ctx,
+        'iam_user' as type
+      from
+        aws_iam_user
+      union
+      select
+        arn,
+        inline_policies_std,
+        name,
+        account_id,
+        region,
+        _ctx,
+        'iam_role' as type
+      from
+        aws_iam_role
+      union
+      select
+        arn,
+        inline_policies_std,
+        name,
+        account_id,
+        region,
+        _ctx,
+        'iam_group' as type
+      from
+        aws_iam_group
+    ),
+    bad_policies as (
+      select
+        arn,
+        count(*) as statements_num
+      from
+        full_administrative_privilege_policies,
+        jsonb_array_elements(inline_policies_std) as policy_std,
+        jsonb_array_elements(policy_std -> 'PolicyDocument' -> 'Statement') as s,
+        jsonb_array_elements_text(s -> 'Resource') as resource,
+        jsonb_array_elements_text(s -> 'Action') as action
+      where
+        s ->> 'Effect' = 'Allow'
+        and resource = '*'
+        and (
+          (action = '*'
+          or action = '*:*'
+          )
+        )
+      group by
+        arn
+    )
+    select
+      p.arn as resource,
+      case
+        when bad.arn is null then 'ok'
+        else 'alarm'
+      end status,
+      p.name || ' contains ' || coalesce(bad.statements_num,0)  ||
+        ' statements that allow action "*" on resource "*".' as reason
+      ${replace(local.common_dimensions_qualifier_global_sql, "__QUALIFIER__", "p.")}
+    from
+      full_administrative_privilege_policies as p
+      left join bad_policies as bad on p.arn = bad.arn;
+  EOQ
+}

conformance_pack/vpc.sp

@@ -39,7 +39,7 @@ control "vpc_security_group_remote_administration" {
 
 control "vpc_security_group_remote_administration_ipv4" {
   title       = "Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports"
-  description = "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TDP (6), UDP (17) or ALL (-1) protocols."
+  description = "Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389, using either the TCP (6), UDP (17) or ALL (-1) protocols."
   query       = query.vpc_security_group_remote_administration_ipv4
 
   tags = local.conformance_pack_vpc_common_tags
@@ -1740,4 +1740,3 @@ query "vpc_subnet_public_and_private" {
       aws_vpc as v;
   EOQ
 }
-