🧹 Updating AWS Policies to Align with Recent Developments #385

HRouhani · 2024-04-17T14:37:29Z

No description provided.

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…t level Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…3 Buckets Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…concurrent execution limits Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…ances are configured for deletion on instance termination Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…ion protection enabled Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…h Encryption-at-Rest Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…ide encryption KMS & SageMaker test Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

mm-weber

Generally it's a good idea to update the checks to keep in line with the new developments, but there's a problem with changing the asset_filters: of existing checks to other assets.

Many checks have been moved from the single asset, to the cluster asset, which 1) isn't the direction we're moving with checks in general and 2) more importantly, existing customers might have already worked with the single asset checks.

Would be great if we can keep the asset_filter scopes and just update the checks as needed.

core/mondoo-aws-security.mql.yaml

…ion-level concurrent execution limits Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…Management Service Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

…onfigured for deletion on instance Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

mm-weber

Thanks for the changes to the checks @HRouhani . Those all look good.

We need to double check and most likely remove all filters: asset.platform == "aws" at group level as those will never allow any of the single asset level variants: to run.

core/mondoo-aws-security.mql.yaml

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

HRouhani · 2024-04-20T08:48:43Z

@mm-weber It should be fine now, I did it exactly like what we did in Azure, using asset.runtime. You can test all variant using following script:

#!/bin/bash

# List of AWS resource types to check
resource_types=(
  "ssm-instances"
  "ssm-instances-api"
  "ecr"
  "ecs"
  "s3-buckets"
  "cloudtrail-trails"
  "rds-dbinstances"
  "rds-dbclusters"
  "vpcs"
  "security-groups"
  "iam-users"
  "iam-groups"
  "cloudwatch-loggroups"
  "lambda-functions"
  "dynamodb-tables"
  "redshift-clusters"
  "ec2-volumes"
  "ec2-snapshots"
  "efs-filesystems"
  "gateway-restapis"
  "elb-loadbalancers"
  "es-domains"
  "kms-keys"
  "sagemaker-notebookinstances"
  "accounts"
  "ec2-instances-api"
  "instances"
)

# Path to the cnspec binary and the MQL file
cnspec_path="/home/.../cnspec"
bundle="/home/....mondoo-aws-security.mql.yaml"

# Loop over each resource type and execute the scan
for resource in "${resource_types[@]}"; do
  echo "********Discovering the $resource  resources and Starting to scan it respectively.....*********"
  $cnspec_path scan aws -f $bundle --discover "$resource"
done

echo "Scanning completed."

Change the cnspec path to your binary as well as the bundle path.

mm-weber

Good stuff @HRouhani !
Thank you.

HRouhani added 9 commits April 18, 2024 10:34

first step adding filters

3a2f834

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure no root user account access key exists

a77b50b

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure MFA is enabled for the root user account

de691bf

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure strong account password policy requirements are used

59c2d79

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving several more

ca8c07b

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure public access to S3 buckets is blocked at the accoun…

e45c7ca

…t level Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Verify Bucket-Level Public Access restrictions for Amazon S…

873c1e9

…3 Buckets Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure EC2 instances use IMDSv2

ef48427

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure VPC flow logging is enabled in all VPCs

2a54d6a

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

HRouhani force-pushed the hossein/aws-Upgrade branch from e51f99b to 2a54d6a Compare April 18, 2024 09:53

HRouhani added 2 commits April 18, 2024 12:06

Improving Ensure Lambda functions are configured with function-level …

0702975

…concurrent execution limits Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>

Improving Ensure all RDS instances are not publicly accessible

89e7621

Signed-off-by: Hossein Rouhani <h_rouhani@hotmail.com>