Skip to content

Commit

Permalink
feat(CG-1286): add storage rules support
Browse files Browse the repository at this point in the history
  • Loading branch information
@james-zhou-inspire11
james-zhou-inspire11 committed Oct 31, 2022
1 parent 4e80389 commit 0934441
Show file tree
Hide file tree
Showing 10 changed files with 951 additions and 1 deletion.
8 changes: 7 additions & 1 deletion src/aws/cis-1.5.0/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -57,4 +57,10 @@ Policy Pack based on the [AWS Foundations 1.5.0](https://drive.google.com/file/d

| Rule | Description |
| ------------- | --------------------------------------------------------------------------------------------------------------------------- |

| AWS CIS 2.1.1 | Ensure all S3 buckets employ encryption-at-rest |
| AWS CIS 2.1.2 | Ensure S3 Bucket Policy allows HTTPS requests |
| AWS CIS 2.1.3 | Ensure MFA Delete is enable on S3 buckets |
| AWS CIS 2.1.4 | Ensure all data in Amazon S3 has been discovered, classified and secured when required. |
| AWS CIS 2.1.5 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' |
| AWS CIS 2.2.1 | Ensure EBS volume encryption is enabled |
| AWS CIS 2.3.1 | Ensure that encryption is enabled for RDS Instances |
91 changes: 91 additions & 0 deletions src/aws/cis-1.5.0/rules/aws-cis-1.5.0-2.1.1.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
// AWS NIST 800-53-rev4 Rule equivalent 4.5
export default {
id: 'aws-cis-1.5.0-2.1.1',
title: 'AWS CIS 2.1.1 Ensure all S3 buckets employ encryption-at-rest',

description: 'Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.',

audit: `**From Console:**
1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
2. Select the Check box next to the Bucket.
3. Click on 'Properties'.
4. Verify that Default Encryption displays either AES-256 or AWS-KMS.
5. Repeat for all the buckets in your AWS account.
**From Command Line:**
1. Run command to list buckets
aws s3 ls
2. For each bucket, run
aws s3api get-bucket-encryption --bucket <bucket name>
3. Verify that either
"SSEAlgorithm": "AES256"
or
"SSEAlgorithm": "aws:kms" is displayed.`,

rationale: 'Encrypting data at rest reduces the likelihood that it is unintentionally exposed and can nullify the impact of disclosure if the encryption remains unbroken.',

remediation: `**From Console:**
1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
2. Select the Check box next to the Bucket.
3. Click on 'Properties'.
4. Click on Default Encryption.
5. Select either AES-256 or AWS-KMS
6. Click Save
7. Repeat for all the buckets in your AWS account lacking encryption.
**From Command Line:**
Run either
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}'
or
aws s3api put-bucket-encryption --bucket <bucket name> --server-side-encryption-configuration '{"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms","KMSMasterKeyID": "aws/s3"}}]}'
**Note:** the KMSMasterKeyID can be set to the master key of your choosing; aws/s3 is an AWS preconfigured default.`,

references: [
'https://docs.aws.amazon.com/AmazonS3/latest/user-guide/default-bucket-encryption.html',
'https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html#bucket-encryption-related-resources',
],
gql: `{
queryawsS3 {
id
arn
accountId
__typename
encrypted
encryptionRules {
sseAlgorithm
}
}
}`,
resource: 'queryawsS3[*]',
severity: 'high',
conditions: {
and: [
{
path: '@.encrypted',
equal: 'Yes',
},
{
path: '@.encryptionRules',
array_any: {
path: '[*].sseAlgorithm',
in: ['AES256', 'aws:kms'],
},
},
],
},
}
119 changes: 119 additions & 0 deletions src/aws/cis-1.5.0/rules/aws-cis-1.5.0-2.1.2.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
export default {
id: 'aws-cis-1.5.0-2.1.2',
title: 'AWS CIS 2.1.2 Ensure S3 Bucket Policy is set to deny HTTP requests',

description: 'At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.',

audit: `To allow access to HTTPS you can use a condition that checks for the key "aws:SecureTransport: true". This means that the request is sent through HTTPS but that HTTP can still be used. So to make sure you do not allow HTTP access confirm that there is a bucket policy that explicitly denies access for HTTP requests and that it contains the key "aws:SecureTransport": "false".
**From Console:**
1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
2. Select the Check box next to the Bucket.
3. Click on 'Permissions', then Click on Bucket Policy.
4. Ensure that a policy is listed that matches:
{
"Sid": <optional>,
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
<optional> and <bucket_name> will be specific to your account
5. Repeat for all the buckets in your AWS account.
**From Command Line:**
1. List all of the S3 Buckets
aws s3 ls
2. Using the list of buckets run this command on each of them:
aws s3api get-bucket-policy --bucket <bucket_name> | grep aws:SecureTransport
3. Confirm that aws:SecureTransport is set to false aws:SecureTransport:false
4. Confirm that the policy line has Effect set to Deny 'Effect:Deny'`,

rationale: 'By default, Amazon S3 allows both HTTP and HTTPS requests. To achieve only allowing access to Amazon S3 objects through HTTPS you also have to explicitly deny access to HTTP requests. Bucket policies that allow HTTPS requests without explicitly denying HTTP requests will not comply with this recommendation.',

remediation: `**From Console:**
1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
2. Select the Check box next to the Bucket.
3. Click on 'Permissions'.
4. Click 'Bucket Policy'
5. Add this to the existing policy filling in the required information
{
"Sid": <optional>,
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
6. Save
7. Repeat for all the buckets in your AWS account that contain sensitive data.
**From Console**
using AWS Policy Generator:
1. Repeat steps 1-4 above.
2. Click on Policy Generator at the bottom of the Bucket Policy Editor
3. Select Policy Type S3 Bucket Policy
4. Add Statements
Effect = Deny
Principal = *
AWS Service = Amazon S3
Actions = GetObject
Amazon Resource Name =
5. Generate Policy
6. Copy the text and add it to the Bucket Policy.
**From Command Line:**
1. Export the bucket policy to a json file.
aws s3api get-bucket-policy --bucket <bucket_name> --query Policy --output text > policy.json
2. Modify the policy.json file by adding in this statement:
{
"Sid": <optional>,
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::<bucket_name>/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
3. Apply this modified policy back to the S3 bucket:
aws s3api put-bucket-policy --bucket <bucket_name> --policy file://policy.json`,

references: [
'https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/',
'https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/',
'https://awscli.amazonaws.com/v2/documentation/api/latest/reference/s3api/get-bucket-policy.html',
],

severity: 'medium',
}
75 changes: 75 additions & 0 deletions src/aws/cis-1.5.0/rules/aws-cis-1.5.0-2.1.3.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
export default {
id: 'aws-cis-1.5.0-2.1.3',
title: 'AWS CIS 2.1.3 Ensure MFA Delete is enable on S3 buckets',

description: 'Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.',

audit: `Perform the steps below to confirm MFA delete is configured on an S3 Bucket
**From Console:**
1. Login to the S3 console at https://console.aws.amazon.com/s3/
2. Click the _Check_ box next to the Bucket name you want to confirm
3. In the window under _Properties_
4. Confirm that Versioning is _Enabled_
5. Confirm that MFA Delete is _Enabled_
**From Command Line:**
1. Run the get-bucket-versioning
aws s3api get-bucket-versioning --bucket my-bucket
Output example:
<VersioningConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Status>Enabled</Status>
<MfaDelete>Enabled</MfaDelete>
</VersioningConfiguration>
If the Console or the CLI output does not show Versioning and MFA Delete enabled refer to the remediation below.`,

rationale: 'Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete and object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted.',

remediation: `Perform the steps below to enable MFA delete on an S3 bucket.
Note:
-You cannot enable MFA Delete using the AWS Management Console. You must use the AWS CLI or API.
-You must use your 'root' account to enable MFA Delete on S3 buckets.
**From Command line:**
1. Run the s3api put-bucket-versioning command
aws s3api put-bucket-versioning --profile my-root-profile --bucket Bucket_Name --versioning-configuration Status=Enabled,MFADelete=Enabled`,

references: [
'https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html#MultiFactorAuthenticationDelete',
'https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingMFADelete.html',
'https://aws.amazon.com/blogs/security/securing-access-to-aws-using-mfa-part-3/',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_lost-or-broken.html',
],
gql: `{
queryawsS3 {
id
arn
accountId
__typename
versioning
mfa
}
}`,
resource: 'queryawsS3[*]',
severity: 'high',
conditions: {
and: [
{
path: '@.versioning',
equal: 'Enabled',
},
{
path: '@.mfa',
equal: 'Enabled',
},
],
},
}
65 changes: 65 additions & 0 deletions src/aws/cis-1.5.0/rules/aws-cis-1.5.0-2.1.4.ts
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
export default {
id: 'aws-cis-1.5.0-2.1.4',
title: 'AWS CIS 2.1.4 Ensure all data in Amazon S3 has been discovered, classified and secured when required',

description: 'Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.',

audit: `Perform the following steps to determine if Macie is running:
**From Console:**
1. Login to the Macie console at https://console.aws.amazon.com/macie/
2. In the left hand pane click on By job under findings.
3. Confirm that you have a Job setup for your S3 Buckets
When you log into the Macie console if you aren't taken to the summary page and you don't have a job setup and running then refer to the remediation procedure below. If you are using a 3rd Party tool to manage and protect your s3 data you meet this recommendation.`,

rationale: `Using a Cloud service or 3rd Party software to continuously monitor and automate the process of data discovery and classification for S3 buckets using machine learning and pattern matching is a strong defense in protecting that information.
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.`,

remediation: `Perform the steps below to enable and configure Amazon Macie
**From Console:**
1. Log on to the Macie console at https://console.aws.amazon.com/macie/
2. Click Get started.
3. Click Enable Macie.
Setup a repository for sensitive data discovery results
1. In the Left pane, under Settings, click Discovery results.
2. Make sure Create bucket is selected.
3. Create a bucket, enter a name for the bucket. The name must be unique across all S3 buckets. In addition, the name must start with a lowercase letter or a number.
4. Click on Advanced.
5. Block all public access, make sure Yes is selected.
6. KMS encryption, specify the AWS KMS key that you want to use to encrypt the results. The key must be a symmetric, customer master key (CMK) that's in the same Region as the S3 bucket.
7. Click on Save
Create a job to discover sensitive data
1. In the left pane, click S3 buckets. Macie displays a list of all the S3 buckets for your account.
2. Select the check box for each bucket that you want Macie to analyze as part of the job
3. Click Create job.
4. Click Quick create.
5. For the Name and description step, enter a name and, optionally, a description of the job.
6. Then click Next.
7. For the Review and create step, click Submit.
Review your findings
1. In the left pane, click Findings.
2. To view the details of a specific finding, choose any field other than the check box for the finding.
If you are using a 3rd Party tool to manage and protect your s3 data, follow the Vendor documentation for implementing and configuring that tool.`,

references: [
'https://aws.amazon.com/macie/getting-started/',
'https://docs.aws.amazon.com/workspaces/latest/adminguide/data-protection.html',
'https://docs.aws.amazon.com/macie/latest/user/data-classification.html',
],

severity: 'high',
}
Loading

0 comments on commit 0934441

Please sign in to comment.