diff --git a/go.mod b/go.mod
index dffe6982b..ea53117c6 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 github.com/zclconf/go-cty v1.2.1
 go.uber.org/zap v1.9.1
 golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
- golang.org/x/tools v0.0.0-20200811215021-48a8ffc5b207 // indirect
+ golang.org/x/tools v0.0.0-20200812231640-9176cd30088c // indirect
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 gopkg.in/yaml.v2 v2.3.0
 honnef.co/go/tools v0.0.1-2020.1.5 // indirect
diff --git a/go.sum b/go.sum
index 8aee93936..b2eeab546 100644
--- a/go.sum
+++ b/go.sum
@@ -447,6 +447,8 @@ golang.org/x/tools v0.0.0-20200809012840-6f4f008689da h1:ml5G98G4/tdKT1XNq+ky5iS
 golang.org/x/tools v0.0.0-20200809012840-6f4f008689da/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200811215021-48a8ffc5b207 h1:8Kg+JssU1jBZs8GIrL5pl4nVyaqyyhdmHAR4D1zGErg=
 golang.org/x/tools v0.0.0-20200811215021-48a8ffc5b207/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200812231640-9176cd30088c h1:ZSTOUQugXA1i88foZV5ck1FrcnEYhGmlpiPXgDWmhG0=
+golang.org/x/tools v0.0.0-20200812231640-9176cd30088c/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
diff --git a/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json b/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json
index e2f3a8a84..87a931b83 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "cloudfrontNoHTTPSTraffic",
+ "name": "cloudfrontNoHTTPSTraffic",
 "file": "cloudfrontNoHTTPSTraffic.rego",
- "ruleTemplate": "cloudfrontNoHTTPSTraffic",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Use encrypted connection between CloudFront and origin server",
- "ruleReferenceId": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
+ "referenceId": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
 "category": "Encryption and Key Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json b/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json
index 3ee435f99..417d50dcd 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "cloudfrontNoSecureCiphers",
+ "name": "cloudfrontNoSecureCiphers",
 "file": "cloudfrontNoSecureCiphers.rego",
- "ruleTemplate": "cloudfrontNoSecureCiphers",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Secure ciphers are not used in CloudFront distribution",
- "ruleReferenceId": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
+ "referenceId": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
 "category": "Encryption and Key Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json b/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json
index a20956e92..2d26be5a4 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "cloudfrontNoLogging",
+ "name": "cloudfrontNoLogging",
 "file": "cloudfrontNoLogging.rego",
- "ruleTemplate": "cloudfrontNoLogging",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "MEDIUM",
 "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
- "ruleReferenceId": "AWS.CloudFront.Logging.Medium.0567",
+ "referenceId": "AWS.CloudFront.Logging.Medium.0567",
 "category": "Logging",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json
index 8c070cbad..ba033e951 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "cloudTrailLogNotEncrypted",
+ "name": "cloudTrailLogNotEncrypted",
 "file": "cloudTrailLogNotEncrypted.rego",
- "ruleTemplate": "cloudTrailLogNotEncrypted",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Cloud Trail Log Not Enabled",
- "ruleReferenceId": "AWS.CloudTrail.Logging.High.0399",
+ "referenceId": "AWS.CloudTrail.Logging.High.0399",
 "category": "Logging",
 "version": 2
 }
\ No newline at end of file
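Review bot: In the AWS.CloudTrail.Logging.High.0399 hunk the finding text on the new side, `"description": "Cloud Trail Log Not Enabled"`, contradicts the rule it labels: `name` and `file` are both `cloudTrailLogNotEncrypted`, so whoever triages this finding is told logging is off when the rule, by its name, is about missing encryption. The `.rego` body is not part of this diff, so confirm which condition it actually evaluates before rewording; if it is the encryption check, `"description": "CloudTrail log files are not encrypted with a KMS key"` would match the name. Since the commit already rewrites most of this file for the key rename, it is the cheapest moment to correct the one line that an operator reads verbatim.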
diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.0559.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.0559.json
index 9fcf02b5f..8ff0317d1 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.0559.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.0559.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "reme_enableSNSTopic",
+ "name": "reme_enableSNSTopic",
 "file": "enableSNSTopic.rego",
- "ruleTemplate": "enableSNSTopic",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": "reme_"
 },
 "severity": "MEDIUM",
 "description": "Ensure appropriate subscribers to each SNS topic",
- "ruleReferenceId": "AWS.CloudTrail.Logging.Low.0559",
+ "referenceId": "AWS.CloudTrail.Logging.Low.0559",
 "category": "Logging",
- "version": 0
+ "version": 1
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json
index ec9b6b080..52e43d7ca 100755
--- a/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json
+++ b/pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "cloudTrailMultiRegionNotCreated",
+ "name": "cloudTrailMultiRegionNotCreated",
 "file": "cloudTrailMultiRegionNotCreated.rego",
- "ruleTemplate": "cloudTrailMultiRegionNotCreated",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "MEDIUM",
 "description": "Cloud Trail Multi Region not enabled",
- "ruleReferenceId": "AWS.CloudTrail.Logging.Medium.0460",
+ "referenceId": "AWS.CloudTrail.Logging.Medium.0460",
 "category": "Logging",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/.json b/pkg/policies/opa/rego/aws/aws_db_instance/.json
deleted file mode 100755
index 06c786984..000000000
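Review bot: In the AWS.CloudTrail.Logging.Low.0559 hunk, `"severity": "MEDIUM"` on the new side disagrees with the rule's own identifier, `"referenceId": "AWS.CloudTrail.Logging.Low.0559"`, and with the file name, both of which encode Low. Consumers that filter by `severity` and consumers that key on the reference id will therefore rank the same finding differently; the comparable rule in this commit, AWS.Iam.IAM.Low.0540, keeps the two consistent with `"severity": "LOW"`. The bump from `"version": 0` to `"version": 1` does not touch this, so it looks like a pre-existing inconsistency rather than a deliberate reclassification — either change the severity to `"LOW"` or, if Medium is intended, give the rule an id whose segment matches.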
--- a/pkg/policies/opa/rego/aws/aws_db_instance/.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "ruleName": "rdsPubliclyAccessible",
- "file": "rdsPubliclyAccessible.rego",
- "ruleTemplate": "rdsPubliclyAccessible",
- "ruleTemplateArgs": {
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "RDS Instance publicly_accessible flag is true",
- "ruleReferenceId": "",
- "category": "Data Security",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_db_instance/rdsPubliclyAccessible.rego b/pkg/policies/opa/rego/aws/aws_db_instance/rdsPubliclyAccessible.rego
deleted file mode 100755
index 601e8c85e..000000000
--- a/pkg/policies/opa/rego/aws/aws_db_instance/rdsPubliclyAccessible.rego
+++ /dev/null
@@ -1,9 +0,0 @@
-package accurics
-
-{{.prefix}}rdsPubliclyAccessible[retVal] {
- db := input.aws_db_instance[_]
- db.config.publicly_accessible == true
- traverse = "publicly_accessible"
- retVal := { "Id": db.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "publicly_accessible", "AttributeDataType": "bool", "Expected": false, "Actual": db.config.publicly_accessible }
-}
-
diff --git a/pkg/policies/opa/rego/aws/aws_iam_access_key/AWS.IamUser.IAM.High.0390.json b/pkg/policies/opa/rego/aws/aws_iam_access_key/AWS.IamUser.IAM.High.0390.json
index 2e0b4d321..8846f55b0 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_access_key/AWS.IamUser.IAM.High.0390.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_access_key/AWS.IamUser.IAM.High.0390.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "noAccessKeyForRootAccount",
+ "name": "noAccessKeyForRootAccount",
 "file": "noAccessKeyForRootAccount.rego",
- "ruleTemplate": "noAccessKeyForRootAccount",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged.",
- "ruleReferenceId": "AWS.IamUser.IAM.High.0390",
+ "referenceId": "AWS.IamUser.IAM.High.0390",
 "category": "Identity and Access Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Low.0540.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Low.0540.json
index 40b2ad60c..b9df1d00a 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Low.0540.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Low.0540.json
@@ -1,14 +1,13 @@
 {
- "ruleName": "passwordRotateEvery90Days",
+ "name": "passwordRotateEvery90Days",
 "file": "passwordRotateEvery90Days.rego",
- "ruleTemplate": "passwordRotateEvery90Days",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRotateEvery90Days",
 "prefix": ""
 },
 "severity": "LOW",
 "description": "Reducing the password lifetime increases account resiliency against brute force login attempts",
- "ruleReferenceId": "AWS.Iam.IAM.Low.0540",
+ "referenceId": "AWS.Iam.IAM.Low.0540",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
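Review bot: In the AWS.Iam.IAM.Low.0540 hunk the new side keeps `"category": "IAM"`, while the AWS.IamUser.IAM.High.0390 hunk immediately above uses `"category": "Identity and Access Management"` for what is the same control family; across this commit the password-policy rules (0540, 0454–0458, 0495) use the short form and 0390, 0392, 0387, 0388 and 0374 use the long one. If `category` is what reports group and filter on — it presumably is, given that every rule carries one — the split makes one IAM family show up as two buckets. Pick one spelling and apply it to all of these files while the commit is already rewriting every line of them for the key rename, e.g. `"category": "Identity and Access Management"` here.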
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0454.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0454.json
index 0be97abb7..3fc67b062 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0454.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0454.json
@@ -1,15 +1,14 @@
 {
- "ruleName": "passwordRequireLowerCase",
+ "name": "passwordRequireLowerCase",
 "file": "passwordPolicyRequirement.rego",
- "ruleTemplate": "passwordRequireLowerCase",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRequireLowerCase",
 "prefix": "",
 "required_parameter": "require_lowercase_characters"
 },
 "severity": "MEDIUM",
 "description": "Lower case alphabet not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack",
- "ruleReferenceId": "AWS.Iam.IAM.Medium.0454",
+ "referenceId": "AWS.Iam.IAM.Medium.0454",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0455.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0455.json
index 30595871b..e35773b24 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0455.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0455.json
@@ -1,15 +1,14 @@
 {
- "ruleName": "passwordRequireNumber",
+ "name": "passwordRequireNumber",
 "file": "passwordPolicyRequirement.rego",
- "ruleTemplate": "passwordRequireNumber",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRequireNumber",
 "prefix": "",
 "required_parameter": "require_numbers"
 },
 "severity": "MEDIUM",
 "description": "Number not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack",
- "ruleReferenceId": "AWS.Iam.IAM.Medium.0455",
+ "referenceId": "AWS.Iam.IAM.Medium.0455",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0456.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0456.json
index a4e46cc3b..a3fa77f15 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0456.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0456.json
@@ -1,15 +1,14 @@
 {
- "ruleName": "passwordRequireSymbol",
+ "name": "passwordRequireSymbol",
 "file": "passwordPolicyRequirement.rego",
- "ruleTemplate": "passwordRequireSymbol",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRequireSymbol",
 "prefix": "",
 "required_parameter": "require_symbols"
 },
 "severity": "MEDIUM",
 "description": "Special symbols not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack",
- "ruleReferenceId": "AWS.Iam.IAM.Medium.0456",
+ "referenceId": "AWS.Iam.IAM.Medium.0456",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0457.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0457.json
index dae9c9fb6..a05fa6b48 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0457.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0457.json
@@ -1,15 +1,14 @@
 {
- "ruleName": "passwordRequireUpperCase",
+ "name": "passwordRequireUpperCase",
 "file": "passwordPolicyRequirement.rego",
- "ruleTemplate": "passwordRequireUpperCase",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRequireUpperCase",
 "prefix": "",
 "required_parameter": "require_uppercase_characters"
 },
 "severity": "MEDIUM",
 "description": "Upper case alphabet not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack",
- "ruleReferenceId": "AWS.Iam.IAM.Medium.0457",
+ "referenceId": "AWS.Iam.IAM.Medium.0457",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0458.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0458.json
index 46c09c988..f7099f01a 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0458.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0458.json
@@ -1,8 +1,7 @@
 {
- "ruleName": "passwordRequireMinLength14",
+ "name": "passwordRequireMinLength14",
 "file": "passwordMinLength.rego",
- "ruleTemplate": "passwordRequireMinLength14",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRequireMinLength14",
 "parameter": "minimum_password_length",
 "prefix": "",
@@ -10,7 +9,7 @@
 },
 "severity": "MEDIUM",
 "description": "Setting a lengthy password increases account resiliency against brute force loginĀ attempts",
- "ruleReferenceId": "AWS.Iam.IAM.Medium.0458",
+ "referenceId": "AWS.Iam.IAM.Medium.0458",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
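Review bot: In the second hunk of AWS.Iam.IAM.Medium.0458 the description on the new side, `"description": "Setting a lengthy password increases account resiliency against brute force loginĀ attempts"`, carries a stray `Ā` where a plain space belongs — it looks like a mis-encoded non-breaking space that survived a copy-paste, and the identical text appears in the AWS.Iam.IAM.Medium.0495 hunk that follows. This string is emitted verbatim in findings, so it should read `"description": "Setting a lengthy password increases account resiliency against brute force login attempts"` in both files. The commit leaves this line as context, so it needs a separate one-line edit alongside the key rename.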
diff --git a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0495.json b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0495.json
index b5aa69d69..6247989fd 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0495.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_account_password_policy/AWS.Iam.IAM.Medium.0495.json
@@ -1,8 +1,7 @@
 {
- "ruleName": "passwordRequireMinLength",
+ "name": "passwordRequireMinLength",
 "file": "passwordMinLength.rego",
- "ruleTemplate": "passwordRequireMinLength",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "name": "passwordRequireMinLength",
 "parameter": "minimum_password_length",
 "prefix": "",
@@ -10,7 +9,7 @@
 },
 "severity": "MEDIUM",
 "description": "Setting a lengthy password increases account resiliency against brute force loginĀ attempts",
- "ruleReferenceId": "AWS.Iam.IAM.Medium.0495",
+ "referenceId": "AWS.Iam.IAM.Medium.0495",
 "category": "IAM",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_group_policy/AWS.IamPolicy.IAM.High.0392.json b/pkg/policies/opa/rego/aws/aws_iam_group_policy/AWS.IamPolicy.IAM.High.0392.json
index ece948f53..04116e916 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_group_policy/AWS.IamPolicy.IAM.High.0392.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_group_policy/AWS.IamPolicy.IAM.High.0392.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "iamGrpPolicyWithFullAdminCntrl",
+ "name": "iamGrpPolicyWithFullAdminCntrl",
 "file": "iamGrpPolicyWithFullAdminCntrl.rego",
- "ruleTemplate": "iamGrpPolicyWithFullAdminCntrl",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges.",
- "ruleReferenceId": "AWS.IamPolicy.IAM.High.0392",
+ "referenceId": "AWS.IamPolicy.IAM.High.0392",
 "category": "Identity and Access Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_policy/AWS.IamPolicy.IAM.High.0392.json b/pkg/policies/opa/rego/aws/aws_iam_policy/AWS.IamPolicy.IAM.High.0392.json
index d0f99213c..1680636e0 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_policy/AWS.IamPolicy.IAM.High.0392.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_policy/AWS.IamPolicy.IAM.High.0392.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "reme_iamPolicyWithFullAdminControl",
+ "name": "reme_iamPolicyWithFullAdminControl",
 "file": "iamPolicyWithFullAdminControl.rego",
- "ruleTemplate": "iamPolicyWithFullAdminControl",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": "reme_"
 },
 "severity": "HIGH",
 "description": "It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges.",
- "ruleReferenceId": "AWS.IamPolicy.IAM.High.0392",
+ "referenceId": "AWS.IamPolicy.IAM.High.0392",
 "category": "Identity and Access Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0387.json b/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0387.json
index 706366e9f..cdee7d311 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0387.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0387.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "rootUserNotContainMfaTypeHardware",
+ "name": "rootUserNotContainMfaTypeHardware",
 "file": "rootUserNotContainMfaTypeHardware.rego",
- "ruleTemplate": "rootUserNotContainMfaTypeHardware",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Ensure Hardware MFA device is enabled for the \"root\" account",
- "ruleReferenceId": "AWS.IamUser.IAM.High.0387",
+ "referenceId": "AWS.IamUser.IAM.High.0387",
 "category": "Identity and Access Management",
- "version": 0
+ "version": 1
 }
\ No newline at end of file
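Review bot: In the aws_iam_policy/AWS.IamPolicy.IAM.High.0392 hunk the new side keeps `"referenceId": "AWS.IamPolicy.IAM.High.0392"`, which is the same id the preceding aws_iam_group_policy hunk assigns to a different rule (`iamGrpPolicyWithFullAdminCntrl` versus `reme_iamPolicyWithFullAdminControl` here). Anything that keys findings on the reference id — dedup, suppressions, compliance mapping — therefore cannot distinguish a wide-open group policy from a wide-open managed policy, and every other file in this diff pairs a unique id with its own file name, which suggests this is an accidental copy rather than a shared control. Either give the group-policy rule its own id or, if the two are intentionally one control evaluated on two resource types, say so in the description so the duplication is visibly deliberate.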
diff --git a/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0388.json b/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0388.json
index 31623a9b5..4a6c74079 100755
--- a/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0388.json
+++ b/pkg/policies/opa/rego/aws/aws_iam_user_policy/AWS.IamUser.IAM.High.0388.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "rootUserNotContainMfaTypeVirtual",
+ "name": "rootUserNotContainMfaTypeVirtual",
 "file": "rootUserNotContainMfaTypeVirtual.rego",
- "ruleTemplate": "rootUserNotContainMfaTypeVirtual",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Ensure Virtual MFA device is enabled for the \"root\" account",
- "ruleReferenceId": "AWS.IamUser.IAM.High.0388",
+ "referenceId": "AWS.IamUser.IAM.High.0388",
 "category": "Identity and Access Management",
- "version": 0
+ "version": 1
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_instance/AWS.Instance.NetworkSecurity.Medium.0506.json b/pkg/policies/opa/rego/aws/aws_instance/AWS.Instance.NetworkSecurity.Medium.0506.json
index 9b05b3442..c38981ff7 100755
--- a/pkg/policies/opa/rego/aws/aws_instance/AWS.Instance.NetworkSecurity.Medium.0506.json
+++ b/pkg/policies/opa/rego/aws/aws_instance/AWS.Instance.NetworkSecurity.Medium.0506.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "instanceWithNoVpc",
+ "name": "instanceWithNoVpc",
 "file": "instanceWithNoVpc.rego",
- "ruleTemplate": "instanceWithNoVpc",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "MEDIUM",
 "description": "Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations.",
- "ruleReferenceId": "AWS.Instance.NetworkSecurity.Medium.0506",
+ "referenceId": "AWS.Instance.NetworkSecurity.Medium.0506",
 "category": "Network Security",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_kinesis_stream/AWS.Kinesis.EncryptionandKeyManagement.High.0412.json b/pkg/policies/opa/rego/aws/aws_kinesis_stream/AWS.Kinesis.EncryptionandKeyManagement.High.0412.json
index 2d4242f06..05a0a7ba5 100755
--- a/pkg/policies/opa/rego/aws/aws_kinesis_stream/AWS.Kinesis.EncryptionandKeyManagement.High.0412.json
+++ b/pkg/policies/opa/rego/aws/aws_kinesis_stream/AWS.Kinesis.EncryptionandKeyManagement.High.0412.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "kinesisNotEncryptedWithKms",
+ "name": "kinesisNotEncryptedWithKms",
 "file": "aws_kinesis_stream.rego",
- "ruleTemplate": "kinesisNotEncryptedWithKms",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Kinesis Streams and metadata are not protected",
- "ruleReferenceId": "AWS.Kinesis.EncryptionandKeyManagement.High.0412",
+ "referenceId": "AWS.Kinesis.EncryptionandKeyManagement.High.0412",
 "category": "Encryption and Key Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json b/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
index b4074468f..8a7440114 100755
--- a/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
+++ b/pkg/policies/opa/rego/aws/aws_kms_key/AWS.KMS.Logging.High.0400.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "kmsKeyRotationDisabled",
+ "name": "kmsKeyRotationDisabled",
 "file": "kmsKeyRotationDisabled.rego",
- "ruleTemplate": "kmsKeyRotationDisabled",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Ensure rotation for customer created CMKs is enabled",
- "ruleReferenceId": "AWS.KMS.Logging.High.0400",
+ "referenceId": "AWS.KMS.Logging.High.0400",
 "category": "Logging",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_launch_configuration/AWS.LaunchConfiguration.DataSecurity.High.0102.json b/pkg/policies/opa/rego/aws/aws_launch_configuration/AWS.LaunchConfiguration.DataSecurity.High.0102.json
index d5c4b6dd5..c72437096 100755
--- a/pkg/policies/opa/rego/aws/aws_launch_configuration/AWS.LaunchConfiguration.DataSecurity.High.0102.json
+++ b/pkg/policies/opa/rego/aws/aws_launch_configuration/AWS.LaunchConfiguration.DataSecurity.High.0102.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "hardCodedKey",
+ "name": "hardCodedKey",
 "file": "hardCodedKey.rego",
- "ruleTemplate": "hardCodedKey",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Avoid using base64 encoded private keys as part of config",
- "ruleReferenceId": "AWS.LaunchConfiguration.DataSecurity.High.0102",
+ "referenceId": "AWS.LaunchConfiguration.DataSecurity.High.0102",
 "category": "Data Security",
 "version": 1
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.EncryptionandKeyManagement.High.0405.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.EncryptionandKeyManagement.High.0405.json
deleted file mode 100755
index a758e0b44..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.EncryptionandKeyManagement.High.0405.json
+++ /dev/null
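Review bot: In the AWS.KMS.Logging.High.0400 hunk the new side keeps `"category": "Logging"`, which does not describe the rule: its name `kmsKeyRotationDisabled` and `"description": "Ensure rotation for customer created CMKs is enabled"` are a key-management control, and the comparable rules in this commit (CloudFront 0407/0408, Kinesis 0412) use `"category": "Encryption and Key Management"`. The `Logging` segment is also baked into `"referenceId": "AWS.KMS.Logging.High.0400"` and the file name; if that id is a stable external identifier it may have to stay, but the `category` field is free to change: `"category": "Encryption and Key Management"`. Left as is, any report grouped by category routes a key-rotation finding to whoever owns logging.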
@@ -1,13 +0,0 @@
-{
- "ruleName": "noS3BucketSseRules",
- "file": "noS3BucketSseRules.rego",
- "ruleTemplate": "noS3BucketSseRules",
- "ruleTemplateArgs": {
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Ensure that S3 Buckets have server side encryption at rest enabled to protect sensitive data.",
- "ruleReferenceId": "AWS.S3Bucket.EncryptionandKeyManagement.High.0405",
- "category": "Encryption and Key Management",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0370.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0370.json
deleted file mode 100755
index 1a38cf231..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0370.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "ruleName": "s3VersioningMfaFalse",
- "file": "s3VersioningMfaFalse.rego",
- "ruleTemplate": "s3VersioningMfaFalse",
- "ruleTemplateArgs": {
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Enabling MFA delete for versioning is a good way to add extra protection to sensitive files stored in buckets.aws s3api put-bucket-versioning --bucket bucketname --versioning-configuration Status=Enabled,MFADelete=Enabled --mfa your-mfa-serial-number mfa-code",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0370",
- "category": "IAM",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0377.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0377.json
deleted file mode 100755
index 4a008b21e..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0377.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "ruleName": "allUsersReadAccess",
- "file": "s3AclGrants.rego",
- "ruleTemplate": "allUsersReadAccess",
- "ruleTemplateArgs": {
- "access": "public-read",
- "name": "allUsersReadAccess",
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0377",
- "category": "IAM",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0378.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0378.json
deleted file mode 100755
index b9b8584ed..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0378.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "ruleName": "authUsersReadAccess",
- "file": "s3AclGrants.rego",
- "ruleTemplate": "authUsersReadAccess",
- "ruleTemplateArgs": {
- "access": "authenticated-read",
- "name": "authUsersReadAccess",
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0378",
- "category": "IAM",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0379.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0379.json
deleted file mode 100755
index a8286931b..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0379.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "ruleName": "allUsersWriteAccess",
- "file": "s3AclGrants.rego",
- "ruleTemplate": "allUsersWriteAccess",
- "ruleTemplateArgs": {
- "access": "public-read-write",
- "name": "allUsersWriteAccess",
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0379",
- "category": "IAM",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0381.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0381.json
deleted file mode 100755
index e413dd20e..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.IAM.High.0381.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
- "ruleName": "allUsersReadWriteAccess",
- "file": "s3AclGrants.rego",
- "ruleTemplate": "allUsersReadWriteAccess",
- "ruleTemplateArgs": {
- "access": "public-read-write",
- "name": "allUsersReadWriteAccess",
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0381",
- "category": "IAM",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.NetworkSecurity.High.0417.json b/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.NetworkSecurity.High.0417.json
deleted file mode 100755
index 1bc2de912..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/AWS.S3Bucket.NetworkSecurity.High.0417.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "ruleName": "s3BucketNoWebsiteIndexDoc",
- "file": "s3BucketNoWebsiteIndexDoc.rego",
- "ruleTemplate": "s3BucketNoWebsiteIndexDoc",
- "ruleTemplateArgs": {
- "prefix": ""
- },
- "severity": "HIGH",
- "description": "Ensure that there are not any static websites being hosted on buckets you aren't aware of",
- "ruleReferenceId": "AWS.S3Bucket.NetworkSecurity.High.0417",
- "category": "Network Security",
- "version": 2
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/noS3BucketSseRules.rego b/pkg/policies/opa/rego/aws/aws_s3_bucket/noS3BucketSseRules.rego
deleted file mode 100755
index 2661fa0a9..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/noS3BucketSseRules.rego
+++ /dev/null
@@ -1,9 +0,0 @@
-package accurics
-
-{{.prefix}}noS3BucketSseRules[retVal] {
- bucket := input.aws_s3_bucket[_]
- bucket.config.server_side_encryption_configuration == []
- rc = "ewogICJzZXJ2ZXJfc2lkZV9lbmNyeXB0aW9uX2NvbmZpZ3VyYXRpb24iOiB7CiAgICAicnVsZSI6IHsKICAgICAgImFwcGx5X3NlcnZlcl9zaWRlX2VuY3J5cHRpb25fYnlfZGVmYXVsdCI6IHsKICAgICAgICAic3NlX2FsZ29yaXRobSI6ICJBRVMyNTYiCiAgICAgIH0KICAgIH0KICB9Cn0="
- traverse = ""
- retVal := { "Id": bucket.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "server_side_encryption_configuration", "AttributeDataType": "base64", "Expected": rc, "Actual": null }
-}
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/s3AclGrants.rego b/pkg/policies/opa/rego/aws/aws_s3_bucket/s3AclGrants.rego
deleted file mode 100755
index fc83f4a0f..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/s3AclGrants.rego
+++ /dev/null
@@ -1,8 +0,0 @@
-package accurics
-
- {{.prefix}}{{.name}}[retVal] {
- bucket := input.aws_s3_bucket[_]
- bucket.config.acl == "{{.access}}"
- traverse = "acl"
- retVal := { "Id": bucket.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "acl", "AttributeDataType": "string", "Expected": "private", "Actual": bucket.config.acl }
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/s3BucketNoWebsiteIndexDoc.rego b/pkg/policies/opa/rego/aws/aws_s3_bucket/s3BucketNoWebsiteIndexDoc.rego
deleted file mode 100755
index 7ee714f1e..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/s3BucketNoWebsiteIndexDoc.rego
+++ /dev/null
@@ -1,8 +0,0 @@
-package accurics
-
- {{.prefix}}s3BucketNoWebsiteIndexDoc[retVal] {
- bucket := input.aws_s3_bucket[_]
- count(bucket.config.website) > 0
- traverse = "website"
- retVal := { "Id": bucket.id, "ReplaceType": "delete", "CodeType": "block", "Traverse": traverse, "Attribute": "website", "AttributeDataType": "block", "Expected": null, "Actual": null }
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket/s3VersioningMfaFalse.rego b/pkg/policies/opa/rego/aws/aws_s3_bucket/s3VersioningMfaFalse.rego
deleted file mode 100755
index d2c28b5b5..000000000
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket/s3VersioningMfaFalse.rego
+++ /dev/null
@@ -1,10 +0,0 @@
-package accurics
-
- {{.prefix}}s3VersioningMfaFalse[retVal] {
- bucket := input.aws_s3_bucket[_]
- some i
- mfa := bucket.config.versioning[i]
- mfa.mfa_delete == false
- traverse := sprintf("versioning[%d].mfa_delete", [i])
- retVal := { "Id": bucket.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "versioning.mfa_delete", "AttributeDataType": "bool", "Expected": true, "Actual": mfa.mfa_delete }
-}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.IamPolicy.IAM.High.0374.json b/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.IamPolicy.IAM.High.0374.json
index 2f36ad689..497176f1a 100755
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.IamPolicy.IAM.High.0374.json
+++ b/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.IamPolicy.IAM.High.0374.json
@@ -1,15 +1,14 @@
 {
- "ruleName": "allowListActionFromAllPrncpls",
+ "name": "allowListActionFromAllPrncpls",
 "file": "actionsFromAllPrincipals.rego",
- "ruleTemplate": "allowListActionFromAllPrncpls",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "Action": "s3:List",
 "name": "allowListActionFromAllPrncpls",
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.IamPolicy.IAM.High.0374",
+ "referenceId": "AWS.IamPolicy.IAM.High.0374",
 "category": "Identity and Access Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0371.json b/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0371.json
index e6cf3edc3..23beecd9f 100755
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0371.json
+++ b/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0371.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "allowActionsFromAllPrincipals",
+ "name": "allowActionsFromAllPrincipals",
 "file": "allowActionsFromAllPrincipals.rego",
- "ruleTemplate": "allowActionsFromAllPrincipals",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0371",
+ "referenceId": "AWS.S3Bucket.IAM.High.0371",
 "category": "Identity and Access Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0372.json b/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0372.json
index bf5b87e94..d56acd755 100755
--- a/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0372.json
+++ b/pkg/policies/opa/rego/aws/aws_s3_bucket_policy/AWS.S3Bucket.IAM.High.0372.json
@@ -1,15 +1,14 @@
 {
- "ruleName": "allowDeleteActionFromAllPrncpls",
+ "name": "allowDeleteActionFromAllPrncpls",
 "file": "actionsFromAllPrincipals.rego",
- "ruleTemplate": "allowDeleteActionFromAllPrncpls",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "Action": "s3:Delete",
 "name": "allowDeleteActionFromAllPrncpls",
 "prefix": ""
 },
 "severity": "HIGH",
 "description": "Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion",
- "ruleReferenceId": "AWS.S3Bucket.IAM.High.0372",
+ "referenceId": "AWS.S3Bucket.IAM.High.0372",
 "category": "Identity and Access Management",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_security_group/AWS.SecurityGroup.NetworkSecurity.High.0094.json b/pkg/policies/opa/rego/aws/aws_security_group/AWS.SecurityGroup.NetworkSecurity.High.0094.json
index e53f8c6d9..bc83db676 100755
--- a/pkg/policies/opa/rego/aws/aws_security_group/AWS.SecurityGroup.NetworkSecurity.High.0094.json
+++ b/pkg/policies/opa/rego/aws/aws_security_group/AWS.SecurityGroup.NetworkSecurity.High.0094.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "unrestrictedIngressAccess",
+ "name": "unrestrictedIngressAccess",
 "file": "unrestrictedIngressAccess.rego",
- "ruleTemplate": "unrestrictedIngressAccess",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "HIGH",
 "description": " It is recommended that no security group allows unrestricted ingress access",
- "ruleReferenceId": "AWS.SecurityGroup.NetworkSecurity.High.0094",
+ "referenceId": "AWS.SecurityGroup.NetworkSecurity.High.0094",
 "category": "Network Ports Security",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json b/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json
index d44940e99..cae0c8b4b 100755
--- a/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json
+++ b/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0470.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "vpcFlowLogsNotEnabled",
+ "name": "vpcFlowLogsNotEnabled",
 "file": "vpcFlowLogsNotEnabled.rego",
- "ruleTemplate": "vpcFlowLogsNotEnabled",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "MEDIUM",
 "description": "Ensure VPC flow logging is enabled in all VPCs",
- "ruleReferenceId": "AWS.VPC.Logging.Medium.0470",
+ "referenceId": "AWS.VPC.Logging.Medium.0470",
 "category": "Logging",
 "version": 2
 }
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0471.json b/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0471.json
index 8c22bcc45..d731e86b3 100755
--- a/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0471.json
+++ b/pkg/policies/opa/rego/aws/aws_vpc/AWS.VPC.Logging.Medium.0471.json
@@ -1,13 +1,12 @@
 {
- "ruleName": "defaultVpcExist",
+ "name": "defaultVpcExist",
 "file": "defaultVpcExist.rego",
- "ruleTemplate": "defaultVpcExist",
- "ruleTemplateArgs": {
+ "templateArgs": {
 "prefix": ""
 },
 "severity": "MEDIUM",
 "description": "Avoid creating resources in default VPC",
- "ruleReferenceId": "AWS.VPC.Logging.Medium.0471",
+ "referenceId": "AWS.VPC.Logging.Medium.0471",
 "category": "Logging",
 "version": 1
 }
\ No newline at end of file
diff --git a/pkg/policy/interface.go b/pkg/policy/interface.go
index c74a79886..30162b724 100644
--- a/pkg/policy/interface.go
+++ b/pkg/policy/interface.go
@@ -16,22 +16,11 @@
 package policy
-// Manager Policy Manager interface
-type Manager interface {
- Import() error
- Export() error
- CreateManager() error
-}
-
 // Engine Policy Engine interface
 type Engine interface {
 Init(string) error
 Configure() error
 Evaluate(EngineInput) (EngineOutput, error)
- GetResults() error
+ GetResults() EngineOutput
 Release() error
 }
-
-// EngineFactory creates policy engine instances based on iac/cloud type
-type EngineFactory struct {
-}
diff --git a/pkg/policy/opa/engine.go b/pkg/policy/opa/engine.go
index f490d1ad5..9d6e23304 100644
--- a/pkg/policy/opa/engine.go
+++ b/pkg/policy/opa/engine.go
@@ -28,6 +28,9 @@ import (
 "sort"
 "strings"
 "text/template"
+ "time"
+
+ "github.com/accurics/terrascan/pkg/iac-providers/output"
 "github.com/accurics/terrascan/pkg/policy"
@@ -112,8 +115,8 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 return fmt.Errorf("no directories found for path %s", policyPath)
 }
- e.RegoFileMap = make(map[string][]byte)
- e.RegoDataMap = make(map[string]*RegoData)
+ e.regoFileMap = make(map[string][]byte)
+ e.regoDataMap = make(map[string]*RegoData)
 // Load rego data files from each dir
 // First, we read the metadata file, which contains info about the associated rego rule. The .rego file data is
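Review bot: The `Engine` interface methods carry no documentation, and the one whose signature changed, `GetResults() EngineOutput`, now has a contract worth stating: in the opa implementation in this commit it returns `e.results`, which `Evaluate` fills, so what a caller gets depends on whether `Init` and `Evaluate` have run first. A comment such as `// GetResults returns the output accumulated by the most recent Evaluate call; before Evaluate it holds only what Init set up.` above it, with a one-liner on each of `Init`, `Configure`, `Evaluate` and `Release`, would record the Init → Evaluate → GetResults → Release order the opa engine assumes. Removing the `Manager` interface and the empty `EngineFactory` is fine as long as no other package still references them, which this diff cannot show.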
@@ -157,7 +160,7 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 }
 // Read in raw rego data from associated rego files
- if err = e.loadRawRegoFilesIntoMap(dirList[i], regoDataList, &e.RegoFileMap); err != nil {
+ if err = e.loadRawRegoFilesIntoMap(dirList[i], regoDataList, &e.regoFileMap); err != nil {
 zap.S().Debug("error loading raw rego data", zap.String("dir", dirList[i]))
 continue
 }
@@ -171,23 +174,23 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 // Apply templates if available
 var templateData bytes.Buffer
 t := template.New("opa")
- _, err = t.Parse(string(e.RegoFileMap[templateFile]))
+ _, err = t.Parse(string(e.regoFileMap[templateFile]))
 if err != nil {
- zap.S().Debug("unable to parse template", zap.String("template", regoDataList[j].Metadata.RuleTemplate))
+ zap.S().Debug("unable to parse template", zap.String("template", regoDataList[j].Metadata.File))
 continue
 }
- if err = t.Execute(&templateData, regoDataList[j].Metadata.RuleTemplateArgs); err != nil {
- zap.S().Debug("unable to execute template", zap.String("template", regoDataList[j].Metadata.RuleTemplate))
+ if err = t.Execute(&templateData, regoDataList[j].Metadata.TemplateArgs); err != nil {
+ zap.S().Debug("unable to execute template", zap.String("template", regoDataList[j].Metadata.File))
 continue
 }
 regoDataList[j].RawRego = templateData.Bytes()
- e.RegoDataMap[regoDataList[j].Metadata.RuleName] = regoDataList[j]
+ e.regoDataMap[regoDataList[j].Metadata.Name] = regoDataList[j]
 }
 }
- e.stats.ruleCount = len(e.RegoDataMap)
- e.stats.regoFileCount = len(e.RegoFileMap)
+ e.stats.ruleCount = len(e.regoDataMap)
+ e.stats.regoFileCount = len(e.regoFileMap)
 zap.S().Debugf("loaded %d Rego rules from %d rego files (%d metadata files).", e.stats.ruleCount, e.stats.regoFileCount, e.stats.metadataFileCount)
 return err
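Review bot: `e.regoDataMap[regoDataList[j].Metadata.Name] = regoDataList[j]` keys each rule on the metadata's `name`, and a metadata file that still uses the old `ruleName` key (or omits `name`) decodes to an empty string, so every such rule lands on the `""` key and silently overwrites the previous one while `ruleCount` still looks plausible; a guard before the assignment, `if regoDataList[j].Metadata.Name == "" { zap.S().Warnw("rule metadata has no name", "file", regoDataList[j].Metadata.File); continue }`, plus a warning when the key already exists, would surface unmigrated or duplicated policies at load time instead of quietly dropping coverage. The edited `Debug` calls hand `zap.String(...)` fields to the sugared logger, which formats them with Sprint rather than emitting structured fields; `zap.S().Debugw("unable to parse template", "template", regoDataList[j].Metadata.File)` keeps the field structured, and the same applies to the `zap.S().Error`/`Warn` calls in the CompileRegoFiles and Evaluate hunks. LoadRegoFiles starts outside this hunk.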
@@ -195,30 +198,30 @@ func (e *Engine) LoadRegoFiles(policyPath string) error {
 // CompileRegoFiles Compiles rego files for faster evaluation
 func (e *Engine) CompileRegoFiles() error {
- for k := range e.RegoDataMap {
+ for k := range e.regoDataMap {
 compiler, err := ast.CompileModules(map[string]string{
- e.RegoDataMap[k].Metadata.RuleName: string(e.RegoDataMap[k].RawRego),
+ e.regoDataMap[k].Metadata.Name: string(e.regoDataMap[k].RawRego),
 })
 if err != nil {
- zap.S().Error("error compiling rego files", zap.String("rule", e.RegoDataMap[k].Metadata.RuleName),
- zap.String("raw rego", string(e.RegoDataMap[k].RawRego)), zap.Error(err))
+ zap.S().Error("error compiling rego files", zap.String("rule", e.regoDataMap[k].Metadata.Name),
+ zap.String("raw rego", string(e.regoDataMap[k].RawRego)), zap.Error(err))
 return err
 }
 r := rego.New(
- rego.Query(RuleQueryBase+"."+e.RegoDataMap[k].Metadata.RuleName),
+ rego.Query(RuleQueryBase+"."+e.regoDataMap[k].Metadata.Name),
 rego.Compiler(compiler),
 )
 // Create a prepared query that can be evaluated.
- query, err := r.PrepareForEval(e.Context)
+ query, err := r.PrepareForEval(e.context)
 if err != nil {
- zap.S().Error("error creating prepared query", zap.String("rule", e.RegoDataMap[k].Metadata.RuleName),
- zap.String("raw rego", string(e.RegoDataMap[k].RawRego)), zap.Error(err))
+ zap.S().Error("error creating prepared query", zap.String("rule", e.regoDataMap[k].Metadata.Name),
+ zap.String("raw rego", string(e.regoDataMap[k].RawRego)), zap.Error(err))
 return err
 }
- e.RegoDataMap[k].PreparedQuery = &query
+ e.regoDataMap[k].PreparedQuery = &query
 }
 return nil
@@ -227,7 +230,7 @@ func (e *Engine) CompileRegoFiles() error {
 // Init initializes the Opa engine
 // Handles loading all rules, filtering, compiling, and preparing for evaluation
 func (e *Engine) Init(policyPath string) error {
- e.Context = context.Background()
+ e.context = context.Background()
 if err := e.LoadRegoFiles(policyPath); err != nil {
 zap.S().Error("error loading rego files", zap.String("policy path", policyPath))
@@ -241,7 +244,7 @@ func (e *Engine) Init(policyPath string) error {
 }
 // initialize ViolationStore
- e.Results.ViolationStore = results.NewViolationStore()
+ e.results.ViolationStore = results.NewViolationStore()
 return nil
 }
@@ -252,8 +255,8 @@ func (e *Engine) Configure() error {
 }
 // GetResults Fetches results from OPA engine policy evaluation
-func (e *Engine) GetResults() error {
- return nil
+func (e *Engine) GetResults() policy.EngineOutput {
+ return e.results
 }
 // Release Performs any tasks required to free resources
@@ -261,60 +264,106 @@ func (e *Engine) Release() error {
 return nil
 }
-// Evaluate Executes compiled OPA queries against the input JSON data
-func (e *Engine) Evaluate(engineInput policy.EngineInput) (policy.EngineOutput, error) {
+// reportViolation Add a violation for a given resource
+func (e *Engine) reportViolation(regoData *RegoData, resource *output.ResourceConfig) {
+ violation := results.Violation{
+ RuleName: regoData.Metadata.Name,
+ Description: regoData.Metadata.Description,
+ RuleID: regoData.Metadata.ReferenceID,
+ Severity: regoData.Metadata.Severity,
+ Category: regoData.Metadata.Category,
+ RuleData: regoData.RawRego,
+ ResourceName: resource.Name,
+ ResourceType: resource.Type,
+ ResourceData: resource.Config,
+ File: resource.Source,
+ LineNumber: resource.Line,
+ }
- sortedKeys := make([]string, len(e.RegoDataMap))
- x := 0
- for k := range e.RegoDataMap {
- sortedKeys[x] = k
- x++
+ severity := regoData.Metadata.Severity
+ if strings.ToLower(severity) == "high" {
+ e.results.ViolationStore.Count.HighCount++
+ } else if strings.ToLower(severity) == "medium" {
+ e.results.ViolationStore.Count.MediumCount++
+ } else if strings.ToLower(severity) == "low" {
+ e.results.ViolationStore.Count.LowCount++
+ } else {
+ zap.S().Warn("invalid severity found in rule definition",
+ zap.String("rule id", violation.RuleID), zap.String("severity", severity))
 }
- sort.Strings(sortedKeys)
+ e.results.ViolationStore.Count.TotalCount++
+
+ e.results.ViolationStore.AddResult(&violation)
+}
+
+// Evaluate Executes compiled OPA queries against the input JSON data
+func (e *Engine) Evaluate(engineInput policy.EngineInput) (policy.EngineOutput, error) {
+ // Keep track of how long it takes to evaluate the policies
+ start := time.Now()
- for _, k := range sortedKeys {
+ // Evaluate the policy against each resource type
+ for k := range e.regoDataMap {
 // Execute the prepared query.
- rs, err := e.RegoDataMap[k].PreparedQuery.Eval(e.Context, rego.EvalInput(engineInput.InputData))
- // rs, err := r.Eval(o.Context)
+ rs, err := e.regoDataMap[k].PreparedQuery.Eval(e.context, rego.EvalInput(engineInput.InputData))
 if err != nil {
 zap.S().Warn("failed to run prepared query", zap.String("rule", "'"+k+"'"))
 continue
 }
- if len(rs) > 0 {
- res := rs[0].Expressions[0].Value.([]interface{})
- if len(res) > 0 {
- // @TODO: Take line number + file info and add to violation
- regoData := e.RegoDataMap[k]
- violation := results.Violation{
- Name: regoData.Metadata.RuleName,
- Description: regoData.Metadata.Description,
- RuleID: regoData.Metadata.RuleReferenceID,
- Severity: regoData.Metadata.Severity,
- Category: regoData.Metadata.Category,
- RuleData: regoData.RawRego,
- InputFile: "",
- InputData: res,
- LineNumber: 0,
+ if len(rs) == 0 || len(rs[0].Expressions) == 0 {
+ continue
+ }
+
+ resourceViolations := rs[0].Expressions[0].Value.([]interface{})
+ if len(resourceViolations) == 0 {
+ continue
+ }
+
+ // Report a violation for each resource returned by the policy evaluation
+ for i := range resourceViolations {
+ var resourceID string
+
+ // The return values come in two categories--either a map[string]interface{} type, where the "Id" key
+ // contains the resource ID, or a string type which is the resource ID.
This resource ID is where a + // violation was found + switch res := resourceViolations[i].(type) { + case map[string]interface{}: + _, ok := res["Id"] + if !ok { + zap.S().Warn("no Id key found in resource map", zap.Any("resource", res)) + continue } - severity := regoData.Metadata.Severity - if strings.ToLower(severity) == "high" { - e.Results.ViolationStore.Count.HighCount++ - } else if strings.ToLower(severity) == "medium" { - e.Results.ViolationStore.Count.MediumCount++ - } else if strings.ToLower(severity) == "low" { - e.Results.ViolationStore.Count.LowCount++ - } else { - zap.S().Warn("invalid severity found in rule definition", - zap.String("rule id", violation.RuleID), zap.String("severity", severity)) + _, ok = res["Id"].(string) + if !ok { + zap.S().Warn("id key was invalid", zap.Any("resource", res)) + continue } - e.Results.ViolationStore.Count.TotalCount++ - e.Results.ViolationStore.AddResult(&violation) + resourceID = res["Id"].(string) + case string: + resourceID = res + default: + zap.S().Warn("resource ID format was invalid", zap.Any("resource", res)) continue } + + // Locate the resource details within the input map + var resource *output.ResourceConfig + resource, err = utils.FindResourceByID(resourceID, engineInput.InputData) + if err != nil { + zap.S().Error(err) + continue + } + if resource == nil { + zap.S().Warn("resource was not found", zap.String("resource id", resourceID)) + continue + } + + // Report the violation + e.reportViolation(e.regoDataMap[k], resource) } } - return e.Results, nil + e.stats.runTime = time.Since(start) + return e.results, nil } diff --git a/pkg/policy/opa/types.go b/pkg/policy/opa/types.go index 980d3b53e..d4aea3d6e 100644 --- a/pkg/policy/opa/types.go +++ b/pkg/policy/opa/types.go @@ -18,6 +18,7 @@ package opa import ( "context" + "time" "github.com/accurics/terrascan/pkg/policy" 
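Review bot: `resourceViolations := rs[0].Expressions[0].Value.([]interface{})` is an unchecked assertion, so a rule whose head yields anything other than an array (an object or a set value, say) panics the whole scan instead of being skipped like the other malformed cases in this loop; use `resourceViolations, ok := rs[0].Expressions[0].Value.([]interface{})` followed by `if !ok || len(resourceViolations) == 0 { continue }`. The previous version sorted the rule keys before evaluating and this one ranges over `e.regoDataMap` directly, so violations are now added in map-iteration order and two runs over the same input can produce differently ordered reports, which makes them hard to diff; unless the store sorts on output, keep a sorted-key loop. The three `res["Id"]` lookups in the map case collapse into one `id, ok := res["Id"].(string)` check with a single warning. Since the sugared logger takes plain values, the `zap.Any`/`zap.String` fields passed to `zap.S().Warn` here are rendered with Sprint rather than as structured fields; `Warnw` with key/value pairs keeps them structured.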
@@ -26,15 +27,14 @@ import (
 // RegoMetadata The rego metadata struct which is read and saved from disk
 type RegoMetadata struct {
- RuleName string `json:"ruleName"`
- File string `json:"file"`
- RuleTemplate string `json:"ruleTemplate"`
- RuleTemplateArgs map[string]interface{} `json:"ruleTemplateArgs"`
- Severity string `json:"severity"`
- Description string `json:"description"`
- RuleReferenceID string `json:"ruleReferenceId"`
- Category string `json:"category"`
- Version int `json:"version"`
+ Name string `json:"name"`
+ File string `json:"file"`
+ TemplateArgs map[string]interface{} `json:"templateArgs"`
+ Severity string `json:"severity"`
+ Description string `json:"description"`
+ ReferenceID string `json:"referenceId"`
+ Category string `json:"category"`
+ Version int `json:"version"`
 }
 // RegoData Stores all information needed to evaluate and report on a rego rule
@@ -50,13 +50,14 @@ type EngineStats struct {
 regoFileCount int
 metadataFileCount int
 metadataCount int
+ runTime time.Duration
 }
 // Engine Implements the policy engine interface
 type Engine struct {
- Context context.Context
- RegoFileMap map[string][]byte
- RegoDataMap map[string]*RegoData
- Results policy.EngineOutput
+ results policy.EngineOutput
+ context context.Context
+ regoFileMap map[string][]byte
+ regoDataMap map[string]*RegoData
 stats EngineStats
 }
diff --git a/pkg/results/types.go b/pkg/results/types.go
index 3cac12d18..a2600e23c 100644
--- a/pkg/results/types.go
+++ b/pkg/results/types.go
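Review bot: `RegoMetadata` renames its JSON keys (`ruleName`→`name`, `ruleTemplateArgs`→`templateArgs`, `ruleReferenceId`→`referenceId`, with `ruleTemplate` dropped), and because encoding/json ignores unknown keys an old-format metadata file decodes without error into a struct whose `Name` and `ReferenceID` are empty; the fields carry no comments, so the new schema and what each field feeds should be written down here. Suggested: on `Name`, `// Name identifies the rule; it keys the engine's rule map and names the Rego rule selected by the query (RuleQueryBase + "." + Name).`; on `File`, `// File names the .rego source the rule is built from (presumably the template LoadRegoFiles parses).`; on `ReferenceID`, `// ReferenceID is the stable rule identifier reported as RuleID on each violation.`. `runTime` is set by Evaluate but nothing in this diff reads it, so `// runTime is the wall-clock duration of the last Evaluate call.` would at least record its intent. The `Engine` fields also went unexported without a constructor appearing in this diff; if anything outside the package used to set `Context` or `Results`, it now has to go through `Init`.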
@@ -18,15 +18,17 @@
 package results
 // Violation Contains data for each violation
 type Violation struct {
- Name string `json:"name" yaml:"name" xml:"name,attr"`
- Description string `json:"description" yaml:"description" xml:"description,attr"`
- RuleID string `json:"rule" yaml:"rule" xml:"rule,attr"`
- Severity string `json:"severity" yaml:"severity" xml:"severity,attr"`
- Category string `json:"category" yaml:"category" xml:"category,attr"`
- RuleData interface{} `json:"-" yaml:"-" xml:"-"`
- InputFile string `json:"-" yaml:"-" xml:"-"`
- InputData interface{} `json:"-" yaml:"-" xml:"-"`
- LineNumber int `json:"line" yaml:"line" xml:"line,attr"`
+ RuleName string `json:"ruleName" yaml:"ruleName" xml:"ruleName,attr"`
+ Description string `json:"description" yaml:"description" xml:"description,attr"`
+ RuleID string `json:"rule" yaml:"rule" xml:"rule,attr"`
+ Severity string `json:"severity" yaml:"severity" xml:"severity,attr"`
+ Category string `json:"category" yaml:"category" xml:"category,attr"`
+ RuleData interface{} `json:"-" yaml:"-" xml:"-"`
+ ResourceName string `json:"resourceName" yaml:"resourceName" xml:"resourceName,attr"`
+ ResourceType string `json:"resourceType" yaml:"resourceType" xml:"resourceType,attr"`
+ ResourceData interface{} `json:"-" yaml:"-" xml:"-"`
+ File string `json:"-" yaml:"-" xml:"-"`
+ LineNumber int `json:"line" yaml:"line" xml:"line,attr"`
 }
 // ViolationStats Contains stats related to the violation data
diff --git a/pkg/utils/resource.go b/pkg/utils/resource.go
new file mode 100644
index 000000000..2d271e493
--- /dev/null
+++ b/pkg/utils/resource.go
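Review bot: `File string `json:"-" yaml:"-" xml:"-"`` hides the violating resource's file from every serialized report while `LineNumber` is still emitted as `line`, so whoever reads the JSON/YAML/XML output gets a line number with no file to open; reportViolation now fills `File` from `resource.Source`, so tagging it like the other reported fields, `File string `json:"file" yaml:"file" xml:"file,attr"``, makes each finding actionable. If keeping the path out of reports is deliberate (for example to avoid leaking local paths into shared output), say so in a comment on the field. None of the fields are commented; `RuleData` and `ResourceData`, which are also excluded from output, would each benefit from one line saying what they hold (the raw Rego source and the resource's config, as the engine populates them).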
@@ -0,0 +1,35 @@
+package utils
+
+ import (
+ "fmt"
+ "strings"
+
+ "github.com/accurics/terrascan/pkg/iac-providers/output"
+)
+
+ // FindResourceByID Finds a given resource within the resource map and returns a reference to that resource
+ func FindResourceByID(resourceID string, normalizedResources *output.AllResourceConfigs) (*output.ResourceConfig, error) {
+ resTypeName := strings.Split(resourceID, ".")
+ if len(resTypeName) < 2 {
+ return nil, fmt.Errorf("resource ID has an invalid format %s", resourceID)
+ }
+
+ resourceType := resTypeName[0]
+
+ found := false
+ var resource output.ResourceConfig
+ resourceTypeList := (*normalizedResources)[resourceType]
+ for i := range resourceTypeList {
+ if resourceTypeList[i].ID == resourceID {
+ resource = resourceTypeList[i]
+ found = true
+ break
+ }
+ }
+
+ if !found {
+ return nil, nil
+ }
+
+ return &resource, nil
+}
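Review bot: `(*normalizedResources)[resourceType]` dereferences the pointer without a nil check, so a caller passing a nil resource map panics rather than getting an error, and the doc comment does not say that "not found" comes back as `nil, nil` even though Evaluate relies on exactly that to tell a missing resource from a malformed ID. The function only uses the leading `<type>.` segment, so `strings.SplitN(resourceID, ".", 2)` avoids splitting the whole ID, and the `found` flag plus the outer `resource` copy can be replaced by returning a copy from inside the loop; `%q` in the error also shows an empty or whitespace ID clearly. The rewritten body below keeps the signature and the copy-return semantics.
```go
// FindResourceByID looks up resourceID ("<type>.<name>") in normalizedResources and returns a
// pointer to a copy of the matching resource. It returns nil, nil when the type or ID is not
// present; an error is returned only for a nil map or a malformed ID.
func FindResourceByID(resourceID string, normalizedResources *output.AllResourceConfigs) (*output.ResourceConfig, error) {
	if normalizedResources == nil {
		return nil, fmt.Errorf("resource map is nil while looking up %q", resourceID)
	}
	// Only the leading "<type>." segment is needed; the rest of the ID may itself contain dots.
	resTypeName := strings.SplitN(resourceID, ".", 2)
	if len(resTypeName) < 2 {
		return nil, fmt.Errorf("resource ID has an invalid format %q", resourceID)
	}
	resourceTypeList := (*normalizedResources)[resTypeName[0]]
	for i := range resourceTypeList {
		if resourceTypeList[i].ID == resourceID {
			// Return a copy so callers cannot mutate the shared map entry through the pointer.
			found := resourceTypeList[i]
			return &found, nil
		}
	}
	// Not found is not an error: callers distinguish it from a malformed ID by the nil result.
	return nil, nil
}
```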