adds rego for insecure cors config

tenable · Oct 19, 2020 · 5530d27 · 5530d27
1 parent 8ac4d82
commit 5530d27
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/...cies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json b/...cies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json
@@ -0,0 +1,10 @@
+{
+    "name": "apiGatewayMiconfiguredCors",
+    "file": "apiGatewayMiconfiguredCors.rego",
+    "template_args": null,
+    "severity": "Medium",
+    "description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
+    "reference_id": "AWS.ApiGatewayV2Api.AccessControl.High.0630",
+    "category": "AccessControl",
+    "version": 2
+}
diff --git a/pkg/policies/opa/rego/aws/aws_apigatewayv2_api/apiGatewayMiconfiguredCors.rego b/pkg/policies/opa/rego/aws/aws_apigatewayv2_api/apiGatewayMiconfiguredCors.rego
@@ -0,0 +1,8 @@
+package accurics
+
+apiGatewayMiconfiguredCors[api.id] {
+  api := input.aws_apigatewayv2_api[_]
+  cors := api.config.cors_configuration[_]
+  origins := cors.allow_origins[_]
+  not origins == ["*"]
+}