Examples (Code-Based)
Terraform examples
Basic Query - One Attribute Block
---
metadata:
name: "Check that all resources are tagged with the key - env"
guidelines: "Tags Governance - in case of the matched condition below -> add a tag of env with one of the values: prod/dev1/dev2/test/stage"
category: "general"
severity: "critical"
scope:
provider: "aws"
definition:
cond_type: "attribute"
resource_types: "all"
attribute: "tags.env"
operator: "exists"
AND at Top Level - Two Attribute Blocks
---
metadata:
name: "Org's compute instances should not be t3.micro or t3.nano"
guidelines: "In order to avoid compute issues in this account - change manually instances to be at least from type t3.small"
category: "networking"
severity: "high"
scope:
provider: "aws"
definition:
and:
- cond_type: "attribute"
resource_types:
- "aws_instance"
attribute: "instance_type"
operator: "not_equals"
value: "t3.micro"
- cond_type: "attribute"
resource_types:
- "aws_instance"
attribute: "instance_type"
operator: "not_equals"
value: "t3.nano"
---
metadata:
name: "AWS Security rule check"
guidelines: "AWS Security rule check"
category: "general"
severity: "critical"
scope:
provider: "aws"
definition:
and:
- cond_type: "attribute"
resource_types:
- "aws_security_group"
attribute: "ingress[?(@.to_port == 22 & @.from_port == 22)].cidr_blocks[*]"
operator: "jsonpath_equals"
value: 0.0.0.0/0
- cond_type: "attribute"
resource_types:
- "aws_security_group"
attribute: "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/92')]"
operator: "jsonpath_equals"
value: 8.0.4.19/92
OR Logic - Attribute Block
---
metadata:
name: "Check that all encrypted RDS clusters are tagged with encrypted: true"
guidelines: "Tags Governance - in case of the matched condition below -> add/modify a tag of encrypted:true"
category: "secrets"
severity: "critical"
scope:
provider: "aws"
definition:
and:
- cond_type: "attribute"
resource_types:
- "aws_rds_cluster"
attribute: "tags.encrypted"
operator: "equals"
value: "true"
- or:
- cond_type: "attribute"
resource_types:
- "aws_rds_cluster"
attribute: "kms_key_id"
operator: "exists"
- cond_type: "attribute"
resource_types:
- "aws_rds_cluster"
attribute: "storage_encrypted"
operator: "equals"
value: "true"
OR - Multiple Attribute Blocks
---
metadata:
name: "Ensure all AWS databases have Backup Policy"
guidelines: "In case of non-compliant resource - add a backup policy configuration for the resource"
category: "storage"
severity: "medium"
scope:
provider: "aws"
definition:
or:
- cond_type: "attribute"
resource_types:
- "aws_rds_cluster"
- "aws_db_instance"
attribute: "backup_retention_period"
operator: "not_exists"
- cond_type: "attribute"
resource_types:
- "aws_rds_cluster"
- "aws_db_instance"
attribute: "backup_retention_period"
operator: "not_equals"
value: "0"
- cond_type: "attribute"
resource_types:
- "aws_redshift_cluster"
attribute: "automated_snapshot_retention_period"
operator: "not_equals"
value: "0"
- cond_type: "attribute"
resource_types:
- "aws_dynamodb_table"
attribute: "point_in_time_recovery"
operator: "not_equals"
value: "false"
- cond_type: "attribute"
resource_types:
- "aws_dynamodb_table"
attribute: "point_in_time_recovery"
operator: "exists"
Simple Connection State Block and Filter and Attribute Blocks
---
metadata:
name: "Ensure all EC2s are connected only to encrypted EBS volumes"
guidelines: "In case of non-compliant resource - change attached EBS volume's attribute into encrypted=true"
category: "storage"
severity: "high"
scope:
provider: "aws"
definition:
and:
- cond_type: "attribute"
resource_types:
- "aws_ebs_volume"
attribute: "encrypted"
operator: "equals"
value: "true"
- cond_type: "connection"
resource_types:
- "aws_volume_attachment"
connected_resource_types:
- "aws_ebs_volume"
operator: "exists"
- cond_type: "filter"
attribute: "resource_type"
value:
- "aws_ebs_volume"
operator: "within"
Complex Definition - Connection State Block and Filter and Attribute Blocks - Example 1
---
metadata:
name: "Ensure all ALBs are connected only to HTTPS listeners"
guidelines: "In case of non-compliant resource - change the definition of the listener/listener_rul protocol value into HTTPS"
category: "networking"
severity: "high"
scope:
provider: "aws"
definition:
and:
- cond_type: "filter"
value:
- "aws_lb"
attribute: "resource_type"
operator: "within"
- cond_type: "attribute"
resource_types:
- "aws_lb"
attribute: "load_balancer_type"
operator: "equals"
value: "application"
- or:
- cond_type: "connection"
resource_types:
- "aws_lb"
connected_resource_types:
- "aws_lb_listener"
operator: "not_exists"
- and:
- cond_type: "connection"
resource_types:
- "aws_lb"
connected_resource_types:
- "aws_lb_listener"
operator: "exists"
- cond_type: "attribute"
resource_types:
- "aws_lb_listener"
attribute: "certificate_arn"
operator: "exists"
- cond_type: "attribute"
resource_types:
- "aws_lb_listener"
attribute: "ssl_policy"
operator: "exists"
- cond_type: "attribute"
resource_types:
- "aws_lb_listener"
attribute: "protocol"
operator: "equals"
value: "HTTPS"
- or:
- cond_type: "attribute"
resource_types:
- "aws_lb_listener"
attribute: "default_action.redirect.protocol"
operator: "equals"
value: "HTTPS"
- cond_type: "attribute"
resource_types:
- "aws_lb_listener"
attribute: "default_action.redirect.protocol"
operator: "not_exists"
- or:
- cond_type: "connection"
resource_types:
- "aws_lb_listener_rule"
connected_resource_types:
- "aws_lb_listener"
operator: "not_exists"
- and:
- cond_type: "connection"
resource_types:
- "aws_lb_listener_rule"
connected_resource_types:
- "aws_lb_listener"
operator: "exists"
- or:
- cond_type: "attribute"
resource_types:
- "aws_lb_listener_rule"
attribute: "default_action.redirect.protocol"
operator: "equals"
value: "HTTPS"
- cond_type: "attribute"
resource_types:
- "aws_lb_listener_rule"
attribute: "default_action.redirect.protocol"
operator: "not_exists"
Complex Definition - Connection State Block and Filter and Attribute Blocks - Example 2
---
metadata:
name: "Ensure resources allows encrypted ingress communication (SSH)"
guidelines: "In case of non-compliant resource - change the definition of the security groups protocol into 22"
category: "networking"
severity: "critical"
scope:
provider: "aws"
definition:
and:
- cond_type: "filter"
attribute: "resource_type"
value:
- "aws_instance"
- "aws_elb"
- "aws_lb"
- "aws_db_instance"
- "aws_elasticache_cluster"
- "aws_emr_cluster"
- "aws_redshift_cluster"
- "aws_elasticsearch_domain"
- "aws_rds_cluster"
- "aws_efs_mount_target"
- "aws_efs_file_system"
- "aws_ecs_service"
operator: "within"
- cond_type: "connection"
resource_types:
- "aws_instance"
- "aws_elb"
- "aws_lb"
- "aws_db_instance"
- "aws_elasticache_cluster"
- "aws_emr_cluster"
- "aws_redshift_cluster"
- "aws_elasticsearch_domain"
- "aws_rds_cluster"
- "aws_efs_mount_target"
- "aws_efs_file_system"
- "aws_ecs_service"
connected_resource_types:
- "aws_security_group"
- "aws_default_security_group"
operator: "exists"
- or:
- cond_type: "attribute"
resource_types:
- "aws_security_group"
- "aws_default_security_group"
attribute: "ingress.from_port"
operator: "equals"
value: "22"
- cond_type: "attribute"
resource_types:
- "aws_security_group"
- "aws_default_security_group"
value: "22"
operator: "equals"
attribute: "ingress.to_port"
- or:
- cond_type: "connection"
resource_types:
- "aws_security_group_rule"
connected_resource_types:
- "aws_security_group"
- "aws_default_security_group"
operator: "not_exists"
- and:
- cond_type: "connection"
resource_types:
- "aws_security_group_rule"
connected_resource_types:
- "aws_security_group"
- "aws_default_security_group"
operator: "exists"
- cond_type: "attribute"
resource_types:
- "aws_security_group_rule"
attribute: "type"
operator: "equals"
value: "ingress"
- or:
- cond_type: "attribute"
resource_types:
- "aws_security_group_rule"
attribute: "to_port"
operator: "equals"
value: "22"
- cond_type: "attribute"
resource_types:
- "aws_security_group_rule"
attribute: "from_port"
operator: "equals"
value: "22"
Array example
In addition to creating Policies with multiple rules (as described above), you can create a Policy that checks multiple entries, of the same type, within an array.
Let’s consider this example. You want to scan all the Ingress CIDR blocks for this resource to determine if any = 0.0.0.0/0.
---
metadata:
name: "Ensure security groups do not allow traffic from all IPs"
guidelines: "..."
category: "networking"
severity: "critical"
scope:
provider: "aws"
definition:
cond_type: "attribute"
resource_types:
- "aws_security_group"
attribute: "ingress.*.cidr_blocks"
operator: "not_cotains"
value: "0.0.0.0/0"
CloudFormation examples
Basic Query - One Attribute Block
---
metadata:
name: "Ensure MSK Cluster logging is enabled"
guidelines: "..."
category: "logging"
severity: "critical"
scope:
provider: "aws"
definition:
cond_type: attribute
attribute: KmsKeyId
operator: exists
resource_types:
- AWS::SageMaker::NotebookInstance
OR at Top Level - Three Attribute Blocks
---
metadata:
name: "Ensure MSK Cluster logging is enabled"
guidelines: "..."
category: "logging"
severity: "critical"
scope:
provider: "aws"
definition:
or:
- cond_type: attribute
attribute: LoggingInfo.BrokerLogs.S3.Enabled
operator: equals
value: true
resource_types:
- "AWS::MSK::Cluster"
- cond_type: attribute
attribute: LoggingInfo.BrokerLogs.Firehose.Enabled
operator: equals
value: true
resource_types:
- "AWS::MSK::Cluster"
- cond_type: attribute
attribute: LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled
operator: equals
value: true
resource_types:
- "AWS::MSK::Cluster"
Connection State Block and Filter and Attribute Blocks - Example 1
---
metadata:
name: "Ensure that ALB redirects HTTP requests into HTTPS ones"
guidelines: "..."
category: "networking"
severity: "critical"
scope:
provider: "aws"
definition:
and:
- cond_type: filter
value:
- AWS::ElasticLoadBalancingV2::LoadBalancer
operator: within
attribute: resource_type
- or:
- cond_type: connection
operator: not_exists
resource_types:
- AWS::ElasticLoadBalancingV2::LoadBalancer
connected_resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- and:
- cond_type: connection
operator: exists
resource_types:
- AWS::ElasticLoadBalancingV2::LoadBalancer
connected_resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- or:
- and:
- cond_type: attribute
attribute: Port
operator: not_equals
value: "80"
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- cond_type: attribute
attribute: Protocol
operator: not_equals
value: HTTP
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- and:
- cond_type: attribute
attribute: Port
operator: equals
value: "80"
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- cond_type: attribute
attribute: Protocol
operator: equals
value: "HTTP"
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- cond_type: attribute
attribute: DefaultActions.Type
operator: equals
value: "redirect"
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- cond_type: attribute
attribute: DefaultActions.RedirectConfig.Port
operator: equals
value: "443"
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
- cond_type: attribute
attribute: DefaultActions.RedirectConfig.Protocol
operator: equals
value: "HTTPS"
resource_types:
- AWS::ElasticLoadBalancingV2::Listener
Updated about 1 year ago