Examples (Code-Based)

Terraform examples

Basic Query - One Attribute Block

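---
# Single attribute condition: a resource passes when it carries a "tags.env"
# attribute. Indentation normalized to two spaces (the original mixed 1, 2 and
# 7-space indents across the three top-level keys).
metadata:
  name: "Check that all resources are tagged with the key - env"
  guidelines: "Tags Governance - in case of the matched condition below -> add a tag of env with one of the values: prod/dev1/dev2/test/stage"
  category: "general"
  severity: "critical"
scope:
  provider: "aws"
definition:
  cond_type: "attribute"
  # scalar keyword rather than the list form used by the other examples on this
  # page; presumably applies the condition to every resource type in scope
  resource_types: "all"
  attribute: "tags.env"
  operator: "exists"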

AND at Top Level - Two Attribute Blocks

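---
# Two attribute conditions joined by a top-level "and": an instance passes only
# when its instance_type is neither t3.micro nor t3.nano. Sequence indentation
# is now the same for both resource_types lists (the original indented one and
# left the other flush, which yamllint reports as inconsistent).
metadata:
  name: "Org's compute instances should not be t3.micro or t3.nano"
  guidelines: "In order to avoid compute issues in this account - change manually instances to be at least from type t3.small"
  category: "networking"
  severity: "high"
scope:
  provider: "aws"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
      attribute: "instance_type"
      operator: "not_equals"
      value: "t3.micro"
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
      attribute: "instance_type"
      operator: "not_equals"
      value: "t3.nano"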
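---
# Two JSONPath attribute conditions joined by "and". Both compared values are
# now quoted so they are read as strings regardless of the YAML loader.
# NOTE(review): every other example on this page writes the definition as the
# state that passes (tags must "exist", instance_type must "not_equals" the
# small types), so as written a security group whose port-22 ingress lists
# 0.0.0.0/0 would be reported as compliant here — confirm the intended
# direction before adapting this example into a real check.
metadata:
  name: "AWS Security rule check"
  guidelines: "AWS Security rule check"
  category: "general"
  severity: "critical"
scope:
  provider: "aws"
definition:
  and:
    # selects the ingress entries whose from_port and to_port are both 22 and
    # compares each of their cidr_blocks with the value below
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group"
      attribute: "ingress[?(@.to_port == 22 & @.from_port == 22)].cidr_blocks[*]"
      operator: "jsonpath_equals"
      value: "0.0.0.0/0"
    # selects the port-443 ingress entries whose cidr_blocks contain the sample
    # CIDR; note that /92 is not a valid IPv4 prefix length, so this is a
    # placeholder value to replace when reusing the example
    - cond_type: "attribute"
      resource_types:
        - "aws_security_group"
      attribute: "ingress[?(@.to_port == 443 & @.from_port == 443)].cidr_blocks[?(@ == '8.0.4.19/92')]"
      operator: "jsonpath_equals"
      value: "8.0.4.19/92"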

OR Logic - Attribute Block

---
# "or" nested under "and": the tag condition is mandatory, and in addition at
# least one of the two encryption settings below must hold.
metadata:
  name: "Check that all encrypted RDS clusters are tagged with encrypted: true"
  guidelines: "Tags Governance - in case of the matched condition below -> add/modify a tag of encrypted:true"
  category: "secrets"
  severity: "critical"
scope:
  provider: "aws"
definition:
  and:
    # mandatory: the cluster carries tags.encrypted = "true"
    - cond_type: "attribute"
      resource_types:
        - "aws_rds_cluster"
      attribute: "tags.encrypted"
      operator: "equals"
      value: "true"
    # plus either a customer KMS key or storage_encrypted = "true"
    - or:
        - cond_type: "attribute"
          resource_types:
            - "aws_rds_cluster"
          attribute: "kms_key_id"
          operator: "exists"
        - cond_type: "attribute"
          resource_types:
            - "aws_rds_cluster"
          attribute: "storage_encrypted"
          operator: "equals"
          value: "true"

OR - Multiple Attribute Blocks

---
# Top-level "or" spanning several database resource types: a resource passes
# when any one of the listed conditions holds for it.
metadata:
  name: "Ensure all AWS databases have Backup Policy"
  guidelines: "In case of non-compliant resource - add a backup policy configuration for the resource"
  category: "storage"
  severity: "medium"
scope:
  provider: "aws"
definition:
  or:
    # RDS: backup_retention_period absent, or present and not "0"
    - cond_type: "attribute"
      resource_types:
        - "aws_rds_cluster"
        - "aws_db_instance"
      attribute: "backup_retention_period"
      operator: "not_exists"
    - cond_type: "attribute"
      resource_types:
        - "aws_rds_cluster"
        - "aws_db_instance"
      attribute: "backup_retention_period"
      operator: "not_equals"
      value: "0"
    # Redshift: automated snapshots retained for more than "0" days
    - cond_type: "attribute"
      resource_types:
        - "aws_redshift_cluster"
      attribute: "automated_snapshot_retention_period"
      operator: "not_equals"
      value: "0"
    # DynamoDB: point-in-time recovery configured
    # NOTE(review): under "or" the "exists" condition below subsumes the
    # not_equals "false" check on the same attribute — any table that sets
    # point_in_time_recovery at all passes, whatever its value; confirm intent.
    - cond_type: "attribute"
      resource_types:
        - "aws_dynamodb_table"
      attribute: "point_in_time_recovery"
      operator: "not_equals"
      value: "false"
    - cond_type: "attribute"
      resource_types:
        - "aws_dynamodb_table"
      attribute: "point_in_time_recovery"
      operator: "exists"

Simple Connection State Block and Filter and Attribute Blocks

---
# Combines the three block kinds: an attribute condition on the volume, a
# connection condition between attachment and volume, and a filter that limits
# the reported resources to aws_ebs_volume.
metadata:
  name: "Ensure all EC2s are connected only to encrypted EBS volumes"
  guidelines: "In case of non-compliant resource - change attached EBS volume's attribute into encrypted=true"
  category: "storage"
  severity: "high"
scope:
  provider: "aws"
definition:
  and:
    # the volume itself must be encrypted
    - cond_type: "attribute"
      resource_types:
        - "aws_ebs_volume"
      attribute: "encrypted"
      operator: "equals"
      value: "true"
    # and an attachment must reference it
    - cond_type: "connection"
      resource_types:
        - "aws_volume_attachment"
      connected_resource_types:
        - "aws_ebs_volume"
      operator: "exists"
    # only volumes are evaluated/reported
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "aws_ebs_volume"
      operator: "within"

Complex Definition - Connection State Block and Filter and Attribute Blocks - Example 1

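---
# Application load balancers pass when they have no listener at all (first
# branch of the top-level "or"), or when the connected listener is an HTTPS
# listener with a certificate and SSL policy whose redirect (if any) targets
# HTTPS, and whose listener rules (if any) likewise redirect only to HTTPS.
# Fixes: trailing whitespace after "aws_lb" and the "listener_rul" typo in the
# guidelines text; sequence indentation made uniform.
metadata:
  name: "Ensure all ALBs are connected only to HTTPS listeners"
  guidelines: "In case of non-compliant resource - change the definition of the listener/listener_rule protocol value into HTTPS"
  category: "networking"
  severity: "high"
scope:
  provider: "aws"
definition:
  and:
    # only load balancers are reported
    - cond_type: "filter"
      value:
        - "aws_lb"
      attribute: "resource_type"
      operator: "within"
    # and only application load balancers are evaluated
    - cond_type: "attribute"
      resource_types:
        - "aws_lb"
      attribute: "load_balancer_type"
      operator: "equals"
      value: "application"
    - or:
        # no listener attached: nothing further to check
        - cond_type: "connection"
          resource_types:
            - "aws_lb"
          connected_resource_types:
            - "aws_lb_listener"
          operator: "not_exists"
        # listener attached: it must be a properly configured HTTPS listener
        - and:
            - cond_type: "connection"
              resource_types:
                - "aws_lb"
              connected_resource_types:
                - "aws_lb_listener"
              operator: "exists"
            - cond_type: "attribute"
              resource_types:
                - "aws_lb_listener"
              attribute: "certificate_arn"
              operator: "exists"
            - cond_type: "attribute"
              resource_types:
                - "aws_lb_listener"
              attribute: "ssl_policy"
              operator: "exists"
            - cond_type: "attribute"
              resource_types:
                - "aws_lb_listener"
              attribute: "protocol"
              operator: "equals"
              value: "HTTPS"
            # a default redirect action, when present, must target HTTPS
            - or:
                - cond_type: "attribute"
                  resource_types:
                    - "aws_lb_listener"
                  attribute: "default_action.redirect.protocol"
                  operator: "equals"
                  value: "HTTPS"
                - cond_type: "attribute"
                  resource_types:
                    - "aws_lb_listener"
                  attribute: "default_action.redirect.protocol"
                  operator: "not_exists"
            # listener rules, when present, must redirect only to HTTPS
            - or:
                - cond_type: "connection"
                  resource_types:
                    - "aws_lb_listener_rule"
                  connected_resource_types:
                    - "aws_lb_listener"
                  operator: "not_exists"
                - and:
                    - cond_type: "connection"
                      resource_types:
                        - "aws_lb_listener_rule"
                      connected_resource_types:
                        - "aws_lb_listener"
                      operator: "exists"
                    - or:
                        - cond_type: "attribute"
                          resource_types:
                            - "aws_lb_listener_rule"
                          attribute: "default_action.redirect.protocol"
                          operator: "equals"
                          value: "HTTPS"
                        - cond_type: "attribute"
                          resource_types:
                            - "aws_lb_listener_rule"
                          attribute: "default_action.redirect.protocol"
                          operator: "not_exists"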

Complex Definition - Connection State Block and Filter and Attribute Blocks - Example 2

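---
# Resources of the listed types pass when they are attached to a security
# group that has an ingress entry on port 22 and, if separate security group
# rules are attached to that group, at least one of those is an ingress rule
# on port 22.
# Fixes: the guidelines text referred to a "protocol" being set to 22, but 22
# is the ingress port that the definition below checks; key order of the
# second port condition aligned with its sibling; indentation made uniform.
metadata:
  name: "Ensure resources allows encrypted ingress communication (SSH)"
  guidelines: "In case of non-compliant resource - change the definition of the security groups ingress port into 22"
  category: "networking"
  severity: "critical"
scope:
  provider: "aws"
definition:
  and:
    # only these resource types are reported
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "aws_instance"
        - "aws_elb"
        - "aws_lb"
        - "aws_db_instance"
        - "aws_elasticache_cluster"
        - "aws_emr_cluster"
        - "aws_redshift_cluster"
        - "aws_elasticsearch_domain"
        - "aws_rds_cluster"
        - "aws_efs_mount_target"
        - "aws_efs_file_system"
        - "aws_ecs_service"
      operator: "within"
    # each must be connected to a (default) security group
    - cond_type: "connection"
      resource_types:
        - "aws_instance"
        - "aws_elb"
        - "aws_lb"
        - "aws_db_instance"
        - "aws_elasticache_cluster"
        - "aws_emr_cluster"
        - "aws_redshift_cluster"
        - "aws_elasticsearch_domain"
        - "aws_rds_cluster"
        - "aws_efs_mount_target"
        - "aws_efs_file_system"
        - "aws_ecs_service"
      connected_resource_types:
        - "aws_security_group"
        - "aws_default_security_group"
      operator: "exists"
    # the inline ingress block must cover port 22 on either end of the range
    - or:
        - cond_type: "attribute"
          resource_types:
            - "aws_security_group"
            - "aws_default_security_group"
          attribute: "ingress.from_port"
          operator: "equals"
          value: "22"
        - cond_type: "attribute"
          resource_types:
            - "aws_security_group"
            - "aws_default_security_group"
          attribute: "ingress.to_port"
          operator: "equals"
          value: "22"
    # standalone security group rules, when attached, must be ingress on port 22
    - or:
        - cond_type: "connection"
          resource_types:
            - "aws_security_group_rule"
          connected_resource_types:
            - "aws_security_group"
            - "aws_default_security_group"
          operator: "not_exists"
        - and:
            - cond_type: "connection"
              resource_types:
                - "aws_security_group_rule"
              connected_resource_types:
                - "aws_security_group"
                - "aws_default_security_group"
              operator: "exists"
            - cond_type: "attribute"
              resource_types:
                - "aws_security_group_rule"
              attribute: "type"
              operator: "equals"
              value: "ingress"
            - or:
                - cond_type: "attribute"
                  resource_types:
                    - "aws_security_group_rule"
                  attribute: "to_port"
                  operator: "equals"
                  value: "22"
                - cond_type: "attribute"
                  resource_types:
                    - "aws_security_group_rule"
                  attribute: "from_port"
                  operator: "equals"
                  value: "22"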

Array example

In addition to creating policies with multiple rules (as described above), you can create a policy that checks multiple entries of the same type within an array.

Consider this example: you want to scan all the ingress CIDR blocks for this resource to determine whether any of them equals 0.0.0.0/0.

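---
# Array example: the "*" in the attribute path walks the ingress entries
# (presumably one per element of the ingress list) and the security group
# passes only when none of their cidr_blocks contains 0.0.0.0/0.
# Fixes: the "aws_security_group" list item was indented with a tab, which YAML
# does not allow, and the operator was misspelled "not_cotains".
metadata:
  name: "Ensure security groups do not allow traffic from all IPs"
  guidelines: "..."
  category: "networking"
  severity: "critical"
scope:
  provider: "aws"
definition:
  cond_type: "attribute"
  resource_types:
    - "aws_security_group"
  attribute: "ingress.*.cidr_blocks"
  operator: "not_contains"
  value: "0.0.0.0/0"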

CloudFormation examples

Basic Query - One Attribute Block

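---
# Basic CloudFormation query: a SageMaker notebook instance passes when its
# KmsKeyId property is set.
# Fix: the metadata name was copied from the MSK logging example that follows
# and did not describe this definition; it now names the SageMaker KMS check.
# NOTE(review): the "logging" category is also inherited from that example and
# may not be the best fit for a KMS key check — confirm against the supported
# category list before reusing.
metadata:
  name: "Ensure SageMaker notebook instances have a KMS key configured"
  guidelines: "..."
  category: "logging"
  severity: "critical"
scope:
  provider: "aws"
definition:
  cond_type: "attribute"
  attribute: "KmsKeyId"
  operator: "exists"
  resource_types:
    - "AWS::SageMaker::NotebookInstance"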

OR at Top Level - Three Attribute Blocks

---
# Top-level "or" over three attribute conditions: an MSK cluster passes when
# broker logs are enabled for at least one of the S3, Firehose or CloudWatch
# Logs destinations.
# NOTE(review): "value: true" is a YAML boolean here, whereas the Terraform
# examples on this page compare against the quoted string "true" — confirm
# which form the equals operator expects for CloudFormation properties.
metadata:
  name: "Ensure MSK Cluster logging is enabled"
  guidelines: "..."
  category: "logging"
  severity: "critical"
scope:
  provider: "aws"
definition:
  or:
    - cond_type: "attribute"
      resource_types:
        - "AWS::MSK::Cluster"
      attribute: "LoggingInfo.BrokerLogs.S3.Enabled"
      operator: "equals"
      value: true
    - cond_type: "attribute"
      resource_types:
        - "AWS::MSK::Cluster"
      attribute: "LoggingInfo.BrokerLogs.Firehose.Enabled"
      operator: "equals"
      value: true
    - cond_type: "attribute"
      resource_types:
        - "AWS::MSK::Cluster"
      attribute: "LoggingInfo.BrokerLogs.CloudWatchLogs.Enabled"
      operator: "equals"
      value: true

Connection State Block and Filter and Attribute Blocks - Example 1

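---
# A load balancer passes when no listener is connected to it, or when the
# connected listener either is not a plain HTTP listener on port 80, or is an
# HTTP:80 listener whose default action redirects to HTTPS on port 443.
# Fixes: "HTTP" was left unquoted in one condition and quoted in the other
# (same string, now quoted consistently), and the nested sequences used three
# different indent widths; the CloudFormation type names are quoted to match
# the "AWS::MSK::Cluster" example above.
metadata:
  name: "Ensure that ALB redirects HTTP requests into HTTPS ones"
  guidelines: "..."
  category: "networking"
  severity: "critical"
scope:
  provider: "aws"
definition:
  and:
    # only load balancers are reported
    - cond_type: "filter"
      value:
        - "AWS::ElasticLoadBalancingV2::LoadBalancer"
      operator: "within"
      attribute: "resource_type"
    - or:
        # no listener connected: nothing further to check
        - cond_type: "connection"
          operator: "not_exists"
          resource_types:
            - "AWS::ElasticLoadBalancingV2::LoadBalancer"
          connected_resource_types:
            - "AWS::ElasticLoadBalancingV2::Listener"
        - and:
            - cond_type: "connection"
              operator: "exists"
              resource_types:
                - "AWS::ElasticLoadBalancingV2::LoadBalancer"
              connected_resource_types:
                - "AWS::ElasticLoadBalancingV2::Listener"
            - or:
                # branch 1: not a plain HTTP listener on port 80
                - and:
                    - cond_type: "attribute"
                      attribute: "Port"
                      operator: "not_equals"
                      value: "80"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"
                    - cond_type: "attribute"
                      attribute: "Protocol"
                      operator: "not_equals"
                      value: "HTTP"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"
                # branch 2: HTTP:80 listener whose default action redirects to HTTPS:443
                - and:
                    - cond_type: "attribute"
                      attribute: "Port"
                      operator: "equals"
                      value: "80"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"
                    - cond_type: "attribute"
                      attribute: "Protocol"
                      operator: "equals"
                      value: "HTTP"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"
                    - cond_type: "attribute"
                      attribute: "DefaultActions.Type"
                      operator: "equals"
                      value: "redirect"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"
                    - cond_type: "attribute"
                      attribute: "DefaultActions.RedirectConfig.Port"
                      operator: "equals"
                      value: "443"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"
                    - cond_type: "attribute"
                      attribute: "DefaultActions.RedirectConfig.Protocol"
                      operator: "equals"
                      value: "HTTPS"
                      resource_types:
                        - "AWS::ElasticLoadBalancingV2::Listener"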