Updated in PCS-24.4.1 #97

Merged
merged 3 commits into from
Apr 11, 2024
44 changes: 44 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,49 @@
# Changelog

## PCS-24.4.1 - 2024-4-11

### Added

#### 10 new policies

- AWS Athena Workgroup data encryption at rest not configured
- AWS DMS replication instance is publicly accessible
- AWS EC2 Auto Scaling Launch Configuration is not using encrypted EBS volumes
- AWS Glue Job not encrypted by Customer Managed Key (CMK)
- AWS RDS cluster encryption in transit is not configured
- AWS root account activity detected in last 14 days
- AWS SageMaker endpoint data encryption at rest not configured
- AWS Secrets Manager secret not encrypted by Customer Managed Key (CMK)
- Azure Storage Sync Service configured with overly permissive network acce
- GCP Storage Bucket encryption not configured with Customer-Managed Encryption Key (CMEK)

#### 2 new policies for the IAM Security module

- Publicly Writable Lambda
- Publicly Readable Lambda

### Changed

#### 5 policies updated

- AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389
- AWS MFA is not enabled on Root account
- AWS S3 bucket encrypted using Customer Managed Key (CMK) with overly permissive policy
- Azure Virtual Machine that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389
- GCP VM instance that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389

#### 2 policies updated for the IAM Security module

- AWS cross-account resource access through IAM policies
- Publicly Executable Lambda

### Removed

#### 1 policy deleted from the IAM Security module

- Azure Managed Identity with permissions to other subscriptions


## PCS-24.3.2 - 2024-3-28

### Added
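Review bot: the Azure entry under "10 new policies" is cut off mid-word ("... configured with overly permissive network acce"); complete it so the changelog line matches the `name` field of the policy file it refers to. Everything else in the hunk lines up with the files in this PR (10 new, 5 updated, 2 IAM Security updated, 1 removed), so this is the only fix needed before merge.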
@@ -0,0 +1,17 @@
{
"policyUpi": "PC-AWS-ATN-1130",
"policyId": "5405e934-1c52-450a-84d4-0b84c5eb2fa8",
"policyType": "config",
"cloudType": "aws",
"severity": "low",
"name": "AWS Athena Workgroup data encryption at rest not configured",
"description": "This policy identifies AWS Athena workgroups not configured with data encryption at rest.\n\nAWS Athena workgroup enables you to isolate queries for you or your group of users from other queries in the same account, to set the query results location and the encryption configuration. By default, Athena workgroup query run results are not encrypted at rest and client side settings can override the workgroup settings. Encrypting workgroups and preventing overrides from the client side helps in protecting the integrity and confidentiality of the data stored on Athena.\n\nIt is recommended to set encryption at rest and enable 'override client-side settings' to mitigate the risk of unauthorized access and potential data breaches.",
"rule.criteria": "62a0db03-89fd-4618-9ae5-895f1009ee7c",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-athena-workgroup' AND json.rule = WorkGroup.State equal ignore case enabled and (WorkGroup.Configuration.ResultConfiguration.EncryptionConfiguration does not exist or (WorkGroup.Configuration.EngineVersion.EffectiveEngineVersion contains Athena and WorkGroup.Configuration.EnforceWorkGroupConfiguration is false))",
"recommendation": "To enable encryption at rest for the Athena workgroup, follow the below steps:\n\n1. Sign in to the AWS Management Console and open the Amazon Athena console.\n2. Under the navigation bar, click on Workgroups.\n3. Select the alerted workgroup. Click on 'Edit'.\n4. For Athena-based engines, under 'Query result configuration', enable 'Encrypt query results'.\n5. Select 'Encryption type' based on the requirements. Make sure to set 'Minimum encryption'.\n6. Under 'Settings', enable 'Override client-side settings'.\n7. For Apache Spark-based engines, under 'Calculation result settings', enable 'Encrypt query results'.\n8. Select 'Encryption type' based on the requirements.\n9. Click on 'Save changes'.",
"remediable": false,
"remediation.cliScriptTemplate": "",
"remediation.description": "",
"remediation.impact": "",
"compliance.standard": ""
}
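Review bot: step 5 of the recommendation tells the user to "Make sure to set 'Minimum encryption'", but the rule in `searchModel.query` only tests whether `WorkGroup.Configuration.ResultConfiguration.EncryptionConfiguration` exists (and, for Athena engines, whether `EnforceWorkGroupConfiguration is false`), so a workgroup with encryption configured but no minimum encryption level passes the check; either evaluate that setting in the rule or drop the instruction. Also, the description says client-side settings can override the workgroup configuration, yet the `EnforceWorkGroupConfiguration is false` branch is gated on `EffectiveEngineVersion contains Athena`; confirm that the Spark-based workgroups addressed in steps 7 and 8 need no equivalent enforcement check, or extend the branch.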
17 changes: 17 additions & 0 deletions policies/AWS-DMS-replication-instance-is-publicly-accessible.json
@@ -0,0 +1,17 @@
{
"policyUpi": "PC-AWS-DMS-1131",
"policyId": "a1497898-ea75-4d3b-b806-b9cae5442771",
"policyType": "config",
"cloudType": "aws",
"severity": "low",
"name": "AWS DMS replication instance is publicly accessible",
"description": "This policy identifies AWS DMS (Database Migration Service) replication instances with public accessibility enabled.\n\nA DMS replication instance is used to connect and read the source data and prepare it for consumption by the target data store. When AWS DMS replication instances are publicly accessible, it increases the risk of unauthorized access, data breaches, and potentially malicious activities.\n\nIt is recommended to disable the public accessibility of DMS replication instances to decrease the attack surface.",
"rule.criteria": "b6085a88-3c26-466d-9039-c225d754c5ae",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-dms-replication-instance' AND json.rule = replicationInstanceStatus is not member of ('creating','deleted','deleting') and publiclyAccessible is true",
"recommendation": "Public accessibility can be disabled only at the time of creation, please follow the below steps to create a new DMS replication instance:\n\n1. Sign in to the AWS Management Console and navigate to the AWS DMS console.\n2. In the navigation pane, choose 'Replication instances' and then click the 'Create replication instance' button.\n3. Under the 'Connectivity and security' section, Leave the 'Publicly accessible' option unchecked to ensure that the replication instance does not have public IP addresses or DNS names.\n4. Configure other settings based on your requirements.\n5. Click the 'Create replication instance' button to create the replication instance.\n\nTo delete the reported AWS DMS replication instance, Please follow the below steps:\n\n1. Sign in to the AWS Management Console and navigate to the AWS DMS console.\n2. In the navigation pane, choose 'Replication instances' to see a list of your existing replication instances.\n3. Select the replication instance that you want to delete from the list.\n4. After selecting the replication instance, choose 'Actions' and then 'Delete' from the menu.\n5. A confirmation dialog box will appear. Review the details and confirm that you want to delete the replication instance by selecting the 'Delete' button.",
"remediable": false,
"remediation.cliScriptTemplate": "",
"remediation.description": "",
"remediation.impact": "",
"compliance.standard": ""
}
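Review bot: the recommendation has the user create a replacement instance and then delete the reported one, but never mentions the replication tasks bound to the reported instance; add a step to recreate them against the new instance before the delete, and fill `remediation.impact` (currently empty) so the operator knows replication is interrupted. Severity is `low` while the description itself frames the finding as "unauthorized access, data breaches, and potentially malicious activities"; either justify the rating or raise it. Minor: "Leave the" and "Please follow" are capitalized mid-sentence.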
@@ -0,0 +1,17 @@
{
"policyUpi": "PC-AWS-ASG-1138",
"policyId": "d4cb69d1-c09d-4b7e-beb0-8c43adad117d",
"policyType": "config",
"cloudType": "aws",
"severity": "informational",
"name": "AWS EC2 Auto Scaling Launch Configuration is not using encrypted EBS volumes",
"description": "This policy identifies AWS EC2 Auto Scaling Launch Configurations that are not using encrypted EBS volumes.\n\nA launch configuration defines an instance configuration template that an Auto Scaling group uses to launch EC2 instances. Amazon Elastic Block Store (EBS) volumes allow you to create encrypted launch configurations when creating EC2 instances and auto scaling groups. When the entire EBS volume is encrypted, data stored at rest, in-transit, and snapshots are encrypted. This protects the data from unauthorized access.\n\nAs a security best practice for data protection, enable encryption for all EBS volumes at auto scaling launch configuration.",
"rule.criteria": "b22e16a9-69a5-4d5b-b59c-4dc34fcd9d57",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-autoscaling-launch-configuration' AND json.rule = blockDeviceMappings[*].ebs exists AND blockDeviceMappings[?any(ebs.encrypted is false)] exists",
"recommendation": "Once Auto Scaling Launch Configuration is created you can not modify the encryption for the EBS volumes. To reslove this alert you need copy the reported launch configuration, create new launch template using copied launch configuration data and select the encryption option for EBS vloumes. Later delete the reported launch configuration.\n\nTo create a new launch template,\n1. Log in to AWS console\n2. Navigate to the Amazon EC2 dashboard\n3. Under 'Auto Scaling' section, select the 'Auto Scaling groups'\n4. Click on 'Launch Templates'\n5. On 'Launch Templates' page, click on 'Create launch template'\n6. Create new lauch template by mentioning all data same as reported launch configuration.\n7. Under 'Storage (volumes)', make sure 'Encrypted' set for all EBS volumes you added.",
"remediable": false,
"remediation.cliScriptTemplate": "",
"remediation.description": "",
"remediation.impact": "",
"compliance.standard": ""
}
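Review bot: the recommendation ends with "Later delete the reported launch configuration" but never tells the user to switch the Auto Scaling group over to the new launch template first; a launch configuration still attached to a group cannot be deleted, so add that step between creating the template and the delete. The `json.rule` only matches mappings where `ebs.encrypted is false`; a mapping that omits the field entirely is not reported, so confirm that is the intended behaviour (otherwise add `ebs.encrypted does not exist`). Typos in the recommendation: "reslove", "vloumes", "lauch"; and steps 3-4 navigate via "Auto Scaling groups" to reach "Launch Templates", which sits under the Instances section of the EC2 console rather than under Auto Scaling.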
@@ -4,7 +4,7 @@
"policyType": "network",
"cloudType": "aws",
"severity": "high",
"name": "AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) to Admin ports",
"name": "AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0) on Admin ports 22/3389",
"description": "This policy identifies AWS EC2 instances that are internet reachable with unrestricted access (0.0.0.0/0) to Admin ports (22 / 3389). EC2 instances with unrestricted access to the internet for admin ports may enable bad actors to use brute force on a system to gain unauthorized access to the entire network. As a best practice, restrict traffic from unknown IP addresses and limit access to known hosts, services, or specific entities.",
"rule.criteria": "2a69fea0-3867-47f9-a253-af35de0f522e",
"searchModel.query": "config from network where source.network = '0.0.0.0/0' and address.match.criteria = 'full_match' and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS' and dest.resource.state = 'Active' and protocol.ports in ( 'tcp/22', 'tcp/3389' )",
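Review bot: the name now reads "on Admin ports 22/3389" while the unchanged description on the next line still says "to Admin ports (22 / 3389)"; align the description with the new wording while this file is being touched. The query itself (`protocol.ports in ( 'tcp/22', 'tcp/3389' )` with `source.network = '0.0.0.0/0'`) is untouched by this PR and matches the renamed policy.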
@@ -0,0 +1,17 @@
{
"policyUpi": "PC-AWS-GLU-1137",
"policyId": "d7aa057f-cf60-46b0-bb6a-de9c4e338337",
"policyType": "config",
"cloudType": "aws",
"severity": "medium",
"name": "AWS Glue Job not encrypted by Customer Managed Key (CMK)",
"description": "This policy identifies AWS Glue jobs that are encrypted using the default KMS key instead of CMK (Customer Managed Key) or using the CMK that is disabled.\n\nAWS Glue allows you to specify whether the data processed by the job should be encrypted when stored in data storage locations such as Amazon S3. To protect sensitive data from unauthorized access, users can specify CMK to get enhanced security, and control over the encryption key and also comply with any regulatory requirements.\n\nIt is recommended to use a CMK to encrypt the AWS Glue job data as it provides complete control over the encrypted data.",
"rule.criteria": "5a103a44-8f80-4a5f-84ad-299c0206d43b",
"searchModel.query": "config from cloud.resource where api.name = 'aws-glue-job' as X; config from cloud.resource where api.name = 'aws-glue-security-configuration' as Y; config from cloud.resource where api.name = 'aws-kms-get-key-rotation-status' AND json.rule = keyMetadata.keyManager does not equal CUSTOMER or (keyMetadata.keyManager equals CUSTOMER and keyMetadata.keyState equals Disabled) as Z; filter '$.X.SecurityConfiguration does not exist or ( $.X.SecurityConfiguration equals $.Y.name and ($.Y.encryptionConfiguration.s3Encryption[*].s3EncryptionMode does not equal \"SSE-KMS\" or ($.Y.encryptionConfiguration.s3Encryption[*].kmsKeyArn exists and $.Y.encryptionConfiguration.s3Encryption[*].kmsKeyArn equals $.Z.keyMetadata.arn)))' ; show X;",
"recommendation": "To encrypt data processed by AWS Glue jobs, configure encryption settings within the security configuration of the Glue job. Security configurations cannot be edited from the console, so we need to create a new security configuration with the necessary settings and attach it to the existing Glue job.\n\nTo add a security configuration using the AWS Glue console,\n\n1. Sign in to the AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com/.\n2. Navigate to the reported resource region by selecting the region from the dropdown in the top right corner.\n3. Navigate to AWS Glue: In the \"Find Services\" search box, type \"Glue\" and select \"AWS Glue\" from the search results.\n4. To add a security configuration using the AWS Glue console, choose 'Security Configurations' in the navigation pane.\n5. Choose 'Add security configuration'.\n6. on the Security configuration properties, Enter a unique security configuration name in the name text box.\n7. To Enable S3 encryption, select the checkbox under the 'Enable S3 encryption' section.\n8. Select the 'SSE-KMS' option in the 'Encryption mode' and choose an AWS KMS CMK key, or choose Enter a key ARN of the CMK and provide the ARN for the key that you are managing according to your business requirements.\n9. Click 'Create' to create a security configuration.\n\n\nTo add a security configuration to the existing glue job.\n\n1. Sign in to the AWS Management Console: Go to the AWS Management Console at https://console.aws.amazon.com/.\n2. Navigate to the reported resource region by selecting the region from the dropdown in the top right corner.\n3. Navigate to AWS Glue: In the \"Find Services\" search box, type \"Glue\" and select \"AWS Glue\" from the search results.\n4. Choose the ETL jobs in the navigation pane.\n5. select the reported job under the Your Jobs section.\n6. select the Job details tab.\n7. 
select the newly created security configuration from the dropdown in the 'Security configuration' section under the 'Advance properties' dropdown.\n8. Click 'Save'.\n\nTo enable the KMS CMK key, please refer to the below link.\nhttps://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html#enabling-keys-console",
"remediable": false,
"remediation.cliScriptTemplate": "",
"remediation.description": "",
"remediation.impact": "",
"compliance.standard": ""
}
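Review bot: the filter only reports an SSE-KMS security configuration when `kmsKeyArn exists and ... equals $.Z.keyMetadata.arn`, so a configuration with `s3EncryptionMode` = `"SSE-KMS"` and no `kmsKeyArn` at all is never flagged, even though the description says the policy identifies jobs "encrypted using the default KMS key instead of CMK"; if an absent ARN means the AWS managed key is used, that is exactly the case the description claims to catch, so add a `kmsKeyArn does not exist` alternative to the SSE-KMS branch. Also, step 7 of the second procedure is split across two lines mid-sentence ("7. " / "select the newly created ..."), and "Advance properties" should read "Advanced properties".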

This file was deleted.

2 changes: 1 addition & 1 deletion policies/AWS-MFA-is-not-enabled-on-Root-account.json
@@ -7,7 +7,7 @@
"name": "AWS MFA is not enabled on Root account",
"description": "This policy identifies root account which has MFA enabled. Root accounts have privileged access to all AWS services. Without MFA, if the root credentials are compromised, unauthorized users will get full access to your account.\n\nNOTE: This policy does not apply to AWS GovCloud Accounts. As you cannot enable an MFA device for AWS GovCloud (US) account root user. For more details refer: https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-console.html",
"rule.criteria": "478434a1-ff6c-492e-b411-c427c06291d9",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND cloud.service = 'IAM' AND api.name = 'aws-iam-get-credential-report' AND json.rule = 'user equals \"<root_account>\" and mfa_active is false and arn does not contain gov:'",
"searchModel.query": "config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-iam-get-credential-report' AND json.rule = 'user equals \"<root_account>\" and mfa_active is false and arn does not contain gov:'",
"recommendation": "1. Sign in to the 'AWS Console' using Root credentials.\n2. Navigate to the 'IAM' service.\n3. On the dashboard, click on 'Activate MFA on your root account', click on 'Manage MFA' and follow the steps to configure MFA for the root account.",
"remediable": false,
"remediation.cliScriptTemplate": "",
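Review bot: the unchanged description in this hunk says the policy "identifies root account which has MFA enabled", which is the inverse of what the rule (`mfa_active is false`) and the policy name state; change it to "which does not have MFA enabled" while this file is being edited. Dropping `cloud.service = 'IAM'` from the query is fine on its own, since `api.name = 'aws-iam-get-credential-report'` already pins the resource type and the root-user and non-GovCloud conditions are unchanged.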