diff --git a/Makefile b/Makefile index 91d8678..7561ff5 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,8 @@ md-update-deps: cd docGen && go get github.com/aquasecurity/defsec \ && go mod tidy -md-build: +md-build: misconfig-docs + cd test && go test -v ./... cd docGen && go build -o ../generator . md-test: @@ -73,4 +74,16 @@ build-all: md-clean md-build md-clone-all sync-all md-generate hugo-generate cop echo "Build Done, navigate to http://localhost:9011/ to browse" compile-theme-sass: - cd themes/aquablank/static/sass && sass avdblank.scss:../css/avdblank.css && sass avdblank.scss:../css/avdblank.min.css --style compressed \ No newline at end of file + cd themes/aquablank/static/sass && sass avdblank.scss:../css/avdblank.css && sass avdblank.scss:../css/avdblank.min.css --style compressed + +.PHONY: id +id: + cd cmd/new-policy-id-generator && go run -v main.go + +.PHONY: misconfig-docs +misconfig-docs: + cd cmd/trivy-policies-generator && go run -v main.go + +.PHONY: misconfig-docs-test +misconfig-docs-test: + cd cmd/trivy-policies-generator && go test -v ./... \ No newline at end of file diff --git a/cmd/new-policy-id-generator/go.mod b/cmd/new-policy-id-generator/go.mod new file mode 100644 index 0000000..957e024 --- /dev/null +++ b/cmd/new-policy-id-generator/go.mod 
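Review bot: The new `id` and `misconfig-docs` targets run `go run -v main.go`, which compiles only that single file and silently leaves out any sibling `.go` files that later land in the same package; `go run -v .` builds the whole package and is the conventional form, e.g. `cd cmd/new-policy-id-generator && go run -v .`. `md-build` now depends on `misconfig-docs`, so a failure in that generator blocks the build — worth a one-line comment above `md-build:` saying the docs are regenerated as part of the build.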
@@ -0,0 +1,56 @@
+module github.com/aquasecurity/avd-generator/new-policy-id-generator
+
+go 1.21.4
+
+require github.com/aquasecurity/defsec v0.93.1
+
+require (
+ github.com/Microsoft/go-winio v0.6.1 // indirect
+ github.com/OneOfOne/xxhash v1.2.8 // indirect
+ github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 // indirect
+ github.com/acomagu/bufpipe v1.0.3 // indirect
+ github.com/agext/levenshtein v1.2.3 // indirect
+ github.com/agnivade/levenshtein v1.1.1 // indirect
+ github.com/alecthomas/chroma v0.10.0 // indirect
+ github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+ github.com/cloudflare/circl v1.3.3 // indirect
+ github.com/dlclark/regexp2 v1.4.0 // indirect
+ github.com/emirpasic/gods v1.18.1 // indirect
+ github.com/ghodss/yaml v1.0.0 // indirect
+ github.com/go-git/gcfg v1.5.0 // indirect
+ github.com/go-git/go-billy/v5 v5.4.0 // indirect
+ github.com/go-git/go-git/v5 v5.5.2 // indirect
+ github.com/gobwas/glob v0.2.3 // indirect
+ github.com/google/uuid v1.3.0 // indirect
+ github.com/hashicorp/hcl/v2 v2.17.0 // indirect
+ github.com/imdario/mergo v0.3.13 // indirect
+ github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+ github.com/kevinburke/ssh_config v1.2.0 // indirect
+ github.com/liamg/iamgo v0.0.9 // indirect
+ github.com/liamg/jfather v0.0.7 // indirect
+ github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+ github.com/mitchellh/mapstructure v1.5.0 // indirect
+ github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15 // indirect
+ github.com/owenrumney/squealer v1.1.1 // indirect
+ github.com/pjbgf/sha1cd v0.2.3 // indirect
+ github.com/pkg/errors v0.9.1 // indirect
+ github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
+ github.com/sergi/go-diff v1.1.0 // indirect
+ github.com/sirupsen/logrus v1.9.3 // indirect
+ github.com/skeema/knownhosts v1.1.0 // indirect
+ github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+ github.com/xanzy/ssh-agent v0.3.3 // indirect
+ github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+ github.com/yashtewari/glob-intersection v0.1.0 // indirect
+ github.com/zclconf/go-cty v1.13.0 // indirect
+ golang.org/x/crypto v0.11.0 // indirect
+ golang.org/x/mod v0.10.0 // indirect
+ golang.org/x/net v0.10.0 // indirect
+ golang.org/x/sys v0.10.0 // indirect
+ golang.org/x/text v0.11.0 // indirect
+ golang.org/x/tools v0.8.0 // indirect
+ gopkg.in/warnings.v0 v0.1.2 // indirect
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+ gopkg.in/yaml.v3 v3.0.1 // indirect
+)
diff --git a/cmd/new-policy-id-generator/go.sum b/cmd/new-policy-id-generator/go.sum
new file mode 100644
index 0000000..e798e83
--- /dev/null
+++ b/cmd/new-policy-id-generator/go.sum
@@ -0,0 +1,252 @@ +github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= +github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= +github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4 h1:ra2OtmuW0AE5csawV4YXMNGNQQXvLRps3z2Z59OPO+I= +github.com/ProtonMail/go-crypto v0.0.0-20221026131551-cf6655e29de4/go.mod h1:UBYPn8k0D56RtnR8RFQMjmh4KrZzWJ5o7Z9SYjossQ8= +github.com/acomagu/bufpipe v1.0.3 h1:fxAGrHZTgQ9w5QqVItgzwj235/uYZYgbXitB+dLupOk= +github.com/acomagu/bufpipe v1.0.3/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= +github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= +github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek= +github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/aquasecurity/defsec v0.93.1 h1:y4XgRknjs2M58XVLANBT1wulO7N6Rz1oyfwNuzID+h4= +github.com/aquasecurity/defsec v0.93.1/go.mod 
h1:i80K4WRNbcIWDOQDWnTHkutBwplzw/uZD4laKbhu4sE= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/bytecodealliance/wasmtime-go v1.0.0 h1:9u9gqaUiaJeN5IoD1L7egD8atOnTGyJcNp8BhkL9cUU= +github.com/bytecodealliance/wasmtime-go v1.0.0/go.mod h1:jjlqQbWUfVSbehpErw3UoWFndBXRRMvfikYH6KsCwOg= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= +github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgraph-io/badger/v3 v3.2103.2 
h1:dpyM5eCJAtQCBcMCZcT4UBZchuTJgCywerHHgmxfxM8= +github.com/dgraph-io/badger/v3 v3.2103.2/go.mod h1:RHo4/GmYcKKh5Lxu63wLEMHJ70Pac2JqZRYGhlyAo2M= +github.com/dgraph-io/ristretto v0.1.0 h1:Jv3CGQHp9OjuMBSne1485aDpUkTKEcUqF+jm/LuerPI= +github.com/dgraph-io/ristretto v0.1.0/go.mod h1:fux0lOrBhrVCJd3lcTHsIJhq1T2rokOu6v9Vcb3Q9ug= +github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= +github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E= +github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= +github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= +github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897 h1:E52jfcE64UG42SwLmrW0QByONfGynWuzBvm86BoB9z8= +github.com/foxcpp/go-mockdns v0.0.0-20210729171921-fb145fc6f897/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= +github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= +github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= +github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= 
+github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= +github.com/go-git/go-billy/v5 v5.4.0 h1:Vaw7LaSTRJOUric7pe4vnzBSgyuf2KrLsu2Y4ZpQBDE= +github.com/go-git/go-billy/v5 v5.4.0/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= +github.com/go-git/go-git-fixtures/v4 v4.3.1 h1:y5z6dd3qi8Hl+stezc8p3JxDkoTRqMAlKnXHuzrfjTQ= +github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo= +github.com/go-git/go-git/v5 v5.5.2 h1:v8lgZa5k9ylUw+OR/roJHTxR4QItsNFI5nKtAXFuynw= +github.com/go-git/go-git/v5 v5.5.2/go.mod h1:BE5hUJ5yaV2YMxhmaP4l6RBQ08kMxKSPD4BlxtH7OjI= +github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v1.0.0 h1:nfP3RFugxnNRyKgeWd4oI1nYvXpxrx8ck8ZrcizshdQ= +github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers 
v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= +github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/hcl/v2 v2.17.0 h1:z1XvSUyXd1HP10U4lrLg5e0JMVz6CPaJvAgxM0KNZVY= +github.com/hashicorp/hcl/v2 v2.17.0/go.mod h1:gJyW2PTShkJqQBKpAmPO3yxMxIuoXkOF2TpqXzrQyx4= +github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk= +github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/klauspost/compress v1.16.0 h1:iULayQNOReoYUe+1qtKOqw9CwJv3aNQu8ivo7lw1HU4= +github.com/klauspost/compress v1.16.0/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod 
h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348 h1:MtvEpTB6LX3vkb4ax0b5D2DHbNAUsen0Gx5wZoq3lV4= +github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k= +github.com/liamg/iamgo v0.0.9 h1:tADGm3xVotyRJmuKKaH4+zsBn7LOcvgdpuF3WsSKW3c= +github.com/liamg/iamgo v0.0.9/go.mod h1:Kk6ZxBF/GQqG9nnaUjIi6jf+WXNpeOTyhwc6gnguaZQ= +github.com/liamg/jfather v0.0.7 h1:Xf78zS263yfT+xr2VSo6+kyAy4ROlCacRqJG7s5jt4k= +github.com/liamg/jfather v0.0.7/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM= +github.com/liamg/memoryfs v1.4.3 h1:+ChjcuPRYpjJSulD13PXDNR3JeJ5HUYKjLHyWVK0bqU= +github.com/liamg/memoryfs v1.4.3/go.mod h1:z7mfqXFQS8eSeBBsFjYLlxYRMRyiPktytvYCYTb3BSk= +github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= +github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/open-policy-agent/opa v0.44.1-0.20220927105354-00e835a7cc15 h1:B+LGzLaQBMXiNFO89jTFmr8PnZE383kVqNOJsV9WFII= +github.com/open-policy-agent/opa 
v0.44.1-0.20220927105354-00e835a7cc15/go.mod h1:/OnsYljNEWJ6DXeFOOnoGn8CvwZGMUS4iRqzYdJvmBI= +github.com/owenrumney/squealer v1.1.1 h1:e+fg29IxdNARSc4s7CbYnqVSepm9eOqErLNNNR5XbAs= +github.com/owenrumney/squealer v1.1.1/go.mod h1:Q5ekVoyFSG2FlnCVIBGsyk/FSMA/ATv8PtwKIVX7t/o= +github.com/pjbgf/sha1cd v0.2.3 h1:uKQP/7QOzNtKYH7UTohZLcjF5/55EnTw0jO/Ru4jZwI= +github.com/pjbgf/sha1cd v0.2.3/go.mod h1:HOK9QrgzdHpbc2Kzip0Q1yi3M2MFGPADtR6HjG65m5M= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.15.0 h1:5fCgGYogn0hFdhyhLbw7hEsWxufKtY9klyvdNfFlFhM= +github.com/prometheus/client_golang v1.15.0/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= +github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4= +github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w= +github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM= +github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= +github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI= +github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 h1:MkV+77GLUNo5oJ0jf870itWm3D0Sjh7+Za9gazKc5LQ= +github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sirupsen/logrus v1.7.0/go.mod 
h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skeema/knownhosts v1.1.0 h1:Wvr9V0MxhjRbl3f9nMnKnFfiWTJmtECJ9Njkea3ysW0= +github.com/skeema/knownhosts v1.1.0/go.mod h1:sKFq3RD6/TKZkSWn8boUbDC7Qkgcv+8XXijpFO6roag= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= +github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/yashtewari/glob-intersection v0.1.0 h1:6gJvMYQlTDOL3dMsPF6J0+26vwX9MB8/1q3uAdhmTrg= +github.com/yashtewari/glob-intersection v0.1.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= 
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0= +github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA= +golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod 
h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M= +golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E= +golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys 
v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA= +golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c= +golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4= +golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.8.0 
h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= +google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/cmd/new-policy-id-generator/main.go b/cmd/new-policy-id-generator/main.go new file mode 100644 index 0000000..c557788 --- /dev/null +++ b/cmd/new-policy-id-generator/main.go 
@@ -0,0 +1,52 @@
+package main
+
+import (
+ "fmt"
+ "os"
+ "sort"
+ "strconv"
+ "strings"
+
+ "github.com/aquasecurity/defsec/pkg/framework"
+
+ _ "github.com/aquasecurity/defsec/pkg/rego"
+ "github.com/aquasecurity/defsec/pkg/rules"
+)
+
+func main() {
+
+ // organise existing rules by provider
+ keyMap := make(map[string][]string)
+ for _, rule := range rules.GetRegistered(framework.ALL) {
+ id := rule.Rule().AVDID
+ if id == "" {
+ continue
+ }
+ parts := strings.Split(id, "-")
+ if len(parts) != 3 {
+ continue
+ }
+ keyMap[parts[1]] = append(keyMap[parts[1]], parts[2])
+ }
+
+ fmt.Print("\nThe following IDs are free - choose the one for the service you are targeting.\n\n")
+
+ var freeIDs []string
+ for key := range keyMap {
+ sort.Strings(keyMap[key])
+ all := keyMap[key]
+ max := all[len(all)-1]
+ i, err := strconv.Atoi(max)
+ if err != nil {
+ _, _ = fmt.Fprintf(os.Stderr, "Error, invalid AVD ID: AVD-%s-%s\n", key, max)
+ }
+ free := fmt.Sprintf("AVD-%s-%04d", key, i+1)
+ freeIDs = append(freeIDs, fmt.Sprintf("%16s: %s", key, free))
+ }
+
+ sort.Slice(freeIDs, func(i, j int) bool {
+ return strings.TrimSpace(freeIDs[i]) < strings.TrimSpace(freeIDs[j])
+ })
+ fmt.Println(strings.Join(freeIDs, "\n"))
+
+}
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/accessanalyzer/AVD-AWS-0175/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/accessanalyzer/AVD-AWS-0175/docs.md
new file mode 100644
index 0000000..d5316ab
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/accessanalyzer/AVD-AWS-0175/docs.md
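Review bot: In the `for key := range keyMap` loop of main.go, a non-numeric suffix is reported on stderr but execution falls through with `i == 0`, so the tool still prints `AVD-<key>-0001` as a free ID even though the provider already has registered IDs; add `continue` after the `fmt.Fprintf` (or exit non-zero) so a malformed ID never produces a bogus suggestion. The local `max` shadows the Go 1.21 builtin of the same name — the module declares `go 1.21.4` — so `last := all[len(all)-1]` avoids the shadowing and reads better. Picking the highest existing ID with `sort.Strings` is only correct if every suffix is zero-padded to the same width, which the `%04d` output format suggests but nothing in this file enforces; a comment stating that assumption, or a numeric comparison, would make it explicit.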
@@ -0,0 +1,21 @@ + + +AWS IAM Access Analyzer helps you identify the resources in your organization and +accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. +This lets you identify unintended access to your resources and data. Access Analyzer +identifies resources that are shared with external principals by using logic-based reasoning +to analyze the resource-based policies in your AWS environment. IAM Access Analyzer +continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service) +keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues. + + +### Impact +Reduced visibility of externally shared resources. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md new file mode 100644 index 0000000..56f55d9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md @@ -0,0 +1,21 @@ + +Enable logging for API Gateway stages + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good Example of ApiGateway +Resources: + GoodApi: + Type: AWS::ApiGatewayV2::Api + GoodApiStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + AccessLogSettings: + DestinationArn: gateway-logging + Format: json + ApiId: !Ref GoodApi + StageName: GoodApiStage + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/Terraform.md new file mode 100644 index 0000000..9c22063 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/Terraform.md 
@@ -0,0 +1,30 @@ + +Enable logging for API Gateway stages + +```hcl + resource "aws_apigatewayv2_stage" "good_example" { + api_id = aws_apigatewayv2_api.example.id + name = "example-stage" + + access_log_settings { + destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging" + format = "json" + } + } + + resource "aws_api_gateway_stage" "good_example" { + deployment_id = aws_api_gateway_deployment.example.id + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = "example" + + access_log_settings { + destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging" + format = "json" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/docs.md new file mode 100644 index 0000000..77db11c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0001/docs.md @@ -0,0 +1,13 @@ + +API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages. + +### Impact +Logging provides vital information about access and usage + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/Terraform.md new file mode 100644 index 0000000..6d0a04e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/Terraform.md 
@@ -0,0 +1,30 @@ + +Enable cache encryption + +```hcl + resource "aws_api_gateway_rest_api" "example" { + + } + + resource "aws_api_gateway_stage" "example" { + + } + + resource "aws_api_gateway_method_settings" "good_example" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + caching_enabled = true + cache_data_encrypted = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/docs.md new file mode 100644 index 0000000..0aa2613 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0002/docs.md @@ -0,0 +1,10 @@ + +Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception + +### Impact +Data stored in the cache that is unencrypted may be vulnerable to compromise + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/Terraform.md new file mode 100644 index 0000000..0feb273 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/Terraform.md 
@@ -0,0 +1,20 @@ + +Enable tracing + +```hcl + resource "aws_api_gateway_rest_api" "test" { + + } + + resource "aws_api_gateway_stage" "good_example" { + stage_name = "prod" + rest_api_id = aws_api_gateway_rest_api.test.id + deployment_id = aws_api_gateway_deployment.test.id + xray_tracing_enabled = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/docs.md new file mode 100644 index 0000000..6054dbd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0003/docs.md @@ -0,0 +1,10 @@ + +X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests. + +### Impact +Without full tracing enabled it is difficult to trace the flow of logs + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/Terraform.md new file mode 100644 index 0000000..102ec3c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/Terraform.md 
@@ -0,0 +1,59 @@ + +Use and authorization method or require API Key + +```hcl + resource "aws_api_gateway_rest_api" "MyDemoAPI" { + + } + + resource "aws_api_gateway_resource" "MyDemoResource" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + } + + resource "aws_api_gateway_method" "good_example" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "GET" + authorization = "AWS_IAM" + } + +``` +```hcl + resource "aws_api_gateway_rest_api" "MyDemoAPI" { + + } + + resource "aws_api_gateway_resource" "MyDemoResource" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + } + + resource "aws_api_gateway_method" "good_example" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "GET" + authorization = "NONE" + api_key_required = true + } + +``` +```hcl + resource "aws_api_gateway_rest_api" "MyDemoAPI" { + + } + + resource "aws_api_gateway_resource" "MyDemoResource" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + } + + resource "aws_api_gateway_method" "good_example" { + rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id + resource_id = aws_api_gateway_resource.MyDemoResource.id + http_method = "OPTION" + authorization = "NONE" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method#authorization + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/docs.md new file mode 100644 index 0000000..fd42760 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0004/docs.md 
@@ -0,0 +1,10 @@ + +API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization + +### Impact +API gateway methods can be accessed without authorization. + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/Terraform.md new file mode 100644 index 0000000..e7cd3ef --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/Terraform.md @@ -0,0 +1,13 @@ + +Use the most modern TLS/SSL policies available + +```hcl + resource "aws_api_gateway_domain_name" "good_example" { + security_policy = "TLS_1_2" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/docs.md new file mode 100644 index 0000000..6a83ec5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0005/docs.md @@ -0,0 +1,13 @@ + +You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. + +### Impact +Outdated SSL policies increase exposure to known vulnerabilities + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0190/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0190/Terraform.md new file mode 100644 index 0000000..f8cca0c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0190/Terraform.md 
@@ -0,0 +1,29 @@ + +Enable cache + +```hcl + resource "aws_api_gateway_rest_api" "example" { + + } + + resource "aws_api_gateway_stage" "example" { + + } + + resource "aws_api_gateway_method_settings" "good_example" { + rest_api_id = aws_api_gateway_rest_api.example.id + stage_name = aws_api_gateway_stage.example.stage_name + method_path = "path1/GET" + + settings { + metrics_enabled = true + logging_level = "INFO" + caching_enabled = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_enabled + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0190/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0190/docs.md new file mode 100644 index 0000000..77e73ce --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/apigateway/AVD-AWS-0190/docs.md @@ -0,0 +1,13 @@ + +A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API. + +### Impact +Reduce the number of calls made to your API endpoint and also improve the latency of requests to your API with response caching. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md new file mode 100644 index 0000000..8fbe3d3 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md 
@@ -0,0 +1,17 @@ + +Enable encryption at rest for Athena databases and workgroup configurations + +```yaml--- +Resources: + GoodExample: + Properties: + Name: goodExample + WorkGroupConfiguration: + ResultConfiguration: + EncryptionConfiguration: + EncryptionOption: SSE_KMS + Type: AWS::Athena::WorkGroup + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/Terraform.md new file mode 100644 index 0000000..b59ec1c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/Terraform.md @@ -0,0 +1,39 @@ + +Enable encryption at rest for Athena databases and workgroup configurations + +```hcl + resource "aws_athena_database" "good_example" { + name = "database_name" + bucket = aws_s3_bucket.hoge.bucket + + encryption_configuration { + encryption_option = "SSE_KMS" + kms_key_arn = aws_kms_key.example.arn + } + } + + resource "aws_athena_workgroup" "good_example" { + name = "example" + + configuration { + enforce_workgroup_configuration = true + publish_cloudwatch_metrics_enabled = true + + result_configuration { + output_location = "s3://${aws_s3_bucket.example.bucket}/output/" + + encryption_configuration { + encryption_option = "SSE_KMS" + kms_key_arn = aws_kms_key.example.arn + } + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/docs.md new file mode 100644 index 0000000..50b0475 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0006/docs.md 
@@ -0,0 +1,13 @@ + +Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection. + +### Impact +Data can be read if the Athena Database is compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/athena/latest/ug/encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md new file mode 100644 index 0000000..be71571 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md @@ -0,0 +1,18 @@ + +Enforce the configuration to prevent client overrides + +```yaml--- +Resources: + GoodExample: + Properties: + Name: goodExample + WorkGroupConfiguration: + EnforceWorkGroupConfiguration: true + ResultConfiguration: + EncryptionConfiguration: + EncryptionOption: SSE_KMS + Type: AWS::Athena::WorkGroup + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/Terraform.md new file mode 100644 index 0000000..4da01fe --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/Terraform.md @@ -0,0 +1,27 @@ + +Enforce the configuration to prevent client overrides + +```hcl + resource "aws_athena_workgroup" "good_example" { + name = "example" + + configuration { + enforce_workgroup_configuration = true + publish_cloudwatch_metrics_enabled = true + + result_configuration { + output_location = "s3://${aws_s3_bucket.example.bucket}/output/" + + encryption_configuration { + encryption_option = "SSE_KMS" + kms_key_arn = aws_kms_key.example.arn + } + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#configuration + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/docs.md new file mode 100644 index 0000000..17753ac --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/athena/AVD-AWS-0007/docs.md @@ -0,0 +1,13 @@ + +Athena workgroup configuration should be enforced to prevent client side changes to disable encryption settings. + +### Impact +Clients can ignore encryption requirements + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/athena/latest/ug/manage-queries-control-costs-with-workgroups.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md new file mode 100644 index 0000000..51f56f9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md @@ -0,0 +1,22 @@ + +Enable logging for CloudFront distributions + +```yaml--- +Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + Type: AWS::CloudFront::Distribution + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/Terraform.md new file mode 100644 index 0000000..ae92e53 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/Terraform.md 
@@ -0,0 +1,18 @@ + +Enable logging for CloudFront distributions + +```hcl + resource "aws_cloudfront_distribution" "good_example" { + // other config + logging_config { + include_cookies = false + bucket = "mylogs.s3.amazonaws.com" + prefix = "myprefix" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#logging_config + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/docs.md new file mode 100644 index 0000000..a9ee896 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0010/docs.md @@ -0,0 +1,13 @@ + +You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives + +### Impact +Logging provides vital information about access and usage + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md new file mode 100644 index 0000000..044d621 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md @@ -0,0 +1,23 @@ + +Enable WAF for the CloudFront distribution + +```yaml--- +Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + WebACLId: waf_id + Type: AWS::CloudFront::Distribution + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/Terraform.md new file mode 100644 index 0000000..d9558fc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/Terraform.md @@ -0,0 +1,36 @@ + +Enable WAF for the CloudFront distribution + +```hcl + resource "aws_cloudfront_distribution" "good_example" { + + origin { + domain_name = aws_s3_bucket.primary.bucket_regional_domain_name + origin_id = "primaryS3" + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path + } + } + + origin { + domain_name = aws_s3_bucket.failover.bucket_regional_domain_name + origin_id = "failoverS3" + + s3_origin_config { + origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path + } + } + + default_cache_behavior { + target_origin_id = "groupS3" + } + + web_acl_id = "waf_id" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#web_acl_id + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/docs.md new file mode 100644 index 0000000..0cc85bd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0011/docs.md @@ -0,0 +1,13 @@ + +You should configure a Web Application Firewall in front of your CloudFront distribution. This will mitigate many types of attacks on your web application. + +### Impact +Complex web application attacks can more easily be performed without a WAF + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md new file mode 100644 index 0000000..6e8bc87 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md @@ -0,0 +1,23 @@ + +Only allow HTTPS for CloudFront distribution communication + +```yaml--- +Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + WebACLId: waf_id + Type: AWS::CloudFront::Distribution + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/Terraform.md new file mode 100644 index 0000000..3387e8e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/Terraform.md @@ -0,0 +1,15 @@ + +Only allow HTTPS for CloudFront distribution communication + +```hcl + resource "aws_cloudfront_distribution" "good_example" { + default_cache_behavior { + viewer_protocol_policy = "redirect-to-https" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#viewer_protocol_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/docs.md new file mode 100644 index 0000000..f6d4222 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0012/docs.md 
@@ -0,0 +1,15 @@ + +Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth. + +You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic. + +### Impact +CloudFront is available through an unencrypted connection + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-s3-origin.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md new file mode 100644 index 0000000..9702ba0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md @@ -0,0 +1,24 @@ + +Use the most modern TLS/SSL policies available + +```yaml--- +Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + ViewerCertificate: + MinimumProtocolVersion: TLSv1.2_2021 + Type: AWS::CloudFront::Distribution + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md new file mode 100644 index 0000000..9815140 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/Terraform.md 
@@ -0,0 +1,16 @@ + +Use the most modern TLS/SSL policies available + +```hcl + resource "aws_cloudfront_distribution" "good_example" { + viewer_certificate { + cloudfront_default_certificate = aws_acm_certificate.example.arn + minimum_protocol_version = "TLSv1.2_2021" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#minimum_protocol_version + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md new file mode 100644 index 0000000..fc83dff --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md @@ -0,0 +1,19 @@ + +You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. + +Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*. +If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. +The only option when using the cloudfront.net domain name is to ignore this rule. + +### Impact +Outdated SSL policies increase exposure to known vulnerabilities + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html + +- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesGeneral + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md new file mode 100644 index 0000000..6f69815 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable Cloudtrail in all regions + +```yaml--- +Resources: + BadExample: + Type: AWS::CloudTrail::Trail + Properties: + IsLogging: true + IsMultiRegionTrail: true + S3BucketName: "CloudtrailBucket" + S3KeyPrefix: "/trailing" + TrailName: "Cloudtrail" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/Terraform.md new file mode 100644 index 0000000..254aa7d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/Terraform.md @@ -0,0 +1,23 @@ + +Enable Cloudtrail in all regions + +```hcl + resource "aws_cloudtrail" "good_example" { + is_multi_region_trail = true + + event_selector { + read_write_type = "All" + include_management_events = true + + data_resource { + type = "AWS::S3::Object" + values = ["${data.aws_s3_bucket.important-bucket.arn}/"] + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/docs.md new file mode 100644 index 0000000..c7964a2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0014/docs.md 
@@ -0,0 +1,13 @@ + +When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operting in. + +### Impact +Activity could be happening in your account in a different region + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md new file mode 100644 index 0000000..b17b69f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md @@ -0,0 +1,18 @@ + +Enable encryption at rest + +```yaml--- +Resources: + BadExample: + Type: AWS::CloudTrail::Trail + Properties: + IsLogging: true + IsMultiRegionTrail: true + KmsKeyId: "alias/CloudtrailKey" + S3BucketName: "CloudtrailBucket" + S3KeyPrefix: "/trailing" + TrailName: "Cloudtrail" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md new file mode 100644 index 0000000..befbea4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md 
@@ -0,0 +1,25 @@ + +Enable encryption at rest + +```hcl + resource "aws_cloudtrail" "good_example" { + is_multi_region_trail = true + enable_log_file_validation = true + kms_key_id = var.kms_id + + event_selector { + read_write_type = "All" + include_management_events = true + + data_resource { + type = "AWS::S3::Object" + values = ["${data.aws_s3_bucket.important-bucket.arn}/"] + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#kms_key_id + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md new file mode 100644 index 0000000..5f8bc94 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0015/docs.md @@ -0,0 +1,13 @@ + +Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the the account through API calls and would be one of the first places to look when reacting to a breach. + +### Impact +Data can be freely read if compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md new file mode 100644 index 0000000..bb9a815 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md @@ -0,0 +1,18 @@ + +Turn on log validation for Cloudtrail + +```yaml--- +Resources: + BadExample: + Type: AWS::CloudTrail::Trail + Properties: + IsLogging: true + IsMultiRegionTrail: true + EnableLogFileValidation: true + S3BucketName: "CloudtrailBucket" + S3KeyPrefix: "/trailing" + TrailName: "Cloudtrail" + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/Terraform.md new file mode 100644 index 0000000..f5e1c89 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/Terraform.md @@ -0,0 +1,24 @@ + +Turn on log validation for Cloudtrail + +```hcl + resource "aws_cloudtrail" "good_example" { + is_multi_region_trail = true + enable_log_file_validation = true + + event_selector { + read_write_type = "All" + include_management_events = true + + data_resource { + type = "AWS::S3::Object" + values = ["${data.aws_s3_bucket.important-bucket.arn}/"] + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#enable_log_file_validation + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/docs.md new file mode 100644 index 0000000..b33a20a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0016/docs.md @@ -0,0 +1,13 @@ + +Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions. + +### Impact +Illicit activity could be removed from the logs + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md new file mode 100644 index 0000000..7648107 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md 
@@ -0,0 +1,20 @@ + +Restrict public access to the S3 bucket + +```yaml--- +Resources: + GoodExampleTrail: + Type: AWS::CloudTrail::Trail + Properties: + IsLogging: true + S3BucketName: "my-bucket" + TrailName: "Cloudtrail" + GoodExampleBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: "my-bucket" + AccessControl: Private + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/Terraform.md new file mode 100644 index 0000000..bc14a87 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/Terraform.md @@ -0,0 +1,29 @@ + +Restrict public access to the S3 bucket + +```hcl + resource "aws_cloudtrail" "good_example" { + is_multi_region_trail = true + s3_bucket_name = "abcdefgh" + + event_selector { + read_write_type = "All" + include_management_events = true + + data_resource { + type = "AWS::S3::Object" + values = ["${data.aws_s3_bucket.important-bucket.arn}/"] + } + } + } + +resource "aws_s3_bucket" "good_example" { + bucket = "abcdefgh" + acl = "private" +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/docs.md new file mode 100644 index 0000000..6285a1b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0161/docs.md 
@@ -0,0 +1,15 @@ + + +CloudTrail logs a record of every API call made in your account. These log files are stored in an S3 bucket. CIS recommends that the S3 bucket policy, or access control list (ACL), applied to the S3 bucket that CloudTrail logs to prevents public access to the CloudTrail logs. Allowing public access to CloudTrail log content might aid an adversary in identifying weaknesses in the affected account's use or configuration. + + +### Impact +CloudTrail logs will be publicly exposed, potentially containing sensitive information + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonS3/latest/userguide/configuring-block-public-access-bucket.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md new file mode 100644 index 0000000..e7e2089 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md @@ -0,0 +1,14 @@ + +Enable logging to CloudWatch + +```yaml--- +Resources: + GoodExampleTrail: + Type: AWS::CloudTrail::Trail + Properties: + TrailName: "Cloudtrail" + CloudWatchLogsLogGroupArn: "arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/Terraform.md new file mode 100644 index 0000000..493ed0d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/Terraform.md 
@@ -0,0 +1,29 @@
+
+Enable logging to CloudWatch
+
+```hcl
+ resource "aws_cloudtrail" "good_example" {
+ is_multi_region_trail = true
+ cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.example.arn}:*"
+
+
+ event_selector {
+ read_write_type = "All"
+ include_management_events = true
+
+ data_resource {
+ type = "AWS::S3::Object"
+ values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
+ }
+ }
+ }
+
+resource "aws_cloudwatch_log_group" "example" {
+ name = "Example"
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/docs.md
new file mode 100644
index 0000000..f525622
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0162/docs.md
@@ -0,0 +1,19 @@
+
+
+CloudTrail is a web service that records AWS API calls made in a given account. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service.
+
+CloudTrail uses Amazon S3 for log file storage and delivery, so log files are stored durably. In addition to capturing CloudTrail logs in a specified Amazon S3 bucket for long-term analysis, you can perform real-time analysis by configuring CloudTrail to send logs to CloudWatch Logs.
+
+For a trail that is enabled in all Regions in an account, CloudTrail sends log files from all those Regions to a CloudWatch Logs log group.
+
+
+### Impact
+Realtime log analysis is not available without enabling CloudWatch logging
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/send-cloudtrail-events-to-cloudwatch-logs.html#send-cloudtrail-events-to-cloudwatch-logs-console
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md
new file mode 100644
index 0000000..4fcfa13
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md
@@ -0,0 +1,22 @@
+
+Enable access logging on the bucket
+
+```yaml---
+Resources:
+ GoodExampleTrail:
+ Type: AWS::CloudTrail::Trail
+ Properties:
+ IsLogging: true
+ S3BucketName: "my-bucket"
+ TrailName: "Cloudtrail"
+ GoodExampleBucket:
+ Type: AWS::S3::Bucket
+ Properties:
+ BucketName: "my-bucket"
+ LoggingConfiguration:
+ DestinationBucketName: logging-bucket
+ LogFilePrefix: accesslogs/
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/Terraform.md
new file mode 100644
index 0000000..3fff0e5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/Terraform.md
@@ -0,0 +1,31 @@
+
+Enable access logging on the bucket
+
+```hcl
+ resource "aws_cloudtrail" "good_example" {
+ is_multi_region_trail = true
+ s3_bucket_name = "abcdefgh"
+
+ event_selector {
+ read_write_type = "All"
+ include_management_events = true
+
+ data_resource {
+ type = "AWS::S3::Object"
+ values = ["${data.aws_s3_bucket.important-bucket.arn}/"]
+ }
+ }
+ }
+
+resource "aws_s3_bucket" "good_example" {
+ bucket = "abcdefgh"
+ logging {
+ target_bucket = "target-bucket"
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail#is_multi_region_trail
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/docs.md
new file mode 100644
index 0000000..78adcba
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudtrail/AVD-AWS-0163/docs.md
@@ -0,0 +1,18 @@
+
+Amazon S3 bucket access logging generates a log that contains access records for each request made to your S3 bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed.
+
+CIS recommends that you enable bucket access logging on the CloudTrail S3 bucket.
+
+By enabling S3 bucket logging on target S3 buckets, you can capture all events that might affect objects in a target bucket. Configuring logs to be placed in a separate bucket enables access to log information, which can be useful in security and incident response workflows.
+
+
+### Impact
+There is no way to determine the access to this bucket
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md
new file mode 100644
index 0000000..51028be
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md
@@ -0,0 +1,15 @@
+
+Enable CMK encryption of CloudWatch Log Groups
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Logs::LogGroup
+ Properties:
+ KmsKeyId: "arn:aws:kms:us-west-2:111122223333:key/lambdalogging"
+ LogGroupName: "aws/lambda/goodExample"
+ RetentionInDays: 30
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/Terraform.md
new file mode 100644
index 0000000..1909e47
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/Terraform.md
@@ -0,0 +1,15 @@
+
+Enable CMK encryption of CloudWatch Log Groups
+
+```hcl
+ resource "aws_cloudwatch_log_group" "good_example" {
+ name = "good_example"
+
+ kms_key_id = aws_kms_key.log_key.arn
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group#kms_key_id
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/docs.md
new file mode 100644
index 0000000..6608c42
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0017/docs.md
@@ -0,0 +1,13 @@
+
+CloudWatch log groups are encrypted by default, however, to get the full benefit of controlling key rotation and other KMS aspects a KMS CMK should be used.
+
+### Impact
+Log data may be leaked if the logs are compromised. No auditing of who have viewed the logs.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0147/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0147/docs.md
new file mode 100644
index 0000000..7548c99
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0147/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms. You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.
+
+CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
+
+### Impact
+Unauthorized API Calls may be attempted without being notified. CloudTrail logs these actions but without the alarm you aren't actively notified.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0148/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0148/docs.md
new file mode 100644
index 0000000..4cf5214
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0148/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+ CIS recommends that you create a metric filter and alarm console logins that aren't protected by MFA. Monitoring for single-factor console logins increases visibility into accounts that aren't protected by MFA.
+
+### Impact
+Not alerting on logins with no MFA allows the risk to go un-notified.
+
+
+{{ remediationActions }}
+
+### Links
+- https://aws.amazon.com/iam/features/mfa/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0149/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0149/docs.md
new file mode 100644
index 0000000..ff5cd98
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0149/docs.md
@@ -0,0 +1,15 @@
+
+ You can do real-time monitoring of API calls directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+CIS recommends that you create a metric filter and alarm for root user login attempts. Monitoring for root user logins provides visibility into the use of a fully privileged account and an opportunity to reduce the use of it.
+
+### Impact
+The root user has significant permissions and should not be used for day to day tasks.
+
+
+{{ remediationActions }}
+
+### Links
+- https://aws.amazon.com/iam/features/mfa/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0150/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0150/docs.md
new file mode 100644
index 0000000..d23d750
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0150/docs.md
@@ -0,0 +1,15 @@
+
+ You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+CIS recommends that you create a metric filter and alarm for changes made to IAM policies. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
+
+### Impact
+IAM Policy changes could lead to excessive permissions and may have been performed maliciously.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0151/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0151/docs.md
new file mode 100644
index 0000000..9e09ee7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0151/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+CIS recommends that you create a metric filter and alarm for changes to CloudTrail configuration settings. Monitoring these changes helps ensure sustained visibility to activities in the account.
+
+### Impact
+CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0152/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0152/docs.md
new file mode 100644
index 0000000..6def5fa
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0152/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+CIS recommends that you create a metric filter and alarm for failed console authentication attempts. Monitoring failed console logins might decrease lead time to detect an attempt to brute-force a credential, which might provide an indicator, such as source IP, that you can use in other event correlations.
+
+### Impact
+Failed attempts to log into the Management console may indicate an attempt to maliciously access an account. Failure to alert reduces visibility of this activity.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0153/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0153/docs.md
new file mode 100644
index 0000000..99b9286
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0153/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+ CIS recommends that you create a metric filter and alarm for customer managed keys that have changed state to disabled or scheduled deletion. Data encrypted with disabled or deleted keys is no longer accessible.
+
+### Impact
+CloudTrail tracks all changes through the API, attempts to change the configuration may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0154/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0154/docs.md
new file mode 100644
index 0000000..99c3801
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0154/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+CIS recommends that you create a metric filter and alarm for changes to S3 bucket policies. Monitoring these changes might reduce time to detect and correct permissive policies on sensitive S3 buckets.
+
+### Impact
+Misconfigured policies on S3 buckets could lead to data leakage, without alerting visibility of this is reduced.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0155/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0155/docs.md
new file mode 100644
index 0000000..6d66e63
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0155/docs.md
@@ -0,0 +1,15 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+
+CIS recommends that you create a metric filter and alarm for changes to AWS Config configuration settings. Monitoring these changes helps ensure sustained visibility of configuration items in the account.
+
+### Impact
+Changes to the configuration of AWS Config may indicate malicious activity. Without alerting on changes, visibility of this activity is reduced.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0156/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0156/docs.md
new file mode 100644
index 0000000..920219f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0156/docs.md
@@ -0,0 +1,16 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+Security groups are a stateful packet filter that controls ingress and egress traffic in a VPC.
+
+CIS recommends that you create a metric filter and alarm for changes to security groups. Monitoring these changes helps ensure that resources and services aren't unintentionally exposed.
+
+### Impact
+Security groups control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0157/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0157/docs.md
new file mode 100644
index 0000000..dc46db6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0157/docs.md
@@ -0,0 +1,16 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.
+
+CIS recommends that you create a metric filter and alarm for changes to NACLs. Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed.
+
+### Impact
+Network ACLs control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0158/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0158/docs.md
new file mode 100644
index 0000000..1d7efd6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0158/docs.md
@@ -0,0 +1,16 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+Network gateways are required to send and receive traffic to a destination outside a VPC.
+
+CIS recommends that you create a metric filter and alarm for changes to network gateways. Monitoring these changes helps ensure that all ingress and egress traffic traverses the VPC border via a controlled path.
+
+### Impact
+Network gateways control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0159/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0159/docs.md
new file mode 100644
index 0000000..0f0b72a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0159/docs.md
@@ -0,0 +1,16 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+Routing tables route network traffic between subnets and to network gateways.
+
+CIS recommends that you create a metric filter and alarm for changes to route tables. Monitoring these changes helps ensure that all VPC traffic flows through an expected path.
+
+### Impact
+Route tables control the flow of network traffic, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0160/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0160/docs.md
new file mode 100644
index 0000000..cfa5a41
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0160/docs.md
@@ -0,0 +1,16 @@
+
+You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
+You can have more than one VPC in an account, and you can create a peer connection between two VPCs, enabling network traffic to route between VPCs.
+
+CIS recommends that you create a metric filter and alarm for changes to VPCs. Monitoring these changes helps ensure that authentication and authorization controls remain intact.
+
+### Impact
+Route tables control the flow of network traffic, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0174/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0174/docs.md
new file mode 100644
index 0000000..7a298f5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/cloudwatch/AVD-AWS-0174/docs.md
@@ -0,0 +1,19 @@
+
+
+Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or
+intentional modifications that may lead to unauthorized access or other security breaches.
+This monitoring technique helps you to ensure that any unexpected changes performed
+within your AWS Organizations can be investigated and any unwanted changes can be
+rolled back.
+
+
+### Impact
+Lack of observability into critical organisation changes
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/organizations/latest/userguide/orgs_security_incident-response.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md
new file mode 100644
index 0000000..6217701
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md
@@ -0,0 +1,32 @@
+
+Enable encryption for CodeBuild project artifacts
+
+```yaml---
+Resources:
+ GoodProject:
+ Type: AWS::CodeBuild::Project
+ Properties:
+ Artifacts:
+ ArtifactIdentifier: "String"
+ EncryptionDisabled: false
+ Location: "String"
+ Name: "String"
+ NamespaceType: "String"
+ OverrideArtifactName: false
+ Packaging: "String"
+ Path: "String"
+ Type: "String"
+ SecondaryArtifacts:
+ - ArtifactIdentifier: "String"
+ EncryptionDisabled: false
+ Location: "String"
+ Name: "String"
+ NamespaceType: "String"
+ OverrideArtifactName: false
+ Packaging: "String"
+ Path: "String"
+ Type: "String"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/Terraform.md
new file mode 100644
index 0000000..71dc0d7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/Terraform.md
@@ -0,0 +1,41 @@
+
+Enable encryption for CodeBuild project artifacts
+
+```hcl
+ resource "aws_codebuild_project" "good_example" {
+ // other config
+
+ artifacts {
+ // other artifacts config
+
+ encryption_disabled = false
+ }
+ }
+
+ resource "aws_codebuild_project" "good_example" {
+ // other config
+
+ artifacts {
+ // other artifacts config
+ }
+ }
+
+ resource "aws_codebuild_project" "codebuild" {
+ // other config
+
+ secondary_artifacts {
+ // other artifacts config
+
+ encryption_disabled = false
+ }
+
+ secondary_artifacts {
+ // other artifacts config
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/codebuild_project#encryption_disabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/docs.md
new file mode 100644
index 0000000..6129552
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/codebuild/AVD-AWS-0018/docs.md
@@ -0,0 +1,15 @@
+
+All artifacts produced by your CodeBuild project pipeline should always be encrypted
+
+### Impact
+CodeBuild project artifacts are unencrypted
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-artifacts.html
+
+- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-codebuild-project.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md
new file mode 100644
index 0000000..542908c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md
@@ -0,0 +1,25 @@
+
+Set the aggregator to cover all regions
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Config::ConfigurationAggregator
+ Properties:
+ AccountAggregationSources:
+ - AllAwsRegions: true
+ ConfigurationAggregatorName: "GoodAccountLevelAggregation"
+
+```
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Config::ConfigurationAggregator
+ Properties:
+ OrganizationAggregationSource:
+ AllAwsRegions: true
+ ConfigurationAggregatorName: "GoodAccountLevelAggregation"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/Terraform.md
new file mode 100644
index 0000000..a7539df
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/Terraform.md
@@ -0,0 +1,18 @@
+
+Set the aggregator to cover all regions
+
+```hcl
+ resource "aws_config_configuration_aggregator" "good_example" {
+ name = "example"
+
+ account_aggregation_source {
+ account_ids = ["123456789012"]
+ all_regions = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_aggregator#all_regions
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/docs.md
new file mode 100644
index 0000000..4a4ce16
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/config/AVD-AWS-0019/docs.md
@@ -0,0 +1,15 @@
+
+The configuration aggregator should be configured with all_regions for the source.
+
+This will help limit the risk of any unmonitored configuration in regions that are thought to be unused.
+
+### Impact
+Sources that aren't covered by the aggregator are not include in the configuration
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md
new file mode 100644
index 0000000..5881978
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md
@@ -0,0 +1,28 @@
+
+Enable export logs
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: "AWS::DocDB::DBCluster"
+ Properties:
+ BackupRetentionPeriod : 8
+ DBClusterIdentifier : "sample-cluster"
+ DBClusterParameterGroupName : "default.docdb3.6"
+ KmsKeyId : "your-kms-key-id"
+ EnableCloudwatchLogsExports:
+ - audit
+ - profiler
+ InstanceInstanceExample:
+ Type: "AWS::DocDB::DBInstance"
+ Properties:
+ AutoMinorVersionUpgrade: true
+ AvailabilityZone: "us-east-1c"
+ DBClusterIdentifier: "sample-cluster"
+ DBInstanceClass: "db.r5.large"
+ DBInstanceIdentifier: "sample-cluster-instance-0"
+ PreferredMaintenanceWindow: "sat:06:54-sat:07:24"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/Terraform.md
new file mode 100644
index 0000000..d93f170
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/Terraform.md
@@ -0,0 +1,20 @@
+
+Enable export logs
+
+```hcl
+ resource "aws_docdb_cluster" "good_example" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+ enabled_cloudwatch_logs_exports = "audit"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/docs.md
new file mode 100644
index 0000000..f6f1053
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0020/docs.md
@@ -0,0 +1,13 @@
+
+Document DB does not have auditing by default. To ensure that you are able to accurately audit the usage of your DocumentDB cluster you should enable export logs.
+
+### Impact
+Limited visibility of audit trail for changes to the DocumentDB
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/documentdb/latest/developerguide/event-auditing.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md
new file mode 100644
index 0000000..921fd35
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md
@@ -0,0 +1,29 @@
+
+Enable storage encryption
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: "AWS::DocDB::DBCluster"
+ Properties:
+ BackupRetentionPeriod : 8
+ DBClusterIdentifier : "sample-cluster"
+ DBClusterParameterGroupName : "default.docdb3.6"
+ KmsKeyId : "your-kms-key-id"
+ StorageEncrypted: true
+ EnableCloudwatchLogsExports:
+ - audit
+ - profiler
+ InstanceInstanceExample:
+ Type: "AWS::DocDB::DBInstance"
+ Properties:
+ AutoMinorVersionUpgrade: true
+ AvailabilityZone: "us-east-1c"
+ DBClusterIdentifier: "sample-cluster"
+ DBInstanceClass: "db.r5.large"
+ DBInstanceIdentifier: "sample-cluster-instance-0"
+ PreferredMaintenanceWindow: "sat:06:54-sat:07:24"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/Terraform.md
new file mode 100644
index 0000000..71cd4c0
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/Terraform.md
@@ -0,0 +1,20 @@
+
+Enable storage encryption
+
+```hcl
+ resource "aws_docdb_cluster" "good_example" {
+ cluster_identifier = "my-docdb-cluster"
+ engine = "docdb"
+ master_username = "foo"
+ master_password = "mustbeeightchars"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ skip_final_snapshot = true
+ storage_encrypted = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#storage_encrypted
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/docs.md
new file mode 100644
index 0000000..28798f3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0021/docs.md
@@ -0,0 +1,13 @@
+
+Encryption of the underlying storage used by DocumentDB ensures that if their is compromise of the disks, the data is still protected.
+
+### Impact
+Unencrypted sensitive data is vulnerable to compromise.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md
new file mode 100644
index 0000000..695177a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md
@@ -0,0 +1,28 @@
+
+Enable encryption using customer managed keys
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: "AWS::DocDB::DBCluster"
+ Properties:
+ BackupRetentionPeriod : 8
+ DBClusterIdentifier : "sample-cluster"
+ DBClusterParameterGroupName : "default.docdb3.6"
+ KmsKeyId : "your-kms-key-id"
+ EnableCloudwatchLogsExports:
+ - audit
+ - profiler
+ InstanceInstanceExample:
+ Type: "AWS::DocDB::DBInstance"
+ Properties:
+ AutoMinorVersionUpgrade: true
+ AvailabilityZone: "us-east-1c"
+ DBClusterIdentifier: "sample-cluster"
+ DBInstanceClass: "db.r5.large"
+ DBInstanceIdentifier: "sample-cluster-instance-0"
+ PreferredMaintenanceWindow: "sat:06:54-sat:07:24"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/Terraform.md
new file mode 100644
index 0000000..3014572
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/Terraform.md
@@ -0,0 +1,24 @@ + +Enable encryption using customer managed keys + +```hcl + resource "aws_kms_key" "docdb_encryption" { + enable_key_rotation = true + } + + resource "aws_docdb_cluster" "docdb" { + cluster_identifier = "my-docdb-cluster" + engine = "docdb" + master_username = "foo" + master_password = "mustbeeightchars" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + kms_key_id = aws_kms_key.docdb_encryption.arn + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#kms_key_id + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/docs.md new file mode 100644 index 0000000..c013e4d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/documentdb/AVD-AWS-0022/docs.md @@ -0,0 +1,13 @@ + +Encryption using AWS keys provides protection for your DocumentDB underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys. + +### Impact +Using AWS managed keys does not allow for fine grained control + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.ssl.public-key.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md new file mode 100644 index 0000000..558e673 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md 
@@ -0,0 +1,19 @@ + +Enable encryption at rest for DAX Cluster + +```yaml--- +Resources: + daxCluster: + Type: AWS::DAX::Cluster + Properties: + ClusterName: "MyDAXCluster" + NodeType: "dax.r3.large" + ReplicationFactor: 1 + IAMRoleARN: "arn:aws:iam::111122223333:role/DaxAccess" + Description: "DAX cluster created with CloudFormation" + SSESpecification: + SSEEnabled: true + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/Terraform.md new file mode 100644 index 0000000..23355ed --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/Terraform.md @@ -0,0 +1,17 @@ + +Enable encryption at rest for DAX Cluster + +```hcl + resource "aws_dax_cluster" "good_example" { + // other DAX config + + server_side_encryption { + enabled = true // enabled server side encryption + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dax_cluster#server_side_encryption + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/docs.md new file mode 100644 index 0000000..72d8cbf --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0023/docs.md @@ -0,0 +1,15 @@ + +Amazon DynamoDB Accelerator (DAX) encryption at rest provides an additional layer of data protection by helping secure your data from unauthorized access to the underlying storage. + +### Impact +Data can be freely read if compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAXEncryptionAtRest.html + +- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dax-cluster.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0024/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0024/Terraform.md new file mode 100644 index 0000000..9a5811f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0024/Terraform.md @@ -0,0 +1,26 @@ + +Enable point in time recovery + +```hcl + resource "aws_dynamodb_table" "good_example" { + name = "example" + hash_key = "TestTableHashKey" + billing_mode = "PAY_PER_REQUEST" + stream_enabled = true + stream_view_type = "NEW_AND_OLD_IMAGES" + + attribute { + name = "TestTableHashKey" + type = "S" + } + + point_in_time_recovery { + enabled = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#point_in_time_recovery + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0024/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0024/docs.md new file mode 100644 index 0000000..0623a53 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0024/docs.md @@ -0,0 +1,15 @@ + +DynamoDB tables should be protected against accidentally or malicious write/delete actions by ensuring that there is adequate protection. + +By enabling point-in-time-recovery you can restore to a known point in the event of loss of data. + +### Impact +Accidental or malicious writes and deletes can't be rolled back + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/PointInTimeRecovery.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0025/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0025/Terraform.md new file mode 100644 index 0000000..843a790 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0025/Terraform.md 
@@ -0,0 +1,39 @@ + +Enable server side encryption with a customer managed key + +```hcl + resource "aws_kms_key" "dynamo_db_kms" { + enable_key_rotation = true + } + + resource "aws_dynamodb_table" "good_example" { + name = "example" + hash_key = "TestTableHashKey" + billing_mode = "PAY_PER_REQUEST" + stream_enabled = true + stream_view_type = "NEW_AND_OLD_IMAGES" + + attribute { + name = "TestTableHashKey" + type = "S" + } + + replica { + region_name = "us-east-2" + } + + replica { + region_name = "us-west-2" + } + + server_side_encryption { + enabled = true + kms_key_arn = aws_kms_key.dynamo_db_kms.key_id + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/dynamodb_table#server_side_encryption + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0025/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0025/docs.md new file mode 100644 index 0000000..d9bde7a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/dynamodb/AVD-AWS-0025/docs.md @@ -0,0 +1,13 @@ + +DynamoDB tables are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key. + +### Impact +Using AWS managed keys does not allow for fine grained control + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md new file mode 100644 index 0000000..8439a5f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md 
@@ -0,0 +1,18 @@ + +Turn on encryption for all block devices + +```yaml--- +Resources: + GoodExample: + Properties: + BlockDeviceMappings: + - DeviceName: root + Ebs: + Encrypted: true + ImageId: ami-123456 + InstanceType: t2.small + Type: AWS::AutoScaling::LaunchConfiguration + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/Terraform.md new file mode 100644 index 0000000..89f8ee1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/Terraform.md @@ -0,0 +1,15 @@ + +Turn on encryption for all block devices + +```hcl + resource "aws_launch_configuration" "good_example" { + root_block_device { + encrypted = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/docs.md new file mode 100644 index 0000000..3d9ac8d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0008/docs.md @@ -0,0 +1,13 @@ + +Block devices should be encrypted to ensure sensitive data is held securely at rest. + +### Impact +The block device could be compromised and read from + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md new file mode 100644 index 0000000..0292fee --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md 
@@ -0,0 +1,14 @@ + +Set the instance to not be publicly accessible + +```yaml--- +Resources: + GoodExample: + Properties: + ImageId: ami-123456 + InstanceType: t2.small + Type: AWS::AutoScaling::LaunchConfiguration + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/Terraform.md new file mode 100644 index 0000000..14eb280 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/Terraform.md @@ -0,0 +1,15 @@ + +Set the instance to not be publicly accessible + +```hcl + resource "aws_launch_configuration" "good_example" { + associate_public_ip_address = false + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#associate_public_ip_address + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#associate_public_ip_address + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/docs.md new file mode 100644 index 0000000..5500d14 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0009/docs.md @@ -0,0 +1,13 @@ + +You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. + +### Impact +The instance or configuration is publicly accessible + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md new file mode 100644 index 0000000..f0378b7 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md @@ -0,0 +1,16 @@ + +Enable encryption of EBS volumes + +```yaml--- +Resources: + GoodExample: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + KmsKeyId: "alias/volumeEncrypt" + DeletionPolicy: Snapshot + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/Terraform.md new file mode 100644 index 0000000..43891b7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/Terraform.md @@ -0,0 +1,19 @@ + +Enable encryption of EBS volumes + +```hcl + resource "aws_ebs_volume" "good_example" { + availability_zone = "us-west-2a" + size = 40 + + tags = { + Name = "HelloWorld" + } + encrypted = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/docs.md new file mode 100644 index 0000000..eb61bd6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0026/docs.md @@ -0,0 +1,13 @@ + +By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted. + +### Impact +Unencrypted sensitive data is vulnerable to compromise. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md new file mode 100644 index 0000000..00ad680 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md 
@@ -0,0 +1,27 @@ + +Enable encryption using customer managed keys + +```yaml--- +Resources: + GoodExample: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + KmsKeyId: "alias/volumeEncrypt" + DeletionPolicy: Snapshot + +``` +```yaml--- +Resources: + GoodExample: + Type: AWS::EC2::Volume + Properties: + Size: 100 + Encrypted: true + KmsKeyId: !ImportValue "MyStack:Key" + DeletionPolicy: Snapshot + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/Terraform.md new file mode 100644 index 0000000..42977ae --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/Terraform.md @@ -0,0 +1,24 @@ + +Enable encryption using customer managed keys + +```hcl + resource "aws_kms_key" "ebs_encryption" { + enable_key_rotation = true + } + + resource "aws_ebs_volume" "example" { + availability_zone = "us-west-2a" + size = 40 + + kms_key_id = aws_kms_key.ebs_encryption.arn + + tags = { + Name = "HelloWorld" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#kms_key_id + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/docs.md new file mode 100644 index 0000000..f2f509b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0027/docs.md @@ -0,0 +1,13 @@ + +Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys. + +### Impact +Using AWS managed keys does not allow for fine grained control + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0028/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0028/Terraform.md new file mode 100644 index 0000000..7b323dc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0028/Terraform.md @@ -0,0 +1,17 @@ + +Enable HTTP token requirement for IMDS + +```hcl + resource "aws_instance" "good_example" { + ami = "ami-005e54dee72cc1d00" + instance_type = "t2.micro" + metadata_options { + http_tokens = "required" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0028/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0028/docs.md new file mode 100644 index 0000000..9ecb426 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0028/docs.md @@ -0,0 +1,17 @@ + + +IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS. +By default aws_instance resource sets IMDS session auth tokens to be optional. +To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required. + + +### Impact +Instance metadata service can be interacted with freely + + +{{ remediationActions }} + +### Links +- https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md new file mode 100644 index 0000000..361b833 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md 
@@ -0,0 +1,24 @@ + +Remove sensitive data from the EC2 instance user-data + +```yaml--- +Resources: + GoodExample: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + UserData: export SSM_PATH=/database/creds + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + - DeviceName: "/dev/sdk" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0029/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0029/Terraform.md new file mode 100644 index 0000000..8136496 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0029/Terraform.md @@ -0,0 +1,24 @@ + +Remove sensitive data from the EC2 instance user-data + +```hcl + resource "aws_iam_instance_profile" "good_example" { + // ... + } + + resource "aws_instance" "good_example" { + ami = "ami-12345667" + instance_type = "t2.small" + + iam_instance_profile = aws_iam_instance_profile.good_profile.arn + + user_data = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md new file mode 100644 index 0000000..c9599eb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md @@ -0,0 +1,18 @@ + +Add descriptions for all security groups + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of group description +Resources: + GoodSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + IpProtocol: "-1" + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/Terraform.md new file mode 100644 index 0000000..fc950bc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/Terraform.md @@ -0,0 +1,24 @@ + +Add descriptions for all security groups + +```hcl + resource "aws_security_group" "good_example" { + name = "http" + description = "Allow inbound HTTP traffic" + + ingress { + description = "HTTP from VPC" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/docs.md new file mode 100644 index 0000000..9f7c227 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0099/docs.md @@ -0,0 +1,15 @@ + +Security groups should include a description for auditing purposes. + +Simplifies auditing, debugging, and managing security groups. + +### Impact +Descriptions provide context for the firewall rule reasons + + +{{ remediationActions }} + +### Links +- https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0101/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0101/Terraform.md new file mode 100644 index 0000000..f760a25 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0101/Terraform.md 
@@ -0,0 +1,11 @@ + +Create a non-default vpc for resources to be created in + +```hcl + # no aws default vpc present + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0101/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0101/docs.md new file mode 100644 index 0000000..ba54aa4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0101/docs.md @@ -0,0 +1,13 @@ + +Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform. + +### Impact +The default VPC does not have critical security features applied + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md new file mode 100644 index 0000000..17a05b6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md @@ -0,0 +1,23 @@ + +Set specific allowed ports + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of excessive ports +Resources: + NetworkACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: "something" + RuleAction: "allow" + Rule: + Type: AWS::EC2::NetworkAclEntry + Properties: + RuleAction: "allow" + NetworkAclId: + Ref: NetworkACL + Protocol: 6 + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/Terraform.md new file mode 100644 index 0000000..e3fa624 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/Terraform.md 
@@ -0,0 +1,18 @@ + +Set specific allowed ports + +```hcl + resource "aws_network_acl_rule" "good_example" { + egress = false + protocol = "tcp" + from_port = 22 + to_port = 22 + rule_action = "allow" + cidr_block = "0.0.0.0/0" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#to_port + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/docs.md new file mode 100644 index 0000000..05ba9ce --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0102/docs.md @@ -0,0 +1,13 @@ + +Ensure access to specific required ports is allowed, and nothing else. + +### Impact +All ports exposed for ingressing/egressing data + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md new file mode 100644 index 0000000..95ca059 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md @@ -0,0 +1,18 @@ + +Set a more restrictive cidr range + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of egress rule +Resources: + BadSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + IpProtocol: "6" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/Terraform.md new file mode 100644 index 0000000..286b989 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/Terraform.md 
@@ -0,0 +1,15 @@ + +Set a more restrictive cidr range + +```hcl + resource "aws_security_group" "good_example" { + egress { + cidr_blocks = ["1.2.3.4/32"] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/docs.md new file mode 100644 index 0000000..a0c6194 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0104/docs.md @@ -0,0 +1,13 @@ + +Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible. + +### Impact +Your port is egressing data to the internet + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md new file mode 100644 index 0000000..456412e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md @@ -0,0 +1,23 @@ + +Set a more restrictive cidr range + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Godd example of excessive ports +Resources: + NetworkACL: + Type: AWS::EC2::NetworkAcl + Properties: + VpcId: "something" + Rule: + Type: AWS::EC2::NetworkAclEntry + Properties: + NetworkAclId: + Ref: NetworkACL + Protocol: 6 + CidrBlock: 10.0.0.0/8 + RuleAction: allow + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/Terraform.md new file mode 100644 index 0000000..62d3cb4 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/Terraform.md @@ -0,0 +1,18 @@ + +Set a more restrictive cidr range + +```hcl + resource "aws_network_acl_rule" "good_example" { + egress = false + protocol = "tcp" + from_port = 22 + to_port = 22 + rule_action = "allow" + cidr_block = "10.0.0.0/16" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule#cidr_block + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/docs.md new file mode 100644 index 0000000..86d50b2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0105/docs.md @@ -0,0 +1,13 @@ + +Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +The ports are exposed for ingressing data to the internet + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md new file mode 100644 index 0000000..d4d6114 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md @@ -0,0 +1,18 @@ + +Set a more restrictive cidr range + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of ingress rule +Resources: + BadSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupIngress: + - CidrIp: 127.0.0.1/32 + IpProtocol: "6" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md new file mode 100644 index 0000000..4f72892 
--- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md @@ -0,0 +1,28 @@ + +Set a more restrictive cidr range + +```hcl + resource "aws_security_group_rule" "good_example" { + type = "ingress" + cidr_blocks = ["10.0.0.0/16"] + } + +``` +```hcl +resource "aws_security_group_rule" "allow_partner_rsync" { + type = "ingress" + security_group_id = aws_security_group.….id + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [ + "1.2.3.4/32", + "4.5.6.7/32", + ] +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#cidr_blocks + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/docs.md new file mode 100644 index 0000000..d1542f4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0107/docs.md @@ -0,0 +1,13 @@ + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +Your port exposed to the internet + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0122/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0122/Terraform.md new file mode 100644 index 0000000..b2a67c8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0122/Terraform.md @@ -0,0 +1,27 @@ + +Don't use sensitive data in user data + +```hcl + resource "aws_launch_configuration" "as_conf" { + name = "web_config" + image_id = data.aws_ami.ubuntu.id + instance_type = "t2.micro" + user_data = < +{{ remediationActions }} + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md new file mode 100644 index 0000000..c358b87 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md @@ -0,0 +1,19 @@ + +Add descriptions for all security groups rules + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of SGR description +Resources: + GoodSecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + Description: "Can connect to loopback" + IpProtocol: "-1" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/Terraform.md new file mode 100644 index 0000000..d6718d6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/Terraform.md @@ -0,0 +1,24 @@ + +Add descriptions for all security groups rules + +```hcl + resource "aws_security_group" "good_example" { + name = "http" + description = "Allow inbound HTTP traffic" + + ingress { + description = "HTTP from VPC" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [aws_vpc.main.cidr_block] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/docs.md new file mode 100644 index 0000000..fbb2785 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0124/docs.md 
@@ -0,0 +1,15 @@ + +Security group rules should include a description for auditing purposes. + +Simplifies auditing, debugging, and managing security groups. + +### Impact +Descriptions provide context for the firewall rule reasons + + +{{ remediationActions }} + +### Links +- https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md new file mode 100644 index 0000000..fa69076 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md @@ -0,0 +1,34 @@ + +Remove sensitive data from the EC2 instance user-data generated by launch templates + +```yaml--- +Resources: + InstanceProfile: + Type: AWS::IAM::InstanceProfile + Properties: + InstanceProfileName: MyIamInstanceProfile + Path: "/" + Roles: + - MyAdminRole + GoodExample: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateName: MyLaunchTemplate + LaunchTemplateData: + IamInstanceProfile: + Arn: !GetAtt + - MyIamInstanceProfile + - Arn + DisableApiTermination: true + ImageId: ami-04d5cc9b88example + UserData: export SSM_PATH=/database/creds + InstanceType: t2.micro + KeyName: MyKeyPair + MetadataOptions: + - HttpTokens: required + SecurityGroupIds: + - sg-083cd3bfb8example + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0129/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0129/Terraform.md new file mode 100644 index 0000000..c9d9865 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0129/Terraform.md 
@@ -0,0 +1,25 @@ + +Remove sensitive data from the EC2 instance user-data generated by launch templates + +```hcl + resource "aws_iam_instance_profile" "good_example" { + // ... + } + + resource "aws_launch_template" "good_example" { + image_id = "ami-12345667" + instance_type = "t2.small" + + iam_instance_profile { + name = aws_iam_instance_profile.good_profile.arn + } + user_data = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-add-user-data.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md new file mode 100644 index 0000000..7cd3654 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md @@ -0,0 +1,15 @@ + +Enable HTTP token requirement for IMDS + +```yaml--- +Resources: + GoodExample: + Type: AWS::AutoScaling::LaunchConfiguration + Properties: + MetadataOptions: + HttpTokens: required + HttpEndpoint: enabled + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/Terraform.md new file mode 100644 index 0000000..714c1c1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/Terraform.md @@ -0,0 +1,17 @@ + +Enable HTTP token requirement for IMDS + +```hcl + resource "aws_launch_template" "good_example" { + image_id = "ami-005e54dee72cc1d00" + instance_type = "t2.micro" + metadata_options { + http_tokens = "required" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#metadata-options + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/docs.md new file mode 100644 index 0000000..9ecb426 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0130/docs.md @@ -0,0 +1,17 @@ + + +IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS. +By default aws_instance resource sets IMDS session auth tokens to be optional. +To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required. + + +### Impact +Instance metadata service can be interacted with freely + + +{{ remediationActions }} + +### Links +- https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md new file mode 100644 index 0000000..8db6bf7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md @@ -0,0 +1,24 @@ + +Turn on encryption for all block devices + +```yaml--- +Resources: + GoodExample: + Type: AWS::EC2::Instance + Properties: + ImageId: "ami-79fd7eee" + KeyName: "testkey" + UserData: export SSM_PATH=/database/creds + BlockDeviceMappings: + - DeviceName: "/dev/sdm" + Ebs: + Encrypted: True + VolumeType: "io1" + Iops: "200" + DeleteOnTermination: "false" + VolumeSize: "20" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/Terraform.md new file mode 100644 index 0000000..9e316c8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/Terraform.md 
@@ -0,0 +1,26 @@ + +Turn on encryption for all block devices + +```hcl +resource "aws_instance" "good_example" { + ami = "ami-7f89a64f" + instance_type = "t1.micro" + + root_block_device { + encrypted = true + } + + ebs_block_device { + device_name = "/dev/sdg" + volume_size = 5 + volume_type = "gp2" + delete_on_termination = false + encrypted = true + } +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#ebs-ephemeral-and-root-block-devices + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/docs.md new file mode 100644 index 0000000..3d9ac8d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0131/docs.md @@ -0,0 +1,13 @@ + +Block devices should be encrypted to ensure sensitive data is held securely at rest. + +### Impact +The block device could be compromised and read from + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md new file mode 100644 index 0000000..3593a59 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md @@ -0,0 +1,13 @@ + +Set the instance to not be publicly accessible + +```yaml--- +Resources: + GoodExample: + Properties: + VpcId: vpc-123456 + Type: AWS::EC2::Subnet + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/Terraform.md new file mode 100644 index 0000000..c51b0e2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/Terraform.md 
@@ -0,0 +1,14 @@ + +Set the instance to not be publicly accessible + +```hcl + resource "aws_subnet" "good_example" { + vpc_id = "vpc-123456" + map_public_ip_on_launch = false + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/docs.md new file mode 100644 index 0000000..2efd40e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0164/docs.md @@ -0,0 +1,13 @@ + +You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. + +### Impact +The instance is publicly accessible + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0173/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0173/docs.md new file mode 100644 index 0000000..3b6d4ca --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0173/docs.md @@ -0,0 +1,17 @@ + + +Configuring all VPC default security groups to restrict all traffic will encourage least +privilege security group development and mindful placement of AWS resources into +security groups which will in-turn reduce the exposure of those resources. + + +### Impact +Easier to accidentally expose resources - goes against principle of least privilege + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0178/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0178/docs.md new file mode 100644 index 0000000..775832f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ec2/AVD-AWS-0178/docs.md @@ -0,0 +1,13 @@ + +VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows. + +### Impact +Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md new file mode 100644 index 0000000..a1d034a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md @@ -0,0 +1,19 @@ + +Enable ECR image scanning + +```yaml--- +Resources: + GoodExample: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + ImageTagImmutability: IMMUTABLE + ImageScanningConfiguration: + ScanOnPush: True + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: "alias/ecr-key" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/Terraform.md new file mode 100644 index 0000000..0e23e9a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/Terraform.md 
@@ -0,0 +1,18 @@ + +Enable ECR image scanning + +```hcl + resource "aws_ecr_repository" "good_example" { + name = "bar" + image_tag_mutability = "MUTABLE" + + image_scanning_configuration { + scan_on_push = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/docs.md new file mode 100644 index 0000000..cacc98e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0030/docs.md @@ -0,0 +1,13 @@ + +Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible. + +### Impact +The ability to scan images is not being used and vulnerabilities will not be highlighted + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md new file mode 100644 index 0000000..842d1c7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md @@ -0,0 +1,19 @@ + +Only use immutable images in ECR + +```yaml--- +Resources: + GoodExample: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + ImageTagMutability: IMMUTABLE + ImageScanningConfiguration: + ScanOnPush: false + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: "alias/ecr-key" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/Terraform.md new file mode 100644 index 0000000..5ef303e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/Terraform.md 
@@ -0,0 +1,18 @@ + +Only use immutable images in ECR + +```hcl + resource "aws_ecr_repository" "good_example" { + name = "bar" + image_tag_mutability = "IMMUTABLE" + + image_scanning_configuration { + scan_on_push = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/docs.md new file mode 100644 index 0000000..f7d3079 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0031/docs.md @@ -0,0 +1,15 @@ + +ECR images should be set to IMMUTABLE to prevent code injection through image mutation. + +This can be done by setting image_tab_mutability to IMMUTABLE + +### Impact +Image tags could be overwritten with compromised images + + +{{ remediationActions }} + +### Links +- https://sysdig.com/blog/toctou-tag-mutability/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md new file mode 100644 index 0000000..08fb123 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md 
@@ -0,0 +1,36 @@ + +Do not allow public access in the policy + +```yaml--- +Resources: + GoodExample: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + ImageTagImmutability: IMMUTABLE + ImageScanningConfiguration: + ScanOnPush: false + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: "alias/ecr-key" + RepositoryPolicyText: + Version: "2012-10-17" + Statement: + - + Sid: AllowPushPull + Effect: Allow + Principal: + AWS: + - "arn:aws:iam::123456789012:user/Alice" + Action: + - "ecr:GetDownloadUrlForLayer" + - "ecr:BatchGetImage" + - "ecr:BatchCheckLayerAvailability" + - "ecr:PutImage" + - "ecr:InitiateLayerUpload" + - "ecr:UploadLayerPart" + - "ecr:CompleteLayerUpload" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0032/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0032/Terraform.md new file mode 100644 index 0000000..8cd602b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0032/Terraform.md @@ -0,0 +1,46 @@ + +Do not allow public access in the policy + +```hcl + resource "aws_ecr_repository" "foo" { + name = "bar" + } + + resource "aws_ecr_repository_policy" "foopolicy" { + repository = aws_ecr_repository.foo.name + + policy = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonECR/latest/public/public-repository-policies.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md new file mode 100644 index 0000000..23bf080 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md 
@@ -0,0 +1,19 @@ + +Use customer managed keys + +```yaml--- +Resources: + GoodExample: + Type: AWS::ECR::Repository + Properties: + RepositoryName: "test-repository" + ImageTagImmutability: IMMUTABLE + ImageScanningConfiguration: + ScanOnPush: false + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: "alias/ecr-key" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/Terraform.md new file mode 100644 index 0000000..072c594 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/Terraform.md @@ -0,0 +1,27 @@ + +Use customer managed keys + +```hcl + resource "aws_kms_key" "ecr_kms" { + enable_key_rotation = true + } + + resource "aws_ecr_repository" "good_example" { + name = "bar" + image_tag_mutability = "MUTABLE" + + image_scanning_configuration { + scan_on_push = true + } + + encryption_configuration { + encryption_type = "KMS" + kms_key = aws_kms_key.ecr_kms.key_id + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/docs.md new file mode 100644 index 0000000..a6e1af2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecr/AVD-AWS-0033/docs.md @@ -0,0 +1,13 @@ + +Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key. + +### Impact +Using AWS managed keys does not allow for fine grained control + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md new file mode 100644 index 0000000..def3d7a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md @@ -0,0 +1,16 @@ + +Enable Container Insights + +```yaml--- +Resources: + GoodExample: + Type: 'AWS::ECS::Cluster' + Properties: + ClusterName: MyCluster + ClusterSettings: + - Name: containerInsights + Value: enabled + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/Terraform.md new file mode 100644 index 0000000..2f33103 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/Terraform.md @@ -0,0 +1,18 @@ + +Enable Container Insights + +```hcl + resource "aws_ecs_cluster" "good_example" { + name = "services-cluster" + + setting { + name = "containerInsights" + value = "enabled" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster#setting + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/docs.md new file mode 100644 index 0000000..82f02fb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0034/docs.md @@ -0,0 +1,13 @@ + +Cloudwatch Container Insights provide more metrics and logs for container based applications and micro services. + +### Impact +Not all metrics and logs may be gathered for containers when Container Insights isn't enabled + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md new file mode 100644 index 0000000..4530960 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md @@ -0,0 +1,43 @@ + +Enable in transit encryption when using efs + +```yaml--- +Resources: + GoodExample: + Type: 'AWS::ECS::Cluster' + Properties: + ClusterName: MyCluster + ClusterSettings: + - Name: containerInsights + Value: enabled + GoodTask: + Type: AWS::ECS::TaskDefinition + Properties: + Family: "CFSec scan" + Cpu: 512 + Memory: 1024 + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + - EC2 + ContainerDefinitions: + - Name: cfsec + Image: cfsec/cfsec:latest + MountPoints: + - SourceVolume: src + ContainerPath: /src + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: "cfsec-logs" + awslogs-region: !Ref AWS::Region + awslogs-stream-prefix: "cfsec" + Volumes: + - Name: jenkins-home + EFSVolumeConfiguration: + FilesystemId: "fs1" + TransitEncryption: ENABLED + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/Terraform.md new file mode 100644 index 0000000..319cb1b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/Terraform.md 
@@ -0,0 +1,29 @@ + +Enable in transit encryption when using efs + +```hcl + resource "aws_ecs_task_definition" "good_example" { + family = "service" + container_definitions = file("task-definitions/service.json") + + volume { + name = "service-storage" + + efs_volume_configuration { + file_system_id = aws_efs_file_system.fs.id + root_directory = "/opt/data" + transit_encryption = "ENABLED" + transit_encryption_port = 2999 + authorization_config { + access_point_id = aws_efs_access_point.test.id + iam = "ENABLED" + } + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/docs.md new file mode 100644 index 0000000..14a27cd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0035/docs.md @@ -0,0 +1,15 @@ + +ECS task definitions that have volumes using EFS configuration should explicitly enable in transit encryption to prevent the risk of data loss due to interception. + +### Impact +Intercepted traffic to and from EFS may lead to data loss + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonECS/latest/userguide/efs-volumes.html + +- https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md new file mode 100644 index 0000000..f0c7454 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md 
@@ -0,0 +1,43 @@ + +Use secrets for the task definition + +```yaml--- +Resources: + GoodExample: + Type: 'AWS::ECS::Cluster' + Properties: + ClusterName: MyCluster + ClusterSettings: + - Name: containerInsights + Value: enabled + GoodTask: + Type: AWS::ECS::TaskDefinition + Properties: + Family: "CFSec scan" + Cpu: 512 + Memory: 1024 + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + - EC2 + ContainerDefinitions: + - Name: cfsec + Image: cfsec/cfsec:latest + MountPoints: + - SourceVolume: src + ContainerPath: /src + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: "cfsec-logs" + awslogs-region: !Ref AWS::Region + awslogs-stream-prefix: "cfsec" + Volumes: + - Name: jenkins-home + EFSVolumeConfiguration: + FilesystemId: "fs1" + TransitEncryption: ENABLED + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0036/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0036/Terraform.md new file mode 100644 index 0000000..e031cfc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/ecs/AVD-AWS-0036/Terraform.md @@ -0,0 +1,25 @@ + +Use secrets for the task definition + +```hcl + resource "aws_ecs_task_definition" "good_example" { + container_definitions = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/systems-manager/latest/userguide/integration-ps-secretsmanager.html + +- https://www.vaultproject.io/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md new file mode 100644 index 0000000..33e73a0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md 
@@ -0,0 +1,19 @@ + +Enable encryption for EFS + +```yaml--- +Resources: + GoodExample: + Type: AWS::EFS::FileSystem + Properties: + BackupPolicy: + Status: ENABLED + LifecyclePolicies: + - TransitionToIA: AFTER_60_DAYS + PerformanceMode: generalPurpose + Encrypted: true + ThroughputMode: bursting + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/Terraform.md new file mode 100644 index 0000000..ec6dadc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/Terraform.md @@ -0,0 +1,14 @@ + +Enable encryption for EFS + +```hcl + resource "aws_efs_file_system" "good_example" { + name = "bar" + encrypted = true + kms_key_id = "my_kms_key" + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/docs.md new file mode 100644 index 0000000..c4667a4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/efs/AVD-AWS-0037/docs.md @@ -0,0 +1,13 @@ + +If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, we recommend creating a file system that is encrypted at rest, and mounting your file system using encryption of data in transit. + +### Impact +Data can be read from the EFS if compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/efs/latest/ug/encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0038/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0038/Terraform.md new file mode 100644 index 0000000..f2c7b51 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0038/Terraform.md 
@@ -0,0 +1,26 @@ + +Enable logging for the EKS control plane + +```hcl + resource "aws_eks_cluster" "good_example" { + encryption_config { + resources = [ "secrets" ] + provider { + key_arn = var.kms_arn + } + } + + enabled_cluster_log_types = ["api", "authenticator", "audit", "scheduler", "controllerManager"] + + name = "good_example_cluster" + role_arn = var.cluster_arn + vpc_config { + endpoint_public_access = false + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabled_cluster_log_types + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0038/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0038/docs.md new file mode 100644 index 0000000..79bc0e0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0038/docs.md @@ -0,0 +1,13 @@ + +By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane. + +### Impact +Logging provides valuable information about access and usage + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md new file mode 100644 index 0000000..e03a495 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md 
@@ -0,0 +1,27 @@ + +Enable encryption of EKS secrets + +```yaml--- +Resources: + GoodExample: + Type: 'AWS::EKS::Cluster' + Properties: + Name: goodExample + Version: '1.14' + RoleArn: >- + arn:aws:iam::012345678910:role/eks-service-role-good-example + EncryptionConfig: + Provider: + KeyArn: alias/eks-kms + Resources: + - secrets + ResourcesVpcConfig: + SecurityGroupIds: + - sg-6979fe18 + SubnetIds: + - subnet-6782e71e + - subnet-e7e761ac + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/Terraform.md new file mode 100644 index 0000000..9a499ea --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/Terraform.md @@ -0,0 +1,24 @@ + +Enable encryption of EKS secrets + +```hcl + resource "aws_eks_cluster" "good_example" { + encryption_config { + resources = [ "secrets" ] + provider { + key_arn = var.kms_arn + } + } + + name = "good_example_cluster" + role_arn = var.cluster_arn + vpc_config { + endpoint_public_access = false + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#encryption_config + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/docs.md new file mode 100644 index 0000000..de61dab --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0039/docs.md @@ -0,0 +1,13 @@ + +EKS cluster resources should have the encryption_config block set with protection of the secrets resource. + +### Impact +EKS secrets could be read if compromised + + +{{ remediationActions }} + +### Links +- https://aws.amazon.com/about-aws/whats-new/2020/03/amazon-eks-adds-envelope-encryption-for-secrets-with-aws-kms/ + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0040/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0040/Terraform.md new file mode 100644 index 0000000..71e4ed0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0040/Terraform.md @@ -0,0 +1,19 @@ + +Don't enable public access to EKS Clusters + +```hcl + resource "aws_eks_cluster" "good_example" { + // other config + + name = "good_example_cluster" + role_arn = var.cluster_arn + vpc_config { + endpoint_public_access = false + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#endpoint_public_access + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0040/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0040/docs.md new file mode 100644 index 0000000..b4464df --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0040/docs.md @@ -0,0 +1,13 @@ + +EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource. + +### Impact +EKS can be access from the internet + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0041/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0041/Terraform.md new file mode 100644 index 0000000..74a497a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0041/Terraform.md 
@@ -0,0 +1,20 @@ + +Don't enable public access to EKS Clusters + +```hcl + resource "aws_eks_cluster" "good_example" { + // other config + + name = "good_example_cluster" + role_arn = var.cluster_arn + vpc_config { + endpoint_public_access = true + public_access_cidrs = ["10.2.0.0/8"] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#vpc_config + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0041/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0041/docs.md new file mode 100644 index 0000000..19a023a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/eks/AVD-AWS-0041/docs.md @@ -0,0 +1,13 @@ + +EKS Clusters have public access cidrs set to 0.0.0.0/0 by default which is wide open to the internet. This should be explicitly set to a more specific private CIDR range + +### Impact +EKS can be accessed from the internet + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/eks/latest/userguide/create-public-private-vpc.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0045/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0045/Terraform.md new file mode 100644 index 0000000..7cfe095 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0045/Terraform.md @@ -0,0 +1,16 @@ + +Enable at-rest encryption for replication group + +```hcl + resource "aws_elasticache_replication_group" "good_example" { + replication_group_id = "foo" + replication_group_description = "my foo cluster" + + at_rest_encryption_enabled = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#at_rest_encryption_enabled + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0045/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0045/docs.md new file mode 100644 index 0000000..fa4c7ad --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0045/docs.md @@ -0,0 +1,13 @@ + +Data stored within an Elasticache replication node should be encrypted to ensure sensitive data is kept private. + +### Impact +At-rest data in the Replication Group could be compromised if accessed. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/at-rest-encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md new file mode 100644 index 0000000..d3f2cf4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md @@ -0,0 +1,23 @@ + +Add descriptions for all security groups and rules + +```yaml--- +Resources: + GoodExampleCacheGroup: + Type: AWS::ElastiCache::SecurityGroup + Properties: + Description: Some description + GoodExampleEc2SecurityGroup: + Type: AWS::EC2::SecurityGroup + Properties: + GroupName: GoodExample + GroupDescription: Good Elasticache Security Group + GoodSecurityGroupIngress: + Type: AWS::ElastiCache::SecurityGroupIngress + Properties: + CacheSecurityGroupName: GoodExampleCacheGroup + EC2SecurityGroupName: GoodExampleEc2SecurityGroup + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/Terraform.md new file mode 100644 index 0000000..6260223 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/Terraform.md 
@@ -0,0 +1,19 @@
+
+Add descriptions for all security groups and rules
+
+```hcl
+resource "aws_security_group" "bar" {
+ name = "security-group"
+}
+
+resource "aws_elasticache_security_group" "good_example" {
+ name = "elasticache-security-group"
+ security_group_names = [aws_security_group.bar.name]
+ description = "something"
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_security_group#description
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/docs.md
new file mode 100644
index 0000000..fc7e319
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0049/docs.md
@@ -0,0 +1,15 @@
+
+Security groups and security group rules should include a description for auditing purposes.
+
+Simplifies auditing, debugging, and managing security groups.
+
+### Impact
+Descriptions provide context for the firewall rule reasons
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonElastiCache/latest/mem-ug/SecurityGroups.Creating.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md
new file mode 100644
index 0000000..15d4092
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md
@@ -0,0 +1,21 @@
+
+Configure snapshot retention for redis cluster
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::ElastiCache::CacheCluster
+ Properties:
+ AZMode: cross-az
+ CacheNodeType: cache.m3.medium
+ Engine: redis
+ NumCacheNodes: '3'
+ SnapshotRetentionLimit: 7
+ PreferredAvailabilityZones:
+ - us-west-2a
+ - us-west-2a
+ - us-west-2b
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/Terraform.md
new file mode 100644
index 0000000..06fde6d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/Terraform.md
@@ -0,0 +1,21 @@
+
+Configure snapshot retention for redis cluster
+
+```hcl
+ resource "aws_elasticache_cluster" "good_example" {
+ cluster_id = "cluster-example"
+ engine = "redis"
+ node_type = "cache.m4.large"
+ num_cache_nodes = 1
+ parameter_group_name = "default.redis3.2"
+ engine_version = "3.2.10"
+ port = 6379
+
+ snapshot_retention_limit = 5
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_cluster#snapshot_retention_limit
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/docs.md
new file mode 100644
index 0000000..06f2494
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0050/docs.md
@@ -0,0 +1,13 @@
+
+Redis clusters should have a snapshot retention time to ensure that they are backed up and can be restored if required.
+
+### Impact
+Without backups of the redis cluster recovery is made difficult
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-automatic.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md
new file mode 100644
index 0000000..7d204cd
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md
@@ -0,0 +1,27 @@
+
+Enable in transit encryption for replication group
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: 'AWS::ElastiCache::ReplicationGroup'
+ Properties:
+ AutomaticFailoverEnabled: true
+ CacheNodeType: cache.r3.large
+ CacheSubnetGroupName: !Ref CacheSubnetGroup
+ Engine: redis
+ EngineVersion: '3.2'
+ NumNodeGroups: '2'
+ ReplicasPerNodeGroup: '3'
+ Port: 6379
+ PreferredMaintenanceWindow: 'sun:05:00-sun:09:00'
+ ReplicationGroupDescription: A sample replication group
+ SecurityGroupIds:
+ - !Ref ReplicationGroupSG
+ SnapshotRetentionLimit: 5
+ SnapshotWindow: '10:00-12:00'
+ TransitEncryptionEnabled: true
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/Terraform.md
new file mode 100644
index 0000000..73c0f94
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/Terraform.md
@@ -0,0 +1,15 @@
+
+Enable in transit encryption for replication group
+
+```hcl
+ resource "aws_elasticache_replication_group" "good_example" {
+ replication_group_id = "foo"
+ replication_group_description = "my foo cluster"
+ transit_encryption_enabled = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_replication_group#transit_encryption_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/docs.md
new file mode 100644
index 0000000..4c2394a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticache/AVD-AWS-0051/docs.md
@@ -0,0 +1,13 @@
+
+Traffic flowing between Elasticache replication nodes should be encrypted to ensure sensitive data is kept private.
+
+### Impact
+In transit data in the Replication Group could be read if intercepted
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md
new file mode 100644
index 0000000..99e1bef
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md
@@ -0,0 +1,32 @@
+
+Enable logging for ElasticSearch domains
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: 'test'
+ ElasticsearchVersion: '7.10'
+ EncryptionAtRestOptions:
+ Enabled: true
+ KmsKeyId: alias/kmskey
+ LogPublishingOptions:
+ AUDIT_LOGS:
+ Enabled: true
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: true
+ InstanceCount: '2'
+ ZoneAwarenessEnabled: true
+ InstanceType: 'm3.medium.elasticsearch'
+ DedicatedMasterType: 'm3.medium.elasticsearch'
+ DedicatedMasterCount: '3'
+ EBSOptions:
+ EBSEnabled: true
+ Iops: '0'
+ VolumeSize: '20'
+ VolumeType: 'gp2'
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/Terraform.md
new file mode 100644
index 0000000..05d4bcc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/Terraform.md
@@ -0,0 +1,20 @@
+
+Enable logging for ElasticSearch domains
+
+```hcl
+ resource "aws_elasticsearch_domain" "good_example" {
+ domain_name = "example"
+ elasticsearch_version = "1.5"
+
+ log_publishing_options {
+ cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
+ log_type = "AUDIT_LOGS"
+ enabled = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#log_type
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/docs.md
new file mode 100644
index 0000000..fafcead
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0042/docs.md
@@ -0,0 +1,19 @@
+
+Amazon ES exposes four Elasticsearch logs through Amazon CloudWatch Logs: error logs, search slow logs, index slow logs, and audit logs.
+
+Search slow logs, index slow logs, and error logs are useful for troubleshooting performance and stability issues.
+
+Audit logs track user activity for compliance purposes.
+
+All the logs are disabled by default.
+
+### Impact
+Logging provides vital information about access and usage
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-createdomain-configure-slow-logs.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md
new file mode 100644
index 0000000..4b71c5a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md
@@ -0,0 +1,31 @@
+
+Enable encrypted node to node communication
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: 'test'
+ ElasticsearchVersion: '7.10'
+ EncryptionAtRestOptions:
+ Enabled: true
+ KmsKeyId: alias/kmskey
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: true
+ InstanceCount: '2'
+ ZoneAwarenessEnabled: true
+ InstanceType: 'm3.medium.elasticsearch'
+ DedicatedMasterType: 'm3.medium.elasticsearch'
+ DedicatedMasterCount: '3'
+ EBSOptions:
+ EBSEnabled: true
+ Iops: '0'
+ VolumeSize: '20'
+ VolumeType: 'gp2'
+ NodeToNodeEncryptionOptions:
+ Enabled: true
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/Terraform.md
new file mode 100644
index 0000000..6514328
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/Terraform.md
@@ -0,0 +1,17 @@
+
+Enable encrypted node to node communication
+
+```hcl
+ resource "aws_elasticsearch_domain" "good_example" {
+ domain_name = "domain-foo"
+
+ node_to_node_encryption {
+ enabled = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#encrypt_at_rest
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/docs.md
new file mode 100644
index 0000000..bd7481b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0043/docs.md
@@ -0,0 +1,13 @@
+
+Traffic flowing between Elasticsearch nodes should be encrypted to ensure sensitive data is kept private.
+
+### Impact
+In transit data between nodes could be read if intercepted
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/ntn.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md
new file mode 100644
index 0000000..f26427a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md
@@ -0,0 +1,32 @@
+
+Enforce the use of HTTPS for ElasticSearch
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: 'test'
+ DomainEndpointOptions:
+ EnforceHTTPS: true
+
+ ElasticsearchVersion: '7.10'
+ EncryptionAtRestOptions:
+ Enabled: true
+ KmsKeyId: alias/kmskey
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: true
+ InstanceCount: '2'
+ ZoneAwarenessEnabled: true
+ InstanceType: 'm3.medium.elasticsearch'
+ DedicatedMasterType: 'm3.medium.elasticsearch'
+ DedicatedMasterCount: '3'
+ EBSOptions:
+ EBSEnabled: true
+ Iops: '0'
+ VolumeSize: '20'
+ VolumeType: 'gp2'
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/Terraform.md
new file mode 100644
index 0000000..a4b9fd6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/Terraform.md
@@ -0,0 +1,17 @@
+
+Enforce the use of HTTPS for ElasticSearch
+
+```hcl
+ resource "aws_elasticsearch_domain" "good_example" {
+ domain_name = "domain-foo"
+
+ domain_endpoint_options {
+ enforce_https = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#enforce_https
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/docs.md
new file mode 100644
index 0000000..a34dc26
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0046/docs.md
@@ -0,0 +1,15 @@
+
+Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
+
+You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
+
+### Impact
+HTTP traffic can be intercepted and the contents read
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-data-protection.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md
new file mode 100644
index 0000000..66839d5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md
@@ -0,0 +1,29 @@
+
+Enable ElasticSearch domain encryption
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: 'test'
+ ElasticsearchVersion: '7.10'
+ EncryptionAtRestOptions:
+ Enabled: true
+ KmsKeyId: alias/kmskey
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: true
+ InstanceCount: '2'
+ ZoneAwarenessEnabled: true
+ InstanceType: 'm3.medium.elasticsearch'
+ DedicatedMasterType: 'm3.medium.elasticsearch'
+ DedicatedMasterCount: '3'
+ EBSOptions:
+ EBSEnabled: true
+ Iops: '0'
+ VolumeSize: '20'
+ VolumeType: 'gp2'
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/Terraform.md
new file mode 100644
index 0000000..416021d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/Terraform.md
@@ -0,0 +1,17 @@
+
+Enable ElasticSearch domain encryption
+
+```hcl
+ resource "aws_elasticsearch_domain" "good_example" {
+ domain_name = "domain-foo"
+
+ encrypt_at_rest {
+ enabled = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#encrypt_at_rest
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/docs.md
new file mode 100644
index 0000000..1543c1e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0048/docs.md
@@ -0,0 +1,13 @@
+
+You should ensure your Elasticsearch data is encrypted at rest to help prevent sensitive information from being read by unauthorised users.
+
+### Impact
+Data will be readable if compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/encryption-at-rest.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md
new file mode 100644
index 0000000..41ad3cf
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md
@@ -0,0 +1,31 @@
+
+Use the most modern TLS/SSL policies available
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::Elasticsearch::Domain
+ Properties:
+ DomainName: 'test'
+ ElasticsearchVersion: '7.10'
+ DomainEndpointOptions:
+ TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07
+ EncryptionAtRestOptions:
+ Enabled: true
+ KmsKeyId: alias/kmskey
+ ElasticsearchClusterConfig:
+ DedicatedMasterEnabled: true
+ InstanceCount: '2'
+ ZoneAwarenessEnabled: true
+ InstanceType: 'm3.medium.elasticsearch'
+ DedicatedMasterType: 'm3.medium.elasticsearch'
+ DedicatedMasterCount: '3'
+ EBSOptions:
+ EBSEnabled: true
+ Iops: '0'
+ VolumeSize: '20'
+ VolumeType: 'gp2'
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/Terraform.md
new file mode 100644
index 0000000..95e2476
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/Terraform.md
@@ -0,0 +1,18 @@
+
+Use the most modern TLS/SSL policies available
+
+```hcl
+ resource "aws_elasticsearch_domain" "good_example" {
+ domain_name = "domain-foo"
+
+ domain_endpoint_options {
+ enforce_https = true
+ tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticsearch_domain#tls_security_policy
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/docs.md
new file mode 100644
index 0000000..93fda8d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elasticsearch/AVD-AWS-0126/docs.md
@@ -0,0 +1,13 @@
+
+You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
+
+### Impact
+Outdated SSL policies increase exposure to known vulnerabilities
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-data-protection.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0047/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0047/Terraform.md
new file mode 100644
index 0000000..c3e9fec
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0047/Terraform.md
@@ -0,0 +1,14 @@
+
+Use a more recent TLS/SSL policy for the load balancer
+
+```hcl
+ resource "aws_alb_listener" "good_example" {
+ ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+ protocol = "HTTPS"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0047/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0047/docs.md
new file mode 100644
index 0000000..0c16233
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0047/docs.md
@@ -0,0 +1,10 @@
+
+You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
+
+### Impact
+The SSL policy is outdated and has known vulnerabilities
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0052/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0052/Terraform.md
new file mode 100644
index 0000000..d12b662
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0052/Terraform.md
@@ -0,0 +1,23 @@
+
+Set drop_invalid_header_fields to true
+
+```hcl
+ resource "aws_alb" "good_example" {
+ name = "good_alb"
+ internal = false
+ load_balancer_type = "application"
+
+ access_logs {
+ bucket = aws_s3_bucket.lb_logs.bucket
+ prefix = "test-lb"
+ enabled = true
+ }
+
+ drop_invalid_header_fields = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#drop_invalid_header_fields
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0052/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0052/docs.md
new file mode 100644
index 0000000..b89221e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0052/docs.md
@@ -0,0 +1,15 @@
+
+Passing unknown or invalid headers through to the target poses a potential risk of compromise.
+
+By setting drop_invalid_header_fields to true, anything that doe not conform to well known, defined headers will be removed by the load balancer.
+
+### Impact
+Invalid headers being passed through to the target of the load balance may exploit vulnerabilities
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0053/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0053/Terraform.md
new file mode 100644
index 0000000..d463fed
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0053/Terraform.md
@@ -0,0 +1,13 @@
+
+Switch to an internal load balancer or add a tfsec ignore
+
+```hcl
+ resource "aws_alb" "good_example" {
+ internal = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0053/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0053/docs.md
new file mode 100644
index 0000000..f298784
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0053/docs.md
@@ -0,0 +1,10 @@
+
+There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.
+
+### Impact
+The load balancer is exposed on the internet
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0054/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0054/Terraform.md
new file mode 100644
index 0000000..1aa76bd
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0054/Terraform.md
@@ -0,0 +1,13 @@
+
+Switch to HTTPS to benefit from TLS security features
+
+```hcl
+ resource "aws_alb_listener" "good_example" {
+ protocol = "HTTPS"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0054/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0054/docs.md
new file mode 100644
index 0000000..b5ec5a8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/elb/AVD-AWS-0054/docs.md
@@ -0,0 +1,15 @@
+
+Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
+
+You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
+
+### Impact
+Your traffic is not protected
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0137/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0137/Terraform.md new file mode 100644 index 0000000..87b8221 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0137/Terraform.md @@ -0,0 +1,30 @@ + +Enable at-rest encryption for EMR cluster + +```hcl + resource "aws_emr_security_configuration" "good_example" { + name = "emrsc_other" + + configuration = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0138/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0138/Terraform.md new file mode 100644 index 0000000..68fe7a6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0138/Terraform.md @@ -0,0 +1,30 @@ + +Enable in-transit encryption for EMR cluster + +```hcl + resource "aws_emr_security_configuration" "good_example" { + name = "emrsc_other" + + configuration = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0139/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0139/Terraform.md new file mode 100644 index 0000000..b48b12b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/emr/AVD-AWS-0139/Terraform.md @@ -0,0 +1,30 @@ + +Enable local-disk encryption for EMR cluster + +```hcl + resource "aws_emr_security_configuration" "good_example" { + name = "emrsc_other" + + configuration = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist_800-171.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0056/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0056/Terraform.md
new file mode 100644
index 0000000..6b43b45
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0056/Terraform.md
@@ -0,0 +1,15 @@
+
+Prevent password reuse in the policy
+
+```hcl
+ resource "aws_iam_account_password_policy" "good_example" {
+ # ...
+ password_reuse_prevention = 5
+ # ...
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0056/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0056/docs.md
new file mode 100644
index 0000000..5e4f661
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0056/docs.md
@@ -0,0 +1,15 @@
+
+IAM account password policies should prevent the reuse of passwords.
+
+The account password policy should be set to prevent using any of the last five used passwords.
+
+### Impact
+Password reuse increase the risk of compromised passwords being abused
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md
new file mode 100644
index 0000000..a838173
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/CloudFormation.md
@@ -0,0 +1,22 @@ + +Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of policy +Resources: + GoodPolicy: + Type: 'AWS::IAM::Policy' + Properties: + PolicyName: CFNUsers + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 's3:ListBuckets' + Resource: 'specific-bucket' + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md new file mode 100644 index 0000000..d9ef5b2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/Terraform.md @@ -0,0 +1,44 @@ + +Specify the exact permissions required, and to which resources they should apply instead of using wildcards. + +```hcl + resource "aws_iam_role_policy" "test_policy" { + name = "test_policy" + role = aws_iam_role.test_role.id + + policy = data.aws_iam_policy_document.s3_policy.json + } + + resource "aws_iam_role" "test_role" { + name = "test_role" + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "s3.amazonaws.com" + } + }, + ] + }) + } + + data "aws_iam_policy_document" "s3_policy" { + statement { + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + actions = ["s3:GetObject"] + resources = [aws_s3_bucket.example.arn] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/docs.md new file mode 100644 index 0000000..6aa472c --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0057/docs.md @@ -0,0 +1,13 @@ + +You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals. + +### Impact +Overly permissive policies may grant access to sensitive resources + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0058/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0058/Terraform.md new file mode 100644 index 0000000..0d57b61 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0058/Terraform.md @@ -0,0 +1,14 @@ + +Enforce longer, more complex passwords in the policy + +```hcl + resource "aws_iam_account_password_policy" "good_example" { + # ... + require_lowercase_characters = true + # ... + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0058/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0058/docs.md new file mode 100644 index 0000000..dc348ac --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0058/docs.md @@ -0,0 +1,13 @@ + +IAM account password policies should ensure that passwords content including at least one lowercase character. + +### Impact +Short, simple passwords are easier to compromise + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0059/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0059/Terraform.md new file mode 100644 index 0000000..ad45c06 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0059/Terraform.md @@ -0,0 +1,15 @@ + +Enforce longer, more complex passwords in the policy + +```hcl + resource "aws_iam_account_password_policy" "good_example" { + # ... + require_numbers = true + # ... + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0059/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0059/docs.md new file mode 100644 index 0000000..c05bb09 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0059/docs.md @@ -0,0 +1,13 @@ + +IAM account password policies should ensure that passwords content including at least one number. + +### Impact +Short, simple passwords are easier to compromise + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0060/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0060/Terraform.md new file mode 100644 index 0000000..9a7bfc9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0060/Terraform.md @@ -0,0 +1,15 @@ + +Enforce longer, more complex passwords in the policy + +```hcl + resource "aws_iam_account_password_policy" "good_example" { + # ... + require_symbols = true + # ... + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0060/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0060/docs.md new file mode 100644 index 0000000..59c8fd4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0060/docs.md @@ -0,0 +1,13 @@ + +IAM account password policies should ensure that passwords content including a symbol. + +### Impact +Short, simple passwords are easier to compromise + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0061/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0061/Terraform.md new file mode 100644 index 0000000..0194aef --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0061/Terraform.md @@ -0,0 +1,15 @@ + +Enforce longer, more complex passwords in the policy + +```hcl + resource "aws_iam_account_password_policy" "good_example" { + # ... + require_uppercase_characters = true + # ... + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0061/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0061/docs.md new file mode 100644 index 0000000..5060939 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0061/docs.md @@ -0,0 +1,14 @@ + +, +IAM account password policies should ensure that passwords content including at least one uppercase character. + +### Impact +Short, simple passwords are easier to compromise + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0062/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0062/Terraform.md new file mode 100644 index 0000000..a0b04ea --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0062/Terraform.md @@ -0,0 +1,12 @@ + +Limit the password duration with an expiry in the policy + +```hcl +resource "aws_iam_account_password_policy" "good_example" { + max_password_age = 90 +} +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0062/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0062/docs.md new file mode 100644 index 0000000..605e4c5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0062/docs.md @@ -0,0 +1,15 @@ + +IAM account password policies should have a maximum age specified. + +The account password policy should be set to expire passwords after 90 days or less. + +### Impact +Long life password increase the likelihood of a password eventually being compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0063/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0063/Terraform.md new file mode 100644 index 0000000..b61b23c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0063/Terraform.md @@ -0,0 +1,13 @@ + +Enforce longer, more complex passwords in the policy + +```hcl +resource "aws_iam_account_password_policy" "good_example" { + minimum_password_length = 14 +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0063/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0063/docs.md new file mode 100644 index 0000000..747afab --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0063/docs.md @@ -0,0 +1,15 @@ + +IAM account password policies should ensure that passwords have a minimum length. + +The account password policy should be set to enforce minimum password length of at least 14 characters. + +### Impact +Short, simple passwords are easier to compromise + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md new file mode 100644 index 0000000..c1ac8a8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0123/Terraform.md @@ -0,0 +1,128 @@ + +Use terraform-module/enforce-mfa/aws to ensure that MFA is enforced + +```hcl +resource "aws_iam_group" "support" { + name = "support" +} +resource aws_iam_group_policy mfa { + + group = aws_iam_group.support.name + policy = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html#password-policy-details + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0140/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0140/docs.md new file mode 100644 index 0000000..d030b51 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0140/docs.md 
@@ -0,0 +1,15 @@ + + +The root user has unrestricted access to all services and resources in an AWS account. We highly recommend that you avoid using the root user for daily tasks. Minimizing the use of the root user and adopting the principle of least privilege for access management reduce the risk of accidental changes and unintended disclosure of highly privileged credentials. + + +### Impact +Compromise of the root account compromises the entire AWS account and all resources within it. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0141/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0141/Terraform.md new file mode 100644 index 0000000..0a9c0dd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0141/Terraform.md @@ -0,0 +1,13 @@ + +Use lower privileged accounts instead, so only required privileges are available. + +```hcl +resource "aws_iam_access_key" "good_example" { + user = "lowprivuser" +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0141/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0141/docs.md new file mode 100644 index 0000000..8ce07d0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0141/docs.md 
@@ -0,0 +1,15 @@ + + +CIS recommends that all access keys be associated with the root user be removed. Removing access keys associated with the root user limits vectors that the account can be compromised by. Removing the root user access keys also encourages the creation and use of role-based accounts that are least privileged. + + +### Impact +Compromise of the root account compromises the entire AWS account and all resources within it. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0142/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0142/docs.md new file mode 100644 index 0000000..564eb97 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0142/docs.md @@ -0,0 +1,17 @@ + + +MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. + +When you use virtual MFA for the root user, CIS recommends that the device used is not a personal device. Instead, use a dedicated mobile device (tablet or phone) that you manage to keep charged and secured independent of any individual personal devices. This lessens the risks of losing access to the MFA due to device loss, device trade-in, or if the individual owning the device is no longer employed at the company. + + +### Impact +Compromise of the root account compromises the entire AWS account and all resources within it. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-cis-controls.html#securityhub-cis-controls-1.14 + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0143/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0143/Terraform.md new file mode 100644 index 0000000..2215dea --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0143/Terraform.md @@ -0,0 +1,48 @@ + +Grant policies at the group level instead. + +```hcl +resource "aws_iam_group" "developers" { + name = "developers" + path = "/users/" +} + +resource "aws_iam_user" "jim" { + name = "jim" +} + +resource "aws_iam_group_membership" "devteam" { + name = "developers-team" + + users = [ + aws_iam_user.jim.name, + ] + + group = aws_iam_group.developers.name +} + +resource "aws_iam_group_policy" "ec2policy" { + name = "test" + group = aws_iam_group.developers.name + + policy = < +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0144/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0144/docs.md new file mode 100644 index 0000000..a8c7b46 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0144/docs.md @@ -0,0 +1,15 @@ + + +CIS recommends that you remove or deactivate all credentials that have been unused in 90 days or more. Disabling or removing unnecessary credentials reduces the window of opportunity for credentials associated with a compromised or abandoned account to be used. + + +### Impact +Leaving unused credentials active widens the scope for compromise. + + +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0145/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0145/docs.md new file mode 100644 index 0000000..7296acd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0145/docs.md 
@@ -0,0 +1,15 @@ + + +IAM user accounts should be protected with multi factor authentication to add safe guards to password compromise. + + +### Impact +User accounts are more vulnerable to compromise without multi factor authentication activated + + +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0146/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0146/docs.md new file mode 100644 index 0000000..cd5c026 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0146/docs.md @@ -0,0 +1,15 @@ + + +Regularly rotating your IAM credentials helps prevent a compromised set of IAM access keys from accessing components in your AWS account. + + +### Impact +Compromised keys are more likely to be used to compromise the account + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys-at-scale-with-aws-organizations-and-aws-secrets-manager.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0165/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0165/docs.md new file mode 100644 index 0000000..d8c6497 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0165/docs.md @@ -0,0 +1,15 @@ + + +Hardware MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they're prompted for their user name and password and for an authentication code from their AWS MFA device. + + +### Impact +Compromise of the root account compromises the entire AWS account and all resources within it. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_physical.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0166/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0166/docs.md new file mode 100644 index 0000000..cd7ff83 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0166/docs.md @@ -0,0 +1,15 @@ + + +Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used. + + +### Impact +Leaving unused credentials active widens the scope for compromise. + + +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0167/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0167/docs.md new file mode 100644 index 0000000..12d6f6c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0167/docs.md @@ -0,0 +1,15 @@ + + +Multiple active access keys widens the scope for compromise. + + +### Impact +Widened scope for compromise. + + +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0168/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0168/docs.md new file mode 100644 index 0000000..503c7d0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0168/docs.md @@ -0,0 +1,18 @@ + + +Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be +deployed accidentally to a resource such as AWS Elastic Load Balancer (ELB), which can +damage the credibility of the application/website behind the ELB. As a best practice, it is +recommended to delete expired certificates. + + +### Impact +Risk of misconfiguration and damage to credibility + + +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0169/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0169/docs.md new file mode 100644 index 0000000..e65af62 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0169/docs.md @@ -0,0 +1,16 @@ + + +By implementing least privilege for access control, an IAM Role will require an appropriate +IAM Policy to allow Support Center Access in order to manage Incidents with AWS Support. + + +### Impact +Incident management is not possible without a support role. + + +{{ remediationActions }} + +### Links +- https://console.aws.amazon.com/iam/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0342/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0342/docs.md new file mode 100644 index 0000000..ff507cd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/iam/AVD-AWS-0342/docs.md @@ -0,0 +1,13 @@ + +Ensures any IAM pass role attched to roles are flagged and warned. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md new file mode 100644 index 0000000..96b99c9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md @@ -0,0 +1,22 @@ + +Enable in transit encryption + +```yaml--- +Resources: + GoodExample: + Type: AWS::Kinesis::Stream + Properties: + Name: GoodExample + RetentionPeriodHours: 168 + ShardCount: 3 + StreamEncryption: + EncryptionType: KMS + KeyId: alis/key + Tags: + - + Key: Environment + Value: Production + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/Terraform.md new file mode 100644 index 0000000..c770c57 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/Terraform.md @@ -0,0 +1,14 @@ + +Enable in transit encryption + +```hcl + resource "aws_kinesis_stream" "good_example" { + encryption_type = "KMS" + kms_key_id = "my/special/key" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/docs.md new file mode 100644 index 0000000..91aeaec --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/kinesis/AVD-AWS-0064/docs.md @@ -0,0 +1,13 @@ + +Kinesis streams should be encrypted to ensure sensitive data is kept private. Additionally, non-default KMS keys should be used so granularity of access control can be ensured. + +### Impact +Intercepted data can be read in transit + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/kms/AVD-AWS-0065/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/kms/AVD-AWS-0065/Terraform.md new file mode 100644 index 0000000..74228a6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/kms/AVD-AWS-0065/Terraform.md @@ -0,0 +1,13 @@ + +Configure KMS key to auto rotate + +```hcl + resource "aws_kms_key" "good_example" { + enable_key_rotation = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key#enable_key_rotation + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/kms/AVD-AWS-0065/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/kms/AVD-AWS-0065/docs.md new file mode 100644 index 0000000..62ce83d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/kms/AVD-AWS-0065/docs.md @@ -0,0 +1,13 @@ + +You should configure your KMS keys to auto rotate to maintain security and defend against compromise. + +### Impact +Long life KMS keys increase the attack surface when compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md new file mode 100644 index 0000000..b08a117 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md @@ -0,0 +1,26 @@ + +Enable tracing + +```yaml--- +Resources: + Function: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0066/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0066/Terraform.md new file mode 100644 index 0000000..9aced68 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0066/Terraform.md @@ -0,0 +1,52 @@ + +Enable tracing + +```hcl + resource "aws_iam_role" "iam_for_lambda" { + name = "iam_for_lambda" + + assume_role_policy = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md new file mode 100644 index 0000000..92b9258 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md @@ -0,0 +1,35 @@ + +Always provide a source arn for Lambda permissions + +```yaml--- +Resources: + GoodExample: + Type: AWS::Lambda::Function + Properties: + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Code: + S3Bucket: my-bucket + S3Key: function.zip + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + GoodPermission: + Type: AWS::Lambda::Permission + Properties: + FunctionName: !Ref BadExample + Action: lambda:InvokeFunction + Principal: s3.amazonaws.com + SourceArn: "lambda.amazonaws.com" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/Terraform.md new file mode 100644 index 0000000..1ae4a78 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/Terraform.md @@ -0,0 +1,17 @@ + +Always provide a source arn for Lambda permissions + +```hcl +resource "aws_lambda_permission" "good_example" { + statement_id = "AllowExecutionFromSNS" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.func.function_name + principal = "sns.amazonaws.com" + source_arn = aws_sns_topic.default.arn +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/docs.md new file mode 100644 index 0000000..7564864 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/aws/lambda/AVD-AWS-0067/docs.md @@ -0,0 +1,17 @@ + +When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to. + +Without this, any resource from principal will be granted permission – even if that resource is from another account. + +For S3, this should be the ARN of the S3 Bucket. For CloudWatch Events, this should be the ARN of the CloudWatch Events Rule. For API Gateway, this should be the ARN of the API + +### Impact +Not providing the source ARN allows any resource from principal, even from other accounts + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-lambda-permission.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md new file mode 100644 index 0000000..e71d172 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable audit logging + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Broker: + Type: AWS::AmazonMQ::Broker + Properties: + Logs: + Audit: true + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/Terraform.md new file mode 100644 index 0000000..950c475 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/Terraform.md 
@@ -0,0 +1,31 @@ + +Enable audit logging + +```hcl + resource "aws_mq_broker" "good_example" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.0" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + logs { + audit = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker#audit + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/docs.md new file mode 100644 index 0000000..d652415 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0070/docs.md @@ -0,0 +1,13 @@ + +Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation + +### Impact +Without audit logging it is difficult to trace activity in the MQ broker + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md new file mode 100644 index 0000000..a2363b8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable general logging + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Broker: + Type: AWS::AmazonMQ::Broker + Properties: + Logs: + General: true + + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/Terraform.md new file mode 100644 index 0000000..c0ed8ab --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/Terraform.md @@ -0,0 +1,31 @@ + +Enable general logging + +```hcl + resource "aws_mq_broker" "good_example" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.0" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + logs { + general = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker#general + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/docs.md new file mode 100644 index 0000000..7e0f92e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0071/docs.md @@ -0,0 +1,13 @@ + +Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation + +### Impact +Without logging it is difficult to trace issues + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/configure-logging-monitoring-activemq.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md new file mode 100644 index 0000000..8aad332 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md 
@@ -0,0 +1,16 @@ + +Disable public access when not required + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Broker: + Type: AWS::AmazonMQ::Broker + Properties: + PubliclyAccessible: false + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/Terraform.md new file mode 100644 index 0000000..10ea73e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/Terraform.md @@ -0,0 +1,29 @@ + +Disable public access when not required + +```hcl + resource "aws_mq_broker" "good_example" { + broker_name = "example" + + configuration { + id = aws_mq_configuration.test.id + revision = aws_mq_configuration.test.latest_revision + } + + engine_type = "ActiveMQ" + engine_version = "5.15.0" + host_instance_type = "mq.t2.micro" + security_groups = [aws_security_group.test.id] + + user { + username = "ExampleUser" + password = "MindTheGap" + } + publicly_accessible = false + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker#publicly_accessible + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/docs.md new file mode 100644 index 0000000..716d66a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/mq/AVD-AWS-0072/docs.md @@ -0,0 +1,13 @@ + +Public access of the MQ broker should be disabled and only allow routes to applications that require access. + +### Impact +Publicly accessible MQ Broker may be vulnerable to compromise + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/using-amazon-mq-securely.html#prefer-brokers-without-public-accessibility + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md new file mode 100644 index 0000000..b9f7fa1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable in transit encryption + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Cluster: + Type: AWS::MSK::Cluster + Properties: + EncryptionInfo: + EncryptionInTransit: + ClientBroker: "TLS" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/Terraform.md new file mode 100644 index 0000000..dd3094c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/Terraform.md @@ -0,0 +1,18 @@ + +Enable in transit encryption + +```hcl + resource "aws_msk_cluster" "good_example" { + encryption_info { + encryption_in_transit { + client_broker = "TLS" + in_cluster = true + } + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info-argument-reference + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/docs.md new file mode 100644 index 0000000..6c227cd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0073/docs.md @@ -0,0 +1,13 @@ + +Encryption should be forced for Kafka clusters, including for communication between nodes. This ensure sensitive data is kept private. + +### Impact +Intercepted data can be read in transit + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md new file mode 100644 index 0000000..595b3af --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md @@ -0,0 +1,20 @@ + +Enable logging + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Cluster: + Type: AWS::MSK::Cluster + Properties: + LoggingInfo: + BrokerLogs: + S3: + Enabled: true + + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/Terraform.md new file mode 100644 index 0000000..54d332f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/Terraform.md 
@@ -0,0 +1,121 @@ + +Enable logging + +```hcl + resource "aws_msk_cluster" "example" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 + + broker_node_group_info { + instance_type = "kafka.m5.large" + ebs_volume_size = 1000 + client_subnets = [ + aws_subnet.subnet_az1.id, + aws_subnet.subnet_az2.id, + aws_subnet.subnet_az3.id, + ] + security_groups = [aws_security_group.sg.id] + } + + logging_info { + broker_logs { + firehose { + enabled = false + delivery_stream = aws_kinesis_firehose_delivery_stream.test_stream.name + } + s3 { + enabled = true + bucket = aws_s3_bucket.bucket.id + prefix = "logs/msk-" + } + } + } + + tags = { + foo = "bar" + } + } + +``` +```hcl + resource "aws_msk_cluster" "example" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 + + broker_node_group_info { + instance_type = "kafka.m5.large" + ebs_volume_size = 1000 + client_subnets = [ + aws_subnet.subnet_az1.id, + aws_subnet.subnet_az2.id, + aws_subnet.subnet_az3.id, + ] + security_groups = [aws_security_group.sg.id] + } + + logging_info { + broker_logs { + cloudwatch_logs { + enabled = false + log_group = aws_cloudwatch_log_group.test.name + } + firehose { + enabled = true + delivery_stream = aws_kinesis_firehose_delivery_stream.test_stream.name + } + } + } + + tags = { + foo = "bar" + } + } + +``` +```hcl + resource "aws_msk_cluster" "example" { + cluster_name = "example" + kafka_version = "2.4.1" + number_of_broker_nodes = 3 + + broker_node_group_info { + instance_type = "kafka.m5.large" + ebs_volume_size = 1000 + client_subnets = [ + aws_subnet.subnet_az1.id, + aws_subnet.subnet_az2.id, + aws_subnet.subnet_az3.id, + ] + security_groups = [aws_security_group.sg.id] + } + + logging_info { + broker_logs { + cloudwatch_logs { + enabled = true + log_group = aws_cloudwatch_log_group.test.name + } + firehose { + enabled = false + delivery_stream = aws_kinesis_firehose_delivery_stream.test_stream.name + } + s3 { + enabled = true 
+ bucket = aws_s3_bucket.bucket.id + prefix = "logs/msk-" + } + } + } + + tags = { + foo = "bar" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster# + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/docs.md new file mode 100644 index 0000000..cd37626 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0074/docs.md @@ -0,0 +1,13 @@ + +Managed streaming for Kafka can log to Cloud Watch, Kinesis Firehose and S3, at least one of these locations should be logged to + +### Impact +Without logging it is difficult to trace issues + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/msk/latest/developerguide/msk-logging.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md new file mode 100644 index 0000000..97580e1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable at rest encryption + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Cluster: + Type: AWS::MSK::Cluster + Properties: + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: "foo-bar-key" + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/Terraform.md new file mode 100644 index 0000000..65c002c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/Terraform.md 
@@ -0,0 +1,15 @@ + +Enable at rest encryption + +```hcl + resource "aws_msk_cluster" "good_example" { + encryption_info { + encryption_at_rest_kms_key_arn = "foo-bar-key" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/msk_cluster#encryption_info-argument-reference + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/docs.md new file mode 100644 index 0000000..d66a89a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/msk/AVD-AWS-0179/docs.md @@ -0,0 +1,13 @@ + +Encryption should be forced for Kafka clusters, including at rest. This ensures sensitive data is kept private. + +### Impact +Intercepted data can be read at rest + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/msk/latest/developerguide/msk-encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md new file mode 100644 index 0000000..81cd425 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md @@ -0,0 +1,18 @@ + +Enable export logs + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Cluster: + Type: AWS::Neptune::DBCluster + Properties: + EnableCloudwatchLogsExports: + - audit + + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/Terraform.md new file mode 100644 index 0000000..ce18372 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/Terraform.md 
@@ -0,0 +1,20 @@ + +Enable export logs + +```hcl + resource "aws_neptune_cluster" "good_example" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + enable_cloudwatch_logs_exports = ["audit"] + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#enable_cloudwatch_logs_exports + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/docs.md new file mode 100644 index 0000000..8c5a3f9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0075/docs.md @@ -0,0 +1,13 @@ + +Neptune does not have auditing by default. To ensure that you are able to accurately audit the usage of your Neptune instance you should enable export logs. + +### Impact +Limited visibility of audit trail for changes to Neptune + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/neptune/latest/userguide/auditing.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md new file mode 100644 index 0000000..d8fa03e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable encryption of Neptune storage + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Cluster: + Type: AWS::Neptune::DBCluster + Properties: + StorageEncrypted: true + KmsKeyId: "something" + + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/Terraform.md new file mode 100644 index 0000000..de85fb6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/Terraform.md @@ -0,0 +1,21 @@ + +Enable encryption of Neptune storage + +```hcl + resource "aws_neptune_cluster" "good_example" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + storage_encrypted = true + kms_key_arn = aws_kms_key.example.arn + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/docs.md new file mode 100644 index 0000000..fceb8d3 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0076/docs.md @@ -0,0 +1,13 @@ + +Encryption of Neptune storage ensures that if their is compromise of the disks, the data is still protected. + +### Impact +Unencrypted sensitive data is vulnerable to compromise. + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md new file mode 100644 index 0000000..e668510 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md 
@@ -0,0 +1,17 @@ + +Enable encryption using customer managed keys + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Cluster: + Type: AWS::Neptune::DBCluster + Properties: + StorageEncrypted: true + KmsKeyId: "something" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/Terraform.md new file mode 100644 index 0000000..a52438f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/Terraform.md @@ -0,0 +1,21 @@ + +Enable encryption using customer managed keys + +```hcl + resource "aws_neptune_cluster" "good_example" { + cluster_identifier = "neptune-cluster-demo" + engine = "neptune" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + skip_final_snapshot = true + iam_database_authentication_enabled = true + apply_immediately = true + storage_encrypted = true + kms_key_arn = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster#storage_encrypted + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/docs.md new file mode 100644 index 0000000..c3d81dd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/neptune/AVD-AWS-0128/docs.md @@ -0,0 +1,13 @@ + +Encryption using AWS keys provides protection for your Neptune underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys. + +### Impact +Using AWS managed keys does not allow for fine grained control + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/neptune/latest/userguide/encrypt.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md new file mode 100644 index 0000000..77970d1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md @@ -0,0 +1,16 @@ + +Explicitly set the retention period to greater than the default + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + BackupRetentionPeriod: 30 + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/Terraform.md new file mode 100644 index 0000000..9c7f7fa --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/Terraform.md @@ -0,0 +1,39 @@ + +Explicitly set the retention period to greater than the default + +```hcl + resource "aws_rds_cluster" "good_example" { + cluster_identifier = "aurora-cluster-demo" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + database_name = "mydb" + master_username = "foo" + master_password = "bar" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" + } + + +``` +```hcl + resource "aws_db_instance" "good_example" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = "default.mysql5.7" + backup_retention_period = 5 + skip_final_snapshot = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#backup_retention_period + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#backup_retention_period + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/docs.md new file mode 100644 index 0000000..129f4ef --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0077/docs.md @@ -0,0 +1,13 @@ + +RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk. + +### Impact +Potential loss of data and short opportunity for recovery + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md new file mode 100644 index 0000000..409debd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md @@ -0,0 +1,17 @@ + +Use Customer Managed Keys to encrypt Performance Insights data + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + EnablePerformanceInsights: true + PerformanceInsightsKMSKeyId: "something" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md new file mode 100644 index 0000000..03bb694 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/Terraform.md 
@@ -0,0 +1,17 @@ + +Use Customer Managed Keys to encrypt Performance Insights data + +```hcl +resource "aws_rds_cluster_instance" "good_example" { + name = "bar" + performance_insights_enabled = true + performance_insights_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/docs.md new file mode 100644 index 0000000..66aaa3d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0078/docs.md @@ -0,0 +1,17 @@ + +Amazon RDS uses the AWS managed key for your new DB instance. For complete control over KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, and rotating their cryptographic material, use a customer managed keys. + +The encryption key specified in `performance_insights_kms_key_id` references a KMS ARN + +### Impact +Using AWS managed keys does not allow for fine grained control + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html#USER_PerfInsights.access-control.cmk-policy + +- https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md new file mode 100644 index 0000000..935d8e2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md 
@@ -0,0 +1,17 @@ + +Enable encryption for RDS clusters + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of rds sgr +Resources: + Cluster: + Type: AWS::RDS::DBCluster + Properties: + StorageEncrypted: true + KmsKeyId: "something" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/Terraform.md new file mode 100644 index 0000000..6a75a93 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/Terraform.md @@ -0,0 +1,14 @@ + +Enable encryption for RDS clusters + +```hcl + resource "aws_rds_cluster" "good_example" { + name = "bar" + kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" + storage_encrypted = true + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/docs.md new file mode 100644 index 0000000..74d3d3e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0079/docs.md @@ -0,0 +1,15 @@ + +Encryption should be enabled for an RDS Aurora cluster. + +When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true. + +### Impact +Data can be read from the RDS cluster if it is compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md new file mode 100644 index 0000000..d4c0592 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md 
@@ -0,0 +1,17 @@ + +Enable encryption for RDS instances + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of rds sgr +Resources: + Instance: + Type: AWS::RDS::DBInstance + Properties: + StorageEncrypted: true + KmsKeyId: "something" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/Terraform.md new file mode 100644 index 0000000..dc2a0fd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/Terraform.md @@ -0,0 +1,13 @@ + +Enable encryption for RDS instances + +```hcl + resource "aws_db_instance" "good_example" { + storage_encrypted = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/docs.md new file mode 100644 index 0000000..d5ab2a5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0080/docs.md @@ -0,0 +1,15 @@ + +Encryption should be enabled for an RDS Database instances. + +When enabling encryption by setting the kms_key_id. + +### Impact +Data can be read from RDS instances if compromised + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/CloudFormation.md new file mode 100644 index 0000000..285befd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/CloudFormation.md @@ -0,0 +1,12 @@ + +Switch to VPC resources + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of rds sgr +Resources: + + +``` + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/Terraform.md new file mode 100644 index 0000000..7eb02e2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/Terraform.md @@ -0,0 +1,13 @@ + +Switch to VPC resources + +```hcl + resource "aws_security_group" "good_example" { + # ... + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_security_group + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/docs.md new file mode 100644 index 0000000..005a393 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0081/docs.md @@ -0,0 +1,14 @@ + +AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run +resources in a VPC instead. + +### Impact +Classic resources are running in a shared environment with other customers + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md new file mode 100644 index 0000000..8701d53 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md @@ -0,0 +1,17 @@ + +Enable performance insights + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + EnablePerformanceInsights: true + PerformanceInsightsKMSKeyId: "something" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/Terraform.md new file mode 100644 index 0000000..95f5db0 
--- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/Terraform.md @@ -0,0 +1,17 @@ + +Enable performance insights + +```hcl +resource "aws_rds_cluster_instance" "good_example" { + name = "bar" + performance_insights_enabled = true + performance_insights_kms_key_id = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster_instance#performance_insights_kms_key_id + + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#performance_insights_kms_key_id + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/docs.md new file mode 100644 index 0000000..c8bd18b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0133/docs.md @@ -0,0 +1,15 @@ + +Enabling Performance insights allows for greater depth in monitoring data. + +For example, information about active sessions could help diagose a compromise or assist in the investigation + +### Impact +Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise. + + +{{ remediationActions }} + +### Links +- https://aws.amazon.com/rds/performance-insights/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0176/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0176/docs.md new file mode 100644 index 0000000..b7d7a6d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0176/docs.md @@ -0,0 +1,13 @@ + +Ensure IAM Database Authentication is enabled for RDS database instances to manage database access + +### Impact + + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/neptune/latest/userguide/iam-auth.html + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0177/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0177/docs.md new file mode 100644 index 0000000..24d65d1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0177/docs.md @@ -0,0 +1,13 @@ + +Ensure deletion protection is enabled for RDS database instances. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md new file mode 100644 index 0000000..e183f4c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md @@ -0,0 +1,16 @@ + +Remove the public endpoint from the RDS instance. + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md new file mode 100644 index 0000000..929769b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/Terraform.md @@ -0,0 +1,11 @@ + +Remove the public endpoint from the RDS instance. + +```hcl + resource "aws_db_instance" "good_example" { + publicly_accessible = false + } + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/docs.md new file mode 100644 index 0000000..24487a1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0180/docs.md 
@@ -0,0 +1,13 @@ + +Ensures RDS instances and RDS Cluster instances are not launched into the public cloud. + +### Impact + + + +{{ remediationActions }} + +### Links +- http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0343/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0343/docs.md new file mode 100644 index 0000000..7c53ca4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/rds/AVD-AWS-0343/docs.md @@ -0,0 +1,13 @@ + +Ensure deletion protection is enabled for RDS clusters. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/config/latest/developerguide/rds-cluster-deletion-protection-enabled.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md new file mode 100644 index 0000000..85e3cd0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md @@ -0,0 +1,16 @@ + +Add descriptions for all security groups and rules + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of redshift sgr +Resources: + Queue: + Type: AWS::Redshift::ClusterSecurityGroup + Properties: + Description: "Disallow bad stuff" + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0083/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0083/docs.md new file mode 100644 index 0000000..d8ebc71 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0083/docs.md 
@@ -0,0 +1,15 @@
+
+Security groups and security group rules should include a description for auditing purposes.
+
+Simplifies auditing, debugging, and managing security groups.
+
+### Impact
+Descriptions provide context for the firewall rule reasons
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md
new file mode 100644
index 0000000..285ecfc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Enable encryption using CMK
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of redshift cluster
+Resources:
+ Queue:
+ Type: AWS::Redshift::Cluster
+ Properties:
+ Encrypted: true
+ KmsKeyId: "something"
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/Terraform.md
new file mode 100644
index 0000000..0bd4140
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/Terraform.md
@@ -0,0 +1,24 @@
+
+Enable encryption using CMK
+
+```hcl
+ resource "aws_kms_key" "redshift" {
+ enable_key_rotation = true
+ }
+
+ resource "aws_redshift_cluster" "good_example" {
+ cluster_identifier = "tf-redshift-cluster"
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "Mustbe8characters"
+ node_type = "dc1.large"
+ cluster_type = "single-node"
+ encrypted = true
+ kms_key_id = aws_kms_key.redshift.key_id
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#encrypted
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/docs.md
new file mode 100644
index 0000000..d02f2ef
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0084/docs.md
@@ -0,0 +1,13 @@
+
+Redshift clusters that contain sensitive data or are subject to regulation should be encrypted at rest to prevent data leakage should the infrastructure be compromised.
+
+### Impact
+Data may be leaked if infrastructure is compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md
new file mode 100644
index 0000000..c69a497
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md
@@ -0,0 +1,12 @@
+
+Switch to VPC resources
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of redshift sgr
+Resources:
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0085/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0085/docs.md
new file mode 100644
index 0000000..005a393
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0085/docs.md
@@ -0,0 +1,14 @@
+
+AWS Classic resources run in a shared environment with infrastructure owned by other AWS customers. You should run
+resources in a VPC instead.
+
+### Impact
+Classic resources are running in a shared environment with other customers
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-classic-platform.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md
new file mode 100644
index 0000000..5ee4929
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md
@@ -0,0 +1,16 @@
+
+Deploy Redshift cluster into a non default VPC
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of redshift cluster
+Resources:
+ Queue:
+ Type: AWS::Redshift::Cluster
+ Properties:
+ ClusterSubnetGroupName: "my-subnet-group"
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/Terraform.md
new file mode 100644
index 0000000..2a2226f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/Terraform.md
@@ -0,0 +1,20 @@
+
+Deploy Redshift cluster into a non default VPC
+
+```hcl
+ resource "aws_redshift_cluster" "good_example" {
+ cluster_identifier = "tf-redshift-cluster"
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "Mustbe8characters"
+ node_type = "dc1.large"
+ cluster_type = "single-node"
+
+ cluster_subnet_group_name = "redshift_subnet"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster#cluster_subnet_group_name
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/docs.md
new file mode 100644
index 0000000..5dd479f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/redshift/AVD-AWS-0127/docs.md
@@ -0,0 +1,15 @@
+
+Redshift clusters that are created without subnet details will be created in EC2 classic mode, meaning that they will be outside of a known VPC and running in tennant.
+
+In order to benefit from the additional security features achieved with using an owned VPC, the subnet should be set.
+
+### Impact
+Redshift cluster does not benefit from VPC security if it is deployed in EC2 classic mode
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/redshift/latest/mgmt/managing-clusters-vpc.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md
new file mode 100644
index 0000000..1d19560
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Enable blocking any PUT calls with a public ACL specified
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/Terraform.md
new file mode 100644
index 0000000..1f730eb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/Terraform.md
@@ -0,0 +1,18 @@
+
+Enable blocking any PUT calls with a public ACL specified
+
+```hcl
+resource "aws_s3_bucket" "good_example" {
+ bucket = "mybucket"
+}
+
+resource "aws_s3_bucket_public_access_block" "good_example" {
+ bucket = aws_s3_bucket.good_example.id
+ block_public_acls = true
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_acls
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/docs.md
new file mode 100644
index 0000000..88f6291
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0086/docs.md
@@ -0,0 +1,15 @@
+
+
+S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.
+
+
+### Impact
+PUT calls with public ACLs specified can make objects public
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md
new file mode 100644
index 0000000..826c037
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Prevent policies that allow public access being PUT
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/Terraform.md
new file mode 100644
index 0000000..a999b31
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/Terraform.md
@@ -0,0 +1,18 @@
+
+Prevent policies that allow public access being PUT
+
+```hcl
+resource "aws_s3_bucket" "example" {
+ bucket = "mybucket"
+}
+
+resource "aws_s3_bucket_public_access_block" "good_example" {
+ bucket = aws_s3_bucket.example.id
+ block_public_policy = true
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#block_public_policy
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/docs.md
new file mode 100644
index 0000000..ee05d02
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0087/docs.md
@@ -0,0 +1,15 @@
+
+
+S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.
+
+
+### Impact
+Users could put a policy that allows public access
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md
new file mode 100644
index 0000000..56c5f8c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Configure bucket encryption
+
+```yaml
+Resources:
+ GoodExample:
+ Properties:
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - BucketKeyEnabled: true
+ ServerSideEncryptionByDefault:
+ SSEAlgorithm: AES256
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/Terraform.md
new file mode 100644
index 0000000..fa27f85
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/Terraform.md
@@ -0,0 +1,83 @@
+
+Configure bucket encryption
+
+```hcl
+ resource "aws_s3_bucket" "good_example" {
+ bucket = "mybucket"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = "arn"
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+ }
+
+```
+```hcl
+ resource "aws_s3_bucket" "good_example" {
+ bucket = "mybucket"
+
+ # ... other configuration ...
+ }
+
+ resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
+ bucket = aws_s3_bucket.good_example.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.mykey.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+
+```
+```hcl
+terraform {
+ required_version = ">= 1.0, < 2.0"
+
+ required_providers {
+ aws = ">= 4.0"
+ }
+}
+
+resource "aws_kms_key" "s3_key" {
+ description = "This key is used to encrypt S3 bucket objects"
+ enable_key_rotation = true
+}
+
+module "s3_bucket" {
+ source = "terraform-aws-modules/s3-bucket/aws"
+ version = "~> 3.0"
+
+ bucket = "my_bucket"
+ acl = "private"
+ force_destroy = true
+ restrict_public_buckets = true
+ ignore_public_acls = true
+ block_public_policy = true
+ block_public_acls = true
+
+ versioning = {
+ enabled = true
+ }
+
+ server_side_encryption_configuration = {
+ rule = {
+ apply_server_side_encryption_by_default = {
+ sse_algorithm = "aws:kms"
+ kms_master_key_id = aws_kms_key.s3_key.arn
+ }
+ }
+ }
+
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/docs.md
new file mode 100644
index 0000000..3127560
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0088/docs.md
@@ -0,0 +1,13 @@
+
+S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.
+
+### Impact
+The bucket objects could be read if compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md
new file mode 100644
index 0000000..b9513de
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md
@@ -0,0 +1,15 @@
+
+Add a logging block to the resource to enable access logging
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ LoggingConfiguration:
+ DestinationBucketName: logging-bucket
+ LogFilePrefix: accesslogs/
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/Terraform.md
new file mode 100644
index 0000000..8289018
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/Terraform.md
@@ -0,0 +1,15 @@
+
+Add a logging block to the resource to enable access logging
+
+```hcl
+resource "aws_s3_bucket" "good_example" {
+ logging {
+ target_bucket = "target-bucket"
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/docs.md
new file mode 100644
index 0000000..fe0e14d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0089/docs.md
@@ -0,0 +1,13 @@
+
+Ensures S3 bucket logging is enabled for S3 buckets
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md
new file mode 100644
index 0000000..a7766b3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md
@@ -0,0 +1,14 @@
+
+Enable versioning to protect against accidental/malicious removal or modification
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ VersioningConfiguration:
+ Status: Enabled
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/Terraform.md
new file mode 100644
index 0000000..79d3a20
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/Terraform.md
@@ -0,0 +1,30 @@
+
+Enable versioning to protect against accidental/malicious removal or modification
+
+```hcl
+resource "aws_s3_bucket" "good_example" {
+
+ versioning {
+ enabled = true
+ }
+}
+
+```
+```hcl
+resource "aws_s3_bucket" "example" {
+ bucket = "yournamehere"
+
+ # ... other configuration ...
+}
+
+resource "aws_s3_bucket_versioning" "example" {
+ bucket = aws_s3_bucket.example.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/docs.md
new file mode 100644
index 0000000..e0988b2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0090/docs.md
@@ -0,0 +1,17 @@
+
+
+Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.
+You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.
+With versioning you can recover more easily from both unintended user actions and application failures.
+
+
+### Impact
+Deleted or modified data would not be recoverable
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md
new file mode 100644
index 0000000..b4cf72f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md
@@ -0,0 +1,18 @@
+
+Enable ignoring the application of public ACLs in PUT calls
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ AccessControl: Private
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/Terraform.md
new file mode 100644
index 0000000..99f2084
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/Terraform.md
@@ -0,0 +1,19 @@
+
+Enable ignoring the application of public ACLs in PUT calls
+
+```hcl
+resource "aws_s3_bucket" "example" {
+ bucket = "bucket"
+}
+
+ resource "aws_s3_bucket_public_access_block" "good_example" {
+ bucket = aws_s3_bucket.example.id
+
+ ignore_public_acls = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#ignore_public_acls
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/docs.md
new file mode 100644
index 0000000..872642b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0091/docs.md
@@ -0,0 +1,15 @@
+
+
+S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.
+
+
+### Impact
+PUT calls with public ACLs specified can make objects public
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md
new file mode 100644
index 0000000..ba29b33
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md
@@ -0,0 +1,13 @@
+
+Don't use canned ACLs or switch to private acl
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ AccessControl: Private
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/Terraform.md
new file mode 100644
index 0000000..1cb25bc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/Terraform.md
@@ -0,0 +1,23 @@
+
+Don't use canned ACLs or switch to private acl
+
+```hcl
+resource "aws_s3_bucket" "good_example" {
+ acl = "private"
+}
+
+```
+```hcl
+resource "aws_s3_bucket" "example" {
+ bucket = "yournamehere"
+}
+
+resource "aws_s3_bucket_acl" "example" {
+ bucket = aws_s3_bucket.example.id
+ acl = "private"
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/docs.md
new file mode 100644
index 0000000..6fa0fe8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0092/docs.md
@@ -0,0 +1,15 @@
+
+
+Buckets should not have ACLs that allow public access
+
+
+### Impact
+Public access to the bucket can lead to data leakage
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md
new file mode 100644
index 0000000..0f77f2e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/Terraform.md
new file mode 100644
index 0000000..08467ca
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/Terraform.md
@@ -0,0 +1,19 @@
+
+Limit the access to public buckets to only the owner or AWS Services (eg; CloudFront)
+
+```hcl
+resource "aws_s3_bucket" "example" {
+ bucket = "bucket"
+}
+
+resource "aws_s3_bucket_public_access_block" "good_example" {
+ bucket = aws_s3_bucket.example.id
+
+ restrict_public_buckets = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#restrict_public_buckets¡
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/docs.md
new file mode 100644
index 0000000..7450321
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0093/docs.md
@@ -0,0 +1,13 @@
+
+S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.
+
+### Impact
+Public buckets can be accessed by anyone
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/dev-retired/access-control-block-public-access.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md
new file mode 100644
index 0000000..2fcff6a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md
@@ -0,0 +1,18 @@
+
+Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ AccessControl: Private
+ PublicAccessBlockConfiguration:
+ BlockPublicAcls: true
+ BlockPublicPolicy: true
+ IgnorePublicAcls: true
+ RestrictPublicBuckets: true
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/Terraform.md
new file mode 100644
index 0000000..1e9d7fe
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/Terraform.md
@@ -0,0 +1,20 @@
+
+Define a aws_s3_bucket_public_access_block for the given bucket to control public access policies
+
+```hcl
+ resource "aws_s3_bucket" "example" {
+ bucket = "example"
+ acl = "private-read"
+ }
+
+ resource "aws_s3_bucket_public_access_block" "example" {
+ bucket = aws_s3_bucket.example.id
+ block_public_acls = true
+ block_public_policy = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block#bucket
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/docs.md
new file mode 100644
index 0000000..c9debfc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0094/docs.md
@@ -0,0 +1,13 @@
+
+The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.
+
+### Impact
+Public access policies may be applied to sensitive data buckets
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md
new file mode 100644
index 0000000..ca02c35
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md
@@ -0,0 +1,18 @@
+
+Enable encryption using customer managed keys
+
+```yaml
+Resources:
+ GoodExample:
+ Properties:
+ BucketEncryption:
+ ServerSideEncryptionConfiguration:
+ - BucketKeyEnabled: true
+ ServerSideEncryptionByDefault:
+ KMSMasterKeyID: kms-arn
+ SSEAlgorithm: aws:kms
+ Type: AWS::S3::Bucket
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/Terraform.md
new file mode 100644
index 0000000..aa75efe
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/Terraform.md
@@ -0,0 +1,41 @@
+
+Enable encryption using customer managed keys
+
+```hcl
+resource "aws_kms_key" "good_example" {
+ enable_key_rotation = true
+}
+
+resource "aws_s3_bucket" "good_example" {
+ bucket = "mybucket"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.example.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+ }
+ }
+
+```
+```hcl
+resource "aws_s3_bucket" "good_example" {
+ bucket = "mybucket"
+ acl = "log-delivery-write"
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#enable-default-server-side-encryption
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/docs.md
new file mode 100644
index 0000000..38469ce
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0132/docs.md
@@ -0,0 +1,13 @@
+
+Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
+
+### Impact
+Using AWS managed keys does not allow for fine grained control
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0170/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0170/Terraform.md
new file mode 100644
index 0000000..74fbe4f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0170/Terraform.md
@@ -0,0 +1,22 @@
+
+Enable MFA deletion protection on the bucket
+
+```hcl
+resource "aws_s3_bucket" "example" {
+ bucket = "bucket"
+}
+
+resource "aws_s3_bucket_versioning" "good_example" {
+ bucket = aws_s3_bucket.example.id
+
+ versioning_configuration {
+ status = "Enabled"
+ mfa_delete = "Enabled"
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0170/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0170/docs.md
new file mode 100644
index 0000000..9b01e9f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0170/docs.md
@@ -0,0 +1,15 @@
+
+
+Adding MFA delete to an S3 bucket, requires additional authentication when you change the version state of your bucket or you delete an object version, adding another layer of security in the event your security credentials are compromised or unauthorized access is obtained.
+
+
+### Impact
+Lessened protection against accidental/malicious deletion of data
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiFactorAuthenticationDelete.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0171/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0171/Terraform.md
new file mode 100644
index 0000000..49983db
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0171/Terraform.md
@@ -0,0 +1,23 @@
+
+Enable Object-level logging for S3 buckets.
+
+```hcl
+resource "aws_s3_bucket" "good_example" {
+ bucket = "my-bucket"
+}
+
+resource "aws_cloudtrail" "example" {
+ event_selector {
+ read_write_type = "WriteOnly" # or "All"
+ data_resource {
+ type = "AWS::S3::Object"
+ values = ["arn:aws:s3:::${aws_s3_bucket.good_example.bucket}/"]
+ }
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0171/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0171/docs.md
new file mode 100644
index 0000000..3ecf752
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0171/docs.md
@@ -0,0 +1,15 @@
+
+
+Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
+
+
+### Impact
+Difficult/impossible to audit bucket object/data changes.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0172/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0172/Terraform.md
new file mode 100644
index 0000000..83bd172
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0172/Terraform.md
@@ -0,0 +1,24 @@
+
+Enable Object-level logging for S3 buckets.
+
+```hcl
+resource "aws_s3_bucket" "good_example" {
+ bucket = "my-bucket"
+}
+
+resource "aws_cloudtrail" "example" {
+ event_selector {
+ read_write_type = "ReadOnly" # or "All"
+ data_resource {
+ type = "AWS::S3::Object"
+ values = ["arn:aws:s3:::${aws_s3_bucket.good_example.bucket}/"]
+ }
+ }
+}
+
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#versioning
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0172/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0172/docs.md
new file mode 100644
index 0000000..3ecf752
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0172/docs.md
@@ -0,0 +1,15 @@
+
+
+Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account or take immediate actions on any object-level API activity within your S3 Buckets using Amazon CloudWatch Events.
+
+
+### Impact
+Difficult/impossible to audit bucket object/data changes.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0320/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0320/docs.md
new file mode 100644
index 0000000..8ace5ad
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/s3/AVD-AWS-0320/docs.md
@@ -0,0 +1,13 @@
+
+Ensures that S3 buckets have DNS complaint bucket names.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest./dev/transfer-acceleration.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md
new file mode 100644
index 0000000..df4a977
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md
@@ -0,0 +1,21 @@
+
+Enable cache encryption
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM API
+Resources:
+ ApiGatewayApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Name: Good SAM API example
+ StageName: Prod
+ TracingEnabled: false
+ Domain:
+ SecurityPolicy: TLS_1_2
+ MethodSettings:
+ CacheDataEncrypted: true
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0110/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0110/docs.md
new file mode 100644
index 0000000..40b6b27
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0110/docs.md
@@ -0,0 +1,13 @@
+
+Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception
+
+### Impact
+Data stored in the cache that is unencrypted may be vulnerable to compromise
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-apigateway-stage-methodsetting.html#cfn-apigateway-stage-methodsetting-cachedataencrypted
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md
new file mode 100644
index 0000000..70af5c1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Enable tracing
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM API
+Resources:
+ ApiGatewayApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Name: Good SAM API example
+ StageName: Prod
+ TracingEnabled: true
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0111/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0111/docs.md
new file mode 100644
index 0000000..f8c27b9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0111/docs.md
@@ -0,0 +1,13 @@
+
+X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.
+
+### Impact
+Without full tracing enabled it is difficult to trace the flow of logs
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-tracingenabled
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md
new file mode 100644
index 0000000..4ccf336
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md
@@ -0,0 +1,19 @@
+
+Use the most modern TLS/SSL policies available
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM API
+Resources:
+ ApiGatewayApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Name: Good SAM API example
+ StageName: Prod
+ TracingEnabled: false
+ Domain:
+ SecurityPolicy: TLS_1_2
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0112/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0112/docs.md
new file mode 100644
index 0000000..e62d367
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0112/docs.md
@@ -0,0 +1,13 @@
+
+You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
+
+### Impact
+Outdated SSL policies increase exposure to known vulnerabilities
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-property-api-domainconfiguration.html#sam-api-domainconfiguration-securitypolicy
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md
new file mode 100644
index 0000000..95ca9ab
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md
@@ -0,0 +1,22 @@
+
+Enable logging for API Gateway stages
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM API
+Resources:
+ ApiGatewayApi:
+ Type: AWS::Serverless::Api
+ Properties:
+ Name: Good SAM API example
+ StageName: Prod
+ TracingEnabled: false
+ Domain:
+ SecurityPolicy: TLS_1_2
+ AccessLogSetting:
+ DestinationArn: gateway-logging
+ Format: json
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0113/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0113/docs.md
new file mode 100644
index 0000000..1814ae1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0113/docs.md
@@ -0,0 +1,13 @@
+
+API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
+
+### Impact
+Logging provides vital information about access and usage
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-api.html#sam-api-accesslogsetting
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md
new file mode 100644
index 0000000..51d1242
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0114/CloudFormation.md
@@ -0,0 +1,31 @@
+
+Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM Function
+Resources:
+ GoodFunction:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Policies:
+ - AWSLambdaExecute
+ - Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:GetObjectACL
+ Resource: 'arn:aws:s3:::my-bucket/*'
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0114/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0114/docs.md
new file mode 100644
index 0000000..721f783
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0114/docs.md
@@ -0,0 +1,13 @@
+
+You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+
+### Impact
+Overly permissive policies may grant access to sensitive resources
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-policies
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md
new file mode 100644
index 0000000..14fbea6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md
@@ -0,0 +1,20 @@
+
+Enable logging for API Gateway stages
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM API
+Resources:
+ ApiGatewayApi:
+ Type: AWS::Serverless::HttpApi
+ Properties:
+ Name: Good SAM API example
+ StageName: Prod
+ Tracing: Activey
+ AccessLogSettings:
+ DestinationArn: gateway-logging
+ Format: json
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0116/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0116/docs.md
new file mode 100644
index 0000000..daa6cc2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0116/docs.md
@@ -0,0 +1,13 @@
+
+API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
+
+### Impact
+Logging provides vital information about access and usage
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-httpapi.html#sam-httpapi-accesslogsettings
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md
new file mode 100644
index 0000000..9cc1aa6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md
@@ -0,0 +1,24 @@
+
+Enable tracing
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM API
+Resources:
+ GoodStateMachine:
+ Type: AWS::Serverless::StateMachine
+ Properties:
+ Definition:
+ StartAt: MyLambdaState
+ States:
+ MyLambdaState:
+ Type: Task
+ Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app
+ End: true
+ Role: arn:aws:iam::123456123456:role/service-role/my-sample-role
+ Tracing:
+ Enabled: true
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0117/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0117/docs.md
new file mode 100644
index 0000000..189389b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0117/docs.md
@@ -0,0 +1,13 @@
+
+X-Ray tracing enables end-to-end debugging and analysis of all state machine activities.
+
+### Impact
+Without full tracing enabled it is difficult to trace the flow of logs
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-tracing
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0119/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0119/docs.md
new file mode 100644
index 0000000..af65468
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0119/docs.md
@@ -0,0 +1,13 @@
+
+Logging enables end-to-end debugging and analysis of all state machine activities.
+
+### Impact
+Without logging enabled it is difficult to identify suspicious activity
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-logging
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md
new file mode 100644
index 0000000..07f97cb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0120/CloudFormation.md
@@ -0,0 +1,33 @@
+
+Specify the exact permissions required, and to which resources they should apply instead of using wildcards.
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM Function
+Resources:
+ GoodFunction:
+ Type: AWS::Serverless::StateMachine
+ Properties:
+ Definition:
+ StartAt: MyLambdaState
+ States:
+ MyLambdaState:
+ Type: Task
+ Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app
+ End: true
+ Role: arn:aws:iam::123456123456:role/service-role/my-sample-role
+ Tracing:
+ Enabled: true
+ Policies:
+ - AWSLambdaExecute
+ - Version: '2012-10-17'
+ Statement:
+ - Effect: Allow
+ Action:
+ - s3:GetObject
+ - s3:GetObjectACL
+ Resource: 'arn:aws:s3:::my-bucket/*'
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0120/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0120/docs.md
new file mode 100644
index 0000000..daade7f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0120/docs.md
@@ -0,0 +1,13 @@
+
+You should use the principle of least privilege when defining your IAM policies. This means you should specify each exact permission required without using wildcards, as this could cause the granting of access to certain undesired actions, resources and principals.
+
+### Impact
+Overly permissive policies may grant access to sensitive resources
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-statemachine.html#sam-statemachine-policies
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md
new file mode 100644
index 0000000..a9e173d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Enable server side encryption
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM Table
+Resources:
+ GoodFunction:
+ Type: AWS::Serverless::SimpleTable
+ Properties:
+ TableName: GoodTable
+ SSESpecification:
+ SSEEnabled: true
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0121/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0121/docs.md
new file mode 100644
index 0000000..5f63d43
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0121/docs.md
@@ -0,0 +1,13 @@
+
+Encryption should be enabled at all available levels to ensure that data is protected if compromised.
+
+### Impact
+Data stored in the table that is unencrypted may be vulnerable to compromise
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-simpletable.html#sam-simpletable-ssespecification
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md
new file mode 100644
index 0000000..132c68a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md
@@ -0,0 +1,23 @@
+
+Enable tracing
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of SAM Function
+Resources:
+ GoodFunction:
+ Type: AWS::Serverless::Function
+ Properties:
+ PackageType: Image
+ ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name
+ ImageConfig:
+ Command:
+ - "app.lambda_handler"
+ EntryPoint:
+ - "entrypoint1"
+ WorkingDirectory: "workDir"
+ Tracing: Active
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0125/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0125/docs.md
new file mode 100644
index 0000000..f2bd913
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sam/AVD-AWS-0125/docs.md
@@ -0,0 +1,13 @@
+
+X-Ray tracing enables end-to-end debugging and analysis of the function.
+
+### Impact
+Without full tracing enabled it is difficult to trace the flow of logs
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/sam-resource-function.html#sam-function-tracing
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md
new file mode 100644
index 0000000..ab23afc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Turn on SNS Topic encryption
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of topic
+Resources:
+ Queue:
+ Type: AWS::SQS::Topic
+ Properties:
+ TopicName: blah
+ KmsMasterKeyId: some-key
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/Terraform.md
new file mode 100644
index 0000000..dc95563
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/Terraform.md
@@ -0,0 +1,13 @@
+
+Turn on SNS Topic encryption
+
+```hcl
+ resource "aws_sns_topic" "good_example" {
+ kms_master_key_id = "/blah"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/docs.md
new file mode 100644
index 0000000..6cf5620
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0095/docs.md
@@ -0,0 +1,13 @@
+
+Topics should be encrypted to protect their contents.
+
+### Impact
+The SNS topic messages could be read if compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md
new file mode 100644
index 0000000..fee0370
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Use a CMK for SNS Topic encryption
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of topic
+Resources:
+ Queue:
+ Type: AWS::SQS::Topic
+ Properties:
+ TopicName: blah
+ KmsMasterKeyId: some-key
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/Terraform.md
new file mode 100644
index 0000000..32ec4d1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/Terraform.md
@@ -0,0 +1,13 @@
+
+Use a CMK for SNS Topic encryption
+
+```hcl
+ resource "aws_sns_topic" "good_example" {
+ kms_master_key_id = "/blah"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/docs.md
new file mode 100644
index 0000000..b5f8cc3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sns/AVD-AWS-0136/docs.md
@@ -0,0 +1,13 @@
+
+Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
+
+### Impact
+Key management very limited when using default keys.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/sns/latest/dg/sns-server-side-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md
new file mode 100644
index 0000000..5408c53
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md
@@ -0,0 +1,17 @@
+
+Turn on SQS Queue encryption
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of queue
+Resources:
+ Queue:
+ Type: AWS::SQS::Queue
+ Properties:
+ KmsMasterKeyId: some-key
+ QueueName: my-queue
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/Terraform.md
new file mode 100644
index 0000000..b4b5065
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/Terraform.md
@@ -0,0 +1,19 @@
+
+Turn on SQS Queue encryption
+
+```hcl
+ resource "aws_sqs_queue" "good_example" {
+ kms_master_key_id = "/blah"
+ }
+
+```
+```hcl
+resource "aws_sqs_queue" "terraform_queue" {
+ name = "terraform-example-queue"
+ sqs_managed_sse_enabled = true
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/docs.md
new file mode 100644
index 0000000..0ddc8ad
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0096/docs.md
@@ -0,0 +1,13 @@
+
+Queues should be encrypted to protect queue contents.
+
+### Impact
+The SQS queue messages could be read if compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md
new file mode 100644
index 0000000..98791c9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md
@@ -0,0 +1,31 @@
+
+Keep policy scope to the minimum that is required to be effective
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of queue policy
+Resources:
+ MyQueue:
+ Type: AWS::SQS::Queue
+ Properties:
+ Name: something
+ SampleSQSPolicy:
+ Type: AWS::SQS::QueuePolicy
+ Properties:
+ Queues:
+ - Ref: MyQueue
+ PolicyDocument:
+ Statement:
+ -
+ Action:
+ - "SQS:SendMessage"
+ - "SQS:ReceiveMessage"
+ Effect: "Allow"
+ Resource: "arn:aws:sqs:us-east-2:444455556666:queue2"
+ Principal:
+ AWS:
+ - "111122223333"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0097/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0097/Terraform.md new file mode 100644 index 0000000..0ec8a88 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0097/Terraform.md @@ -0,0 +1,25 @@ + +Keep policy scope to the minimum that is required to be effective + +```hcl + resource "aws_sqs_queue_policy" "good_example" { + queue_url = aws_sqs_queue.q.id + + policy = < +{{ remediationActions }} + +### Links +- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-security-best-practices.html + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md new file mode 100644 index 0000000..45c261d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md @@ -0,0 +1,17 @@ + +Encrypt SQS Queue with a customer-managed key + +```yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example of queue +Resources: + Queue: + Type: AWS::SQS::Queue + Properties: + KmsMasterKeyId: some-key + QueueName: my-queue + + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/Terraform.md new file mode 100644 index 0000000..a0ccb64 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/Terraform.md @@ -0,0 +1,13 @@ + +Encrypt SQS Queue with a customer-managed key + +```hcl + resource "aws_sqs_queue" "good_example" { + kms_master_key_id = "/blah" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue#server-side-encryption-sse + 
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/docs.md
new file mode 100644
index 0000000..e418511
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/sqs/AVD-AWS-0135/docs.md
@@ -0,0 +1,13 @@
+
+Queues should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular control over access to specific queues.
+
+### Impact
+The SQS queue messages could be read if compromised. Key management is very limited when using default keys.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-server-side-encryption.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md
new file mode 100644
index 0000000..b8b3b11
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md
@@ -0,0 +1,18 @@
+
+Use customer managed keys
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example of ingress rule
+Resources:
+ Secret:
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Description: "secret"
+ KmsKeyId: "my-key-id"
+ Name: "blah"
+ SecretString: "don't tell anyone"
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/Terraform.md
new file mode 100644
index 0000000..ce02fbe
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/Terraform.md
@@ -0,0 +1,18 @@
+
+Use customer managed keys
+
+```hcl
+ resource "aws_kms_key" "secrets" {
+ enable_key_rotation = true
+ }
+
+ resource "aws_secretsmanager_secret" "good_example" {
+ name = "lambda_password"
+ kms_key_id = aws_kms_key.secrets.arn
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret#kms_key_id
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/docs.md
new file mode 100644
index 0000000..3b71d51
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0098/docs.md
@@ -0,0 +1,13 @@
+
+Secrets Manager encrypts secrets by default using a default key created by AWS. To ensure control and granularity of secret encryption, CMK's should be used explicitly.
+
+### Impact
+Using AWS managed keys reduces the flexibility and control over the encryption key
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/kms/latest/developerguide/services-secrets-manager.html#asm-encrypt
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md
new file mode 100644
index 0000000..f2a0349
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0134/Terraform.md
@@ -0,0 +1,14 @@
+
+Remove this potential exfiltration HTTP request.
+
+```hcl
+resource "aws_ssm_parameter" "db_password" {
+ name = "db_password"
+ type = "SecureString"
+ value = var.db_password
+}
+
+
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0134/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0134/docs.md
new file mode 100644
index 0000000..4fe0f81
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/ssm/AVD-AWS-0134/docs.md
@@ -0,0 +1,13 @@
+
+The data.http block can be used to send secret data outside of the organisation.
+
+### Impact
+Secrets could be exposed outside of the organisation.
+
+
+{{ remediationActions }}
+
+### Links
+- https://sprocketfox.io/xssfox/2022/02/09/terraformsupply/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md b/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md
new file mode 100644
index 0000000..0c7200d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md
@@ -0,0 +1,28 @@
+
+Root and user volume encryption should be enabled
+
+```yaml---
+Resources:
+ GoodExample:
+ Type: AWS::WorkSpaces::Workspace
+ Properties:
+ RootVolumeEncryptionEnabled: true
+ UserVolumeEncryptionEnabled: true
+ UserName: "admin"
+
+```
+```yaml{
+ "Resources": {
+ "GoodExample": {
+ "Type": "AWS::WorkSpaces::Workspace",
+ "Properties": {
+ "RootVolumeEncryptionEnabled": true,
+ "UserVolumeEncryptionEnabled": true,
+ "UserName": "admin"
+ }
+ }
+ }
+ }
+```
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/Terraform.md b/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/Terraform.md
new file mode 100644
index 0000000..823c029
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/Terraform.md
@@ -0,0 +1,25 @@
+
+Root and user volume encryption should be enabled
+
+```hcl
+ resource "aws_workspaces_workspace" "good_example" {
+ directory_id = aws_workspaces_directory.test.id
+ bundle_id = data.aws_workspaces_bundle.value_windows_10.id
+ user_name = "Administrator"
+ root_volume_encryption_enabled = true
+ user_volume_encryption_enabled = true
+
+ workspace_properties {
+ compute_type_name = "VALUE"
+ user_volume_size_gib = 10
+ root_volume_size_gib = 80
+ running_mode = "AUTO_STOP"
+ running_mode_auto_stop_timeout_in_minutes = 60
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/workspaces_workspace#root_volume_encryption_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/docs.md b/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/docs.md
new file mode 100644
index 0000000..def9e92
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/aws/workspaces/AVD-AWS-0109/docs.md
@@ -0,0 +1,13 @@
+
+Workspace volumes for both user and root should be encrypted to protect the data stored on them.
+
+### Impact
+Data can be freely read if compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/workspaces/latest/adminguide/encrypt-workspaces.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0001/Terraform.md
new file mode 100644
index 0000000..fcc8f71
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0001/Terraform.md
@@ -0,0 +1,17 @@
+
+Enable incoming certificates for clients
+
+```hcl
+ resource "azurerm_app_service" "good_example" {
+ name = "example-app-service"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ client_cert_enabled = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0001/docs.md
new file mode 100644
index 0000000..0cb1198
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0001/docs.md
@@ -0,0 +1,10 @@
+
+The TLS mutual authentication technique in enterprise environments ensures the authenticity of clients to the server. If incoming client certificates are enabled only an authenticated client with valid certificates can access the app.
+
+### Impact
+Mutual TLS is not being used
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0002/Terraform.md
new file mode 100644
index 0000000..7cc96bc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0002/Terraform.md
@@ -0,0 +1,21 @@
+
+Register the app identity with AD
+
+```hcl
+ resource "azurerm_app_service" "good_example" {
+ name = "example-app-service"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+
+ identity {
+ type = "UserAssigned"
+ identity_ids = "webapp1"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#identity
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0002/docs.md
new file mode 100644
index 0000000..d01e5f7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0002/docs.md
@@ -0,0 +1,10 @@
+
+Registering the identity used by an App with AD allows it to interact with other services without using username and password
+
+### Impact
+Interaction between services can't easily be achieved without username/password
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0003/Terraform.md
new file mode 100644
index 0000000..6d7da57
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0003/Terraform.md
@@ -0,0 +1,20 @@
+
+Enable authentication to prevent anonymous request being accepted
+
+```hcl
+ resource "azurerm_app_service" "good_example" {
+ name = "example-app-service"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+
+ auth_settings {
+ enabled = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0003/docs.md
new file mode 100644
index 0000000..3efdfc1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0003/docs.md
@@ -0,0 +1,10 @@
+
+Enabling authentication ensures that all communications in the application are authenticated. The auth_settings block needs to be filled out with the appropriate auth backend settings
+
+### Impact
+Anonymous HTTP requests will be accepted
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0004/Terraform.md
new file mode 100644
index 0000000..344874b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0004/Terraform.md
@@ -0,0 +1,20 @@
+
+You can redirect all HTTP requests to the HTTPS port.
+
+```hcl
+ resource "azurerm_function_app" "good_example" {
+ name = "test-azure-functions"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ storage_account_name = azurerm_storage_account.example.name
+ storage_account_access_key = azurerm_storage_account.example.primary_access_key
+ os_type = "linux"
+ https_only = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#https_only
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0004/docs.md
new file mode 100644
index 0000000..5d44abb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0004/docs.md
@@ -0,0 +1,15 @@
+
+By default, clients can connect to function endpoints by using both HTTP or HTTPS. You should redirect HTTP to HTTPs because HTTPS uses the SSL/TLS protocol to provide a secure connection, which is both encrypted and authenticated.
+
+### Impact
+Anyone can access the Function App using HTTP.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/app-service/configure-ssl-bindings#enforce-https
+
+- https://docs.microsoft.com/en-us/azure/azure-functions/security-concepts
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0005/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0005/Terraform.md
new file mode 100644
index 0000000..95cd5b3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0005/Terraform.md
@@ -0,0 +1,20 @@
+
+Use the latest version of HTTP
+
+```hcl
+ resource "azurerm_app_service" "good_example" {
+ name = "example-app-service"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+
+ site_config {
+ http2_enabled = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0005/docs.md
new file mode 100644
index 0000000..2713cb2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0005/docs.md
@@ -0,0 +1,10 @@
+
+Use the latest version of HTTP to ensure you are benefiting from security fixes
+
+### Impact
+Outdated versions of HTTP has security vulnerabilities
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0006/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0006/Terraform.md
new file mode 100644
index 0000000..e83651b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0006/Terraform.md
@@ -0,0 +1,16 @@
+
+The TLS version being outdated and has known vulnerabilities
+
+```hcl
+ resource "azurerm_app_service" "good_example" {
+ name = "example-app-service"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0006/docs.md
new file mode 100644
index 0000000..d2cc538
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/appservice/AVD-AZU-0006/docs.md
@@ -0,0 +1,10 @@
+
+Use a more recent TLS/SSL policy for the App Service
+
+### Impact
+The minimum TLS version for apps should be TLS1_2
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/authorization/AVD-AZU-0030/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/authorization/AVD-AZU-0030/Terraform.md
new file mode 100644
index 0000000..bea3b01
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/authorization/AVD-AZU-0030/Terraform.md
@@ -0,0 +1,27 @@ + +Use targeted permissions for roles + +```hcl + data "azurerm_subscription" "primary" { + } + + resource "azurerm_role_definition" "example" { + name = "my-custom-role" + scope = data.azurerm_subscription.primary.id + description = "This is a custom role created via Terraform" + + permissions { + actions = ["*"] + not_actions = [] + } + + assignable_scopes = [ + data.azurerm_subscription.primary.id, + ] + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition#actions + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/authorization/AVD-AZU-0030/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/authorization/AVD-AZU-0030/docs.md new file mode 100644 index 0000000..cb06855 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/authorization/AVD-AZU-0030/docs.md @@ -0,0 +1,10 @@ + +The permissions granted to a role should be kept to the minimum required to be able to do the task. Wildcard permissions must not be used. + +### Impact +Open permissions for subscriptions could result in an easily compromisable account + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0037/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0037/Terraform.md new file mode 100644 index 0000000..1ca9aad --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0037/Terraform.md @@ -0,0 +1,21 @@ + +Don't use sensitive credentials in the VM custom_data + +```hcl + resource "azurerm_virtual_machine" "good_example" { + name = "good_example" + os_profile_linux_config { + disable_password_authentication = false + } + os_profile { + custom_data =< +{{ remediationActions }} + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0038/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0038/Terraform.md
new file mode 100644
index 0000000..3bb69e0
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0038/Terraform.md
@@ -0,0 +1,14 @@
+
+Enable encryption on managed disks
+
+```hcl
+ resource "azurerm_managed_disk" "good_example" {
+ encryption_settings {
+ enabled = true
+ }
+ }
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/managed_disk
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0038/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0038/docs.md
new file mode 100644
index 0000000..0ca048f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0038/docs.md
@@ -0,0 +1,13 @@
+
+Manage disks should be encrypted at rest. When specifying the encryption_settings block, the enabled attribute should be set to true.
+
+### Impact
+Data could be read if compromised
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0039/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0039/Terraform.md
new file mode 100644
index 0000000..8295eff
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0039/Terraform.md
@@ -0,0 +1,43 @@
+
+Use ssh authentication for virtual machines
+
+```hcl
+ resource "azurerm_linux_virtual_machine" "good_linux_example" {
+ name = "good-linux-machine"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ size = "Standard_F2"
+ admin_username = "adminuser"
+ admin_password = "somePassword"
+
+ admin_ssh_key {
+ username = "adminuser"
+ public_key = file("~/.ssh/id_rsa.pub")
+ }
+ }
+
+ resource "azurerm_virtual_machine" "good_example" {
+ name = "good-linux-machine"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ size = "Standard_F2"
+ admin_username = "adminuser"
+
+
+ os_profile_linux_config {
+ ssh_keys = [{
+ key_data = file("~/.ssh/id_rsa.pub")
+ path = "~/.ssh/id_rsa.pub"
+ }]
+
+ disable_password_authentication = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine#disable_password_authentication
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine#disable_password_authentication
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0039/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0039/docs.md
new file mode 100644
index 0000000..e89c684
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/compute/AVD-AZU-0039/docs.md
@@ -0,0 +1,10 @@
+
+Access to virtual machines should be authenticated using SSH keys. Removing the option of password authentication enforces more secure methods while removing the risks inherent with passwords.
+
+### Impact
+Using password authentication is less secure that ssh keys may result in compromised servers
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0040/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0040/Terraform.md
new file mode 100644
index 0000000..1a65b18
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0040/Terraform.md
@@ -0,0 +1,25 @@
+
+Enable logging for AKS
+
+```hcl
+ resource "azurerm_kubernetes_cluster" "good_example" {
+ addon_profile {
+ oms_agent {
+ enabled = true
+ }
+ }
+ }
+
+```
+```hcl
+ resource "azurerm_kubernetes_cluster" "good_example" {
+ oms_agent {
+ log_analytics_workspace_id = "whatever"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#oms_agent
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0040/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0040/docs.md
new file mode 100644
index 0000000..8e6e32d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0040/docs.md
@@ -0,0 +1,13 @@
+
+Ensure AKS logging to Azure Monitoring is configured for containers to monitor the performance of workloads.
+
+### Impact
+Logging provides valuable information about access and usage
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-onboard
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0041/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0041/Terraform.md
new file mode 100644
index 0000000..1eddde6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0041/Terraform.md
@@ -0,0 +1,19 @@
+
+Limit the access to the API server to a limited IP range
+
+```hcl
+ resource "azurerm_kubernetes_cluster" "good_example" {
+ api_server_access_profile {
+ authorized_ip_ranges = [
+ "1.2.3.4/32"
+ ]
+
+ }
+
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#authorized_ip_ranges
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0041/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0041/docs.md
new file mode 100644
index 0000000..01da3e2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0041/docs.md
@@ -0,0 +1,13 @@
+
+The API server is the central way to interact with and manage a cluster. To improve cluster security and minimize attacks, the API server should only be accessible from a limited set of IP address ranges.
+
+### Impact
+Any IP can interact with the API server
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0042/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0042/Terraform.md
new file mode 100644
index 0000000..bb09686
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0042/Terraform.md
@@ -0,0 +1,57 @@
+
+Enable RBAC
+
+```hcl
+ resource "azurerm_kubernetes_cluster" "good_example" {
+ // azurerm < 2.99.0
+ role_based_access_control {
+ enabled = true
+ }
+
+ // azurerm >= 2.99.0
+ role_based_access_control_enabled = true
+ }
+
+```
+```hcl
+resource "azurerm_kubernetes_cluster" "aks_cluster" {
+ name = var.name
+ location = var.location
+ resource_group_name = var.resource_group_name
+ dns_prefix = var.name
+ kubernetes_version = var.cluster_version
+ api_server_authorized_ip_ranges = var.ip_whitelist
+ azure_policy_enabled = true
+ default_node_pool {
+ name = "default"
+ enable_auto_scaling = true
+ min_count = var.node_min_count
+ max_count = var.node_max_count
+ max_pods = var.pod_max_count # If you don't specify only allows 30 pods
+ vm_size = var.vm_size
+ os_disk_size_gb = 250 # default 30GB
+ vnet_subnet_id = var.vnet_subnet_id
+ }
+
+ network_profile {
+ network_plugin = "azure"
+ network_policy = "azure"
+ }
+
+ identity {
+ type = "SystemAssigned"
+ }
+
+ azure_active_directory_role_based_access_control {
+ managed = true
+ azure_rbac_enabled = true
+ admin_group_object_ids = [data.azuread_group.aks_admins.object_id]
+ }
+
+}
+
+```
+
+#### Remediation Links
+ - https://www.terraform.io/docs/providers/azurerm/r/kubernetes_cluster.html#role_based_access_control
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0042/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0042/docs.md
new file mode 100644
index 0000000..92d7cca
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0042/docs.md
@@ -0,0 +1,13 @@
+
+Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need.
+
+### Impact
+No role based access control is in place for the AKS cluster
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/aks/concepts-identity
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0043/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0043/Terraform.md
new file mode 100644
index 0000000..ffa1276
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0043/Terraform.md
@@ -0,0 +1,15 @@
+
+Configure a network policy
+
+```hcl
+ resource "azurerm_kubernetes_cluster" "good_example" {
+ network_profile {
+ network_policy = "calico"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#network_policy
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0043/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0043/docs.md
new file mode 100644
index 0000000..25936a7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/container/AVD-AZU-0043/docs.md
@@ -0,0 +1,13 @@
+
+The Kubernetes object type NetworkPolicy should be defined to have opportunity allow or block traffic to pods, as in a Kubernetes cluster configured with default settings, all pods can discover and communicate with each other without any restrictions.
+
+### Impact
+No network policy is protecting the AKS cluster
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/services-networking/network-policies
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0018/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0018/Terraform.md
new file mode 100644
index 0000000..288e9a4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0018/Terraform.md
@@ -0,0 +1,22 @@
+
+Provide at least one email address for threat alerts
+
+```hcl
+ resource "azurerm_mssql_server_security_alert_policy" "good_example" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_sql_server.example.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.example.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ email_addresses = ["db-security@acme.org"]
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#email_addresses
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0018/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0018/docs.md
new file mode 100644
index 0000000..7eccceb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0018/docs.md
@@ -0,0 +1,10 @@
+
+SQL Server sends alerts for threat detection via email, if there are no email addresses set then mitigation will be delayed.
+
+### Impact
+Nobody will be promptly alerted in the case of a threat being detected
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0019/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0019/Terraform.md
new file mode 100644
index 0000000..6f264c5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0019/Terraform.md
@@ -0,0 +1,37 @@
+
+Enable connection logging
+
+```hcl
+ resource "azurerm_resource_group" "example" {
+ name = "example-resources"
+ location = "West Europe"
+ }
+
+ resource "azurerm_postgresql_server" "example" {
+ name = "example-psqlserver"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ administrator_login = "psqladminun"
+ administrator_login_password = "H@Sh1CoR3!"
+
+ sku_name = "GP_Gen5_4"
+ version = "9.6"
+ storage_mb = 640000
+ }
+
+ resource "azurerm_postgresql_configuration" "example" {
+ name = "log_connections"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "on"
+ }
+
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
+
+ - https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0019/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0019/docs.md
new file mode 100644
index 0000000..5f3cc1a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0019/docs.md
@@ -0,0 +1,13 @@
+
+Postgresql can generate logs for successful connections to improve visibility for audit and configuration issue resolution.
+
+### Impact
+No visibility of successful connections
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0020/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0020/Terraform.md
new file mode 100644
index 0000000..e1c54cd
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0020/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable SSL enforcement
+
+```hcl
+ resource "azurerm_postgresql_server" "good_example" {
+ name = "good_example"
+
+ public_network_access_enabled = false
+ ssl_enforcement_enabled = true
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#ssl_enforcement_enabled
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#ssl_enforcement_enabled
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#ssl_enforcement_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0020/docs.md
new file mode 100644
index 0000000..c6f32a4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0020/docs.md
@@ -0,0 +1,10 @@
+
+SSL connections should be enforced were available to ensure secure transfer and reduce the risk of compromising data in flight.
+
+### Impact
+Insecure connections could lead to data loss and other vulnerabilities
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0021/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0021/Terraform.md
new file mode 100644
index 0000000..94895ff
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0021/Terraform.md
@@ -0,0 +1,35 @@
+
+Enable connection throttling logging
+
+```hcl
+ resource "azurerm_resource_group" "example" {
+ name = "example-resources"
+ location = "West Europe"
+ }
+
+ resource "azurerm_postgresql_server" "example" {
+ name = "example-psqlserver"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ administrator_login = "psqladminun"
+ administrator_login_password = "H@Sh1CoR3!"
+
+ sku_name = "GP_Gen5_4"
+ version = "9.6"
+ storage_mb = 640000
+ }
+
+ resource "azurerm_postgresql_configuration" "example" {
+ name = "connection_throttling"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "on"
+ }
+
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0021/docs.md
new file mode 100644
index 0000000..6331dad
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0021/docs.md
@@ -0,0 +1,13 @@
+
+Postgresql can generate logs for connection throttling to improve visibility for audit and configuration issue resolution.
+
+### Impact
+No log information to help diagnosing connection contention issues
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0022/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0022/Terraform.md
new file mode 100644
index 0000000..217393a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0022/Terraform.md
@@ -0,0 +1,21 @@
+
+Disable public access to database when not required
+
+```hcl
+ resource "azurerm_postgresql_server" "good_example" {
+ name = "bad_example"
+
+ public_network_access_enabled = false
+ ssl_enforcement_enabled = false
+ ssl_minimal_tls_version_enforced = "TLS1_2"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#public_network_access_enabled
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#public_network_access_enabled
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mariadb_server#public_network_access_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0022/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0022/docs.md
new file mode 100644
index 0000000..06ae4f5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0022/docs.md
@@ -0,0 +1,10 @@
+
+Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function.
+
+### Impact
+Publicly accessible database could lead to compromised data
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0023/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0023/Terraform.md
new file mode 100644
index 0000000..b429277
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0023/Terraform.md
@@ -0,0 +1,20 @@
+
+Enable email to subscription owners
+
+```hcl
+ resource "azurerm_mssql_server_security_alert_policy" "good_example" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_sql_server.example.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.example.primary_access_key
+ disabled_alerts = []
+
+ email_account_admins = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#email_account_admins
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0023/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0023/docs.md
new file mode 100644
index 0000000..e621fc2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0023/docs.md
@@ -0,0 +1,10 @@
+
+Subscription owners should be notified when there are security alerts. By ensuring the administrators of the account have been notified they can quickly assist in any required remediation
+
+### Impact
+Administrators and subscription owners may have a delayed response
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0024/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0024/Terraform.md
new file mode 100644
index 0000000..d9aa58a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0024/Terraform.md
@@ -0,0 +1,35 @@
+
+Enable checkpoint logging
+
+```hcl
+ resource "azurerm_resource_group" "example" {
+ name = "example-resources"
+ location = "West Europe"
+ }
+
+ resource "azurerm_postgresql_server" "example" {
+ name = "example-psqlserver"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ administrator_login = "psqladminun"
+ administrator_login_password = "H@Sh1CoR3!"
+
+ sku_name = "GP_Gen5_4"
+ version = "9.6"
+ storage_mb = 640000
+ }
+
+ resource "azurerm_postgresql_configuration" "example" {
+ name = "log_checkpoints"
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_postgresql_server.example.name
+ value = "on"
+ }
+
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_configuration
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0024/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0024/docs.md
new file mode 100644
index 0000000..5a66d6d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0024/docs.md
@@ -0,0 +1,13 @@
+
+Postgresql can generate logs for checkpoints to improve visibility for audit and configuration issue resolution.
+
+### Impact
+No error and query logs generated on checkpoint
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/postgresql/concepts-server-logs#configure-logging
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0025/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0025/Terraform.md
new file mode 100644
index 0000000..4693d39
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0025/Terraform.md
@@ -0,0 +1,26 @@ + +Set retention periods of database auditing to greater than 90 days + +```hcl + resource "azurerm_mssql_database_extended_auditing_policy" "good_example" { + database_id = azurerm_mssql_database.example.id + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = false + } + + resource "azurerm_mssql_database_extended_auditing_policy" "good_example" { + database_id = azurerm_mssql_database.example.id + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = false + retention_in_days = 90 + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_database_extended_auditing_policy + + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server#retention_in_days + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0025/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0025/docs.md new file mode 100644 index 0000000..86e473b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0025/docs.md @@ -0,0 +1,15 @@ + +When Auditing is configured for a SQL database, if the retention period is not set, the retention will be unlimited. + +If the retention period is to be explicitly set, it should be set for no less than 90 days. + +### Impact +Short logging retention could result in missing valuable historical information + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0026/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0026/Terraform.md new file mode 100644 index 0000000..86ba9c2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0026/Terraform.md @@ -0,0 +1,31 @@ + +Use the most modern TLS policies available + +```hcl + resource "azurerm_mssql_server" "good_example" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "thisIsKat11" + minimum_tls_version = "1.2" + } + + resource "azurerm_postgresql_server" "good_example" { + name = "bad_example" + + public_network_access_enabled = true + ssl_enforcement_enabled = false + ssl_minimal_tls_version_enforced = "TLS1_2" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server#minimum_tls_version + + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_server#ssl_minimal_tls_version_enforced + + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/postgresql_server#ssl_minimal_tls_version_enforced + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0026/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0026/docs.md new file mode 100644 index 0000000..1cbe228 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0026/docs.md @@ -0,0 +1,10 @@ + +You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. + +### Impact +Outdated TLS policies increase exposure to known issues + + +{{ remediationActions }} + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0027/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0027/Terraform.md new file mode 100644 index 0000000..81b5309 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0027/Terraform.md @@ -0,0 +1,25 @@ + +Enable auditing on Azure SQL databases + +```hcl + resource "azurerm_sql_server" "good_example" { + name = "mssqlserver" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "mradministrator" + administrator_login_password = "tfsecRocks" + + extended_auditing_policy { + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + storage_account_access_key_is_secondary = true + retention_in_days = 6 + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_server#extended_auditing_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0027/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0027/docs.md new file mode 100644 index 0000000..09d302c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0027/docs.md @@ -0,0 +1,13 @@ + +Auditing helps you maintain regulatory compliance, understand database activity, and gain insight into discrepancies and anomalies that could indicate business concerns or suspected security violations. + +### Impact +Auditing provides valuable information about access and usage + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/azure-sql/database/auditing-overview + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0028/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0028/Terraform.md new file mode 100644 index 0000000..0f07baa --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0028/Terraform.md @@ -0,0 +1,19 @@ + +Use all provided threat alerts + +```hcl + resource "azurerm_mssql_server_security_alert_policy" "good_example" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.example.primary_access_key + disabled_alerts = [] + retention_days = 20 + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_security_alert_policy#disabled_alerts + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0028/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0028/docs.md new file mode 100644 index 0000000..895ef12 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0028/docs.md @@ -0,0 +1,10 @@ + +SQL Server can alert for security issues including SQL Injection, vulnerabilities, access anomalies and data exfiltration. Ensure none of these are disabled to benefit from the best protection + +### Impact +Disabling threat alerts means you are not getting the full benefit of server security protection + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0029/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0029/Terraform.md new file mode 100644 index 0000000..11e3170 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0029/Terraform.md 
@@ -0,0 +1,17 @@ + +Don't use wide ip ranges for the sql firewall + +```hcl + resource "azurerm_sql_firewall_rule" "good_example" { + name = "good_rule" + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_sql_server.example.name + start_ip_address = "0.0.0.0" + end_ip_address = "0.0.0.0" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sql_firewall_rule#end_ip_address + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0029/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0029/docs.md new file mode 100644 index 0000000..0bc32bc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/database/AVD-AZU-0029/docs.md @@ -0,0 +1,13 @@ + +Azure services can be allowed access through the firewall using a start and end IP address of 0.0.0.0. No other end ip address should be combined with a start of 0.0.0.0 + +### Impact +Publicly accessible databases could lead to compromised data + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/rest/api/sql/2021-02-01-preview/firewall-rules/create-or-update + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/datafactory/AVD-AZU-0035/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/datafactory/AVD-AZU-0035/Terraform.md new file mode 100644 index 0000000..f249dca --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/datafactory/AVD-AZU-0035/Terraform.md @@ -0,0 +1,16 @@ + +Set public access to disabled for Data Factory + +```hcl + resource "azurerm_data_factory" "good_example" { + name = "example" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + public_network_enabled = false + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_factory#public_network_enabled + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md new file mode 100644 index 0000000..aa0aae4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/datafactory/AVD-AZU-0035/docs.md @@ -0,0 +1,15 @@ + +Data Factory has public access set to true by default. + +Disabling public network access is applicable only to the self-hosted integration runtime, not to Azure Integration Runtime and SQL Server Integration Services (SSIS) Integration Runtime. + +### Impact +Data factory is publicly accessible + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/data-factory/data-movement-security-considerations#hybrid-scenarios + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/datalake/AVD-AZU-0036/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/datalake/AVD-AZU-0036/Terraform.md new file mode 100644 index 0000000..d25432c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/datalake/AVD-AZU-0036/Terraform.md @@ -0,0 +1,12 @@ + +Enable encryption of data lake storage + +```hcl + resource "azurerm_data_lake_store" "good_example" { + encryption_state = "Enabled" + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/data_lake_store + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/datalake/AVD-AZU-0036/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/datalake/AVD-AZU-0036/docs.md new file mode 100644 index 0000000..32f5ea7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/datalake/AVD-AZU-0036/docs.md @@ -0,0 +1,13 @@ + +Datalake storage encryption defaults to Enabled, it shouldn't be overridden to Disabled. + +### Impact +Data could be read if compromised + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/data-lake-store/data-lake-store-security-overview + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0013/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0013/Terraform.md new file mode 100644 index 0000000..eadbee7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0013/Terraform.md @@ -0,0 +1,22 @@ + +Set a network ACL for the key vault + +```hcl + resource "azurerm_key_vault" "good_example" { + name = "examplekeyvault" + location = azurerm_resource_group.good_example.location + enabled_for_disk_encryption = true + soft_delete_retention_days = 7 + purge_protection_enabled = false + + network_acls { + bypass = "AzureServices" + default_action = "Deny" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md new file mode 100644 index 0000000..03091f0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0013/docs.md @@ -0,0 +1,15 @@ + +Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. + +The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass. + +### Impact +Without a network ACL the key vault is freely accessible + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/key-vault/general/network-security + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0014/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0014/Terraform.md new file mode 100644 index 0000000..e4cda44 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0014/Terraform.md 
@@ -0,0 +1,26 @@ + +Set an expiration date on the vault key + +```hcl + resource "azurerm_key_vault_key" "good_example" { + name = "generated-certificate" + key_vault_id = azurerm_key_vault.example.id + key_type = "RSA" + key_size = 2048 + expiration_date = "1982-12-31T00:00:00Z" + + key_opts = [ + "decrypt", + "encrypt", + "sign", + "unwrapKey", + "verify", + "wrapKey", + ] + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md new file mode 100644 index 0000000..d2e5b27 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0014/docs.md @@ -0,0 +1,15 @@ + +Expiration Date is an optional Key Vault Key behavior and is not set by default. + +Set when the resource will be become inactive. + +### Impact +Long life keys increase the attack surface when compromised + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0015/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0015/Terraform.md new file mode 100644 index 0000000..b8896eb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0015/Terraform.md 
@@ -0,0 +1,16 @@ + +Provide content type for secrets to aid interpretation on retrieval + +```hcl + resource "azurerm_key_vault_secret" "good_example" { + name = "secret-sauce" + value = "szechuan" + key_vault_id = azurerm_key_vault.example.id + content_type = "password" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md new file mode 100644 index 0000000..ad64390 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0015/docs.md @@ -0,0 +1,15 @@ + +Content Type is an optional Key Vault Secret behavior and is not enabled by default. + +Clients may specify the content type of a secret to assist in interpreting the secret data when it's retrieved. The maximum length of this field is 255 characters. There are no pre-defined values. The suggested usage is as a hint for interpreting the secret data. + +### Impact +The secret's type is unclear without a content type + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0016/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0016/Terraform.md new file mode 100644 index 0000000..3ab531c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0016/Terraform.md 
@@ -0,0 +1,17 @@ + +Enable purge protection for key vaults + +```hcl + resource "azurerm_key_vault" "good_example" { + name = "examplekeyvault" + location = azurerm_resource_group.good_example.location + enabled_for_disk_encryption = true + soft_delete_retention_days = 7 + purge_protection_enabled = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#purge_protection_enabled + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md new file mode 100644 index 0000000..27eb6ad --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0016/docs.md @@ -0,0 +1,15 @@ + +Purge protection is an optional Key Vault behavior and is not enabled by default. + +Purge protection can only be enabled once soft-delete is enabled. It can be turned on via CLI or PowerShell. + +### Impact +Keys could be purged from the vault without protection + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview#purge-protection + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0017/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0017/Terraform.md new file mode 100644 index 0000000..e5b1f8e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0017/Terraform.md 
@@ -0,0 +1,38 @@ + +Set an expiry for secrets + +```hcl + resource "azurerm_key_vault_secret" "good_example" { + name = "secret-sauce" + value = "szechuan" + key_vault_id = azurerm_key_vault.example.id + expiration_date = "1982-12-31T00:00:00Z" + } + +``` +```hcl +resource "azuread_application" "myapp" { + display_name = "MyAzureAD App" + + group_membership_claims = ["ApplicationGroup"] + prevent_duplicate_names = true + +} + +resource "azuread_application_password" "myapp" { + application_object_id = azuread_application.myapp.object_id +} + +resource "azurerm_key_vault_secret" "myapp_pass" { + name = "myapp-oauth" + value = azuread_application_password.myapp.value + key_vault_id = azurerm_key_vault.cluster_key_vault.id + expiration_date = azuread_application_password.myapp.end_date + content_type = "Password" +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#expiration_date + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md new file mode 100644 index 0000000..a85b4c2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/keyvault/AVD-AZU-0017/docs.md @@ -0,0 +1,15 @@ + +Expiration Date is an optional Key Vault Secret behavior and is not set by default. + +Set when the resource will be become inactive. + +### Impact +Long life secrets increase the opportunity for compromise + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0031/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0031/Terraform.md new file mode 100644 index 0000000..ed69ea0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0031/Terraform.md 
@@ -0,0 +1,18 @@ + +Set a retention period that will allow for delayed investigation + +```hcl + resource "azurerm_monitor_log_profile" "good_example" { + name = "good_example" + + retention_policy { + enabled = true + days = 365 + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#retention_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0031/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0031/docs.md new file mode 100644 index 0000000..2e4c39a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0031/docs.md @@ -0,0 +1,13 @@ + +The average time to detect a breach is up to 210 days, to ensure that all the information required for an effective investigation is available, the retention period should allow for delayed starts to investigating. + +### Impact +Short life activity logs can lead to missing records when investigating a breach + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/platform-logs-overview + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0032/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0032/Terraform.md new file mode 100644 index 0000000..b7e1094 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0032/Terraform.md 
@@ -0,0 +1,92 @@ + +Enable capture for all locations + +```hcl + resource "azurerm_monitor_log_profile" "good_example" { + name = "bad_example" + + categories = [] + + locations = [ + "eastus", + "eastus2", + "southcentralus", + "westus2", + "westus3", + "australiaeast", + "southeastasia", + "northeurope", + "swedencentral", + "uksouth", + "westeurope", + "centralus", + "northcentralus", + "westus", + "southafricanorth", + "centralindia", + "eastasia", + "japaneast", + "jioindiawest", + "koreacentral", + "canadacentral", + "francecentral", + "germanywestcentral", + "norwayeast", + "switzerlandnorth", + "uaenorth", + "brazilsouth", + "centralusstage", + "eastusstage", + "eastus2stage", + "northcentralusstage", + "southcentralusstage", + "westusstage", + "westus2stage", + "asia", + "asiapacific", + "australia", + "brazil", + "canada", + "europe", + "global", + "india", + "japan", + "uk", + "unitedstates", + "eastasiastage", + "southeastasiastage", + "centraluseuap", + "eastus2euap", + "westcentralus", + "southafricawest", + "australiacentral", + "australiacentral2", + "australiasoutheast", + "japanwest", + "jioindiacentral", + "koreasouth", + "southindia", + "westindia", + "canadaeast", + "francesouth", + "germanynorth", + "norwaywest", + "swedensouth", + "switzerlandwest", + "ukwest", + "uaecentral", + "brazilsoutheast", + ] + + retention_policy { + enabled = true + days = 7 + } + } + + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#locations + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0032/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0032/docs.md new file mode 100644 index 0000000..ec736a9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0032/docs.md 
@@ -0,0 +1,13 @@ + +Log profiles should capture all regions to ensure that all events are logged + +### Impact +Activity may be occurring in locations that aren't being monitored + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create-required-parameters + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0033/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0033/Terraform.md new file mode 100644 index 0000000..be85029 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0033/Terraform.md @@ -0,0 +1,24 @@ + +Configure log profile to capture all activities + +```hcl + resource "azurerm_monitor_log_profile" "good_example" { + name = "good_example" + + categories = [ + "Action", + "Delete", + "Write", + ] + + retention_policy { + enabled = true + days = 365 + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_log_profile#categories + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0033/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0033/docs.md new file mode 100644 index 0000000..1619682 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/monitor/AVD-AZU-0033/docs.md @@ -0,0 +1,15 @@ + +Log profiles should capture all categories to ensure that all events are logged + +### Impact +Log profile must capture all activity to be able to ensure that all relevant information possible is available for an investigation + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/activity-log + +- https://docs.microsoft.com/en-us/cli/azure/monitor/log-profiles?view=azure-cli-latest#az_monitor_log_profiles_create-required-parameters + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0047/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0047/Terraform.md new file mode 100644 index 0000000..9d0018d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0047/Terraform.md @@ -0,0 +1,24 @@ + +Set a more restrictive cidr range + +```hcl + resource "azurerm_network_security_rule" "good_example" { + direction = "Inbound" + destination_address_prefix = "10.0.0.0/16" + access = "Allow" + } +``` +```hcl +resource "azurerm_network_security_rule" "allow_lb_prober" { + direction = "Inbound" + access = "Allow" + protocol = "Tcp" # Probes are always TCP + source_port_range = "*" + destination_port_ranges = "443" + source_address_prefix = "168.63.129.16" // single public IP (Azure well known) +} +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0047/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0047/docs.md new file mode 100644 index 0000000..4137611 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0047/docs.md @@ -0,0 +1,15 @@ + +Network security rules should not use very broad subnets. + +Where possible, segments should be broken into smaller subnets. + +### Impact +The port is exposed for ingress from the internet + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0048/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0048/Terraform.md new file mode 100644 index 0000000..0012503 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0048/Terraform.md 
@@ -0,0 +1,35 @@ + +Block RDP port from internet + +```hcl + resource "azurerm_network_security_rule" "good_example" { + name = "good_example_security_rule" + direction = "Inbound" + access = "Allow" + protocol = "TCP" + source_port_range = "*" + destination_port_ranges = ["3389"] + source_address_prefix = "4.53.160.75" + destination_address_prefix = "*" + } + + resource "azurerm_network_security_group" "example" { + name = "tf-appsecuritygroup" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + security_rule { + source_port_range = "any" + destination_port_ranges = ["3389"] + source_address_prefix = "4.53.160.75" + destination_address_prefix = "*" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/network_security_group#security_rule + + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#source_port_ranges + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0048/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0048/docs.md new file mode 100644 index 0000000..eef047c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0048/docs.md @@ -0,0 +1,15 @@ + +RDP access can be configured on either the network security group or in the network security group rule. + +RDP access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any). Consider using the Azure Bastion Service. + +### Impact +Anyone from the internet can potentially RDP onto an instance + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0049/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0049/Terraform.md new file mode 100644 index 0000000..f8b5db6 
--- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0049/Terraform.md @@ -0,0 +1,23 @@ + +Ensure flow log retention is turned on with an expiry of >90 days + +```hcl +resource "azurerm_network_watcher_flow_log" "good_watcher" { + network_watcher_name = "good_watcher" + resource_group_name = "resource-group" + + network_security_group_id = azurerm_network_security_group.test.id + storage_account_id = azurerm_storage_account.test.id + enabled = true + + retention_policy { + enabled = true + days = 90 + } +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_watcher_flow_log#retention_policy + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0049/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0049/docs.md new file mode 100644 index 0000000..d5e28c3 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0049/docs.md @@ -0,0 +1,16 @@ + +Flow logs are the source of truth for all network activity in your cloud environment. +To enable analysis in security event that was detected late, you need to have the logs available. + +Setting an retention policy will help ensure as much information is available for review. + +### Impact +Not enabling retention or having short expiry on flow logs could lead to compromise being undetected limiting time for analysis + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview + + diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0050/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0050/Terraform.md new file mode 100644 index 0000000..65c256a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0050/Terraform.md 
@@ -0,0 +1,22 @@
+
+Block port 22 access from the internet
+
+```hcl
+ resource "azurerm_network_security_rule" "good_example" {
+ name = "good_example_security_rule"
+ direction = "Inbound"
+ access = "Allow"
+ protocol = "TCP"
+ source_port_range = "*"
+ destination_port_range = "22"
+ source_address_prefix = "82.102.23.23"
+ destination_address_prefix = "*"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/network_security_group#security_rule
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule#source_port_ranges
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0050/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0050/docs.md
new file mode 100644
index 0000000..e42590c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0050/docs.md
@@ -0,0 +1,12 @@
+
+SSH access can be configured on either the network security group or in the network security group rule.
+
+SSH access should not be permitted from the internet (*, 0.0.0.0, /0, internet, any)
+
+### Impact
+Its dangerous to allow SSH access from the internet
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0051/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0051/Terraform.md
new file mode 100644
index 0000000..1781c9c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0051/Terraform.md
@@ -0,0 +1,14 @@
+
+Set a more restrictive cidr range
+
+```hcl
+ resource "azurerm_network_security_rule" "good_example" {
+ direction = "Outbound"
+ destination_address_prefix = "10.0.0.0/16"
+ access = "Allow"
+ }
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_rule
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0051/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0051/docs.md
new file mode 100644
index 0000000..b5834eb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/network/AVD-AZU-0051/docs.md
@@ -0,0 +1,15 @@
+
+Network security rules should not use very broad subnets.
+
+Where possible, segments should be broken into smaller subnets.
+
+### Impact
+The port is exposed for egress to the internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md
new file mode 100644
index 0000000..ddd8c46
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0044/Terraform.md
@@ -0,0 +1,17 @@
+
+ Set alert notifications to be on
+
+```hcl
+ resource "azurerm_security_center_contact" "good_example" {
+ email = "good_example@example.com"
+ phone = "+1-555-555-5555"
+
+ alert_notifications = true
+ alerts_to_admins = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#alert_notifications
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md
new file mode 100644
index 0000000..b1a5bf9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0044/docs.md
@@ -0,0 +1,14 @@
+
+It is recommended that at least one valid contact is configured for the security center.
+Microsoft will notify the security contact directly in the event of a security incident using email and require alerting to be turned on.
+
+### Impact
+The ability to react to high severity notifications could be delayed
+
+
+{{ remediationActions }}
+
+### Links
+- https://azure.microsoft.com/en-us/services/security-center/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0045/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0045/Terraform.md
new file mode 100644
index 0000000..4db565e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0045/Terraform.md
@@ -0,0 +1,14 @@
+
+Enable standard subscription tier to benefit from Azure Defender
+
+```hcl
+ resource "azurerm_security_center_subscription_pricing" "good_example" {
+ tier = "Standard"
+ resource_type = "VirtualMachines"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_subscription_pricing#tier
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md
new file mode 100644
index 0000000..62c1ab4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0045/docs.md
@@ -0,0 +1,15 @@
+
+To benefit from Azure Defender you should use the Standard subscription tier.
+
+ Enabling Azure Defender extends the capabilities of the free mode to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
+
+### Impact
+Using free subscription does not enable Azure Defender for the resource type
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/security-center/security-center-pricing
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0046/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0046/Terraform.md
new file mode 100644
index 0000000..af31d46
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0046/Terraform.md
@@ -0,0 +1,17 @@
+
+Set a telephone number for security center contact
+
+```hcl
+ resource "azurerm_security_center_contact" "good_example" {
+ email = "good_contact@example.com"
+ phone = "+1-555-555-5555"
+
+ alert_notifications = true
+ alerts_to_admins = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/security_center_contact#phone
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md
new file mode 100644
index 0000000..1209555
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/securitycenter/AVD-AZU-0046/docs.md
@@ -0,0 +1,14 @@
+
+It is recommended that at least one valid contact is configured for the security center.
+Microsoft will notify the security contact directly in the event of a security incident and will look to use a telephone number in cases where a prompt response is required.
+
+### Impact
+Without a telephone number set, Azure support can't contact
+
+
+{{ remediationActions }}
+
+### Links
+- https://azure.microsoft.com/en-us/services/security-center/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0007/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0007/Terraform.md
new file mode 100644
index 0000000..57a5030
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0007/Terraform.md
@@ -0,0 +1,14 @@
+
+Disable public access to storage containers
+
+```hcl
+ resource "azurerm_storage_container" "good_example" {
+ name = "terraform-container-storage"
+ container_access_type = "private"
+ }
+
+```
+
+#### Remediation Links
+ - https://www.terraform.io/docs/providers/azure/r/storage_container.html#properties
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0007/docs.md
new file mode 100644
index 0000000..0c33370
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0007/docs.md
@@ -0,0 +1,15 @@
+
+Storage container public access should be off. It can be configured for blobs only, containers and blobs or off entirely. The default is off, with no public access.
+
+Explicitly overriding publicAccess to anything other than off should be avoided.
+
+### Impact
+Data in the storage container could be exposed publicly
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#set-the-public-access-level-for-a-container
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0008/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0008/Terraform.md
new file mode 100644
index 0000000..e94b9e7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0008/Terraform.md
@@ -0,0 +1,18 @@
+
+Only allow secure connection for transferring data into storage accounts
+
+```hcl
+ resource "azurerm_storage_account" "good_example" {
+ name = "storageaccountname"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+ enable_https_traffic_only = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0008/docs.md
new file mode 100644
index 0000000..bf5b179
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0008/docs.md
@@ -0,0 +1,17 @@
+
+You can configure your storage account to accept requests from secure connections only by setting the Secure transfer required property for the storage account.
+
+When you require secure transfer, any requests originating from an insecure connection are rejected.
+
+Microsoft recommends that you always require secure transfer for all of your storage accounts.
+
+### Impact
+Insecure transfer of data into secure accounts could be read if intercepted
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0009/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0009/Terraform.md
new file mode 100644
index 0000000..a0170a9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0009/Terraform.md
@@ -0,0 +1,26 @@
+
+Enable logging for Queue Services
+
+```hcl
+ resource "azurerm_storage_account" "good_example" {
+ name = "example"
+ resource_group_name = data.azurerm_resource_group.example.name
+ location = data.azurerm_resource_group.example.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+ queue_properties {
+ logging {
+ delete = true
+ read = true
+ write = true
+ version = "1.0"
+ retention_policy_days = 10
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0009/docs.md
new file mode 100644
index 0000000..605f587
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0009/docs.md
@@ -0,0 +1,17 @@
+
+Storage Analytics logs detailed information about successful and failed requests to a storage service.
+
+This information can be used to monitor individual requests and to diagnose issues with a storage service.
+
+Requests are logged on a best-effort basis.
+
+### Impact
+Logging provides valuable information about access and usage
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0010/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0010/Terraform.md
new file mode 100644
index 0000000..cf440d4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0010/Terraform.md
@@ -0,0 +1,41 @@
+
+Allow Trusted Microsoft Services to bypass
+
+```hcl
+ resource "azurerm_storage_account" "good_example" {
+ name = "storageaccountname"
+ resource_group_name = azurerm_resource_group.example.name
+
+ location = azurerm_resource_group.example.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+
+ network_rules {
+ default_action = "Deny"
+ ip_rules = ["100.0.0.1"]
+ virtual_network_subnet_ids = [azurerm_subnet.example.id]
+ bypass = ["Metrics", "AzureServices"]
+ }
+
+ tags = {
+ environment = "staging"
+ }
+ }
+
+ resource "azurerm_storage_account_network_rules" "test" {
+ resource_group_name = azurerm_resource_group.test.name
+ storage_account_name = azurerm_storage_account.test.name
+
+ default_action = "Allow"
+ ip_rules = ["127.0.0.1"]
+ virtual_network_subnet_ids = [azurerm_subnet.test.id]
+ bypass = ["Metrics", "AzureServices"]
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass
+
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0010/docs.md
new file mode 100644
index 0000000..f63f1b7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0010/docs.md
@@ -0,0 +1,15 @@
+
+Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules.
+
+To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules
+
+### Impact
+Trusted Microsoft Services won't be able to access storage account unless rules set to allow
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0011/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0011/Terraform.md
new file mode 100644
index 0000000..5f47809
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0011/Terraform.md
@@ -0,0 +1,16 @@
+
+Use a more recent TLS/SSL policy for the load balancer
+
+```hcl
+ resource "azurerm_storage_account" "good_example" {
+ name = "storageaccountname"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ min_tls_version = "TLS1_2"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0011/docs.md
new file mode 100644
index 0000000..c4985a2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0011/docs.md
@@ -0,0 +1,17 @@
+
+Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2.
+
+Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility.
+
+This check will warn if the minimum TLS is not set to TLS1_2.
+
+### Impact
+The TLS version being outdated and has known vulnerabilities
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0012/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0012/Terraform.md
new file mode 100644
index 0000000..b6ed570
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0012/Terraform.md
@@ -0,0 +1,17 @@
+
+Set network rules to deny
+
+```hcl
+ resource "azurerm_storage_account_network_rules" "good_example" {
+
+ default_action = "Deny"
+ ip_rules = ["127.0.0.1"]
+ virtual_network_subnet_ids = [azurerm_subnet.test.id]
+ bypass = ["Metrics"]
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0012/docs.md
new file mode 100644
index 0000000..9b76847
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/storage/AVD-AZU-0012/docs.md
@@ -0,0 +1,15 @@
+
+The default_action for network rules should come into effect when no other rules are matched.
+
+The default action should be set to Deny.
+
+### Impact
+Network rules that allow could cause data to be exposed publicly
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/azure/firewall/rule-processing
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/synapse/AVD-AZU-0034/Terraform.md b/cmd/trivy-policies-generator/avd_docs/azure/synapse/AVD-AZU-0034/Terraform.md
new file mode 100644
index 0000000..ca7bcf0
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/synapse/AVD-AZU-0034/Terraform.md
@@ -0,0 +1,28 @@
+
+Set manage virtual network to enabled
+
+```hcl
+ resource "azurerm_synapse_workspace" "good_example" {
+ name = "example"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ storage_data_lake_gen2_filesystem_id = azurerm_storage_data_lake_gen2_filesystem.example.id
+ sql_administrator_login = "sqladminuser"
+ sql_administrator_login_password = "H@Sh1CoR3!"
+ managed_virtual_network_enabled = true
+ aad_admin {
+ login = "AzureAD Admin"
+ object_id = "00000000-0000-0000-0000-000000000000"
+ tenant_id = "00000000-0000-0000-0000-000000000000"
+ }
+
+ tags = {
+ Env = "production"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/synapse_workspace#managed_virtual_network_enabled
+
diff --git a/cmd/trivy-policies-generator/avd_docs/azure/synapse/AVD-AZU-0034/docs.md b/cmd/trivy-policies-generator/avd_docs/azure/synapse/AVD-AZU-0034/docs.md
new file mode 100644
index 0000000..9e31b5d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/azure/synapse/AVD-AZU-0034/docs.md
@@ -0,0 +1,18 @@ + +Synapse Workspace does not have managed virtual network enabled by default. + +When you create your Azure Synapse workspace, you can choose to associate it to a Microsoft Azure Virtual Network. The Virtual Network associated with your workspace is managed by Azure Synapse. This Virtual Network is called a Managed workspace Virtual Network. +Managed private endpoints are private endpoints created in a Managed Virtual Network associated with your Azure Synapse workspace. Managed private endpoints establish a private link to Azure resources. You can only use private links in a workspace that has a Managed workspace Virtual Network. + +### Impact +Your Synapse workspace is not using the private endpoints + + +{{ remediationActions }} + +### Links +- https://docs.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-private-endpoints + +- https://docs.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-managed-vnet + + diff --git a/cmd/trivy-policies-generator/avd_docs/cloudstack/compute/AVD-CLDSTK-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/cloudstack/compute/AVD-CLDSTK-0001/Terraform.md new file mode 100644 index 0000000..5cec9f6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/cloudstack/compute/AVD-CLDSTK-0001/Terraform.md @@ -0,0 +1,31 @@ + +Don't use sensitive data in the user data section + +```hcl + resource "cloudstack_instance" "web" { + name = "server-1" + service_offering = "small" + network_id = "6eb22f91-7454-4107-89f4-36afcdf33021" + template = "CentOS 6.5" + zone = "zone-1" + user_data = < +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0001/Terraform.md new file mode 100644 index 0000000..bc13b46 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0001/Terraform.md 
@@ -0,0 +1,21 @@
+
+Set a more restrictive CIRDR range
+
+```hcl
+ resource "digitalocean_firewall" "good_example" {
+ name = "only-22-80-and-443"
+
+ droplet_ids = [digitalocean_droplet.web.id]
+
+ inbound_rule {
+ protocol = "tcp"
+ port_range = "22"
+ source_addresses = ["192.168.1.0/24", "fc00::/7"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/firewall
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md
new file mode 100644
index 0000000..31113ce
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0001/docs.md
@@ -0,0 +1,13 @@
+
+Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
+
+### Impact
+Your port is exposed to the internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0002/Terraform.md
new file mode 100644
index 0000000..fe0288f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0002/Terraform.md
@@ -0,0 +1,24 @@
+
+Switch to HTTPS to benefit from TLS security features
+
+```hcl
+ resource "digitalocean_loadbalancer" "good_example" {
+ name = "bad_example-1"
+ region = "nyc3"
+
+ forwarding_rule {
+ entry_port = 443
+ entry_protocol = "https"
+
+ target_port = 443
+ target_protocol = "https"
+ }
+
+ droplet_ids = [digitalocean_droplet.web.id]
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/loadbalancer
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0002/docs.md
new file mode 100644
index 0000000..13b30d6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0002/docs.md
@@ -0,0 +1,15 @@
+
+Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.
+
+You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.
+
+### Impact
+Your inbound traffic is not protected
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.digitalocean.com/products/networking/load-balancers/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0003/Terraform.md
new file mode 100644
index 0000000..4dea4aa
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0003/Terraform.md
@@ -0,0 +1,21 @@
+
+Set a more restrictive cidr range
+
+```hcl
+ resource "digitalocean_firewall" "good_example" {
+ name = "only-22-80-and-443"
+
+ droplet_ids = [digitalocean_droplet.web.id]
+
+ outbound_rule {
+ protocol = "tcp"
+ port_range = "22"
+ destination_addresses = ["192.168.1.0/24", "fc00::/7"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/firewall
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md
new file mode 100644
index 0000000..37937fb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0003/docs.md
@@ -0,0 +1,13 @@
+
+Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+
+### Impact
+The port is exposed for ingress from the internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.digitalocean.com/products/networking/firewalls/how-to/configure-rules/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0004/Terraform.md
new file mode 100644
index 0000000..54ca633
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0004/Terraform.md
@@ -0,0 +1,21 @@
+
+Use ssh keys for login
+
+```hcl
+ data "digitalocean_ssh_key" "terraform" {
+ name = "myKey"
+ }
+
+ resource "digitalocean_droplet" "good_example" {
+ image = "ubuntu-18-04-x64"
+ name = "web-1"
+ region = "nyc2"
+ size = "s-1vcpu-1gb"
+ ssh_keys = [ data.digitalocean_ssh_key.myKey.id ]
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/droplet#ssh_keys
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0004/docs.md
new file mode 100644
index 0000000..e4002c2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0004/docs.md
@@ -0,0 +1,13 @@
+
+When working with a server, you’ll likely spend most of your time in a terminal session connected to your server through SSH. A more secure alternative to password-based logins, SSH keys use encryption to provide a secure way of logging into your server and are recommended for all users.
+
+### Impact
+Logging in with username and password is easier to compromise
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0005/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0005/Terraform.md
new file mode 100644
index 0000000..be591c2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0005/Terraform.md
@@ -0,0 +1,28 @@
+
+Enable surge upgrades in your Kubernetes cluster
+
+```hcl
+resource "digitalocean_kubernetes_cluster" "surge_upgrade_good" {
+ name = "foo"
+ region = "nyc1"
+ version = "1.20.2-do.0"
+ surge_upgrade = true
+
+ node_pool {
+ name = "worker-pool"
+ size = "s-2vcpu-2gb"
+ node_count = 3
+
+ taint {
+ key = "workloadKind"
+ value = "database"
+ effect = "NoSchedule"
+ }
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/kubernetes_cluster#surge_upgrade
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0005/docs.md
new file mode 100644
index 0000000..74fa06f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0005/docs.md
@@ -0,0 +1,13 @@
+
+While upgrading your cluster, workloads will temporarily be moved to new nodes. A small cost will follow, but as a bonus, you won't experience downtime.
+
+### Impact
+Upgrades may influence availability of your Kubernetes cluster
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.digitalocean.com/products/kubernetes/how-to/upgrade-cluster/#surge-upgrades
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0008/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0008/Terraform.md
new file mode 100644
index 0000000..4d6ebad
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0008/Terraform.md
@@ -0,0 +1,24 @@
+
+Set maintenance policy deterministically when auto upgrades are enabled
+
+```hcl
+resource "digitalocean_kubernetes_cluster" "foo" {
+ name = "foo"
+ region = "nyc1"
+ version = "1.20.2-do.0"
+ auto_upgrade = true
+
+ node_pool {
+ name = "autoscale-worker-pool"
+ size = "s-2vcpu-2gb"
+ auto_scale = true
+ min_nodes = 1
+ max_nodes = 5
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/kubernetes_cluster#auto-upgrade-example
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0008/docs.md
new file mode 100644
index 0000000..77bda0b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/compute/AVD-DIG-0008/docs.md
@@ -0,0 +1,13 @@
+
+
+
+### Impact
+Not running the latest security patches on your Kubernetes cluster can make it a target for penetration.
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.digitalocean.com/products/kubernetes/resources/best-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0006/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0006/Terraform.md
new file mode 100644
index 0000000..b66249c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0006/Terraform.md
@@ -0,0 +1,25 @@
+
+Apply a more restrictive ACL
+
+```hcl
+ resource "digitalocean_spaces_bucket" "good_example" {
+ name = "private_space"
+ region = "nyc3"
+ acl = "private"
+ }
+
+ resource "digitalocean_spaces_bucket_object" "index" {
+ region = digitalocean_spaces_bucket.good_example.region
+ bucket = digitalocean_spaces_bucket.good_example.name
+ key = "index.html"
+ content = "

This page is empty.

"
+ content_type = "text/html"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#acl
+
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket_object#acl
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0006/docs.md
new file mode 100644
index 0000000..581bf74
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0006/docs.md
@@ -0,0 +1,13 @@
+
+Space bucket and bucket object permissions should be set to deny public access unless explicitly required.
+
+### Impact
+The contents of the space can be accessed publicly
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.digitalocean.com/reference/api/spaces-api/#access-control-lists-acls
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0007/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0007/Terraform.md
new file mode 100644
index 0000000..dbacca5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0007/Terraform.md
@@ -0,0 +1,18 @@
+
+Enable versioning to protect against accidental or malicious removal or modification
+
+```hcl
+ resource "digitalocean_spaces_bucket" "good_example" {
+ name = "foobar"
+ region = "nyc3"
+
+ versioning {
+ enabled = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#versioning
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0007/docs.md
new file mode 100644
index 0000000..ba0791c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0007/docs.md
@@ -0,0 +1,13 @@
+
+Versioning is a means of keeping multiple variants of an object in the same bucket. You can use the Spaces (S3) Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets. With versioning you can recover more easily from both unintended user actions and application failures.
+
+### Impact
+Deleted or modified data would not be recoverable
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0009/Terraform.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0009/Terraform.md
new file mode 100644
index 0000000..28eee9d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0009/Terraform.md
@@ -0,0 +1,14 @@
+
+Don't use force destroy on bucket configuration
+
+```hcl
+ resource "digitalocean_spaces_bucket" "good_example" {
+ name = "foobar"
+ region = "nyc3"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/digitalocean/digitalocean/latest/docs/resources/spaces_bucket#force_destroy
+
diff --git a/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0009/docs.md
new file mode 100644
index 0000000..d999409
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/digitalocean/spaces/AVD-DIG-0009/docs.md
@@ -0,0 +1,10 @@
+
+Enabling force destroy on a Spaces bucket means that the bucket can be deleted without the additional check that it is empty. This risks important data being accidentally deleted by a bucket removal process.
+
+### Impact
+Accidental deletion of bucket objects
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0001/docs.md
new file mode 100644
index 0000000..066bf02
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0001/docs.md
@@ -0,0 +1,10 @@
+
+When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0002/docs.md
new file mode 100644
index 0000000..42d2f5a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0002/docs.md
@@ -0,0 +1,13 @@
+
+Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0004/docs.md
new file mode 100644
index 0000000..2453639
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0004/docs.md
@@ -0,0 +1,10 @@
+
+Exposing port 22 might allow users to SSH into the container.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0005/docs.md
new file mode 100644
index 0000000..1accae9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0005/docs.md
@@ -0,0 +1,13 @@
+
+You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#add
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0006/docs.md
new file mode 100644
index 0000000..b6e00eb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0006/docs.md
@@ -0,0 +1,13 @@
+
+COPY '--from' should not mention the current FROM alias, since it is impossible to copy from itself.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/multistage-build/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0007/docs.md
new file mode 100644
index 0000000..6121fe8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0007/docs.md
@@ -0,0 +1,13 @@
+
+There can only be one ENTRYPOINT instruction in a Dockerfile. Only the last ENTRYPOINT instruction in the Dockerfile will have an effect.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#entrypoint
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0008/docs.md
new file mode 100644
index 0000000..bc133d6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0008/docs.md
@@ -0,0 +1,13 @@
+
+UNIX ports outside the range 0-65535 are exposed.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#expose
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0009/docs.md
new file mode 100644
index 0000000..9d1d23e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0009/docs.md
@@ -0,0 +1,13 @@
+
+For clarity and reliability, you should always use absolute paths for your WORKDIR.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0010/docs.md
new file mode 100644
index 0000000..82386d6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0010/docs.md
@@ -0,0 +1,13 @@
+
+Avoid using 'RUN' with 'sudo' commands, as it can lead to unpredictable behavior.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#run
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0011/docs.md
new file mode 100644
index 0000000..017ef5d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0011/docs.md
@@ -0,0 +1,13 @@
+
+When a COPY command has more than two arguments, the last one should end with a slash.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#copy
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0012/docs.md
new file mode 100644
index 0000000..e025aff
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0012/docs.md
@@ -0,0 +1,13 @@
+
+Different FROMs can't have the same alias defined.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/multistage-build/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0013/docs.md
new file mode 100644
index 0000000..dd4522e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0013/docs.md
@@ -0,0 +1,13 @@
+
+Use WORKDIR instead of proliferating instructions like 'RUN cd … && do-something', which are hard to read, troubleshoot, and maintain.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#workdir
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0014/docs.md
new file mode 100644
index 0000000..a20d8e9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0014/docs.md
@@ -0,0 +1,13 @@
+
+Avoid using both 'wget' and 'curl' since these tools have the same effect.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0015/docs.md
new file mode 100644
index 0000000..4b0e97c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0015/docs.md
@@ -0,0 +1,13 @@
+
+You should use 'yum clean all' after using a 'yum install' command to clean package cached data and reduce image size.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0016/docs.md
new file mode 100644
index 0000000..1523a1d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0016/docs.md
@@ -0,0 +1,13 @@
+
+There can only be one CMD instruction in a Dockerfile. If you list more than one CMD then only the last CMD will take effect.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#cmd
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0017/docs.md
new file mode 100644
index 0000000..383a854
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0017/docs.md
@@ -0,0 +1,13 @@
+
+The instruction 'RUN update' should always be followed by ' install' in the same RUN statement.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0019/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0019/docs.md
new file mode 100644
index 0000000..4470c2f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0019/docs.md
@@ -0,0 +1,13 @@
+
+Cached package data should be cleaned after installation to reduce image size.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0020/docs.md
new file mode 100644
index 0000000..b707b7b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0020/docs.md
@@ -0,0 +1,13 @@
+
+The layer and image size should be reduced by deleting unneeded caches after running zypper.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#run
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0021/docs.md
new file mode 100644
index 0000000..cdd09c1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0021/docs.md
@@ -0,0 +1,13 @@
+
+'apt-get' calls should use the flag '-y' to avoid manual user input.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#run
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0022/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0022/docs.md
new file mode 100644
index 0000000..a808b11
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0022/docs.md
@@ -0,0 +1,13 @@
+
+MAINTAINER has been deprecated since Docker 1.13.0.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/deprecated/#maintainer-in-dockerfile
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0023/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0023/docs.md
new file mode 100644
index 0000000..a17a564
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0023/docs.md
@@ -0,0 +1,13 @@
+
+Providing more than one HEALTHCHECK instruction per stage is confusing and error-prone.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/engine/reference/builder/#healthcheck
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0024/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0024/docs.md
new file mode 100644
index 0000000..44173f7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0024/docs.md
@@ -0,0 +1,10 @@
+
+'apt-get dist-upgrade' upgrades a major version so it doesn't make more sense in Dockerfile.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0025/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0025/docs.md
new file mode 100644
index 0000000..144c245
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0025/docs.md
@@ -0,0 +1,13 @@
+
+You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://github.com/gliderlabs/docker-alpine/blob/master/docs/usage.md#disabling-cache
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0026/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0026/docs.md
new file mode 100644
index 0000000..40b1c2c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0026/docs.md
@@ -0,0 +1,13 @@
+
+You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://blog.aquasec.com/docker-security-best-practices
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0027/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0027/docs.md
new file mode 100644
index 0000000..4470c2f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0027/docs.md
@@ -0,0 +1,13 @@
+
+Cached package data should be cleaned after installation to reduce image size.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0029/docs.md b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0029/docs.md
new file mode 100644
index 0000000..cf6a096
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/dockerfile/general/AVD-DS-0029/docs.md
@@ -0,0 +1,13 @@
+
+'apt-get' install should use '--no-install-recommends' to minimize image size.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/actions/AVD-GIT-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/github/actions/AVD-GIT-0002/Terraform.md
new file mode 100644
index 0000000..f9e895c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/actions/AVD-GIT-0002/Terraform.md
@@ -0,0 +1,18 @@
+
+Do not store plaintext values in your code but rather populate the encrypted_value using fields from a resource, data source or variable.
+
+```hcl
+resource "github_actions_environment_secret" "good_example" {
+ repository = "my repository name"
+ environment = "my environment"
+ secret_name = "my secret name"
+ encrypted_value = var.some_encrypted_secret_string
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
+
+ - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/actions/AVD-GIT-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/github/actions/AVD-GIT-0002/docs.md
new file mode 100644
index 0000000..dbfa83f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/actions/AVD-GIT-0002/docs.md
@@ -0,0 +1,15 @@
+
+For the purposes of security, the contents of the plaintext_value field have been marked as sensitive to Terraform, but this does not hide it from state files. State should be treated as sensitive always.
+
+### Impact
+Unencrypted sensitive plaintext value can be easily accessible in code.
+
+
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_environment_secret
+
+- https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/branch_protections/AVD-GIT-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/github/branch_protections/AVD-GIT-0004/Terraform.md
new file mode 100644
index 0000000..038560d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/branch_protections/AVD-GIT-0004/Terraform.md
@@ -0,0 +1,16 @@
+
+Require signed commits
+
+```hcl
+ resource "github_branch_protection" "good_example" {
+ repository_id = "example"
+ pattern = "main"
+
+ require_signed_commits = true
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/branch_protections/AVD-GIT-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/github/branch_protections/AVD-GIT-0004/docs.md
new file mode 100644
index 0000000..7ee3833
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/branch_protections/AVD-GIT-0004/docs.md
@@ -0,0 +1,19 @@
+
+GitHub branch protection should be set to require signed commits.
+
+You can do this by setting the require_signed_commits attribute to 'true'.
+
+### Impact
+Commits may not be verified and signed as coming from a trusted developer
+
+
+{{ remediationActions }}
+
+### Links
+- https://registry.terraform.io/providers/integrations/github/latest/docs/resources/branch_protection#require_signed_commits
+
+- https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification
+
+- https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests/about-protected-branches#require-signed-commits
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0001/Terraform.md
new file mode 100644
index 0000000..57d8474
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0001/Terraform.md
@@ -0,0 +1,21 @@
+
+Make sensitive or commercially important repositories private
+
+```hcl
+ resource "github_repository" "good_example" {
+ name = "example"
+ description = "My awesome codebase"
+
+ visibility = "private"
+
+ template {
+ owner = "github"
+ repository = "terraform-module-template"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0001/docs.md
new file mode 100644
index 0000000..b6ce668
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0001/docs.md
@@ -0,0 +1,17 @@
+
+Github repository should be set to be private.
+
+You can do this by either setting private attribute to 'true' or visibility attribute to 'internal' or 'private'.
+
+### Impact
+Anyone can read the contents of the GitHub repository and leak IP
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility
+
+- https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-repository-visibility#about-internal-repositories
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0003/Terraform.md
new file mode 100644
index 0000000..5e179ad
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0003/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable vulnerability alerts
+
+```hcl
+ resource "github_repository" "good_example" {
+ name = "example"
+ description = "My awesome codebase"
+
+ vulnerability_alerts = true
+
+ template {
+ owner = "github"
+ repository = "terraform-module-template"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/integrations/github/latest/docs/resources/repository
+
diff --git a/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0003/docs.md
new file mode 100644
index 0000000..7fb4db4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/github/repositories/AVD-GIT-0003/docs.md
@@ -0,0 +1,15 @@
+
+GitHub repository should be set to use vulnerability alerts.
+
+You can do this by setting the vulnerability_alerts attribute to 'true'.
+
+### Impact
+Known vulnerabilities may not be discovered
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/bigquery/AVD-GCP-0046/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/bigquery/AVD-GCP-0046/Terraform.md
new file mode 100644
index 0000000..587723a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/bigquery/AVD-GCP-0046/Terraform.md
@@ -0,0 +1,35 @@
+
+Configure access permissions with higher granularity
+
+```hcl
+ resource "google_bigquery_dataset" "good_example" {
+ dataset_id = "example_dataset"
+ friendly_name = "test"
+ description = "This is a test description"
+ location = "EU"
+ default_table_expiration_ms = 3600000
+
+ labels = {
+ env = "default"
+ }
+
+ access {
+ role = "OWNER"
+ user_by_email = google_service_account.bqowner.email
+ }
+
+ access {
+ role = "READER"
+ domain = "hashicorp.com"
+ }
+ }
+
+ resource "google_service_account" "bqowner" {
+ account_id = "bqowner"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/bigquery_dataset#special_group
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/bigquery/AVD-GCP-0046/docs.md b/cmd/trivy-policies-generator/avd_docs/google/bigquery/AVD-GCP-0046/docs.md
new file mode 100644
index 0000000..eb5d517
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/bigquery/AVD-GCP-0046/docs.md
@@ -0,0 +1,10 @@
+
+Using 'allAuthenticatedUsers' provides any GCP user - even those outside of your organisation - access to your BigQuery dataset.
+
+### Impact
+Exposure of sensitive data to the public iniernet
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0027/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0027/Terraform.md
new file mode 100644
index 0000000..39a4cee
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0027/Terraform.md
@@ -0,0 +1,46 @@
+
+Set a more restrictive cidr range
+
+```hcl
+resource "google_compute_firewall" "good_example" {
+ source_ranges = ["1.2.3.4/32"]
+ allow {
+ protocol = "icmp"
+ }
+}
+```
+```hcl
+resource "google_compute_firewall" "allow-vms-to-some-machine" {
+ name = "allow-vms-to-some-machine"
+ network = local.network
+ priority = 1300
+ direction = "INGRESS"
+ allow {
+ protocol = "tcp"
+ ports = ["8081"]
+ }
+ source_tags = ["vms"]
+ target_tags = ["some-machine"]
+}
+```
+```hcl
+resource "google_compute_firewall" "test" {
+ name = "gmp-validating-webhook-fw"
+ network = google_compute_network.my_vpc_name.self_link
+
+ allow {
+ protocol = "tcp"
+ ports = ["8443"]
+ }
+
+ target_tags = [ "k8s-node-pool" ]
+ source_ranges = [google_container_cluster.my_cluster_name.private_cluster_config[0].master_ipv4_cidr_block]
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall#source_ranges
+
+ - https://www.terraform.io/docs/providers/google/r/compute_firewall.html
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0027/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0027/docs.md
new file mode 100644
index 0000000..5c1fdab
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0027/docs.md
@@ -0,0 +1,15 @@
+
+Network security rules should not use very broad subnets.
+
+Where possible, segments should be broken into smaller subnets and avoid using the /0 subnet.
+
+### Impact
+The port is exposed for ingress from the internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/vpc/docs/using-firewalls
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0029/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0029/Terraform.md
new file mode 100644
index 0000000..20b5774
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0029/Terraform.md
@@ -0,0 +1,29 @@
+
+Enable VPC flow logs
+
+```hcl
+resource "google_compute_subnetwork" "good_example" {
+ name = "test-subnetwork"
+ ip_cidr_range = "10.2.0.0/16"
+ region = "us-central1"
+ network = google_compute_network.custom-test.id
+ secondary_ip_range {
+ range_name = "tf-test-secondary-range-update1"
+ ip_cidr_range = "192.168.10.0/24"
+ }
+ log_config {
+ aggregation_interval = "INTERVAL_10_MIN"
+ flow_sampling = 0.5
+ metadata = "INCLUDE_ALL_METADATA"
+ }
+}
+resource "google_compute_network" "custom-test" {
+ name = "test-network"
+ auto_create_subnetworks = false
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork#enable_flow_logs
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0029/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0029/docs.md
new file mode 100644
index 0000000..082212e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0029/docs.md
@@ -0,0 +1,10 @@
+
+VPC flow logs record information about all traffic, which is a vital tool in reviewing anomalous traffic.
+
+### Impact
+Limited auditing capability and awareness
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0030/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0030/Terraform.md
new file mode 100644
index 0000000..5150556
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0030/Terraform.md
@@ -0,0 +1,53 @@
+
+Disable project-wide SSH keys
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service_account_id"
+ display_name = "Service Account"
+ }
+
+ resource "google_compute_instance" "default" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+
+ access_config {
+ // Ephemeral IP
+ }
+ }
+
+ metadata = {
+ block-project-ssh-keys = true
+ }
+
+ metadata_startup_script = "echo hi > /test.txt"
+
+ service_account {
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ email = google_service_account.default.email
+ scopes = ["cloud-platform"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0030/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0030/docs.md
new file mode 100644
index 0000000..00fbdf3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0030/docs.md
@@ -0,0 +1,10 @@
+
+Use of project-wide SSH keys means that a compromise of any one of these key pairs can result in all instances being compromised. It is recommended to use instance-level keys.
+
+### Impact
+Compromise of a single key pair compromises all instances
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0031/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0031/Terraform.md
new file mode 100644
index 0000000..c52aa99
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0031/Terraform.md
@@ -0,0 +1,32 @@
+
+Remove public IP
+
+```hcl
+ resource "google_compute_instance" "good_example" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#access_config
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0031/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0031/docs.md
new file mode 100644
index 0000000..673dafc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0031/docs.md
@@ -0,0 +1,13 @@
+
+Instances should not be publicly exposed to the internet
+
+### Impact
+Direct exposure of an instance to the public internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/compute/docs/ip-addresses#externaladdresses
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0032/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0032/Terraform.md
new file mode 100644
index 0000000..ff4b858
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0032/Terraform.md
@@ -0,0 +1,53 @@
+
+Disable serial port access
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service_account_id"
+ display_name = "Service Account"
+ }
+
+ resource "google_compute_instance" "default" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+
+ access_config {
+ // Ephemeral IP
+ }
+ }
+
+ metadata = {
+ serial-port-enable = false
+ }
+
+ metadata_startup_script = "echo hi > /test.txt"
+
+ service_account {
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ email = google_service_account.default.email
+ scopes = ["cloud-platform"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0032/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0032/docs.md
new file mode 100644
index 0000000..8bb9a13
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0032/docs.md
@@ -0,0 +1,10 @@
+
+When serial port access is enabled, the access is not governed by network security rules meaning the port can be exposed publicly.
+
+### Impact
+Unrestricted network access to the serial console of the instance
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0033/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0033/Terraform.md
new file mode 100644
index 0000000..686fe62
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0033/Terraform.md
@@ -0,0 +1,54 @@
+
+Use managed keys
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service_account_id"
+ display_name = "Service Account"
+ }
+
+ resource "google_compute_instance" "good_example" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ kms_key_self_link = "something"
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+
+ access_config {
+ // Ephemeral IP
+ }
+ }
+
+ metadata = {
+ foo = "bar"
+ }
+
+ metadata_startup_script = "echo hi > /test.txt"
+
+ service_account {
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ email = google_service_account.default.email
+ scopes = ["cloud-platform"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#kms_key_self_link
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0033/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0033/docs.md
new file mode 100644
index 0000000..85cfbc5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0033/docs.md
@@ -0,0 +1,10 @@
+
+Using unmanaged keys makes rotation and general management difficult.
+
+### Impact
+Using unmanaged keys does not allow for proper management
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0034/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0034/Terraform.md
new file mode 100644
index 0000000..1b36b8d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0034/Terraform.md
@@ -0,0 +1,23 @@
+
+Use managed keys to encrypt disks.
+
+```hcl
+ resource "google_compute_disk" "good_example" {
+ name = "test-disk"
+ type = "pd-ssd"
+ zone = "us-central1-a"
+ image = "debian-9-stretch-v20200805"
+ labels = {
+ environment = "dev"
+ }
+ physical_block_size_bytes = 4096
+ disk_encryption_key {
+ kms_key_self_link = "something"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk#kms_key_self_link
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0034/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0034/docs.md
new file mode 100644
index 0000000..45bf9f5
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0034/docs.md
@@ -0,0 +1,10 @@
+
+Using unmanaged keys makes rotation and general management difficult.
+
+### Impact
+Using unmanaged keys does not allow for proper key management.
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0035/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0035/Terraform.md
new file mode 100644
index 0000000..60b1667
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0035/Terraform.md
@@ -0,0 +1,16 @@
+
+Set a more restrictive cidr range
+
+```hcl
+ resource "google_compute_firewall" "good_example" {
+ direction = "EGRESS"
+ allow {
+ protocol = "icmp"
+ }
+ destination_ranges = ["1.2.3.4/32"]
+}
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0035/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0035/docs.md
new file mode 100644
index 0000000..de39ac9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0035/docs.md
@@ -0,0 +1,15 @@
+
+Network security rules should not use very broad subnets.
+
+Where possible, segments should be broken into smaller subnets and avoid using the /0 subnet.
+
+### Impact
+The port is exposed for egress to the internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/vpc/docs/using-firewalls
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0036/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0036/Terraform.md
new file mode 100644
index 0000000..2220b68
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0036/Terraform.md
@@ -0,0 +1,29 @@
+
+Enable OS Login at project level and remove instance-level overrides
+
+```hcl
+ resource "google_compute_instance" "default" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ metadata = {
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0036/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0036/docs.md
new file mode 100644
index 0000000..ef1c309
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0036/docs.md
@@ -0,0 +1,10 @@
+
+OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.
+
+### Impact
+Access via SSH key cannot be revoked automatically when an IAM user is removed.
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0037/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0037/Terraform.md
new file mode 100644
index 0000000..28195e9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0037/Terraform.md
@@ -0,0 +1,15 @@
+
+Reference a managed key rather than include the key in raw format.
+
+```hcl
+ resource "google_compute_disk" "good_example" {
+ disk_encryption_key {
+ kms_key_self_link = google_kms_crypto_key.my_crypto_key.id
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_disk#kms_key_self_link
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0037/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0037/docs.md
new file mode 100644
index 0000000..ad6faf1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0037/docs.md
@@ -0,0 +1,13 @@
+
+Sensitive values such as raw encryption keys should not be included in your Terraform code, and should be stored securely by a secrets manager.
+
+### Impact
+The encryption key should be considered compromised as it is not stored securely.
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0039/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0039/Terraform.md
new file mode 100644
index 0000000..96546aa
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0039/Terraform.md
@@ -0,0 +1,15 @@
+
+Enforce a minimum TLS version of 1.2
+
+```hcl
+ resource "google_compute_ssl_policy" "good_example" {
+ name = "production-ssl-policy"
+ profile = "MODERN"
+ min_tls_version = "TLS_1_2"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ssl_policy#min_tls_version
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0039/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0039/docs.md
new file mode 100644
index 0000000..cc52743
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0039/docs.md
@@ -0,0 +1,10 @@
+
+TLS versions prior to 1.2 are outdated and insecure. You should use 1.2 as aminimum version.
+
+### Impact
+Data in transit is not sufficiently secured
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0041/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0041/Terraform.md
new file mode 100644
index 0000000..a958b9c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0041/Terraform.md
@@ -0,0 +1,32 @@
+
+Enable Shielded VM VTPM
+
+```hcl
+ resource "google_compute_instance" "good_example" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ shielded_instance_config {
+ enable_vtpm = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#enable_vtpm
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0041/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0041/docs.md
new file mode 100644
index 0000000..b3523ef
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0041/docs.md
@@ -0,0 +1,13 @@
+
+The virtual TPM provides numerous security measures to your VM.
+
+### Impact
+Unable to prevent unwanted system state modification
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/blog/products/identity-security/virtual-trusted-platform-module-for-shielded-vms-security-in-plaintext
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0042/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0042/Terraform.md
new file mode 100644
index 0000000..9745c44
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0042/Terraform.md
@@ -0,0 +1,15 @@
+
+Enable OS Login at project level
+
+```hcl
+ resource "google_compute_project_metadata" "default" {
+ metadata = {
+ enable-oslogin = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_project_metadata#
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0042/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0042/docs.md
new file mode 100644
index 0000000..ef1c309
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0042/docs.md
@@ -0,0 +1,10 @@
+
+OS Login automatically revokes the relevant SSH keys when an IAM user has their access revoked.
+
+### Impact
+Access via SSH key cannot be revoked automatically when an IAM user is removed.
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0043/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0043/Terraform.md
new file mode 100644
index 0000000..04e04b3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0043/Terraform.md
@@ -0,0 +1,28 @@
+
+Disable IP forwarding
+
+```hcl
+ resource "google_compute_instance" "good_example" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ can_ip_forward = false
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#can_ip_forward
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0043/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0043/docs.md
new file mode 100644
index 0000000..b64da5d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0043/docs.md
@@ -0,0 +1,10 @@
+
+Disabling IP forwarding ensures the instance can only receive packets addressed to the instance and can only send packets with a source address of the instance.
+
+### Impact
+Instance can send/receive packets without the explicit instance address
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0044/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0044/Terraform.md
new file mode 100644
index 0000000..42e5a52
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0044/Terraform.md
@@ -0,0 +1,53 @@
+
+Remove use of default service account
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service_account_id"
+ display_name = "Service Account"
+ }
+
+ resource "google_compute_instance" "default" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ network_interface {
+ network = "default"
+
+ access_config {
+ // Ephemeral IP
+ }
+ }
+
+ metadata = {
+ foo = "bar"
+ }
+
+ metadata_startup_script = "echo hi > /test.txt"
+
+ service_account {
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ email = google_service_account.default.email
+ scopes = ["cloud-platform"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0044/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0044/docs.md
new file mode 100644
index 0000000..9b01375
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0044/docs.md
@@ -0,0 +1,10 @@
+
+The default service account has full project access. Instances should instead be assigned the minimal access they need.
+
+### Impact
+Instance has full access to the project
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0045/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0045/Terraform.md
new file mode 100644
index 0000000..393c959
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0045/Terraform.md
@@ -0,0 +1,32 @@
+
+Enable Shielded VM Integrity Monitoring
+
+```hcl
+ resource "google_compute_instance" "good_example" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ shielded_instance_config {
+ enable_integrity_monitoring = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#enable_vtpm
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0045/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0045/docs.md
new file mode 100644
index 0000000..80ab927
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0045/docs.md
@@ -0,0 +1,13 @@
+
+Integrity monitoring helps you understand and make decisions about the state of your VM instances.
+
+### Impact
+No visibility of VM instance boot state.
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/security/shielded-cloud/shielded-vm#integrity-monitoring
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0067/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0067/Terraform.md
new file mode 100644
index 0000000..a0ab93f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0067/Terraform.md
@@ -0,0 +1,32 @@
+
+Enable Shielded VM secure boot
+
+```hcl
+ resource "google_compute_instance" "good_example" {
+ name = "test"
+ machine_type = "e2-medium"
+ zone = "us-central1-a"
+
+ tags = ["foo", "bar"]
+
+ boot_disk {
+ initialize_params {
+ image = "debian-cloud/debian-9"
+ }
+ }
+
+ // Local SSD disk
+ scratch_disk {
+ interface = "SCSI"
+ }
+
+ shielded_instance_config {
+ enable_secure_boot = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#enable_secure_boot
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0067/docs.md b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0067/docs.md
new file mode 100644
index 0000000..0f5d76f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/compute/AVD-GCP-0067/docs.md
@@ -0,0 +1,13 @@
+
+Secure boot helps ensure that the system only runs authentic software.
+
+### Impact
+Unable to verify digital signature of boot components, and unable to stop the boot process if verification fails.
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/security/shielded-cloud/shielded-vm#secure-boot
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0012/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0012/Terraform.md
new file mode 100644
index 0000000..a4b30f8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0012/Terraform.md
@@ -0,0 +1,26 @@
+
+Use RSA SHA512
+
+```hcl
+resource "google_dns_managed_zone" "example-zone" {
+ name = "example-zone"
+ dns_name = "example-${random_id.rnd.hex}.com."
+
+ dnssec_config {
+ state = "on"
+ default_key_specs {
+ algorithm = "rsasha512"
+ key_type = "keySigning"
+ }
+ default_key_specs {
+ algorithm = "rsasha512"
+ key_type = "zoneSigning"
+ }
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#algorithm
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0012/docs.md
new file mode 100644
index 0000000..8217592
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0012/docs.md
@@ -0,0 +1,10 @@
+
+RSA SHA1 is a weaker algorithm than SHA2-based algorithms such as RSA SHA256/512
+
+### Impact
+Less secure encryption algorithm than others available
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0013/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0013/Terraform.md
new file mode 100644
index 0000000..89a78e4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0013/Terraform.md
@@ -0,0 +1,25 @@
+
+Enable DNSSEC
+
+```hcl
+ resource "google_dns_managed_zone" "good_example" {
+ name = "example-zone"
+ dns_name = "example-${random_id.rnd.hex}.com."
+ description = "Example DNS zone"
+ labels = {
+ foo = "bar"
+ }
+ dnssec_config {
+ state = "on"
+ }
+ }
+
+ resource "random_id" "rnd" {
+ byte_length = 4
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/dns_managed_zone#state
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0013/docs.md
new file mode 100644
index 0000000..7f1c42f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/dns/AVD-GCP-0013/docs.md
@@ -0,0 +1,10 @@
+
+DNSSEC authenticates DNS responses, preventing MITM attacks and impersonation.
+
+### Impact
+Unverified DNS responses could lead to man-in-the-middle attacks
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0048/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0048/Terraform.md
new file mode 100644
index 0000000..e2e7c1f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0048/Terraform.md
@@ -0,0 +1,16 @@
+
+Disable legacy metadata endpoints
+
+```hcl
+ resource "google_container_cluster" "good_example" {
+ node_config {
+ metadata = {
+ disable-legacy-endpoints = true
+ }
+ }
+ }
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#metadata
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0048/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0048/docs.md
new file mode 100644
index 0000000..e47e4e6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0048/docs.md
@@ -0,0 +1,19 @@
+
+The Compute Engine instance metadata server exposes legacy v0.1 and v1beta1 endpoints, which do not enforce metadata query headers.
+
+This is a feature in the v1 APIs that makes it more difficult for a potential attacker to retrieve instance metadata.
+
+Unless specifically required, we recommend you disable these legacy APIs.
+
+When setting the metadata block, the default value for disable-legacy-endpoints is set to true, they should not be explicitly enabled.
+
+### Impact
+Legacy metadata endpoints don't require metadata headers
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#protect_node_metadata_default_for_112
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0049/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0049/Terraform.md
new file mode 100644
index 0000000..b2c0423
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0049/Terraform.md
@@ -0,0 +1,44 @@
+
+Enable IP aliasing
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service-account-id"
+ display_name = "Service Account"
+ }
+
+ resource "google_container_cluster" "good_example" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+
+ # We can't create a cluster with no node pool defined, but we want to only use
+ # separately managed node pools. So we create the smallest possible default
+ # node pool and immediately delete it.
+ remove_default_node_pool = true
+ initial_node_count = 1
+ ip_allocation_policy {}
+ }
+
+ resource "google_container_node_pool" "primary_preemptible_nodes" {
+ name = "my-node-pool"
+ location = "us-central1"
+ cluster = google_container_cluster.primary.name
+ node_count = 1
+
+ node_config {
+ preemptible = true
+ machine_type = "e2-medium"
+
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ service_account = google_service_account.default.email
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#ip_allocation_policy
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0049/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0049/docs.md
new file mode 100644
index 0000000..af002d8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0049/docs.md
@@ -0,0 +1,10 @@
+
+IP aliasing allows the reuse of public IPs internally, removing the need for a NAT gateway.
+
+### Impact
+Nodes need a NAT gateway to access local services
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0050/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0050/Terraform.md
new file mode 100644
index 0000000..99c4a78
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0050/Terraform.md
@@ -0,0 +1,15 @@
+
+Use limited permissions for service accounts to be effective
+
+```hcl
+ resource "google_container_cluster" "good_example" {
+ node_config {
+ service_account = "cool-service-account@example.com"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#service_account
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0050/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0050/docs.md
new file mode 100644
index 0000000..f3b63b8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0050/docs.md
@@ -0,0 +1,13 @@
+
+You should create and use a minimally privileged service account to run your GKE cluster instead of using the Compute Engine default service account.
+
+### Impact
+Service accounts with wide permissions can increase the risk of compromise
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#use_least_privilege_sa
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0051/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0051/Terraform.md
new file mode 100644
index 0000000..80b8e63
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0051/Terraform.md
@@ -0,0 +1,46 @@
+
+Set cluster resource labels
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service-account-id"
+ display_name = "Service Account"
+ }
+
+ resource "google_container_cluster" "good_example" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+
+ # We can't create a cluster with no node pool defined, but we want to only use
+ # separately managed node pools. So we create the smallest possible default
+ # node pool and immediately delete it.
+ remove_default_node_pool = true
+ initial_node_count = 1
+ resource_labels = {
+ "env" = "staging"
+ }
+ }
+
+ resource "google_container_node_pool" "primary_preemptible_nodes" {
+ name = "my-node-pool"
+ location = "us-central1"
+ cluster = google_container_cluster.primary.name
+ node_count = 1
+
+ node_config {
+ preemptible = true
+ machine_type = "e2-medium"
+
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ service_account = google_service_account.default.email
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#resource_labels
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0051/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0051/docs.md
new file mode 100644
index 0000000..538904b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0051/docs.md
@@ -0,0 +1,10 @@
+
+Labels make it easier to manage assets and differentiate between clusters and environments, allowing the mapping of computational resources to the wider organisational structure.
+
+### Impact
+Asset management can be limited/more difficult
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0052/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0052/Terraform.md
new file mode 100644
index 0000000..79773dd
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0052/Terraform.md
@@ -0,0 +1,44 @@
+
+Enable StackDriver monitoring
+
+```hcl
+ resource "google_service_account" "default" {
+ account_id = "service-account-id"
+ display_name = "Service Account"
+ }
+
+ resource "google_container_cluster" "good_example" {
+ name = "my-gke-cluster"
+ location = "us-central1"
+
+ # We can't create a cluster with no node pool defined, but we want to only use
+ # separately managed node pools. So we create the smallest possible default
+ # node pool and immediately delete it.
+ remove_default_node_pool = true
+ initial_node_count = 1
+ monitoring_service = "monitoring.googleapis.com/kubernetes"
+ }
+
+ resource "google_container_node_pool" "primary_preemptible_nodes" {
+ name = "my-node-pool"
+ location = "us-central1"
+ cluster = google_container_cluster.primary.name
+ node_count = 1
+
+ node_config {
+ preemptible = true
+ machine_type = "e2-medium"
+
+ # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles.
+ service_account = google_service_account.default.email
+ oauth_scopes = [
+ "https://www.googleapis.com/auth/cloud-platform"
+ ]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#monitoring_service
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0052/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0052/docs.md
new file mode 100644
index 0000000..b71f2e6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0052/docs.md
@@ -0,0 +1,10 @@ + +StackDriver monitoring aggregates logs, events, and metrics from your Kubernetes environment on GKE to help you understand your application's behavior in production. + +### Impact +Visibility will be reduced + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0053/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0053/Terraform.md new file mode 100644 index 0000000..de70a02 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0053/Terraform.md @@ -0,0 +1,49 @@ + +Use private nodes and master authorised networks to prevent exposure + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "primary" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + master_authorized_networks_config { + cidr_blocks { + cidr_block = "10.10.128.0/24" + display_name = "internal" + } + } + } + + resource "google_container_node_pool" "primary_preemptible_nodes" { + name = "my-node-pool" + location = "us-central1" + cluster = google_container_cluster.primary.name + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster# + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0053/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0053/docs.md new file mode 100644 index 0000000..150da2d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0053/docs.md @@ -0,0 +1,10 @@ + +The GKE control plane is exposed to the public internet by default. + +### Impact +GKE control plane exposed to public internet + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0054/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0054/Terraform.md new file mode 100644 index 0000000..4cce765 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0054/Terraform.md @@ -0,0 +1,43 @@ + +Use the COS image type + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "primary" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + } + + resource "google_container_node_pool" "good_example" { + name = "my-node-pool" + cluster = google_container_cluster.primary.id + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + image_type = "COS" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#image_type + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0054/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0054/docs.md new file mode 100644 index 0000000..95d4e0a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0054/docs.md @@ -0,0 +1,10 @@ + +GKE supports several OS image types but COS is the recommended OS image to use on cluster nodes for enhanced security + +### Impact +COS is the recommended OS image to use on cluster nodes + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0055/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0055/Terraform.md new file mode 100644 index 0000000..b303a42 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0055/Terraform.md @@ -0,0 +1,12 @@ + +Enable node shielding + +```hcl + resource "google_container_cluster" "good_example" { + enable_shielded_nodes = "true" + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_shielded_nodes + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0055/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0055/docs.md new file mode 100644 index 0000000..83d7af9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0055/docs.md @@ -0,0 +1,15 @@ + +CIS GKE Benchmark Recommendation: 6.5.5. Ensure Shielded GKE Nodes are Enabled + +Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes and should be enabled on all GKE clusters. + +### Impact +Node identity and integrity can't be verified without shielded GKE nodes + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#shielded_nodes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0056/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0056/Terraform.md new file mode 100644 index 0000000..c17da33 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0056/Terraform.md @@ -0,0 +1,46 @@ + +Enable network policy + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "good_example" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + network_policy { + enabled = true + } + } + + resource "google_container_node_pool" "primary_preemptible_nodes" { + name = "my-node-pool" + location = "us-central1" + cluster = google_container_cluster.primary.name + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enabled + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0056/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0056/docs.md new file mode 100644 index 0000000..0fb7a1a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0056/docs.md 
@@ -0,0 +1,10 @@ + +Enabling a network policy allows the segregation of network traffic by namespace + +### Impact +Unrestricted inter-cluster communication + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0057/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0057/Terraform.md new file mode 100644 index 0000000..99ac81b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0057/Terraform.md @@ -0,0 +1,16 @@ + +Set node metadata to SECURE or GKE_METADATA_SERVER + +```hcl + resource "google_container_node_pool" "good_example" { + node_config { + workload_metadata_config { + node_metadata = "SECURE" + } + } + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#node_metadata + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0057/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0057/docs.md new file mode 100644 index 0000000..9ffd067 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0057/docs.md @@ -0,0 +1,15 @@ + +If the workload_metadata_config block within node_config is included, the node_metadata attribute should be configured securely. + +The attribute should be set to SECURE to use metadata concealment, or GKE_METADATA_SERVER if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods. + +### Impact +Metadata that isn't concealed potentially risks leakage of sensitive data + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/kubernetes-engine/docs/how-to/protecting-cluster-metadata#create-concealed + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0058/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0058/Terraform.md new file mode 100644 index 0000000..fc8b533 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0058/Terraform.md @@ -0,0 +1,45 @@ + +Enable automatic upgrades + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "primary" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + } + + resource "google_container_node_pool" "good_example" { + name = "my-node-pool" + cluster = google_container_cluster.primary.id + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + management { + auto_upgrade = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_upgrade + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0058/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0058/docs.md new file mode 100644 index 0000000..6c24632 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0058/docs.md @@ -0,0 +1,10 @@ + +Automatic updates keep nodes updated with the latest cluster master version. + +### Impact +Nodes will need the cluster master version manually updating + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0059/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0059/Terraform.md new file mode 100644 index 0000000..5d3b8af 
--- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0059/Terraform.md @@ -0,0 +1,46 @@ + +Enable private cluster + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "good_example" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + private_cluster_config { + enable_private_nodes = true + } + } + + resource "google_container_node_pool" "primary_preemptible_nodes" { + name = "my-node-pool" + location = "us-central1" + cluster = google_container_cluster.primary.name + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_private_nodes + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0059/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0059/docs.md new file mode 100644 index 0000000..a728250 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0059/docs.md @@ -0,0 +1,10 @@ + +Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses. + +### Impact +Nodes may be exposed to the public internet + + +{{ remediationActions }} + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0060/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0060/Terraform.md new file mode 100644 index 0000000..b1a3e99 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0060/Terraform.md @@ -0,0 +1,44 @@ + +Enable StackDriver logging + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "good_example" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + logging_service = "logging.googleapis.com/kubernetes" + } + + resource "google_container_node_pool" "primary_preemptible_nodes" { + name = "my-node-pool" + location = "us-central1" + cluster = google_container_cluster.primary.name + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#logging_service + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0060/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0060/docs.md new file mode 100644 index 0000000..e646467 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0060/docs.md 
@@ -0,0 +1,10 @@ + +StackDriver logging provides a useful interface to all of stdout/stderr for each container and should be enabled for moitoring, debugging, etc. + +### Impact +Visibility will be reduced + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0061/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0061/Terraform.md new file mode 100644 index 0000000..d331a45 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0061/Terraform.md @@ -0,0 +1,49 @@ + +Enable master authorized networks + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "primary" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + master_authorized_networks_config { + cidr_blocks { + cidr_block = "10.10.128.0/24" + display_name = "internal" + } + } + } + + resource "google_container_node_pool" "primary_preemptible_nodes" { + name = "my-node-pool" + location = "us-central1" + cluster = google_container_cluster.primary.name + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster# + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0061/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0061/docs.md new file mode 100644 index 0000000..38f0803 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0061/docs.md @@ -0,0 +1,10 @@ + +Enabling authorized networks means you can restrict master access to a fixed set of CIDR ranges + +### Impact +Unrestricted network access to the master + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0062/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0062/Terraform.md new file mode 100644 index 0000000..9fe7d44 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0062/Terraform.md @@ -0,0 +1,15 @@ + +Switch to using RBAC permissions + +```hcl + resource "google_container_cluster" "good_example" { + # ... + # enable_legacy_abac not set + # ... + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#enable_legacy_abac + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0062/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0062/docs.md new file mode 100644 index 0000000..47cab1e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0062/docs.md @@ -0,0 +1,15 @@ + +You should disable Attribute-Based Access Control (ABAC), and instead use Role-Based Access Control (RBAC) in GKE. + +RBAC has significant security advantages and is now stable in Kubernetes, so it’s time to disable ABAC. + +### Impact +ABAC permissions are less secure than RBAC permissions + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#leave_abac_disabled_default_for_110 + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0063/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0063/Terraform.md new file mode 100644 index 0000000..997cc57 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0063/Terraform.md @@ -0,0 +1,45 @@ + +Enable automatic repair + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "primary" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + } + + resource "google_container_node_pool" "good_example" { + name = "my-node-pool" + cluster = google_container_cluster.primary.id + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + management { + auto_repair = true + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_node_pool#auto_repair + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0063/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0063/docs.md new file mode 100644 index 0000000..934773e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0063/docs.md 
@@ -0,0 +1,10 @@ + +Automatic repair will monitor nodes and attempt repair when a node fails multiple subsequent health checks + +### Impact +Failing nodes will require manual repair. + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0064/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0064/Terraform.md new file mode 100644 index 0000000..ccf52e7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0064/Terraform.md @@ -0,0 +1,43 @@ + +Use service account or OAuth for authentication + +```hcl + resource "google_service_account" "default" { + account_id = "service-account-id" + display_name = "Service Account" + } + + resource "google_container_cluster" "good_example" { + name = "my-gke-cluster" + location = "us-central1" + + # We can't create a cluster with no node pool defined, but we want to only use + # separately managed node pools. So we create the smallest possible default + # node pool and immediately delete it. + remove_default_node_pool = true + initial_node_count = 1 + } + + resource "google_container_node_pool" "primary_preemptible_nodes" { + name = "my-node-pool" + location = "us-central1" + cluster = google_container_cluster.primary.name + node_count = 1 + + node_config { + preemptible = true + machine_type = "e2-medium" + + # Google recommends custom service accounts that have cloud-platform scope and permissions granted via IAM Roles. + service_account = google_service_account.default.email + oauth_scopes = [ + "https://www.googleapis.com/auth/cloud-platform" + ] + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/container_cluster#master_auth + diff --git a/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0064/docs.md b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0064/docs.md new file mode 100644 index 0000000..e3a4144 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/google/gke/AVD-GCP-0064/docs.md @@ -0,0 +1,15 @@ + +It is recommended to use Service Accounts and OAuth as authentication methods for accessing the master in the container cluster. + +Basic authentication should be disabled by explicitly unsetting the username and password on the master_auth block. + +### Impact +Username/password or certificate authentication methods are less secure + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0003/Terraform.md new file mode 100644 index 0000000..29c76f2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0003/Terraform.md @@ -0,0 +1,18 @@ + +Roles should be granted permissions and assigned to users + +```hcl + resource "google_project_iam_binding" "good_example" { + members = [ + "group:test@example.com", + ] + } + + resource "google_storage_bucket_iam_member" "good_example" { + member = "serviceAccount:test@example.com" + } +``` + +#### Remediation Links + - https://www.terraform.io/docs/providers/google/d/iam_policy.html#members + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0003/docs.md new file mode 100644 index 0000000..5a2a928 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0003/docs.md 
@@ -0,0 +1,19 @@ + +Permissions should not be directly granted to users, you identify roles that contain the appropriate permissions, and then grant those roles to the user. + +Granting permissions to users quickly become unwieldy and complex to make large scale changes to remove access to a particular resource. + +Permissions should be granted on roles, groups, services accounts instead. + +### Impact +Users shouldn't have permissions granted to them directly + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/iam/docs/overview#permissions + +- https://cloud.google.com/resource-manager/reference/rest/v1/projects/setIamPolicy + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0004/Terraform.md new file mode 100644 index 0000000..6992cec --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0004/Terraform.md @@ -0,0 +1,22 @@ + +Use specialised service accounts for specific purposes. + +```hcl + resource "google_service_account" "test" { + account_id = "account123" + display_name = "account123" + } + + resource "google_folder_iam_member" "folder-123" { + folder = "folder-123" + role = "roles/whatever" + member = "serviceAccount:${google_service_account.test.email}" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam + + - + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0004/docs.md new file mode 100644 index 0000000..9871f7b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0004/docs.md 
@@ -0,0 +1,13 @@ + +Default service accounts should not be used - consider creating specialised service accounts for individual purposes. + +### Impact +Violation of principal of least privilege + + +{{ remediationActions }} + +### Links +- + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0005/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0005/Terraform.md new file mode 100644 index 0000000..8d3a302 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0005/Terraform.md @@ -0,0 +1,14 @@ + +Provide access at the service-level instead of folder-level, if required + +```hcl + resource "google_folder_iam_binding" "folder-123" { + folder = "folder-123" + role = "roles/nothingInParticular" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_folder_iam + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0005/docs.md new file mode 100644 index 0000000..952b459 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0005/docs.md @@ -0,0 +1,13 @@ + +Users with service account access at folder level can impersonate any service account. Instead, they should be given access to particular service accounts as required. + +### Impact +Privilege escalation, impersonation of any/all services + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/iam/docs/impersonating-service-accounts + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0006/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0006/Terraform.md new file mode 100644 index 0000000..1de6f0e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0006/Terraform.md 
@@ -0,0 +1,22 @@ + +Use specialised service accounts for specific purposes. + +```hcl + resource "google_service_account" "test" { + account_id = "account123" + display_name = "account123" + } + + resource "google_project_iam_member" "project-123" { + project = "project-123" + role = "roles/whatever" + member = "serviceAccount:${google_service_account.test.email}" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam + + - + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0006/docs.md new file mode 100644 index 0000000..9871f7b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0006/docs.md @@ -0,0 +1,13 @@ + +Default service accounts should not be used - consider creating specialised service accounts for individual purposes. + +### Impact +Violation of principal of least privilege + + +{{ remediationActions }} + +### Links +- + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0007/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0007/Terraform.md new file mode 100644 index 0000000..7322e4d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0007/Terraform.md @@ -0,0 +1,21 @@ + +Limit service account access to minimal required set + +```hcl + resource "google_service_account" "test" { + account_id = "account123" + display_name = "account123" + email = "jim@tfsec.dev" + } + + resource "google_project_iam_member" "project" { + project = "your-project-id" + role = "roles/logging.logWriter" + member = "serviceAccount:${google_service_account.test.email}" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam + 
diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0007/docs.md new file mode 100644 index 0000000..c795075 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0007/docs.md @@ -0,0 +1,13 @@ + +Service accounts should have a minimal set of permissions assigned in order to do their job. They should never have excessive access as if compromised, an attacker can escalate privileges and take over the entire account. + +### Impact +Cloud account takeover if a resource using a service account is compromised + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/iam/docs/understanding-roles + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0008/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0008/Terraform.md new file mode 100644 index 0000000..733b20e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0008/Terraform.md @@ -0,0 +1,22 @@ + +Use specialised service accounts for specific purposes. + +```hcl + resource "google_service_account" "test" { + account_id = "account123" + display_name = "account123" + } + + resource "google_organization_iam_member" "org-123" { + org_id = "org-123" + role = "roles/whatever" + member = "serviceAccount:${google_service_account.test.email}" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam + + - + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0008/docs.md new file mode 100644 index 0000000..9871f7b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0008/docs.md 
@@ -0,0 +1,13 @@ + +Default service accounts should not be used - consider creating specialised service accounts for individual purposes. + +### Impact +Violation of principal of least privilege + + +{{ remediationActions }} + +### Links +- + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0009/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0009/Terraform.md new file mode 100644 index 0000000..367d3eb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0009/Terraform.md @@ -0,0 +1,14 @@ + +Provide access at the service-level instead of organization-level, if required + +```hcl + resource "google_organization_iam_binding" "organization-123" { + org_id = "org-123" + role = "roles/nothingInParticular" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0009/docs.md new file mode 100644 index 0000000..f410642 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0009/docs.md @@ -0,0 +1,13 @@ + +Users with service account access at organization level can impersonate any service account. Instead, they should be given access to particular service accounts as required. + +### Impact +Privilege escalation, impersonation of any/all services + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/iam/docs/impersonating-service-accounts + + diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0010/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0010/Terraform.md new file mode 100644 index 0000000..8eeacd7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0010/Terraform.md 
@@ -0,0 +1,16 @@
+
+Disable automatic default network creation
+
+```hcl
+ resource "google_project" "good_example" {
+ name = "My Project"
+ project_id = "your-project-id"
+ org_id = "1234567"
+ auto_create_network = false
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project#auto_create_network
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0010/docs.md
new file mode 100644
index 0000000..23f8d8b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0010/docs.md
@@ -0,0 +1,10 @@
+
+The default network which is provided for a project contains multiple insecure firewall rules which allow ingress to the project's infrastructure. Creation of this network should therefore be disabled.
+
+### Impact
+Exposure of internal infrastructure/services to public internet
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0011/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0011/Terraform.md
new file mode 100644
index 0000000..b3fe7b2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0011/Terraform.md
@@ -0,0 +1,14 @@
+
+Provide access at the service-level instead of project-level, if required
+
+```hcl
+ resource "google_project_iam_binding" "project-123" {
+ project = "project-123"
+ role = "roles/nothingInParticular"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0011/docs.md
new file mode 100644
index 0000000..848bbb3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0011/docs.md
@@ -0,0 +1,13 @@
+
+Users with service account access at project level can impersonate any service account. Instead, they should be given access to particular service accounts as required.
+
+### Impact
+Privilege escalation, impersonation of any/all services
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/iam/docs/impersonating-service-accounts
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0068/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0068/Terraform.md
new file mode 100644
index 0000000..59db56d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0068/Terraform.md
@@ -0,0 +1,35 @@
+
+Set conditions on this provider, for example by restricting it to only be allowed from repositories in your GitHub organization
+
+```hcl
+ resource "google_iam_workload_identity_pool" "github" {
+ provider = google
+ project = data.google_project.project.project_id
+ workload_identity_pool_id = "github"
+ }
+
+ resource "google_iam_workload_identity_pool_provider" "github" {
+ provider = google
+ project = data.google_project.project.project_id
+ workload_identity_pool_id = google_iam_workload_identity_pool.github-actions[0].workload_identity_pool_id
+ workload_identity_pool_provider_id = "github"
+
+ attribute_condition = "assertion.repository_owner=='your-github-organization'"
+
+ attribute_mapping = {
+ "google.subject" = "assertion.sub"
+ "attribute.actor" = "assertion.actor"
+ "attribute.aud" = "assertion.aud"
+ "attribute.repository" = "assertion.repository"
+ }
+
+ oidc {
+ issuer_uri = "https://token.actions.githubusercontent.com"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0068/docs.md b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0068/docs.md
new file mode 100644
index 0000000..ed1e8ce
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/iam/AVD-GCP-0068/docs.md
@@ -0,0 +1,13 @@
+
+In GitHub Actions, one can authenticate to Google Cloud by setting values for workload_identity_provider and service_account and requesting a short-lived OIDC token which is then used to execute commands as that Service Account. If you don't specify a condition in the workload identity provider pool configuration, then any GitHub Action can assume this role and act as that Service Account.
+
+### Impact
+Allows an external attacker to authenticate as the attached service account and act with its permissions
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/kms/AVD-GCP-0065/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/kms/AVD-GCP-0065/Terraform.md
new file mode 100644
index 0000000..9fb0a77
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/kms/AVD-GCP-0065/Terraform.md
@@ -0,0 +1,24 @@
+
+Set key rotation period to 90 days
+
+```hcl
+ resource "google_kms_key_ring" "keyring" {
+ name = "keyring-example"
+ location = "global"
+ }
+
+ resource "google_kms_crypto_key" "example-key" {
+ name = "crypto-key-example"
+ key_ring = google_kms_key_ring.keyring.id
+ rotation_period = "7776000s"
+
+ lifecycle {
+ prevent_destroy = true
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/kms_crypto_key#rotation_period
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/kms/AVD-GCP-0065/docs.md b/cmd/trivy-policies-generator/avd_docs/google/kms/AVD-GCP-0065/docs.md
new file mode 100644
index 0000000..db99acb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/kms/AVD-GCP-0065/docs.md
@@ -0,0 +1,10 @@
+
+Keys should be rotated on a regular basis to limit exposure if a given key should become compromised.
+
+### Impact
+Exposure is greater if the same keys are used over a long period
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0014/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0014/Terraform.md
new file mode 100644
index 0000000..b0c0551
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0014/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable temporary file logging for all files
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_temp_files"
+ value = "0"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0014/docs.md
new file mode 100644
index 0000000..028480f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0014/docs.md
@@ -0,0 +1,13 @@
+
+Temporary files are not logged by default. To log all temporary files, a value of `0` should set in the `log_temp_files` flag - as all files greater in size than the number of bytes set in this flag will be logged.
+
+### Impact
+Use of temporary files will not be logged
+
+
+{{ remediationActions }}
+
+### Links
+- https://postgresqlco.nf/doc/en/param/log_temp_files/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0015/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0015/Terraform.md
new file mode 100644
index 0000000..74819cc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0015/Terraform.md
@@ -0,0 +1,27 @@
+
+Enforce SSL for all connections
+
+```hcl
+ resource "google_sql_database_instance" "postgres" {
+ name = "postgres-instance-a"
+ database_version = "POSTGRES_11"
+
+ settings {
+ tier = "db-f1-micro"
+
+ ip_configuration {
+ ipv4_enabled = false
+ authorized_networks {
+ value = "108.12.12.0/24"
+ name = "internal"
+ }
+ require_ssl = true
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0015/docs.md
new file mode 100644
index 0000000..1917b5a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0015/docs.md
@@ -0,0 +1,13 @@
+
+In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.
+
+### Impact
+Intercepted data can be read in transit
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/sql/docs/mysql/configure-ssl-instance
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0016/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0016/Terraform.md
new file mode 100644
index 0000000..43352d2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0016/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable connection logging.
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_connections"
+ value = "on"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0016/docs.md
new file mode 100644
index 0000000..2ac6b74
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0016/docs.md
@@ -0,0 +1,13 @@
+
+Logging connections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.
+
+### Impact
+Insufficient diagnostic data.
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-CONNECTIONS
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0017/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0017/Terraform.md
new file mode 100644
index 0000000..d798390
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0017/Terraform.md
@@ -0,0 +1,26 @@
+
+Remove public access from database instances
+
+```hcl
+ resource "google_sql_database_instance" "postgres" {
+ name = "postgres-instance-a"
+ database_version = "POSTGRES_11"
+
+ settings {
+ tier = "db-f1-micro"
+
+ ip_configuration {
+ ipv4_enabled = false
+ authorized_networks {
+ value = "10.0.0.1/24"
+ name = "internal"
+ }
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0017/docs.md
new file mode 100644
index 0000000..48ed19d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0017/docs.md
@@ -0,0 +1,13 @@
+
+Database instances should be configured so that they are not available over the public internet, but to internal compute resources which access them.
+
+### Impact
+Public exposure of sensitive data
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.cloudconformity.com/knowledge-base/gcp/CloudSQL/publicly-accessible-cloud-sql-instances.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0018/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0018/Terraform.md
new file mode 100644
index 0000000..27f5f87
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0018/Terraform.md
@@ -0,0 +1,21 @@
+
+Set the minimum log severity to at least ERROR
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_min_messages"
+ value = "WARNING"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0018/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0018/docs.md
new file mode 100644
index 0000000..d1e21e3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0018/docs.md
@@ -0,0 +1,15 @@
+
+Setting the minimum log severity too high will cause errors not to be logged
+
+### Impact
+Loss of error logging
+
+
+{{ remediationActions }}
+
+### Links
+- https://postgresqlco.nf/doc/en/param/log_min_messages/
+
+- https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-MIN-MESSAGES
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0019/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0019/Terraform.md
new file mode 100644
index 0000000..d04338a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0019/Terraform.md
@@ -0,0 +1,21 @@
+
+Disable cross database ownership chaining
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "SQLSERVER_2017_STANDARD"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "cross db ownership chaining"
+ value = "off"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0019/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0019/docs.md
new file mode 100644
index 0000000..4daa9a9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0019/docs.md
@@ -0,0 +1,13 @@
+
+Cross-database ownership chaining, also known as cross-database chaining, is a security feature of SQL Server that allows users of databases access to other databases besides the one they are currently using.
+
+### Impact
+Unintended access to sensitive data
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/cross-db-ownership-chaining-server-configuration-option?view=sql-server-ver15
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0020/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0020/Terraform.md
new file mode 100644
index 0000000..d50a8ee
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0020/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable lock wait logging.
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_lock_waits"
+ value = "on"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0020/docs.md
new file mode 100644
index 0000000..3ae6dd4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0020/docs.md
@@ -0,0 +1,13 @@
+
+Lock waits are often an indication of poor performance and often an indicator of a potential denial of service vulnerability, therefore occurrences should be logged for analysis.
+
+### Impact
+Issues leading to denial of service may not be identified.
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-LOCK-WAITS
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0021/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0021/Terraform.md
new file mode 100644
index 0000000..99dae56
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0021/Terraform.md
@@ -0,0 +1,21 @@
+
+Disable minimum duration statement logging completely
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_min_duration_statement"
+ value = "-1"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0021/docs.md
new file mode 100644
index 0000000..649e695
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0021/docs.md
@@ -0,0 +1,13 @@
+
+Logging of statements which could contain sensitive data is not advised, therefore this setting should preclude all statements from being logged.
+
+### Impact
+Sensitive data could be exposed in the database logs.
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-MIN-DURATION-STATEMENT
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0022/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0022/Terraform.md
new file mode 100644
index 0000000..d10cd52
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0022/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable disconnection logging.
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_disconnections"
+ value = "on"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0022/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0022/docs.md
new file mode 100644
index 0000000..bf8acde
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0022/docs.md
@@ -0,0 +1,13 @@
+
+Logging disconnections provides useful diagnostic data such as session length, which can identify performance issues in an application and potential DoS vectors.
+
+### Impact
+Insufficient diagnostic data.
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-DISCONNECTIONS
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0023/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0023/Terraform.md
new file mode 100644
index 0000000..c8c3593
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0023/Terraform.md
@@ -0,0 +1,21 @@
+
+Disable contained database authentication
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "SQLSERVER_2017_STANDARD"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "contained database authentication"
+ value = "off"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0023/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0023/docs.md
new file mode 100644
index 0000000..386e858
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0023/docs.md
@@ -0,0 +1,13 @@
+
+Users with ALTER permissions on users can grant access to a contained database without the knowledge of an administrator
+
+### Impact
+Access can be granted without knowledge of the database administrator
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/contained-database-authentication-server-configuration-option?view=sql-server-ver15
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0024/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0024/Terraform.md
new file mode 100644
index 0000000..920ab13
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0024/Terraform.md
@@ -0,0 +1,36 @@
+
+Enable automated backups
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ backup_configuration {
+ enabled = true
+ }
+ }
+ }
+
+```
+```hcl
+resource "google_sql_database_instance" "new_instance_sql_replica" {
+ name = "replica"
+ region = "europe-west3"
+ database_version = "POSTGRES_14"
+ master_instance_name = google_sql_database_instance.instance[0].name
+ deletion_protection = terraform.workspace == "prod" ? true : false
+
+ replica_configuration {
+ connect_retry_interval = 0
+ failover_target = false
+ master_heartbeat_period = 0
+ }
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#settings.backup_configuration.enabled=true
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0024/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0024/docs.md
new file mode 100644
index 0000000..22329e8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0024/docs.md
@@ -0,0 +1,13 @@
+
+Automated backups are not enabled by default. Backups are an easy way to restore data in a corruption or data-loss scenario.
+
+### Impact
+No recovery of lost or corrupted data
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/sql/docs/mysql/backup-recovery/backups
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0025/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0025/Terraform.md
new file mode 100644
index 0000000..b7392c9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0025/Terraform.md
@@ -0,0 +1,21 @@
+
+Enable checkpoints logging.
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "POSTGRES_12"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "log_checkpoints"
+ value = "on"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0025/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0025/docs.md
new file mode 100644
index 0000000..09ee381
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0025/docs.md
@@ -0,0 +1,13 @@
+
+Logging checkpoints provides useful diagnostic data, which can identify performance issues in an application and potential DoS vectors.
+
+### Impact
+Insufficient diagnostic data.
+
+
+{{ remediationActions }}
+
+### Links
+- https://www.postgresql.org/docs/13/runtime-config-logging.html#GUC-LOG-CHECKPOINTS
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0026/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0026/Terraform.md
new file mode 100644
index 0000000..7cf38a2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0026/Terraform.md
@@ -0,0 +1,23 @@
+
+Disable the local infile setting
+
+```hcl
+ resource "google_sql_database_instance" "db" {
+ name = "db"
+ database_version = "MYSQL_5_6"
+ region = "us-central1"
+ settings {
+ database_flags {
+ name = "local_infile"
+ value = "off"
+ }
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance
+
+ - https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0026/docs.md b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0026/docs.md
new file mode 100644
index 0000000..f3674d2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/sql/AVD-GCP-0026/docs.md
@@ -0,0 +1,13 @@
+
+Arbitrary files can be read from the system using LOAD_DATA unless this setting is disabled.
+
+### Impact
+Arbitrary files read by attackers when combined with a SQL injection vulnerability.
+
+
+{{ remediationActions }}
+
+### Links
+- https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0001/Terraform.md
new file mode 100644
index 0000000..2e6ec1e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0001/Terraform.md
@@ -0,0 +1,17 @@
+
+Restrict public access to the bucket.
+
+```hcl
+ resource "google_storage_bucket_iam_binding" "binding" {
+ bucket = google_storage_bucket.default.name
+ role = "roles/storage.admin"
+ members = [
+ "user:jane@example.com",
+ ]
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_iam#member/members
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0001/docs.md
new file mode 100644
index 0000000..c172693
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0001/docs.md
@@ -0,0 +1,13 @@
+
+Using 'allUsers' or 'allAuthenticatedUsers' as members in an IAM member/binding causes data to be exposed outside of the organisation.
+
+### Impact
+Public exposure of sensitive data.
+
+
+{{ remediationActions }}
+
+### Links
+- https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0002/Terraform.md
new file mode 100644
index 0000000..7e590ca
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0002/Terraform.md
@@ -0,0 +1,28 @@
+
+Enable uniform bucket level access to provide a uniform permissioning system.
+
+```hcl
+ resource "google_storage_bucket" "static-site" {
+ name = "image-store.com"
+ location = "EU"
+ force_destroy = true
+
+ uniform_bucket_level_access = true
+
+ website {
+ main_page_suffix = "index.html"
+ not_found_page = "404.html"
+ }
+ cors {
+ origin = ["http://image-store.com"]
+ method = ["GET", "HEAD", "PUT", "POST", "DELETE"]
+ response_header = ["*"]
+ max_age_seconds = 3600
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#uniform_bucket_level_access
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0002/docs.md
new file mode 100644
index 0000000..6b9dfe8
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0002/docs.md
@@ -0,0 +1,15 @@
+
+When you enable uniform bucket-level access on a bucket, Access Control Lists (ACLs) are disabled, and only bucket-level Identity and Access Management (IAM) permissions grant access to that bucket and the objects it contains. You revoke all access granted by object ACLs and the ability to administrate permissions using bucket ACLs.
+
+### Impact
+ACLs are difficult to manage and often lead to incorrect/unintended configurations.
+
+
+{{ remediationActions }}
+
+### Links
+- https://cloud.google.com/storage/docs/uniform-bucket-level-access
+
+- https://jbrojbrojbro.medium.com/you-make-the-rules-with-authentication-controls-for-cloud-storage-53c32543747b
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0066/Terraform.md b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0066/Terraform.md
new file mode 100644
index 0000000..fa2bf1c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0066/Terraform.md
@@ -0,0 +1,20 @@
+
+Encrypt Cloud Storage buckets using customer-managed keys.
+
+```hcl
+ resource "google_storage_bucket" "default" {
+ name = "my-default-bucket"
+ location = "EU"
+ force_destroy = true
+ uniform_bucket_level_access = true
+
+ encryption {
+ default_kms_key_name = "projects/my-pet-project/locations/us-east1/keyRings/my-key-ring/cryptoKeys/my-key"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket#encryption
+
diff --git a/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0066/docs.md b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0066/docs.md
new file mode 100644
index 0000000..e6b79d1
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/google/storage/AVD-GCP-0066/docs.md
@@ -0,0 +1,13 @@ + +Using unmanaged keys makes rotation and general management difficult. + +### Impact +Using unmanaged keys does not allow for proper key management. + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/storage/docs/encryption/customer-managed-keys + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0001/docs.md new file mode 100644 index 0000000..3932121 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0001/docs.md @@ -0,0 +1,13 @@ + +Disable anonymous requests to the API server. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0002/docs.md new file mode 100644 index 0000000..3dd60c0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0002/docs.md @@ -0,0 +1,13 @@ + +Do not use token based authentication. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0003/docs.md new file mode 100644 index 0000000..ba1ad62 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0003/docs.md @@ -0,0 +1,13 @@ + +This admission controller rejects all net-new usage of the Service field externalIPs. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0004/docs.md new file mode 100644 index 0000000..d330514 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0004/docs.md @@ -0,0 +1,13 @@ + +Use https for kubelet connections. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0005/docs.md new file mode 100644 index 0000000..c8470a9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0005/docs.md @@ -0,0 +1,13 @@ + +Enable certificate based kubelet authentication. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0006/docs.md new file mode 100644 index 0000000..b435b63 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0006/docs.md @@ -0,0 +1,13 @@ + +Verify kubelet's certificate before establishing connection. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0007/docs.md new file mode 100644 index 0000000..5d19e55 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0007/docs.md @@ -0,0 +1,13 @@ + +Do not always authorize all requests. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0008/docs.md new file mode 100644 index 0000000..d01328e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0008/docs.md @@ -0,0 +1,13 @@ + +Restrict kubelet nodes to reading only objects associated with them. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0009/docs.md new file mode 100644 index 0000000..4363c0f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0009/docs.md @@ -0,0 +1,13 @@ + +Turn on Role Based Access Control. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0010/docs.md new file mode 100644 index 0000000..bbe63e2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0010/docs.md @@ -0,0 +1,13 @@ + +Limit the rate at which the API server accepts requests. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0011/docs.md new file mode 100644 index 0000000..0c2f5ce --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0011/docs.md @@ -0,0 +1,13 @@ + +Do not allow all requests. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0012/docs.md new file mode 100644 index 0000000..f9792e7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0012/docs.md @@ -0,0 +1,13 @@ + +Always pull images. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0013/docs.md new file mode 100644 index 0000000..3820f7c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0013/docs.md @@ -0,0 +1,13 @@ + +The SecurityContextDeny admission controller can be used to deny pods which make use of some SecurityContext fields which could allow for privilege escalation in the cluster. This should be used where PodSecurityPolicy is not in place within the cluster. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0014/docs.md new file mode 100644 index 0000000..a1623ab --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0014/docs.md @@ -0,0 +1,13 @@ + +Automate service accounts management. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0015/docs.md new file mode 100644 index 0000000..39fc343 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0015/docs.md 
@@ -0,0 +1,13 @@ + +Reject creating objects in a namespace that is undergoing termination. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0016/docs.md new file mode 100644 index 0000000..f35fb8b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0016/docs.md @@ -0,0 +1,13 @@ + +Limit the Node and Pod objects that a kubelet could modify. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0017/docs.md new file mode 100644 index 0000000..d12c420 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0017/docs.md @@ -0,0 +1,13 @@ + +Do not disable the secure port. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0018/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0018/docs.md new file mode 100644 index 0000000..c82fe71 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0018/docs.md @@ -0,0 +1,13 @@ + +Disable profiling, if not needed. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0019/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0019/docs.md new file mode 100644 index 0000000..17be6b4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0019/docs.md 
@@ -0,0 +1,13 @@ + +Enable auditing on the Kubernetes API Server and set the desired audit log path. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0020/docs.md new file mode 100644 index 0000000..abb6d4c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0020/docs.md @@ -0,0 +1,13 @@ + +Retain the logs for at least 30 days or as appropriate. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0021/docs.md new file mode 100644 index 0000000..f455100 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0021/docs.md @@ -0,0 +1,13 @@ + +Retain 10 or an appropriate number of old log files. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0022/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0022/docs.md new file mode 100644 index 0000000..f0480f9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0022/docs.md @@ -0,0 +1,13 @@ + +Rotate log files on reaching 100 MB or as appropriate. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0024/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0024/docs.md new file mode 100644 index 0000000..2792499 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0024/docs.md @@ -0,0 +1,13 @@ + +Validate service account before validating token. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0025/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0025/docs.md new file mode 100644 index 0000000..2a05520 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0025/docs.md @@ -0,0 +1,13 @@ + +Explicitly set a service account public key file for service accounts on the apiserver. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0026/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0026/docs.md new file mode 100644 index 0000000..0730884 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0026/docs.md @@ -0,0 +1,13 @@ + +etcd should be configured to make use of TLS encryption for client connections. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0027/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0027/docs.md new file mode 100644 index 0000000..0bf8657 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0027/docs.md @@ -0,0 +1,13 @@ + +Setup TLS connection on the API server. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0028/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0028/docs.md new file mode 100644 index 0000000..0bf8657 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0028/docs.md @@ -0,0 +1,13 @@ + +Setup TLS connection on the API server. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0029/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0029/docs.md new file mode 100644 index 0000000..0730884 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0029/docs.md @@ -0,0 +1,13 @@ + +etcd should be configured to make use of TLS encryption for client connections. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0030/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0030/docs.md new file mode 100644 index 0000000..fa1e93b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0030/docs.md @@ -0,0 +1,13 @@ + +Encrypt etcd key-value store. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0033/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0033/docs.md new file mode 100644 index 0000000..7231e4f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0033/docs.md 
@@ -0,0 +1,13 @@ + +Activate garbage collector on pod termination, as appropriate. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0034/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0034/docs.md new file mode 100644 index 0000000..c82fe71 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0034/docs.md @@ -0,0 +1,13 @@ + +Disable profiling, if not needed. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0035/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0035/docs.md new file mode 100644 index 0000000..bf011ea --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0035/docs.md @@ -0,0 +1,13 @@ + +Use individual service account credentials for each controller. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0036/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0036/docs.md new file mode 100644 index 0000000..694aa39 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0036/docs.md @@ -0,0 +1,13 @@ + +Explicitly set a service account private key file for service accounts on the controller manager. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0037/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0037/docs.md new file mode 100644 index 0000000..893b1e8 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0037/docs.md @@ -0,0 +1,13 @@ + +Allow pods to verify the API server's serving certificate before establishing connections. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0038/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0038/docs.md new file mode 100644 index 0000000..767dab0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0038/docs.md @@ -0,0 +1,13 @@ + +Enable kubelet server certificate rotation on controller-manager. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0039/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0039/docs.md new file mode 100644 index 0000000..637986c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0039/docs.md @@ -0,0 +1,13 @@ + +Do not bind the scheduler service to non-loopback insecure addresses. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0040/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0040/docs.md new file mode 100644 index 0000000..c82fe71 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0040/docs.md @@ -0,0 +1,13 @@ + +Disable profiling, if not needed. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0041/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0041/docs.md new file mode 100644 index 0000000..637986c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0041/docs.md @@ -0,0 +1,13 @@ + +Do not bind the scheduler service to non-loopback insecure addresses. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0042/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0042/docs.md new file mode 100644 index 0000000..b15ca5d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0042/docs.md @@ -0,0 +1,13 @@ + +Configure TLS encryption for the etcd service. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0043/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0043/docs.md new file mode 100644 index 0000000..dd8a89f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0043/docs.md @@ -0,0 +1,13 @@ + +Enable client authentication on etcd service. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0044/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0044/docs.md new file mode 100644 index 0000000..2ed5105 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0044/docs.md @@ -0,0 +1,13 @@ + +Do not use self-signed certificates for TLS. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0045/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0045/docs.md new file mode 100644 index 0000000..08770a0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0045/docs.md @@ -0,0 +1,13 @@ + +etcd should be configured to make use of TLS encryption for peer connections. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0046/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0046/docs.md new file mode 100644 index 0000000..2260332 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0046/docs.md @@ -0,0 +1,13 @@ + +etcd should be configured for peer authentication. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0047/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0047/docs.md new file mode 100644 index 0000000..2ed5105 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0047/docs.md @@ -0,0 +1,13 @@ + +Do not use self-signed certificates for TLS. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0048/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0048/docs.md new file mode 100644 index 0000000..c8cb4e5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0048/docs.md 
@@ -0,0 +1,13 @@ + +Ensure that the API server pod specification file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0049/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0049/docs.md new file mode 100644 index 0000000..eb23a15 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0049/docs.md @@ -0,0 +1,13 @@ + +Ensure that the API server pod specification file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0050/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0050/docs.md new file mode 100644 index 0000000..483f73f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0050/docs.md @@ -0,0 +1,13 @@ + +Ensure that the controller manager pod specification file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0051/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0051/docs.md new file mode 100644 index 0000000..81ccd22 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0051/docs.md @@ -0,0 +1,13 @@ + +Ensure that the controller manager pod specification file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0052/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0052/docs.md new file mode 100644 index 0000000..6afafed --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0052/docs.md @@ -0,0 +1,13 @@ + +Ensure that the scheduler pod specification file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0053/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0053/docs.md new file mode 100644 index 0000000..1abbdb9 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0053/docs.md @@ -0,0 +1,13 @@ + +Ensure that the scheduler pod specification file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0054/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0054/docs.md new file mode 100644 index 0000000..041c52e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0054/docs.md @@ -0,0 +1,13 @@ + +Ensure that the etcd pod specification file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0055/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0055/docs.md new file mode 100644 index 0000000..5b50c6a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0055/docs.md 
@@ -0,0 +1,13 @@ + +Ensure that the etcd pod specification file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0056/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0056/docs.md new file mode 100644 index 0000000..3a20fa1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0056/docs.md @@ -0,0 +1,13 @@ + +Ensure that the container network interface file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0057/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0057/docs.md new file mode 100644 index 0000000..6daff67 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0057/docs.md @@ -0,0 +1,13 @@ + +Ensure that the container network interface file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0058/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0058/docs.md new file mode 100644 index 0000000..b8b24d1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0058/docs.md @@ -0,0 +1,13 @@ + +Ensure that the etcd data directory has permissions of 700 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0059/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0059/docs.md new file mode 100644 index 0000000..c250d00 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0059/docs.md @@ -0,0 +1,13 @@ + +Ensure that the etcd data directory ownership is set to etcd:etcd. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0060/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0060/docs.md new file mode 100644 index 0000000..4e499a1 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0060/docs.md @@ -0,0 +1,13 @@ + +Ensure that the admin config file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0061/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0061/docs.md new file mode 100644 index 0000000..1b6a6fb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0061/docs.md @@ -0,0 +1,13 @@ + +Ensure that the admin config file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0062/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0062/docs.md new file mode 100644 index 0000000..299023d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0062/docs.md 
@@ -0,0 +1,13 @@ + +Ensure that the scheduler config file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0063/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0063/docs.md new file mode 100644 index 0000000..ad17c0c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0063/docs.md @@ -0,0 +1,13 @@ + +Ensure that the scheduler config file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0064/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0064/docs.md new file mode 100644 index 0000000..9699676 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0064/docs.md @@ -0,0 +1,13 @@ + +Ensure that the controller-manager config file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0065/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0065/docs.md new file mode 100644 index 0000000..1676a6a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0065/docs.md @@ -0,0 +1,13 @@ + +Ensure that the controller-manager config file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0066/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0066/docs.md new file mode 100644 index 0000000..10a2d4c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0066/docs.md @@ -0,0 +1,13 @@ + +Ensure that the Kubernetes PKI directory and file file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0067/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0067/docs.md new file mode 100644 index 0000000..bcdbf09 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0067/docs.md @@ -0,0 +1,13 @@ + +Ensure that the Kubernetes PKI key file permission is set to 600. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0068/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0068/docs.md new file mode 100644 index 0000000..50da8c8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0068/docs.md @@ -0,0 +1,13 @@ + +Ensure that the Kubernetes PKI certificate file permission is set to 600. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0069/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0069/docs.md new file mode 100644 index 0000000..ae1729f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0069/docs.md 
@@ -0,0 +1,13 @@ + +Ensure that the kubelet service file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0070/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0070/docs.md new file mode 100644 index 0000000..3eb21b0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0070/docs.md @@ -0,0 +1,13 @@ + +Ensure that the kubelet service file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0071/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0071/docs.md new file mode 100644 index 0000000..d133f51 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0071/docs.md @@ -0,0 +1,13 @@ + +If kube-proxy is running, and if it is using a file-based kubeconfig file, ensure that the proxy kubeconfig file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0072/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0072/docs.md new file mode 100644 index 0000000..d840840 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0072/docs.md @@ -0,0 +1,13 @@ + +If kube-proxy is running, ensure that the file ownership of its kubeconfig file is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0073/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0073/docs.md new file mode 100644 index 0000000..a946dd2 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0073/docs.md @@ -0,0 +1,13 @@ + +Ensure that the kubelet.conf file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0074/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0074/docs.md new file mode 100644 index 0000000..4345ccd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0074/docs.md @@ -0,0 +1,13 @@ + +Ensure that the kubelet.conf file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0075/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0075/docs.md new file mode 100644 index 0000000..49d5415 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0075/docs.md @@ -0,0 +1,13 @@ + +Ensure that the certificate authorities file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0076/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0076/docs.md new file mode 100644 index 0000000..3a61c69 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0076/docs.md 
@@ -0,0 +1,13 @@ + +Ensure that the certificate authorities file ownership is set to root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0077/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0077/docs.md new file mode 100644 index 0000000..d8cb32d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0077/docs.md @@ -0,0 +1,13 @@ + +Ensure that if the kubelet refers to a configuration file with the --config argument, that file has permissions of 600 or more restrictive. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0078/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0078/docs.md new file mode 100644 index 0000000..a3fb0dd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0078/docs.md @@ -0,0 +1,13 @@ + +Ensure that if the kubelet refers to a configuration file with the --config argument, that file is owned by root:root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0079/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0079/docs.md new file mode 100644 index 0000000..b1c5fcc --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0079/docs.md @@ -0,0 +1,13 @@ + +Disable anonymous requests to the Kubelet server. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0080/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0080/docs.md new file mode 100644 index 0000000..91526c5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0080/docs.md @@ -0,0 +1,13 @@ + +Do not allow all requests. Enable explicit authorization. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0081/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0081/docs.md new file mode 100644 index 0000000..db6706b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0081/docs.md @@ -0,0 +1,13 @@ + +Enable Kubelet authentication using certificates. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0082/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0082/docs.md new file mode 100644 index 0000000..779adf6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0082/docs.md @@ -0,0 +1,13 @@ + +Disable the read-only port. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0083/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0083/docs.md new file mode 100644 index 0000000..a0e8350 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0083/docs.md 
@@ -0,0 +1,13 @@ + +Protect tuned kernel parameters from overriding kubelet default kernel parameter values. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0084/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0084/docs.md new file mode 100644 index 0000000..1b7181c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0084/docs.md @@ -0,0 +1,13 @@ + +Allow Kubelet to manage iptables. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0085/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0085/docs.md new file mode 100644 index 0000000..b4fc75e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0085/docs.md @@ -0,0 +1,13 @@ + +Do not disable timeouts on streaming connections. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0086/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0086/docs.md new file mode 100644 index 0000000..ec5d0ba --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0086/docs.md @@ -0,0 +1,13 @@ + +Do not override node hostnames. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0087/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0087/docs.md new file mode 100644 index 0000000..b00ddec --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0087/docs.md 
@@ -0,0 +1,13 @@ + +Security relevant information should be captured. The --event-qps flag on the Kubelet can be used to limit the rate at which events are gathered + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0088/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0088/docs.md new file mode 100644 index 0000000..561e5d0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0088/docs.md @@ -0,0 +1,13 @@ + +Setup TLS connection on the Kubelets. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0089/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0089/docs.md new file mode 100644 index 0000000..561e5d0 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0089/docs.md @@ -0,0 +1,13 @@ + +Setup TLS connection on the Kubelets. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0090/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0090/docs.md new file mode 100644 index 0000000..7e993cb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0090/docs.md @@ -0,0 +1,13 @@ + +Enable kubelet client certificate rotation. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0091/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0091/docs.md new file mode 100644 index 0000000..0605d0e --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0091/docs.md @@ -0,0 +1,13 @@ + +Enable kubelet server certificate rotation. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0092/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0092/docs.md new file mode 100644 index 0000000..59da13f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KCV-0092/docs.md @@ -0,0 +1,13 @@ + +Ensure that the Kubelet is configured to only use strong cryptographic ciphers. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://www.cisecurity.org/benchmark/kubernetes + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0001/docs.md new file mode 100644 index 0000000..2f43719 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0001/docs.md @@ -0,0 +1,13 @@ + +A program inside the container can elevate its own privileges and run as root, which might give the program control over the container and node. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0002/docs.md new file mode 100644 index 0000000..101f2a7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0002/docs.md 
@@ -0,0 +1,13 @@ + +According to pod security standard 'AppArmor', the AppArmor key must be set to the runtime/default profile or to be undefined. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0003/docs.md new file mode 100644 index 0000000..27e743b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0003/docs.md @@ -0,0 +1,13 @@ + +The container should drop all default capabilities and add only those that are needed for its execution. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0005/docs.md new file mode 100644 index 0000000..e5bf799 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0005/docs.md @@ -0,0 +1,13 @@ + +SYS_ADMIN gives the processes running inside the container privileges that are equivalent to root. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-securitycontext-capabilities-add-index-sys-admin/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0006/docs.md new file mode 100644 index 0000000..702985f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0006/docs.md 
@@ -0,0 +1,13 @@ + +Mounting docker.sock from the host can give the container full root access to the host. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/spec-volumes-hostpath-path-var-run-docker-sock/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0008/docs.md new file mode 100644 index 0000000..93126cf --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0008/docs.md @@ -0,0 +1,13 @@ + +Sharing the host’s IPC namespace allows container processes to communicate with processes on the host. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0009/docs.md new file mode 100644 index 0000000..8441977 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0009/docs.md @@ -0,0 +1,13 @@ + +Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0010/docs.md new file mode 100644 index 0000000..d1542a8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0010/docs.md 
@@ -0,0 +1,13 @@ + +Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0011/docs.md new file mode 100644 index 0000000..cd9f0b7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0011/docs.md @@ -0,0 +1,13 @@ + +Enforcing CPU limits prevents DoS via resource exhaustion. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0012/docs.md new file mode 100644 index 0000000..86e5958 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0012/docs.md @@ -0,0 +1,13 @@ + +Force the running image to run as a non-root user to ensure least privileges. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0013/docs.md new file mode 100644 index 0000000..33f2e8c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0013/docs.md 
@@ -0,0 +1,13 @@ + +It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/configuration/overview/#container-images + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0014/docs.md new file mode 100644 index 0000000..b89b58f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0014/docs.md @@ -0,0 +1,13 @@ + +An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0015/docs.md new file mode 100644 index 0000000..32abec5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0015/docs.md @@ -0,0 +1,13 @@ + +When containers have resource requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-resource-requests-and-limits + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0016/docs.md new file mode 100644 index 0000000..bc7e225 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0016/docs.md @@ -0,0 +1,13 @@ + +When containers have memory requests specified, the scheduler can make better decisions about which nodes to place pods on, and how to deal with resource contention. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-resources-limits-memory/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0017/docs.md new file mode 100644 index 0000000..fb20005 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0017/docs.md @@ -0,0 +1,13 @@ + +Privileged containers share namespaces with the host system and do not offer any security. They should be used exclusively for system containers that require high privileges. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0018/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0018/docs.md new file mode 100644 index 0000000..5e57994 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0018/docs.md @@ -0,0 +1,13 @@ + +Enforcing memory limits prevents DoS via resource exhaustion. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-resources-limits-memory/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0020/docs.md new file mode 100644 index 0000000..114cf9c --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0020/docs.md 
@@ -0,0 +1,13 @@ + +Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-securitycontext-runasuser/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0021/docs.md new file mode 100644 index 0000000..5c4c384 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0021/docs.md @@ -0,0 +1,13 @@ + +Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubesec.io/basics/containers-securitycontext-runasuser/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0022/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0022/docs.md new file mode 100644 index 0000000..875a938 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0022/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard 'Capabilities', capabilities beyond the default set must not be added. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0023/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0023/docs.md new file mode 100644 index 0000000..61a3fdd --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0023/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard 'HostPath Volumes', HostPath volumes must be forbidden. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0024/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0024/docs.md new file mode 100644 index 0000000..ac21a2b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0024/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard 'Host Ports', hostPorts should be disallowed, or at minimum restricted to a known list. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0025/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0025/docs.md new file mode 100644 index 0000000..f636ebf --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0025/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard 'SElinux', setting custom SELinux options should be disallowed. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0026/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0026/docs.md new file mode 100644 index 0000000..41d5c61 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0026/docs.md @@ -0,0 +1,13 @@ + +Sysctls can disable security mechanisms or affect all containers on a host, and should be disallowed except for an allowed 'safe' subset. A sysctl is considered safe if it is namespaced in the container or the Pod, and it is isolated from other Pods or processes on the same Node. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0027/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0027/docs.md new file mode 100644 index 0000000..241f125 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0027/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard '/proc Mount Type', the default /proc masks are set up to reduce attack surface, and should be required. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0028/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0028/docs.md new file mode 100644 index 0000000..0084225 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0028/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard 'Volume types', non-core volume types must not be used. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0030/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0030/docs.md new file mode 100644 index 0000000..10fa332 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0030/docs.md @@ -0,0 +1,13 @@ + +According to pod security standard 'Seccomp', the RuntimeDefault seccomp profile must be required, or allow specific additional profiles. + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0036/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0036/docs.md new file mode 100644 index 0000000..70945a4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0036/docs.md @@ -0,0 +1,13 @@ + +ensure that Pod specifications disable the secret token being mounted by setting automountServiceAccountToken: false + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0037/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0037/docs.md new file mode 100644 index 0000000..b882c5f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0037/docs.md @@ -0,0 +1,13 @@ + +ensure that User pods are not placed in kube-system namespace + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0038/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0038/docs.md new file mode 100644 index 0000000..6c39825 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0038/docs.md @@ -0,0 +1,13 @@ + +ensure that network policies selectors are applied to pods or namespaces to restricted ingress and egress traffic within the pod network + +### Impact + + + +{{ remediationActions }} + +### Links +- https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy/ + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0041/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0041/docs.md
new file mode 100644
index 0000000..7acf6da
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0041/docs.md
@@ -0,0 +1,13 @@
+
+Viewing secrets at the cluster-scope is akin to cluster-admin in most clusters as there are typically at least one service accounts (their token stored in a secret) bound to cluster-admin directly or a role/clusterrole that gives similar permissions.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0042/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0042/docs.md
new file mode 100644
index 0000000..ab6d46c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0042/docs.md
@@ -0,0 +1,13 @@
+
+Used to cover attacker’s tracks, but most clusters ship logs quickly off-cluster.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0043/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0043/docs.md
new file mode 100644
index 0000000..64a0b72
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0043/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits impersonating privileged groups
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0044/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0044/docs.md
new file mode 100644
index 0000000..a1c56b4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0044/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits wildcard verb on wildcard resource
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0045/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0045/docs.md
new file mode 100644
index 0000000..8fe1939
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0045/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits wildcard verb on specific resources
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0046/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0046/docs.md
new file mode 100644
index 0000000..4257a2a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0046/docs.md
@@ -0,0 +1,13 @@
+
+Full control of the cluster resources, and therefore also root on all nodes where workloads can run and has access to all pods, secrets, and data.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0047/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0047/docs.md
new file mode 100644
index 0000000..c41c35c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0047/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits privilege escalation from node proxy
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0048/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0048/docs.md
new file mode 100644
index 0000000..a5b9acd
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0048/docs.md
@@ -0,0 +1,13 @@
+
+Depending on the policies enforced by the admission controller, this permission ranges from the ability to steal compute (crypto) by running workloads or allowing for creating workloads that escape to the node as root and escalation to cluster-admin.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0049/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0049/docs.md
new file mode 100644
index 0000000..36e0dd2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0049/docs.md
@@ -0,0 +1,13 @@
+
+Some workloads leverage configmaps to store sensitive data or configuration parameters that affect runtime behavior that can be modified by an attacker or combined with another issue to potentially lead to compromise.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0050/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0050/docs.md
new file mode 100644
index 0000000..2cef3c2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0050/docs.md
@@ -0,0 +1,13 @@
+
+An effective level of access equivalent to cluster-admin should not be provided.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0051/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0051/docs.md
new file mode 100644
index 0000000..c746354
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0051/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits creating role bindings and associating to privileged role/clusterrole
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0052/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0052/docs.md
new file mode 100644
index 0000000..e98e4c3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0052/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits creating role ClusterRoleBindings and association with privileged cluster role
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0053/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0053/docs.md
new file mode 100644
index 0000000..85e8bc4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0053/docs.md
@@ -0,0 +1,13 @@
+
+The ability to exec into a container with privileged access to the host or with an attached SA with higher RBAC permissions is a common escalation path to cluster-admin.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0054/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0054/docs.md
new file mode 100644
index 0000000..427f885
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0054/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits attaching to shell on pods
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0055/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0055/docs.md
new file mode 100644
index 0000000..5997ca3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0055/docs.md
@@ -0,0 +1,13 @@
+
+Check whether role permits allowing users in a rolebinding to add other users to their rolebindings
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0056/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0056/docs.md
new file mode 100644
index 0000000..6b271c6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0056/docs.md
@@ -0,0 +1,13 @@
+
+The ability to control which pods get service traffic directed to them allows for interception attacks. Controlling network policy allows for bypassing lateral movement restrictions.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
new file mode 100644
index 0000000..f69f12c
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-01010/docs.md
@@ -0,0 +1,10 @@
+
+Storing sensitive content such as usernames and email addresses in configMaps is unsafe
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0102/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0102/docs.md
new file mode 100644
index 0000000..bda1e20
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0102/docs.md
@@ -0,0 +1,10 @@
+
+Check if Helm Tiller component is deployed.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0103/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0103/docs.md
new file mode 100644
index 0000000..13047dc
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0103/docs.md
@@ -0,0 +1,13 @@
+
+Windows pods offer the ability to run HostProcess containers which enable privileged access to the Windows node.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0104/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0104/docs.md
new file mode 100644
index 0000000..95ee956
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0104/docs.md
@@ -0,0 +1,13 @@
+
+A program inside the container can bypass Seccomp protection policies.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0105/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0105/docs.md
new file mode 100644
index 0000000..ba2deb7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0105/docs.md
@@ -0,0 +1,13 @@
+
+Containers should be forbidden from running with a root UID.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0106/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0106/docs.md
new file mode 100644
index 0000000..f7918c4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0106/docs.md
@@ -0,0 +1,13 @@
+
+Containers must drop ALL capabilities, and are only permitted to add back the NET_BIND_SERVICE capability.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md
new file mode 100644
index 0000000..6af76b2
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0107/docs.md
@@ -0,0 +1,13 @@
+
+apiVersion '' and kind '' has been deprecated on: '' and planned for removal on:''
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+-
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
new file mode 100644
index 0000000..9c1e772
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0108/docs.md
@@ -0,0 +1,10 @@
+
+Services with external IP addresses allows direct access from the internet and might expose risk for CVE-2020-8554
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
new file mode 100644
index 0000000..70bba0f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0109/docs.md
@@ -0,0 +1,10 @@
+
+Storing secrets in configMaps is unsafe
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0110/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0110/docs.md
new file mode 100644
index 0000000..ecd7a45
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0110/docs.md
@@ -0,0 +1,13 @@
+
+Checks whether a workload is running in the default namespace.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0111/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0111/docs.md
new file mode 100644
index 0000000..2504110
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0111/docs.md
@@ -0,0 +1,13 @@
+
+Either cluster-admin or those granted powerful permissions.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0112/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0112/docs.md
new file mode 100644
index 0000000..dac8568
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0112/docs.md
@@ -0,0 +1,13 @@
+
+Full control of the resources within a namespace. In some cluster configurations, this is excessive. In others, this is normal (a gitops deployment operator like flux)
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0113/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0113/docs.md
new file mode 100644
index 0000000..4e6afa6
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0113/docs.md
@@ -0,0 +1,13 @@
+
+Viewing secrets at the namespace scope can lead to escalation if another service account in that namespace has a higher privileged rolebinding or clusterrolebinding bound.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0114/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0114/docs.md
new file mode 100644
index 0000000..e5f0d5a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0114/docs.md
@@ -0,0 +1,13 @@
+
+Webhooks can silently intercept or actively mutate/block resources as they are being created or updated. This includes secrets and pod specs.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0115/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0115/docs.md
new file mode 100644
index 0000000..aa50f17
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0115/docs.md
@@ -0,0 +1,13 @@
+
+Ability to add AWS IAM to RBAC bindings via special EKS configmap.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/rbac-good-practices/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0116/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0116/docs.md
new file mode 100644
index 0000000..ef60ecb
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0116/docs.md
@@ -0,0 +1,13 @@
+
+According to pod security standard 'Non-root groups', containers should be forbidden from running with a root primary or supplementary GID.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubesec.io/basics/containers-securitycontext-runasuser/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0117/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0117/docs.md
new file mode 100644
index 0000000..a563b5b
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0117/docs.md
@@ -0,0 +1,13 @@
+
+The ports which are lower than 1024 receive and transmit various sensitive and privileged data. Allowing containers to use them can bring serious implications.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0118/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0118/docs.md
new file mode 100644
index 0000000..1a70c18
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0118/docs.md
@@ -0,0 +1,13 @@
+
+Security context controls the allocation of security parameters for the pod/container/volume, ensuring the appropriate level of protection. Relying on default security context may expose vulnerabilities to potential attacks that rely on privileged access.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0119/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0119/docs.md
new file mode 100644
index 0000000..c0b5b17
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0119/docs.md
@@ -0,0 +1,13 @@
+
+The NET_RAW capability grants attackers the ability to eavesdrop on network traffic or generate IP traffic with falsified source addresses, posing serious security risks.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0120/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0120/docs.md
new file mode 100644
index 0000000..2ab7ed4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0120/docs.md
@@ -0,0 +1,13 @@
+
+The SYS_MODULE capability grants attackers the ability to install and remove kernel modules, posing serious security risks.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0121/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0121/docs.md
new file mode 100644
index 0000000..4959098
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0121/docs.md
@@ -0,0 +1,13 @@
+
+HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0122/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0122/docs.md
new file mode 100644
index 0000000..cf60a5f
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/general/AVD-KSV-0122/docs.md
@@ -0,0 +1,13 @@
+
+Binding to anonymous user to any clusterrole or role is a security risk.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://blog.aquasec.com/kubernetes-exposed-one-yaml-away-from-disaster
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md
new file mode 100644
index 0000000..475ca5a
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0001/Terraform.md
@@ -0,0 +1,70 @@
+
+Remove public access except where explicitly required
+
+```hcl
+ resource "kubernetes_network_policy" "good_example" {
+ metadata {
+ name = "terraform-example-network-policy"
+ namespace = "default"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "name"
+ operator = "In"
+ values = ["webfront", "api"]
+ }
+ }
+
+ ingress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ from {
+ ip_block {
+ cidr = "10.0.0.0/16"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ egress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ to {
+ ip_block {
+ cidr = "0.0.0.0/0"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ policy_types = ["Ingress", "Egress"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md
new file mode 100644
index 0000000..d99ebb9
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0001/docs.md
@@ -0,0 +1,10 @@
+
+You should not expose infrastructure to the public internet except where explicitly required
+
+### Impact
+Exposure of infrastructure to the public internet
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md
new file mode 100644
index 0000000..5d4db9e
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0002/Terraform.md
@@ -0,0 +1,70 @@
+
+Remove public access except where explicitly required
+
+```hcl
+ resource "kubernetes_network_policy" "good_example" {
+ metadata {
+ name = "terraform-example-network-policy"
+ namespace = "default"
+ }
+
+ spec {
+ pod_selector {
+ match_expressions {
+ key = "name"
+ operator = "In"
+ values = ["webfront", "api"]
+ }
+ }
+
+ egress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ to {
+ ip_block {
+ cidr = "10.0.0.0/16"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ ingress {
+ ports {
+ port = "http"
+ protocol = "TCP"
+ }
+ ports {
+ port = "8125"
+ protocol = "UDP"
+ }
+
+ from {
+ ip_block {
+ cidr = "10.0.0.0/16"
+ except = [
+ "10.0.0.0/24",
+ "10.0.1.0/24",
+ ]
+ }
+ }
+ }
+
+ policy_types = ["Ingress", "Egress"]
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/network_policy#spec.ingress.from.ip_block.cidr
+
diff --git a/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md
new file mode 100644
index 0000000..53664db
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/kubernetes/network/AVD-KUBE-0002/docs.md
@@ -0,0 +1,10 @@
+
+You should not expose infrastructure to the public internet except where explicitly required
+
+### Impact
+Exfiltration of data to the public internet
+
+
+{{ remediationActions }}
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0001/Terraform.md
new file mode 100644
index 0000000..3c52cd4
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0001/Terraform.md
@@ -0,0 +1,25 @@
+
+Set a more restrictive cidr range
+
+```hcl
+ resource "nifcloud_security_group_rule" "good_example" {
+ type = "IN"
+ cidr_ip = "10.0.0.0/16"
+ }
+
+```
+```hcl
+resource "nifcloud_security_group_rule" "allow_partner_rsync" {
+ type = "IN"
+ security_group_names = [nifcloud_security_group.….group_name]
+ from_port = 22
+ to_port = 22
+ protocol = "TCP"
+ cidr_ip = "10.0.0.0/16"
+}
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/security_group_rule#cidr_ip
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md
new file mode 100644
index 0000000..776e9ee
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0001/docs.md
@@ -0,0 +1,15 @@
+
+Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
+When publishing web applications, use a load balancer instead of publishing directly to instances.
+
+
+### Impact
+Your port exposed to the internet
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/help/fw/rule_new.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0002/Terraform.md
new file mode 100644
index 0000000..27978c7
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0002/Terraform.md
@@ -0,0 +1,14 @@
+
+Add descriptions for all security groups
+
+```hcl
+ resource "nifcloud_security_group" "good_example" {
+ group_name = "http"
+ description = "Allow inbound HTTP traffic"
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/security_group#description
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0002/docs.md
new file mode 100644
index 0000000..c7f7a77
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0002/docs.md
@@ -0,0 +1,15 @@
+
+Security groups should include a description for auditing purposes.
+
+Simplifies auditing, debugging, and managing security groups.
+
+### Impact
+Descriptions provide context for the firewall rule reasons
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/help/fw/change.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0003/Terraform.md
new file mode 100644
index 0000000..7775c9d
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0003/Terraform.md
@@ -0,0 +1,18 @@
+
+Add descriptions for all security groups rules
+
+```hcl
+ resource "nifcloud_security_group_rule" "good_example" {
+ type = "IN"
+ description = "HTTP from VPC"
+ from_port = 80
+ to_port = 80
+ protocol = "TCP"
+ cidr_ip = nifcloud_private_lan.main.cidr_block
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/security_group_rule#description
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0003/docs.md
new file mode 100644
index 0000000..d011baa
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0003/docs.md
@@ -0,0 +1,15 @@
+
+Security group rules should include a description for auditing purposes.
+
+Simplifies auditing, debugging, and managing security groups.
+
+### Impact
+Descriptions provide context for the firewall rule reasons
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/help/fw/rule_new.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0004/Terraform.md
new file mode 100644
index 0000000..4af4dea
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0004/Terraform.md
@@ -0,0 +1,18 @@
+
+Add security group for all instances
+
+```hcl
+ resource "nifcloud_instance" "good_example" {
+ image_id = data.nifcloud_image.ubuntu.id
+ security_group = nifcloud_security_group.example.group_name
+
+ network_interface {
+ network_id = "net-COMMON_GLOBAL"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#security_group
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0004/docs.md
new file mode 100644
index 0000000..03104d0
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0004/docs.md
@@ -0,0 +1,13 @@
+
+Need to add a security group to your instance.
+
+### Impact
+A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/help/server/change_fw.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0005/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0005/Terraform.md
new file mode 100644
index 0000000..c588910
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0005/Terraform.md
@@ -0,0 +1,18 @@
+
+Use private LAN
+
+```hcl
+ resource "nifcloud_instance" "good_example" {
+ image_id = data.nifcloud_image.ubuntu.id
+ security_group = nifcloud_security_group.example.group_name
+
+ network_interface {
+ network_id = nifcloud_private_lan.main.id
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/instance#network_id
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0005/docs.md
new file mode 100644
index 0000000..26a9f07
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/computing/AVD-NIF-0005/docs.md
@@ -0,0 +1,13 @@
+
+When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.
+
+### Impact
+The common private network is shared with other users
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/service/plan.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/dns/AVD-NIF-0007/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/dns/AVD-NIF-0007/docs.md
new file mode 100644
index 0000000..70cde12
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/dns/AVD-NIF-0007/docs.md
@@ -0,0 +1,15 @@
+
+
+Removing verified record of TXT auth the risk that
+If the authentication record remains, anyone can register the zone
+
+### Impact
+Risk of DNS records be used by others
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/guide/dns/zone_new.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0013/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0013/Terraform.md
new file mode 100644
index 0000000..b8e20c3
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0013/Terraform.md
@@ -0,0 +1,13 @@
+
+Use private LAN
+
+```hcl
+ resource "nifcloud_nas_instance" "good_example" {
+ network_id = nifcloud_private_lan.main.id
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/nas_instance#network_id
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0013/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0013/docs.md
new file mode 100644
index 0000000..26a9f07
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0013/docs.md
@@ -0,0 +1,13 @@
+
+When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network.
+
+### Impact
+The common private network is shared with other users
+
+
+{{ remediationActions }}
+
+### Links
+- https://pfs.nifcloud.com/service/plan.htm
+
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0014/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0014/Terraform.md
new file mode 100644
index 0000000..288a741
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0014/Terraform.md
@@ -0,0 +1,15 @@
+
+Set a more restrictive cidr range
+
+```hcl
+ resource "nifcloud_nas_security_group" "good_example" {
+ rule {
+ cidr_ip = "10.0.0.0/16"
+ }
+ }
+
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/nas_security_group#cidr_ip
+
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md
new file mode 100644
index 0000000..57f20db
--- /dev/null
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0014/docs.md
@@ -0,0 +1,13 @@ + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +Your port exposed to the internet + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/api/nas/AuthorizeNASSecurityGroupIngress.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0015/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0015/Terraform.md new file mode 100644 index 0000000..984cf29 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0015/Terraform.md @@ -0,0 +1,14 @@ + +Add descriptions for all nas security groups + +```hcl + resource "nifcloud_nas_security_group" "good_example" { + group_name = "app" + description = "Allow from app traffic" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/nas_security_group#description + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0015/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0015/docs.md new file mode 100644 index 0000000..b3f2842 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/nas/AVD-NIF-0015/docs.md @@ -0,0 +1,15 @@ + +NAS security groups should include a description for auditing purposes. + +Simplifies auditing, debugging, and managing nas security groups. + +### Impact +Descriptions provide context for the firewall rule reasons + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/help/nas/fw_new.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0016/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0016/Terraform.md new file mode 100644 index 0000000..f664399 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0016/Terraform.md 
@@ -0,0 +1,17 @@ + +Add security group for all routers + +```hcl + resource "nifcloud_router" "good_example" { + security_group = nifcloud_security_group.example.group_name + + network_interface { + network_id = "net-COMMON_GLOBAL" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/router#security_group + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0016/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0016/docs.md new file mode 100644 index 0000000..feea9c8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0016/docs.md @@ -0,0 +1,13 @@ + +Need to add a security group to your router. + +### Impact +A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/help/router/change.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0017/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0017/Terraform.md new file mode 100644 index 0000000..21b00d4 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0017/Terraform.md @@ -0,0 +1,17 @@ + +Use private LAN + +```hcl + resource "nifcloud_router" "good_example" { + security_group = nifcloud_security_group.example.group_name + + network_interface { + network_id = nifcloud_private_lan.main.id + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/router#network_id + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0017/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0017/docs.md new file mode 100644 index 0000000..26a9f07 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0017/docs.md 
@@ -0,0 +1,13 @@ + +When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network. + +### Impact +The common private network is shared with other users + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/service/plan.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0018/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0018/Terraform.md new file mode 100644 index 0000000..89aa23e --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0018/Terraform.md @@ -0,0 +1,17 @@ + +Add security group for all vpnGateways + +```hcl + resource "nifcloud_vpn_gateway" "good_example" { + security_group = nifcloud_security_group.example.group_name + + network_interface { + network_id = "net-COMMON_GLOBAL" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/vpn_gateway#security_group + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0018/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0018/docs.md new file mode 100644 index 0000000..fb87982 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0018/docs.md @@ -0,0 +1,13 @@ + +Need to add a security group to your vpnGateway. + +### Impact +A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/help/vpngw/change.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0019/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0019/Terraform.md new file mode 100644 index 0000000..a591aeb --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0019/Terraform.md 
@@ -0,0 +1,21 @@ + +Use private LAN + +```hcl + resource "nifcloud_elb" "good_example" { + elb_name = "foobar" + availability_zone = "east-11" + instance_port = 80 + protocol = "HTTP" + lb_port = 80 + + network_interface { + network_id = nifcloud_private_lan.main.id + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/elb#network_id + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0019/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0019/docs.md new file mode 100644 index 0000000..26a9f07 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0019/docs.md @@ -0,0 +1,13 @@ + +When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network. + +### Impact +The common private network is shared with other users + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/service/plan.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0020/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0020/Terraform.md new file mode 100644 index 0000000..f799d80 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0020/Terraform.md @@ -0,0 +1,17 @@ + +Use a more recent TLS/SSL policy for the load balancer + +```hcl + resource "nifcloud_load_balancer" "good_example" { + load_balancer_port = 443 + policy_type = "standard" + ssl_policy_name = "Standard Ciphers D ver1" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/load_balancer#ssl_policy_name + + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/load_balancer_listener#ssl_policy_name + 
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0020/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0020/docs.md new file mode 100644 index 0000000..9587778 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0020/docs.md @@ -0,0 +1,13 @@ + +You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+. + +### Impact +The SSL policy is outdated and has known vulnerabilities + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/service/lb_l4.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0021/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0021/Terraform.md new file mode 100644 index 0000000..51396f3 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0021/Terraform.md @@ -0,0 +1,21 @@ + +Switch to HTTPS to benefit from TLS security features + +```hcl + resource "nifcloud_elb" "good_example" { + protocol = "HTTPS" + } + +``` +```hcl +resource "nifcloud_load_balancer" "good_example" { + load_balancer_port = 443 +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/elb#protocol + + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/load_balancer#load_balancer_port + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0021/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0021/docs.md new file mode 100644 index 0000000..b5ec5a8 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/network/AVD-NIF-0021/docs.md 
@@ -0,0 +1,15 @@ + +Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth. + +You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic. + +### Impact +Your traffic is not protected + + +{{ remediationActions }} + +### Links +- https://www.cloudflare.com/en-gb/learning/ssl/why-is-http-not-secure/ + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0008/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0008/Terraform.md new file mode 100644 index 0000000..0d5dc6b --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0008/Terraform.md @@ -0,0 +1,13 @@ + +Set the database to not be publicly accessible + +```hcl + resource "nifcloud_db_instance" "good_example" { + publicly_accessible = false + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_instance#publicly_accessible + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0008/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0008/docs.md new file mode 100644 index 0000000..ca4bd82 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0008/docs.md @@ -0,0 +1,13 @@ + +Database resources should not publicly available. You should limit all access to the minimum that is required for your application to function. + +### Impact +The database instance is publicly accessible + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/guide/rdb/server_new.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0009/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0009/Terraform.md new file mode 100644 index 0000000..6d8a8aa --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0009/Terraform.md @@ -0,0 +1,22 @@ + +Explicitly set the retention period to greater than the default + +```hcl + resource "nifcloud_db_instance" "good_example" { + allocated_storage = 100 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.large8" + name = "mydb" + username = "foo" + password = "foobarbaz" + parameter_group_name = "default.mysql5.7" + backup_retention_period = 5 + skip_final_snapshot = true + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_instance#backup_retention_period + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0009/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0009/docs.md new file mode 100644 index 0000000..0235817 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0009/docs.md @@ -0,0 +1,13 @@ + +Backup retention periods should be set to a period that is a balance on cost and limiting risk. + +### Impact +Potential loss of data and short opportunity for recovery + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/spec/rdb/snapshot_backup.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0010/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0010/Terraform.md new file mode 100644 index 0000000..2286334 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0010/Terraform.md @@ -0,0 +1,13 @@ + +Use private LAN + +```hcl + resource "nifcloud_db_instance" "good_example" { + network_id = nifcloud_private_lan.main.id + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_instance#network_id + 
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0010/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0010/docs.md new file mode 100644 index 0000000..26a9f07 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0010/docs.md @@ -0,0 +1,13 @@ + +When handling sensitive data between servers, please consider using a private LAN to isolate the private side network from the shared network. + +### Impact +The common private network is shared with other users + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/service/plan.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0011/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0011/Terraform.md new file mode 100644 index 0000000..ee60f95 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0011/Terraform.md @@ -0,0 +1,15 @@ + +Set a more restrictive cidr range + +```hcl + resource "nifcloud_db_security_group" "good_example" { + rule { + cidr_ip = "10.0.0.0/16" + } + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_security_group#cidr_ip + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md new file mode 100644 index 0000000..c3fbcd7 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0011/docs.md @@ -0,0 +1,13 @@ + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +Your port exposed to the internet + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/api/rdb/AuthorizeDBSecurityGroupIngress.htm + + 
diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0012/Terraform.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0012/Terraform.md new file mode 100644 index 0000000..490c742 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0012/Terraform.md @@ -0,0 +1,14 @@ + +Add descriptions for all db security groups + +```hcl + resource "nifcloud_db_security_group" "good_example" { + group_name = "app" + description = "Allow from app traffic" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/nifcloud/nifcloud/latest/docs/resources/db_security_group#description + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0012/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0012/docs.md new file mode 100644 index 0000000..2531a25 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/rdb/AVD-NIF-0012/docs.md @@ -0,0 +1,15 @@ + +DB security groups should include a description for auditing purposes. + +Simplifies auditing, debugging, and managing db security groups. + +### Impact +Descriptions provide context for the firewall rule reasons + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/help/rdb/fw_new.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/nifcloud/sslcertificate/AVD-NIF-0006/docs.md b/cmd/trivy-policies-generator/avd_docs/nifcloud/sslcertificate/AVD-NIF-0006/docs.md new file mode 100644 index 0000000..f450bb5 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/nifcloud/sslcertificate/AVD-NIF-0006/docs.md 
@@ -0,0 +1,18 @@ + + +Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be +deployed accidentally to a resource such as NIFCLOUD Load Balancer(L4LB), which candamage the +credibility of the application/website behind the L4LB. As a best practice, it is +recommended to delete expired certificates. + + +### Impact +Risk of misconfiguration and damage to credibility + + +{{ remediationActions }} + +### Links +- https://pfs.nifcloud.com/help/ssl/del.htm + + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0001/Terraform.md new file mode 100644 index 0000000..b0b1a64 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0001/Terraform.md @@ -0,0 +1,21 @@ + +Do not use plaintext passwords in terraform files + +```hcl + resource "openstack_compute_instance_v2" "good_example" { + name = "basic" + image_id = "ad091b52-742f-469e-8f3c-fd81cadf0743" + flavor_id = "3" + key_pair = "my_key_pair_name" + security_groups = ["default"] + user_data = "#cloud-config\nhostname: instance_1.example.com\nfqdn: instance_1.example.com" + + network { + name = "my_network" + } + } +``` + +#### Remediation Links + - https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/compute_instance_v2#admin_pass + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0001/docs.md new file mode 100644 index 0000000..f60c9e3 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0001/docs.md 
@@ -0,0 +1,10 @@ + +Assigning a password to the compute instance using plaintext could lead to compromise; it would be preferable to use key-pairs as a login mechanism + +### Impact +Including a plaintext password could lead to compromised instance + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0002/Terraform.md b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0002/Terraform.md new file mode 100644 index 0000000..a5904f3 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0002/Terraform.md @@ -0,0 +1,20 @@ + +Employ more restrictive firewall rules + +```hcl + resource "openstack_fw_rule_v1" "rule_1" { + name = "my_rule" + description = "don't let just anyone in" + action = "allow" + protocol = "tcp" + destination_ip_address = "10.10.10.1" + source_ip_address = "10.10.10.2" + destination_port = "22" + enabled = "true" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/fw_rule_v1 + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0002/docs.md b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0002/docs.md new file mode 100644 index 0000000..b58677a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/compute/AVD-OPNSTK-0002/docs.md @@ -0,0 +1,10 @@ + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +Exposure of infrastructure to the public internet + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0003/Terraform.md b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0003/Terraform.md new file mode 100644 index 0000000..387a6ed --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0003/Terraform.md @@ -0,0 +1,18 @@ + +Employ more restrictive security group rules + +```hcl + resource "openstack_networking_secgroup_rule_v2" "rule_1" { + direction = "ingress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "1.2.3.4/32" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/fw_rule_v1 + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0003/docs.md b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0003/docs.md new file mode 100644 index 0000000..b58677a --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0003/docs.md @@ -0,0 +1,10 @@ + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +Exposure of infrastructure to the public internet + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0004/Terraform.md b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0004/Terraform.md new file mode 100644 index 0000000..3bd7dd6 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0004/Terraform.md @@ -0,0 +1,18 @@ + +Employ more restrictive security group rules + +```hcl +resource "openstack_networking_secgroup_rule_v2" "rule_1" { + direction = "egress" + ethertype = "IPv4" + protocol = "tcp" + port_range_min = 22 + port_range_max = 22 + remote_ip_prefix = "1.2.3.4/32" +} + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs/resources/networking_secgroup_rule_v2 + 
diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0004/docs.md b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0004/docs.md new file mode 100644 index 0000000..fc7f285 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0004/docs.md @@ -0,0 +1,10 @@ + +Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible. + +### Impact +Potential exfiltration of data to the public internet + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0005/Terraform.md b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0005/Terraform.md new file mode 100644 index 0000000..9bfe44d --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0005/Terraform.md @@ -0,0 +1,11 @@ + +Add descriptions for all security groups + +```hcl + resource "openstack_networking_secgroup_v2" "group_1" { + description = "don't let just anyone in" + } + +``` + + diff --git a/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0005/docs.md b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0005/docs.md new file mode 100644 index 0000000..656227f --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/openstack/networking/AVD-OPNSTK-0005/docs.md @@ -0,0 +1,10 @@ + +Security groups should include a description for auditing purposes. Simplifies auditing, debugging, and managing security groups. + +### Impact +Auditing capability and awareness limited. + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/avd_docs/oracle/compute/AVD-OCI-0001/Terraform.md b/cmd/trivy-policies-generator/avd_docs/oracle/compute/AVD-OCI-0001/Terraform.md new file mode 100644 index 0000000..51f21d4 --- /dev/null 
+++ b/cmd/trivy-policies-generator/avd_docs/oracle/compute/AVD-OCI-0001/Terraform.md @@ -0,0 +1,16 @@ + +Reconsider the use of an public IP + +```hcl + resource "opc_compute_ip_address_reservation" "good_example" { + name = "my-ip-address" + ip_address_pool = "cloud-ippool" + } + +``` + +#### Remediation Links + - https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_ip_address_reservation + + - https://registry.terraform.io/providers/hashicorp/opc/latest/docs/resources/opc_compute_instance + diff --git a/cmd/trivy-policies-generator/avd_docs/oracle/compute/AVD-OCI-0001/docs.md b/cmd/trivy-policies-generator/avd_docs/oracle/compute/AVD-OCI-0001/docs.md new file mode 100644 index 0000000..da43796 --- /dev/null +++ b/cmd/trivy-policies-generator/avd_docs/oracle/compute/AVD-OCI-0001/docs.md @@ -0,0 +1,12 @@ + +Compute instance requests an IP reservation from a public pool + +The compute instance has the ability to be reached from outside, you might want to sonder the use of a non public IP. + +### Impact +The compute instance has the ability to be reached from outside + + +{{ remediationActions }} + + diff --git a/cmd/trivy-policies-generator/go.mod b/cmd/trivy-policies-generator/go.mod new file mode 100644 index 0000000..4a4f6f7 --- /dev/null +++ b/cmd/trivy-policies-generator/go.mod 
@@ -0,0 +1,80 @@ +module github.com/aquasecurity/avd-generator/trivy-policies-generator + +go 1.21.4 + +require ( + github.com/aquasecurity/defsec v0.93.2-0.20231121210951-9b3cc255faff + github.com/aquasecurity/trivy-policies v0.7.0 + github.com/stretchr/testify v1.8.4 +) + +require ( + dario.cat/mergo v1.0.0 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/OneOfOne/xxhash v1.2.8 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect + github.com/acomagu/bufpipe v1.0.4 // indirect + github.com/agext/levenshtein v1.2.3 // indirect + github.com/agnivade/levenshtein v1.1.1 // indirect + github.com/alecthomas/chroma v0.10.0 // indirect + github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect + github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect + github.com/beorn7/perks v1.0.1 // indirect + github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cloudflare/circl v1.3.3 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/dlclark/regexp2 v1.4.0 // indirect + github.com/emirpasic/gods v1.18.1 // indirect + github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect + github.com/go-git/go-billy/v5 v5.4.1 // indirect + github.com/go-git/go-git/v5 v5.8.1 // indirect + github.com/go-ini/ini v1.67.0 // indirect + github.com/go-logr/logr v1.2.4 // indirect + github.com/go-logr/stdr v1.2.2 // indirect + github.com/gobwas/glob v0.2.3 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/golang/protobuf v1.5.3 // indirect + github.com/google/uuid v1.3.1 // indirect + github.com/gorilla/mux v1.8.0 // indirect + github.com/hashicorp/hcl/v2 v2.18.1 // indirect + github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect + github.com/kevinburke/ssh_config v1.2.0 // indirect + github.com/liamg/iamgo v0.0.9 // indirect + github.com/liamg/jfather v0.0.7 // indirect + 
github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect + github.com/mitchellh/go-wordwrap v1.0.1 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/open-policy-agent/opa v0.58.0 // indirect + github.com/owenrumney/squealer v1.2.1 // indirect + github.com/pjbgf/sha1cd v0.3.0 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/prometheus/client_golang v1.16.0 // indirect + github.com/prometheus/client_model v0.4.0 // indirect + github.com/prometheus/common v0.44.0 // indirect + github.com/prometheus/procfs v0.10.1 // indirect + github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect + github.com/sergi/go-diff v1.2.0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/skeema/knownhosts v1.2.0 // indirect + github.com/tchap/go-patricia/v2 v2.3.1 // indirect + github.com/xanzy/ssh-agent v0.3.3 // indirect + github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect + github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect + github.com/yashtewari/glob-intersection v0.2.0 // indirect + github.com/zclconf/go-cty v1.13.0 // indirect + go.opentelemetry.io/otel v1.19.0 // indirect + go.opentelemetry.io/otel/metric v1.19.0 // indirect + go.opentelemetry.io/otel/sdk v1.19.0 // indirect + go.opentelemetry.io/otel/trace v1.19.0 // indirect + golang.org/x/crypto v0.14.0 // indirect + golang.org/x/mod v0.13.0 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/text v0.13.0 // indirect + golang.org/x/tools v0.13.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect + gopkg.in/warnings.v0 v0.1.2 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect + sigs.k8s.io/yaml v1.4.0 // indirect +) diff --git a/cmd/trivy-policies-generator/go.sum b/cmd/trivy-policies-generator/go.sum new file mode 100644 index 0000000..367539f --- /dev/null 
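Review bot: The direct `github.com/aquasecurity/defsec v0.93.2-0.20231121210951-9b3cc255faff` requirement at the top of this hunk pins an untagged commit via a pseudo-version, so the policy source this generator builds its docs from cannot be matched to a published defsec release or to any advisory issued against one. If that specific commit is required, a line comment such as `// pinned to unreleased defsec commit: <reason placeholder>` on the require entry would make the choice auditable for whoever next runs `go mod tidy`; otherwise moving to the next tagged v0.93.x release is the cleaner option. The trailing `// indirect` block appears tidy-generated and needs no review beyond that.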
+++ b/cmd/trivy-policies-generator/go.sum 
@@ -0,0 +1,304 @@ +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8= +github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 h1:KLq8BE0KwCL+mmXnjLWEAOYO+2l2AE4YMmqG1ZpZHBs= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ= +github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8= +github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo= +github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek= +github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= 
+github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= +github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= +github.com/aquasecurity/defsec v0.93.2-0.20231121210951-9b3cc255faff h1:P9ISna6RaiMyoxDcROR4v68/OGnnrGC1AE60l/c6Y8M= +github.com/aquasecurity/defsec v0.93.2-0.20231121210951-9b3cc255faff/go.mod h1:djPPxDAf6seSulvNiZn7jelIddA9wdWRvfWarso3U3c= +github.com/aquasecurity/trivy-policies v0.7.0 h1:a5K3kTQMWQhUWnRxEahosJFcz32dxVq0eLs31vcEwEQ= +github.com/aquasecurity/trivy-policies v0.7.0/go.mod h1:47Eua7lLyrsS3agGxBhgeUV8/a/LN82bqYoHm9oEGm4= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= +github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= +github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= +github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= +github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= +github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cespare/xxhash/v2 v2.2.0 
h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= +github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= +github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgraph-io/badger/v3 v3.2103.5 h1:ylPa6qzbjYRQMU6jokoj4wzcaweHylt//CH0AKt0akg= +github.com/dgraph-io/badger/v3 v3.2103.5/go.mod h1:4MPiseMeDQ3FNCYwRbbcBOGJLf5jsE0PPFzRiKjtcdw= +github.com/dgraph-io/ristretto v0.1.1 h1:6CWw5tJNgpegArSHpNHJKldNeq03FQCwYvfMVWajOK8= +github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkzgwUve0VDWWA= +github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= +github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= +github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E= +github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= +github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0= +github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod 
h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= +github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk= +github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= +github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw= +github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g= +github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= +github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= +github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= +github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= +github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo= +github.com/go-git/go-git/v5 v5.8.1 h1:Zo79E4p7TRk0xoRgMq0RShiTHGKcKI4+DI6BfJc/Q+A= +github.com/go-git/go-git/v5 v5.8.1/go.mod h1:FHFuoD6yGz5OSKEBK+aWN9Oah0q54Jxl0abmj6GnqAo= +github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A= +github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8= +github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= +github.com/go-logr/logr v1.2.4/go.mod 
h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= +github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag= +github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE= +github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= +github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v1.1.2 h1:DVjP2PbBOzHyzA+dn3WhHIq4NdVu3Q+pvivFICf/7fo= +github.com/golang/glog v1.1.2/go.mod h1:zR+okUeTbrL6EL3xHUDxZuEtGv04p5shwip1+mL/rLQ= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= +github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= +github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= +github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM= +github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/flatbuffers v1.12.1 h1:MVlul7pQNoDzWRLTw5imwYsl+usrS1TXG2H4jg6ImGw= +github.com/google/flatbuffers v1.12.1/go.mod h1:1AeVuKshWv4vARoZatz6mlQ0JxURH0Kv5+zNeJKJCa8= +github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4= +github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= +github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg= +github.com/hashicorp/hcl/v2 v2.18.1 h1:6nxnOJFku1EuSawSD81fuviYUV8DxFr3fp2dUi3ZYSo= +github.com/hashicorp/hcl/v2 v2.18.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/klauspost/compress v1.16.6 h1:91SKEy4K37vkp255cJ8QesJhjyRO0hn9i9G0GoUwLsk= +github.com/klauspost/compress v1.16.6/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 
h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/liamg/iamgo v0.0.9 h1:tADGm3xVotyRJmuKKaH4+zsBn7LOcvgdpuF3WsSKW3c= +github.com/liamg/iamgo v0.0.9/go.mod h1:Kk6ZxBF/GQqG9nnaUjIi6jf+WXNpeOTyhwc6gnguaZQ= +github.com/liamg/jfather v0.0.7 h1:Xf78zS263yfT+xr2VSo6+kyAy4ROlCacRqJG7s5jt4k= +github.com/liamg/jfather v0.0.7/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM= +github.com/liamg/memoryfs v1.6.0 h1:jAFec2HI1PgMTem5gR7UT8zi9u4BfG5jorCRlLH06W8= +github.com/liamg/memoryfs v1.6.0/go.mod h1:z7mfqXFQS8eSeBBsFjYLlxYRMRyiPktytvYCYTb3BSk= +github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= +github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= +github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= +github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg= +github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/open-policy-agent/opa v0.58.0 h1:S5qvevW8JoFizU7Hp66R/Y1SOXol0aCdFYVkzIqIpUo= +github.com/open-policy-agent/opa v0.58.0/go.mod 
h1:EGWBwvmyt50YURNvL8X4W5hXdlKeNhAHn3QXsetmYcc= +github.com/owenrumney/squealer v1.2.1 h1:4ryMMT59aaz8VMsqsD+FDkarADJz0F1dcq2fd0DRR+c= +github.com/owenrumney/squealer v1.2.1/go.mod h1:7D0a/+Bouwy504YhaWsBYW73kyklSEq1MNf6zsNoTRg= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= +github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= +github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= +github.com/prometheus/client_model v0.4.0/go.mod h1:oMQmHW1/JoDwqLtg57MGgP/Fb1CJEYF2imWWhWtMkYU= +github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= +github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= +github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= +github.com/prometheus/procfs v0.10.1/go.mod h1:nwNm2aOCAYw8uTR/9bWRREkZFxAUcWzPHWJq+XBB/FM= +github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= +github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ= 
+github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM= +github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= +github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes= +github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k= +github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo= +github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0= +github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= +github.com/yashtewari/glob-intersection v0.2.0 
h1:8iuHdN88yYuCzCdjt0gDe+6bAhUwBeEWqThExu54RFg= +github.com/yashtewari/glob-intersection v0.2.0/go.mod h1:LK7pIC3piUjovexikBbJ26Yml7g8xa5bsjfx2v1fwok= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0= +github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= +go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= +go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 h1:x8Z78aZx8cOF0+Kkazoc7lwUNMGy0LrzEMxTm4BbTxg= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0/go.mod h1:62CPTSry9QZtOaSsE3tOzhx6LzDhHnXJ6xHeMNNiM6Q= +go.opentelemetry.io/otel v1.19.0 h1:MuS/TNf4/j4IXsZuJegVzI1cwut7Qc00344rgH7p8bs= +go.opentelemetry.io/otel v1.19.0/go.mod h1:i0QyjOq3UPoTzff0PJB2N66fb4S0+rSbSB15/oyH9fY= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U= +go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= +go.opentelemetry.io/otel/metric v1.19.0 h1:aTzpGtV0ar9wlV4Sna9sdJyII5jTVJEvKETPiOKwvpE= +go.opentelemetry.io/otel/metric v1.19.0/go.mod h1:L5rUsV9kM1IxCj1MmSdS+JQAcVm319EUrDVLrt7jqt8= +go.opentelemetry.io/otel/sdk v1.19.0 h1:6USY6zH+L8uMH8L3t1enZPR3WFEmSTADlqldyHtJi3o= +go.opentelemetry.io/otel/sdk v1.19.0/go.mod h1:NedEbbS4w3C6zElbLdPJKOpJQOrGUJ+GfzpjUvI0v1A= +go.opentelemetry.io/otel/trace v1.19.0 h1:DFVQmlVbfVeOuBRrwdtaehRrWiL1JoVs9CPIQ1Dzxpg= +go.opentelemetry.io/otel/trace v1.19.0/go.mod 
h1:mfaSyvGyEJEI0nyV2I4qhNQnbBOUUmYZpYojqMnX2vo= +go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I= +go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= +golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= +golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.17.0 
h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= +golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= 
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= +golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ= +golang.org/x/tools v0.13.0/go.mod 
h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d h1:DoPTO70H+bcDXcd39vOqb2viZxgqeBeSGtZ55yZU4/Q= +google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d/go.mod h1:KjSP20unUpOx5kyQUFa7k4OJg0qeJ7DEZflGDu2p6Bk= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d h1:uvYuEyMHKNt+lT4K3bN6fGswmK8qSvcreM3BwjDh+y4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20230822172742-b8732ec3820d/go.mod h1:+Bk1OCOj40wS2hwAMA+aCW9ypzm63QTBBHp6lQ3p+9M= +google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= +google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= +google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= +google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/cmd/trivy-policies-generator/main.go b/cmd/trivy-policies-generator/main.go new file mode 100644 index 0000000..1f1ab86 --- /dev/null +++ b/cmd/trivy-policies-generator/main.go 
@@ -0,0 +1,194 @@
+package main
+
+import (
+ "fmt"
+ goast "go/ast"
+ "go/parser"
+ "go/token"
+ "io"
+ "os"
+ "path/filepath"
+ "strings"
+ "text/template"
+
+ "github.com/aquasecurity/defsec/pkg/framework"
+ "github.com/aquasecurity/trivy-policies/rules"
+
+ _ "github.com/aquasecurity/defsec/pkg/rego"
+ registered "github.com/aquasecurity/defsec/pkg/rules"
+ drules "github.com/aquasecurity/defsec/pkg/types/rules"
+)
+
+func main() {
+ var generateCount int
+
+ for _, metadata := range registered.GetRegistered(framework.ALL) {
+ writeDocsFile(metadata, "avd_docs")
+ generateCount++
+ }
+
+ fmt.Printf("\nGenerated %d files in avd_docs\n", generateCount)
+}
+
+// nolint: cyclop
+func writeDocsFile(meta drules.RegisteredRule, path string) {
+
+ tmpl, err := template.New("defsec").Parse(docsMarkdownTemplate)
+ if err != nil {
+ fail("error occurred creating the template %v\n", err)
+ }
+
+ docpath := filepath.Join(path,
+ strings.ToLower(meta.GetRule().Provider.ConstName()),
+ strings.ToLower(strings.ReplaceAll(meta.GetRule().Service, "-", "")),
+ meta.GetRule().AVDID,
+ )
+
+ if err := os.MkdirAll(docpath, os.ModePerm); err != nil {
+ panic(err)
+ }
+
+ file, err := os.Create(filepath.Join(docpath, "docs.md"))
+ if err != nil {
+ fail("error occurred creating the docs file for %s", docpath)
+ }
+
+ if err := tmpl.Execute(file, meta.GetRule()); err != nil {
+ fail("error occurred generating the document %v", err)
+ }
+ fmt.Printf("Generating docs file for policy %s\n", meta.GetRule().AVDID)
+
+ if meta.GetRule().Terraform != nil {
+ if len(meta.GetRule().Terraform.GoodExamples) > 0 || len(meta.GetRule().Terraform.Links) > 0 {
+ if meta.GetRule().RegoPackage != "" { // get examples from file as rego rules don't have embedded
+ value, err := GetExampleValueFromFile(meta.GetRule().Terraform.GoodExamples[0], "GoodExamples")
+ if err != nil {
+ fail("error retrieving examples from metadata: %v\n", err)
+ }
+ meta.GetRule().Terraform.GoodExamples = []string{value}
+ }
+
+ tmpl, err := template.New("terraform").Parse(terraformMarkdownTemplate)
+ if err != nil {
+ fail("error occurred creating the template %v\n", err)
+ }
+ file, err := os.Create(filepath.Join(docpath, "Terraform.md"))
+ if err != nil {
+ fail("error occurred creating the Terraform file for %s", docpath)
+ }
+ defer func() { _ = file.Close() }()
+
+ if err := tmpl.Execute(file, meta.GetRule()); err != nil {
+ fail("error occurred generating the document %v", err)
+ }
+ fmt.Printf("Generating Terraform file for policy %s\n", meta.GetRule().AVDID)
+ }
+ }
+
+ if meta.GetRule().CloudFormation != nil {
+ if len(meta.GetRule().CloudFormation.GoodExamples) > 0 || len(meta.GetRule().CloudFormation.Links) > 0 {
+ if meta.GetRule().RegoPackage != "" { // get examples from file as rego rules don't have embedded
+ value, err := GetExampleValueFromFile(meta.GetRule().CloudFormation.GoodExamples[0], "GoodExamples")
+ if err != nil {
+ fail("error retrieving examples from metadata: %v\n", err)
+ }
+ meta.GetRule().CloudFormation.GoodExamples = []string{value}
+ }
+
+ tmpl, err := template.New("cloudformation").Parse(cloudformationMarkdownTemplate)
+ if err != nil {
+ fail("error occurred creating the template %v\n", err)
+ }
+ file, err := os.Create(filepath.Join(docpath, "CloudFormation.md"))
+ if err != nil {
+ fail("error occurred creating the CloudFormation file for %s", docpath)
+ }
+ defer func() { _ = file.Close() }()
+
+ if err := tmpl.Execute(file, meta.GetRule()); err != nil {
+ fail("error occurred generating the document %v", err)
+ }
+ fmt.Printf("Generating CloudFormation file for policy %s\n", meta.GetRule().AVDID)
+ }
+ }
+}
+
+func fail(msg string, args ...interface{}) {
+ fmt.Printf(msg, args...)
+ os.Exit(1) +} + +func readFileFromPolicyFS(path string) (io.Reader, error) { + path = strings.TrimPrefix(path, "rules/") + return rules.EmbeddedPolicyFileSystem.Open(path) + +} + +func GetExampleValueFromFile(filename string, exampleType string) (string, error) { + r, err := readFileFromPolicyFS(filename) + if err != nil { + return "", err + } + f, err := parser.ParseFile(token.NewFileSet(), filename, r, parser.AllErrors) + if err != nil { + return "", err + } + + for _, d := range f.Decls { + switch decl := d.(type) { + case *goast.GenDecl: + for _, spec := range decl.Specs { + switch spec := spec.(type) { + case *goast.ValueSpec: + for _, id := range spec.Names { + switch v := id.Obj.Decl.(*goast.ValueSpec).Values[0].(type) { + case *goast.CompositeLit: + value := v.Elts[0].(*goast.BasicLit).Value + if strings.Contains(id.Name, exampleType) { + return strings.ReplaceAll(value, "`", ""), nil + } + } + } + } + } + } + } + return "", fmt.Errorf("exampleType %s not found in file: %s", exampleType, filename) +} + +var docsMarkdownTemplate = ` +{{ .Explanation }} + +### Impact +{{ if .Impact }}{{ .Impact }}{{ else }}{{ end }} + + +{{ ` + "`{{ " + `remediationActions ` + "`}}" + `}} + +{{ if .Links }}### Links{{ range .Links }} +- {{ . }} +{{ end}} +{{ end }} +` + +var terraformMarkdownTemplate = ` +{{ .Resolution }} + +{{ if .Terraform.GoodExamples }}{{ range .Terraform.GoodExamples }}` + "```hcl" + `{{ . }} +` + "```" + ` +{{ end}}{{ end }} +{{ if .Terraform.Links }}#### Remediation Links{{ range .Terraform.Links }} + - {{ . }} +{{ end}}{{ end }} +` + +var cloudformationMarkdownTemplate = ` +{{ .Resolution }} + +{{ if .CloudFormation.GoodExamples }}{{ range .CloudFormation.GoodExamples }}` + "```yaml" + `{{ . }} +` + "```" + ` +{{ end}}{{ end }} +{{ if .CloudFormation.Links }}#### Remediation Links{{ range .CloudFormation.Links }} + - {{ . }} +{{ end}}{{ end }} +` 
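Review bot: The rego branch in writeDocsFile indexes `meta.GetRule().Terraform.GoodExamples[0]` (and its CloudFormation twin) under a guard that also admits `len(...Links) > 0`, so a rego rule that ships remediation links but no good example panics with an index out of range; tighten the inner condition to `if meta.GetRule().RegoPackage != "" && len(meta.GetRule().Terraform.GoodExamples) > 0 {` (and the same for CloudFormation). The docs.md handle returned by the first `os.Create` is never closed, unlike the Terraform.md and CloudFormation.md handles, so every rule leaks a descriptor until exit and a close-time write error goes unreported — add `defer func() { _ = file.Close() }()` (or check the error) right after that create. GetExampleValueFromFile chains unchecked assertions and indexes (`id.Obj.Decl.(*goast.ValueSpec).Values[0]`, `v.Elts[0].(*goast.BasicLit)`) that panic on a var spec without a value, a non-composite value or an empty literal, and it always reads Values[0] regardless of which name matched; the loop below checks each step and pairs names with values by index. `os.MkdirAll(docpath, os.ModePerm)` requests 0777 for generated output where `0o755` is the usual choice.

```go
case *goast.ValueSpec:
	// Names and Values are parallel; a spec may declare a name without a value.
	for i, id := range spec.Names {
		if i >= len(spec.Values) || !strings.Contains(id.Name, exampleType) {
			continue
		}
		lit, ok := spec.Values[i].(*goast.CompositeLit)
		if !ok || len(lit.Elts) == 0 {
			continue
		}
		if basic, ok := lit.Elts[0].(*goast.BasicLit); ok {
			return strings.ReplaceAll(basic.Value, "`", ""), nil
		}
	}
// … unchanged: outer GenDecl/spec switches and the not-found error …
```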
diff --git a/cmd/trivy-policies-generator/main_test.go b/cmd/trivy-policies-generator/main_test.go new file mode 100644 index 0000000..545bbca --- /dev/null +++ b/cmd/trivy-policies-generator/main_test.go 
@@ -0,0 +1,86 @@
+package main
+
+import (
+ "fmt"
+ "os"
+ "path"
+ "path/filepath"
+ "runtime"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/aquasecurity/defsec/pkg/framework"
+ registered "github.com/aquasecurity/defsec/pkg/rules"
+)
+
+func init() { // change the pwd for the test to top level defesc dir
+ _, filename, _, _ := runtime.Caller(0)
+ dir := path.Join(path.Dir(filename), "../..")
+ err := os.Chdir(dir)
+ if err != nil {
+ panic(err)
+ }
+}
+
+func Test_AVDPageGeneration(t *testing.T) {
+ tmpDir := t.TempDir()
+ defer func() {
+ os.RemoveAll(tmpDir)
+ }()
+
+ var generateCount int
+ for _, metadata := range registered.GetRegistered(framework.ALL) {
+ writeDocsFile(metadata, tmpDir)
+ generateCount++
+ }
+ fmt.Printf("\nGenerated %d files in avd_docs\n", generateCount)
+
+ // check golang policies
+ b, err := os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "Terraform.md"))
+ require.NoError(t, err)
+ assert.Contains(t, string(b), `hcl
+ resource "aws_rds_cluster" "good_example" {
+ cluster_identifier = "aurora-cluster-demo"
+ engine = "aurora-mysql"
+ engine_version = "5.7.mysql_aurora.2.03.2"
+ availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
+ database_name = "mydb"
+ master_username = "foo"
+ master_password = "bar"
+ backup_retention_period = 5
+ preferred_backup_window = "07:00-09:00"
+ }`)
+
+ b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "CloudFormation.md"))
+ require.NoError(t, err)
+ assert.Contains(t, string(b), `yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good example
+Resources:
+ Queue:
+ Type: AWS::RDS::DBInstance
+ Properties:
+ BackupRetentionPeriod: 30
+`)
+
+ // check rego policies
+ b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "Terraform.md"))
+ require.NoError(t, err)
+ assert.Contains(t, string(b), `hcl
+ resource "aws_db_instance" "good_example" {
+ publicly_accessible = false
+ }`)
+
+ b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "CloudFormation.md")) + require.NoError(t, err) + assert.Contains(t, string(b), `yaml--- +AWSTemplateFormatVersion: 2010-09-09 +Description: Good example +Resources: + Queue: + Type: AWS::RDS::DBInstance + Properties: + PubliclyAccessible: false`) +} diff --git a/docGen/main.go b/docGen/main.go index 49cc533..dfc2b9e 100644 --- a/docGen/main.go +++ b/docGen/main.go @@ -42,11 +42,11 @@ func main() { generateChainBenchPages("../avd-repo/chain-bench-repo/internal/checks", "../avd-repo/content/compliance") generateKubeBenchPages("../avd-repo/kube-bench-repo/cfg", "../avd-repo/content/compliance") - generateDefsecComplianceSpecPages("../avd-repo/trivy-policies-repo/rules/specs/compliance", "../avd-repo/content/compliance") + generateDefsecComplianceSpecPages("../avd-repo/trivy-policies-repo/specs/compliance", "../avd-repo/content/compliance") generateKubeHunterPages("../avd-repo/kube-hunter-repo/docs/_kb", "../avd-repo/content/misconfig/kubernetes") generateCloudSploitPages("../avd-repo/cloudsploit-repo/plugins", "../avd-repo/content/misconfig", "../avd-repo/remediations-repo/en") generateTraceePages("../avd-repo/tracee-repo/signatures", "../avd-repo/content/tracee", realClock{}) - generateDefsecPages("../avd-repo/trivy-policies-repo/avd_docs", "../avd-repo/content/misconfig") + generateDefsecPages("../cmd/trivy-policies-generator/avd_docs", "../avd-repo/content/misconfig") generateVulnPages() diff --git a/test/go.mod b/test/go.mod new file mode 100644 index 0000000..17b74cd --- /dev/null +++ b/test/go.mod 
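Review bot: The package-level init() in main_test.go calls os.Chdir on a path derived from runtime.Caller(0), which changes the working directory of the whole test binary and panics rather than failing a test when the source path is unavailable (e.g. under -trimpath); nothing in Test_AVDPageGeneration appears to need it, since writeDocsFile receives an absolute t.TempDir() path and examples are read from the embedded policy FS, so it looks like a carry-over from defsec (the comment still says "defesc") and can be dropped, or at least moved into the test as `if err := os.Chdir(dir); err != nil { t.Fatal(err) }`. The `defer os.RemoveAll(tmpDir)` is redundant because t.TempDir() already registers cleanup, and its error is discarded. The progress line should be `t.Logf("Generated %d files in %s", generateCount, tmpDir)` instead of fmt.Printf, which also corrects the message claiming avd_docs when the output went to tmpDir. The assertions pin verbatim example text from the pinned trivy-policies revision, so any upstream edit to those two examples fails this test without a generator regression; asserting on structure (the fenced hcl/yaml opener plus the resource type) would be less brittle.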
@@ -0,0 +1,52 @@ +module github.com/aquasecurity/avd-generator/test + +go 1.21.4 + +require ( + github.com/aquasecurity/defsec v0.93.2-0.20231201010509-455085f613e1 + github.com/stretchr/testify v1.8.4 +) + +require ( + dario.cat/mergo v1.0.0 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect + github.com/acomagu/bufpipe v1.0.4 // indirect + github.com/agext/levenshtein v1.2.3 // indirect + github.com/alecthomas/chroma v0.10.0 // indirect + github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect + github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect + github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 // indirect + github.com/cloudflare/circl v1.3.3 // indirect + github.com/davecgh/go-spew v1.1.1 // indirect + github.com/dlclark/regexp2 v1.4.0 // indirect + github.com/emirpasic/gods v1.18.1 // indirect + github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect + github.com/go-git/go-billy/v5 v5.4.1 // indirect + github.com/go-git/go-git/v5 v5.8.1 // indirect + github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect + github.com/google/uuid v1.4.0 // indirect + github.com/hashicorp/hcl/v2 v2.19.1 // indirect + github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect + github.com/kevinburke/ssh_config v1.2.0 // indirect + github.com/liamg/iamgo v0.0.9 // indirect + github.com/liamg/jfather v0.0.7 // indirect + github.com/mitchellh/go-wordwrap v1.0.1 // indirect + github.com/owenrumney/squealer v1.2.1 // indirect + github.com/pjbgf/sha1cd v0.3.0 // indirect + github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/sergi/go-diff v1.1.0 // indirect + github.com/sirupsen/logrus v1.9.3 // indirect + github.com/skeema/knownhosts v1.2.0 // indirect + github.com/xanzy/ssh-agent v0.3.3 // indirect + github.com/zclconf/go-cty v1.13.0 // indirect + golang.org/x/crypto v0.14.0 // indirect + 
golang.org/x/mod v0.10.0 // indirect + golang.org/x/net v0.17.0 // indirect + golang.org/x/sys v0.13.0 // indirect + golang.org/x/text v0.14.0 // indirect + golang.org/x/tools v0.8.0 // indirect + gopkg.in/warnings.v0 v0.1.2 // indirect + gopkg.in/yaml.v2 v2.4.0 // indirect + gopkg.in/yaml.v3 v3.0.1 // indirect +) diff --git a/test/go.sum b/test/go.sum new file mode 100644 index 0000000..31981da --- /dev/null +++ b/test/go.sum 
@@ -0,0 +1,186 @@ +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= +github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 h1:KLq8BE0KwCL+mmXnjLWEAOYO+2l2AE4YMmqG1ZpZHBs= +github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0= +github.com/acomagu/bufpipe v1.0.4 h1:e3H4WUzM3npvo5uv95QuJM3cQspFNtFBzvJ2oNjKIDQ= +github.com/acomagu/bufpipe v1.0.4/go.mod h1:mxdxdup/WdsKVreO5GpW4+M/1CE2sMG4jeGJ2sYmHc4= +github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo= +github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558= +github.com/alecthomas/chroma v0.10.0 h1:7XDcGkCQopCNKjZHfYrNLraA+M7e0fMiJ/Mfikbfjek= +github.com/alecthomas/chroma v0.10.0/go.mod h1:jtJATyUxlIORhUOFNA9NZDWGAQ8wpxQQqNSB4rjA/1s= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= +github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= +github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= +github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= +github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= +github.com/aquasecurity/defsec v0.93.2-0.20231201010509-455085f613e1 h1:oeo+IclFPQggaRTFIe0qwLDLYXS3ZZOGMWltP38zPAc= +github.com/aquasecurity/defsec 
v0.93.2-0.20231201010509-455085f613e1/go.mod h1:NBF6hvbQSc4s/WCHdKV5sNNxLl258M2OiIFoUfgEn/k= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842 h1:RnxM3eTcwPlA/WBwnmaEpeEk3WOCDcnz7yTIFxVL7us= +github.com/aquasecurity/trivy-policies v0.6.1-0.20231120231532-f6f2330bf842/go.mod h1:BmEeSFgmBjo3avCli71736sy0veGcSUzGATupp1MCgA= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= +github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs= +github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= +github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dlclark/regexp2 v1.4.0 h1:F1rxgk7p4uKjwIQxBs9oAXe5CqrXlCduYEJvrF4u93E= +github.com/dlclark/regexp2 v1.4.0/go.mod h1:2pZnwuY/m+8K6iRw6wQdMtk+rH5tNGR1i55kozfMjCc= +github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819 h1:RIB4cRk+lBqKK3Oy0r2gRX4ui7tuhiZq2SuTtTCi0/0= +github.com/elazarl/goproxy v0.0.0-20221015165544-a0805db90819/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= +github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= +github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= +github.com/go-git/gcfg 
v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= +github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f h1:Pz0DHeFij3XFhoBRGUDPzSJ+w2UcK5/0JvF8DRI58r8= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20230305113008-0c11038e723f/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo= +github.com/go-git/go-git/v5 v5.8.1 h1:Zo79E4p7TRk0xoRgMq0RShiTHGKcKI4+DI6BfJc/Q+A= +github.com/go-git/go-git/v5 v5.8.1/go.mod h1:FHFuoD6yGz5OSKEBK+aWN9Oah0q54Jxl0abmj6GnqAo= +github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68= +github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= +github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4= +github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/hcl/v2 v2.19.1 h1://i05Jqznmb2EXqa39Nsvyan2o5XyMowW5fnCKW5RPI= +github.com/hashicorp/hcl/v2 v2.19.1/go.mod h1:ThLC89FV4p9MPW804KVbe/cEXoQ8NZEh+JtMeeGErHE= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= +github.com/kevinburke/ssh_config v1.2.0 
h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= +github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= +github.com/liamg/iamgo v0.0.9 h1:tADGm3xVotyRJmuKKaH4+zsBn7LOcvgdpuF3WsSKW3c= +github.com/liamg/iamgo v0.0.9/go.mod h1:Kk6ZxBF/GQqG9nnaUjIi6jf+WXNpeOTyhwc6gnguaZQ= +github.com/liamg/jfather v0.0.7 h1:Xf78zS263yfT+xr2VSo6+kyAy4ROlCacRqJG7s5jt4k= +github.com/liamg/jfather v0.0.7/go.mod h1:xXBGiBoiZ6tmHhfy5Jzw8sugzajwYdi6VosIpB3/cPM= +github.com/liamg/memoryfs v1.6.0 h1:jAFec2HI1PgMTem5gR7UT8zi9u4BfG5jorCRlLH06W8= +github.com/liamg/memoryfs v1.6.0/go.mod h1:z7mfqXFQS8eSeBBsFjYLlxYRMRyiPktytvYCYTb3BSk= +github.com/matryer/is v1.2.0 h1:92UTHpy8CDwaJ08GqLDzhhuixiBUUD1p3AU6PHddz4A= +github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA= +github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= +github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= +github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= +github.com/owenrumney/squealer v1.2.1 
h1:4ryMMT59aaz8VMsqsD+FDkarADJz0F1dcq2fd0DRR+c= +github.com/owenrumney/squealer v1.2.1/go.mod h1:7D0a/+Bouwy504YhaWsBYW73kyklSEq1MNf6zsNoTRg= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= +github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8= +github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= +github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0= +github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= +github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skeema/knownhosts v1.2.0 h1:h9r9cf0+u7wSE+M183ZtMGgOJKiL96brpaz5ekfJCpM= +github.com/skeema/knownhosts v1.2.0/go.mod h1:g4fPeYpque7P0xefxtGzV81ihjC8sX2IqpAoNkjxbMo= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= 
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= +github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.13.0 h1:It5dfKTTZHe9aeppbNOda3mN7Ag7sg6QkBNm6TkyFa0= +github.com/zclconf/go-cty v1.13.0/go.mod h1:YKQzy/7pZ7iq2jNFzy5go57xdxdWoLLpaEp4u238AE0= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= +golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= +golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= 
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= +golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= +golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys 
v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= +golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= +golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= +golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= +golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= +golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= +golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= +golang.org/x/tools v0.8.0/go.mod 
h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= +gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= +gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/test/rules_test.go b/test/rules_test.go new file mode 100644 index 0000000..600c789 --- /dev/null +++ b/test/rules_test.go 
@@ -0,0 +1,46 @@
+package test
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+ "strings"
+ "testing"
+
+ "github.com/aquasecurity/defsec/pkg/framework"
+ "github.com/aquasecurity/defsec/pkg/rules"
+ "github.com/stretchr/testify/require"
+)
+
+func TestAVDIDs(t *testing.T) {
+ existing := make(map[string]struct{})
+ for _, rule := range rules.GetRegistered(framework.ALL) {
+ t.Run(rule.LongID(), func(t *testing.T) {
+ if rule.GetRule().AVDID == "" {
+ t.Errorf("Rule has no AVD ID: %#v", rule)
+ return
+ }
+ if _, ok := existing[rule.GetRule().AVDID]; ok {
+ t.Errorf("Rule detected with duplicate AVD ID: %s", rule.GetRule().AVDID)
+ }
+ })
+ existing[rule.GetRule().AVDID] = struct{}{}
+ }
+}
+
+func TestRulesAgainstExampleCode(t *testing.T) {
+ for _, rule := range rules.GetRegistered(framework.ALL) {
+ testName := fmt.Sprintf("%s/%s", rule.GetRule().AVDID, rule.LongID())
+ t.Run(testName, func(t *testing.T) {
+ rule := rule
+ t.Parallel()
+
+ t.Run("avd docs", func(t *testing.T) {
+ provider := strings.ToLower(rule.GetRule().Provider.ConstName())
+ service := strings.ToLower(strings.ReplaceAll(rule.GetRule().Service, "-", ""))
+ _, err := os.Stat(filepath.Join("..", "cmd", "trivy-policies-generator", "avd_docs", provider, service, rule.GetRule().AVDID, "docs.md"))
+ require.NoError(t, err)
+ })
+ })
+ }
+}
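Review bot: TestRulesAgainstExampleCode does not run any rule against example code — its only assertion is an os.Stat of docs.md under ../cmd/trivy-policies-generator/avd_docs — so the name overstates what is verified; rename it (e.g. `func TestAVDDocsExist(t *testing.T)`) or add a comment stating it only checks that the generator produced a page for every registered rule. Because this module pins its own defsec in test/go.mod, the rule set it iterates only matches the generator's output if both modules pin the same defsec/trivy-policies revision; a drift would surface here as a missing-file failure, or pass silently when stale extra pages exist, which deserves a comment such as `// NOTE: keep the defsec version in test/go.mod in sync with cmd/trivy-policies-generator/go.mod`. The test also requires avd_docs to already be generated, which the Makefile's md-build target arranges via its misconfig-docs prerequisite, but a bare go test in test/ does not.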