Merge pull request #186 from mastersans/subcharts

feat: added SQS and RDS helm sub-chart for Cloud-Controls
nirmata · Feb 5, 2025 · 1020c2f · 1020c2f
2 parents 990165c + a429242
commit 1020c2f
Show file tree

Hide file tree

Showing 17 changed files with 552 additions and 1 deletion.
diff --git a/charts/cloud-controls/Chart.yaml b/charts/cloud-controls/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: cloud-controls
 description: Cloud Controls Helm Chart
-version: 0.0.2
+version: 0.0.3
 keywords:
   - kubernetes
   - nirmata
@@ -28,3 +28,11 @@ dependencies:
     condition: aws-apigateway-best-practices.enabled
     version: 0.0.1
     repository: file://charts/apigateway
+  - name: aws-sqs-best-practices
+    condition: aws-sqs-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/sqs
+  - name: aws-rds-best-practices
+    condition: aws-rds-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/rds
diff --git a/charts/cloud-controls/charts/rds/.helmignore b/charts/cloud-controls/charts/rds/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/cloud-controls/charts/rds/Chart.yaml b/charts/cloud-controls/charts/rds/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-rds-best-practices
+description: Aws RDS Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+  - cloud-controller
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/
diff --git a/...ts/cloud-controls/charts/rds/templates/check-rds-cluster-deletion-protection-enabled.yaml b/...ts/cloud-controls/charts/rds/templates/check-rds-cluster-deletion-protection-enabled.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsClusterDeletionProtectionEnabled" }}
+{{- $name := "check-rds-cluster-deletion-protection-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS Cluster Deletion Protection Enabled
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Preventing accidental deletion of an RDS database through the AWS Management Console, AWS CLI, or the RDS API is essential for avoiding data loss. 
+      The database can't be deleted when deletion protection is enabled. This ensures an extra layer of protection for your data, preventing 
+      unintended actions from impacting availability or causing data loss. By enabling deletion protection, you ensure that the database 
+      remains intact until deliberate action is taken to disable this setting.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBClusterIdentifier
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBCluster
+      assert:
+        all:
+        - message: >- 
+            RDS Database Deletion Protection must be enabled
+          check:
+            payload:
+              deletionProtection: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-cluster-encrypted-at-rest.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-cluster-encrypted-at-rest.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsClusterEncryptedAtRest" }}
+{{- $name := "check-rds-cluster-encrypted-at-rest" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS Cluster Encrypted At Rest
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if an RDS DB cluster is encrypted at rest. The policy fails if an RDS DB cluster isn't encrypted at rest.
+      Data at rest refers to any data that's stored in persistent, non-volatile storage for any duration. 
+      Encryption helps you protect the confidentiality of such data, reducing the risk that an unauthorized user can access it. 
+      Encrypting your RDS DB clusters protects your data and metadata against unauthorized access. 
+      It also fulfills compliance requirements for data-at-rest encryption of production file systems.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBClusterIdentifier
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBCluster
+      assert:
+        all:
+        - message: >- 
+            RDS DB Clusters should have encryption at-rest enabled
+          check:
+            payload:
+              storageEncrypted: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-db-proxy-tls.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-db-proxy-tls.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsDbProxyTls" }}
+{{- $name := "check-rds-db-proxy-tls" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS DB Proxy TLS
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      RDS Proxy can use security mechanisms such as TLS to add an additional layer of security between client applications and the underlying database. 
+      Database connections often involve sensitive information, such as personally identifiable information (PII), financial data, or confidential business data. 
+      Protecting this data in transit is important to maintain security of the data.
+      This policy checks if the RDS Proxy is using TLS.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBProxyName
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBProxy
+      assert:
+        all:
+        - message: >- 
+            RDS Database Proxy should use TLS
+          check:
+            payload:
+              requireTLS: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-enhanced-monitoring-enabled.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-enhanced-monitoring-enabled.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsEnhancedMonitoringEnabled" }}
+{{- $name := "check-rds-enhanced-monitoring-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS Enhanced Monitoring Enabled
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: low
+    policies.kyverno.io/description: >-
+      This policy checks whether enhanced monitoring is enabled for an Amazon Relational Database Service (Amazon RDS) DB instance. 
+      The policy fails if enhanced monitoring isn't enabled for the instance. If you provide a custom value for the monitoringInterval parameter, 
+      the policy passes only if enhanced monitoring metrics are collected for the instance at the specified interval.
+      In Amazon RDS, Enhanced Monitoring enables a more rapid response to performance changes in underlying infrastructure. 
+      These performance changes could result in a lack of availability of the data. Enhanced Monitoring provides real-time metrics of the operating system that your RDS DB instance runs on. 
+      An agent is installed on the instance. The agent can obtain metrics more accurately than is possible from the hypervisor layer.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBInstanceIdentifier
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBInstance
+      context:
+      - name: monitoringInterval
+        variable: 
+        - 1
+        - 5 
+        - 10
+        - 15 
+        - 30 
+        - 60
+      assert:
+        all:
+        - message: >- 
+            Enhanced monitoring should be configured for RDS DB instances
+          check:
+            payload:
+              (contains($monitoringInterval, monitoringInterval)): true
+{{- end }}
+{{- end }}
diff --git a/...loud-controls/charts/rds/templates/check-rds-instance-copy-tags-to-snapshots-enabled.yaml b/...loud-controls/charts/rds/templates/check-rds-instance-copy-tags-to-snapshots-enabled.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsInstanceCopyTagsToSnapshotsEnabled" }}
+{{- $name := "check-rds-instance-copy-tags-to-snapshots-enabled" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS Instance Copy Tags To Snapshots Enabled
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks whether RDS DB instances are configured to copy all tags to snapshots when the snapshots are created.
+      Identification and inventory of your IT assets is a crucial aspect of governance and security. 
+      You need to have visibility of all your RDS DB instances so that you can assess their security posture and take action on 
+      potential areas of weakness. Snapshots should be tagged in the same way as their parent RDS database instances. 
+      Enabling this setting ensures that snapshots inherit the tags of their parent database instances.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBInstanceIdentifier
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBInstance
+      assert:
+        all:
+        - message: >- 
+            RDS DB instances should be configured to copy tags to snapshots
+          check:
+            payload:
+              copyTagsToSnapshot: true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-instance-public-access.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-instance-public-access.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsInstancePublicAccess" }}
+{{- $name := "check-rds-instance-public-access" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS Instance Public Access
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The `PubliclyAccessible` value in the RDS instance configuration indicates whether the DB instance is publicly accessible. 
+      When the DB instance is configured with `PubliclyAccessible`, it is an Internet-facing instance with a publicly resolvable DNS name, 
+      which resolves to a public IP address. When the DB instance isn't publicly accessible, it is an internal instance with a DNS name 
+      that resolves to a private IP address. Unless you intend for your RDS instance to be publicly accessible, the RDS instance 
+      should not be configured with `PubliclyAccessible` value. Doing so might allow unnecessary traffic to your database instance.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBInstanceIdentifier
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBInstance
+      assert:
+        all:
+        - message: >- 
+            RDS Database Instance should not be publicly accessible
+          check:
+            payload:
+              publiclyAccessible: false
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/rds/templates/check-rds-multi-az-support.yaml b/charts/cloud-controls/charts/rds/templates/check-rds-multi-az-support.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkRdsMultiAzSupport" }}
+{{- $name := "check-rds-multi-az-support" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+    policies.kyverno.io/title: Check RDS Multi AZ Support
+    policies.kyverno.io/category: AWS RDS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks whether high availability is enabled for your RDS DB instances.
+      RDS DB instances should be configured for multiple Availability Zones (AZs). 
+      This ensures the availability of the data stored. Multi-AZ deployments allow for automated failover 
+      if there is an issue with AZ availability and during regular RDS maintenance.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.dBInstanceIdentifier
+      match:
+        all:
+        - (metadata.provider): AWS
+        - (metadata.service): RDS
+        - (metadata.resource): DBInstance
+      assert:
+        all:
+        - message: >- 
+            RDS DB instances should be configured with multiple Availability Zones
+          check:
+            payload:
+              multiAZ: true
+{{- end }}
+{{- end }}