Skip to content

Commit

Permalink
add rds best practices terraform plan policies
Browse files Browse the repository at this point in the history 
Signed-off-by: Chandan-DK <[email protected]>
  • Loading branch information
@Chandan-DK
Chandan-DK committed Oct 2, 2024
1 parent 0f21f11 commit cfa4d2c
Show file tree
Hide file tree
Showing 92 changed files with 9,516 additions and 0 deletions.
76 changes: 76 additions & 0 deletions .../plan/rds-best-practices/check-rds-aurora-mysql-audit-logging-enabled/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# Check RDS Aurora Mysql Audit Logging Enabled

This policy checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs.
The policy fails if the cluster isn't configured to publish audit logs to CloudWatch Logs. The policy doesn't generate findings foAurora Serverless v1 DB clusters. Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events that can be audited for security and compliance purposes.
When you configure an Aurora MySQL DB cluster to publish audit logs to a log group in Amazon CloudWatch Logs, you can perform real-time analysis of the log data.
CloudWatch Logs retains logs in highly durable storage. You can also create alarms and view metrics in CloudWatch.

## Policy Details:

- **Policy Name:** check-rds-aurora-mysql-audit-logging-enabled
- **Check Description:** This policy checks whether Aurora MySQL DB clusters publish audit logs to CloudWatch Logs
- **Policy Category:** AWS RDS Best Practices

### Policy Validation Testing Instructions

For testing this policy you will need to:
- Make sure you have `kyverno-json` installed on the machine
- Properly authenticate with AWS

1. **Initialize Terraform:**
```bash
terraform init
```

2. **Create Binary Terraform Plan:**
```bash
terraform plan -out tfplan.binary
```

3. **Convert Binary to JSON Payload:**
```bash
terraform show -json tfplan.binary | jq > payload.json
```

4. **Test the Policy with Kyverno:**
```bash
kyverno-json scan --payload payload.json --policy policy.yaml
```

a. **Test Policy Against Valid Payload:**
```bash
kyverno-json scan --payload test/good-test/good-payload-01.json --policy check-rds-aurora-mysql-audit-logging-enabled.yaml --bindings test/binding.yaml
```

This produces the output:
```bash
Loading policies ...
Loading bindings ...
- analyzer -> map[resource:map[type:terraform-plan]]
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- PASSED (POLICY=check-rds-aurora-mysql-audit-logging-enabled, RULE=check-rds-aurora-mysql-audit-logging-enabled)
Done
```
b. **Test Against Invalid Payload:**
```
kyverno-json scan --payload test/bad-test/bad-payload-01.json --policy check-rds-aurora-mysql-audit-logging-enabled.yaml --bindings test/binding.yaml
```
This produces the output:
```bash
Loading policies ...
Loading bindings ...
- analyzer -> map[resource:map[type:terraform-plan]]
Loading payload ...
Pre processing ...
Running ( evaluating 1 resource against 1 policy ) ...
- FAILED (POLICY=check-rds-aurora-mysql-audit-logging-enabled, RULE=check-rds-aurora-mysql-audit-logging-enabled)
-> Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs (CHECK=spec.rules[0].assert.all[0])
-> Invalid value: false: Expected value: true (PATH=~.(planned_values.root_module.resources[?type=='aws_rds_cluster' && contains('aurora-mysql', values.engine) && !contains('serverless', values.engine_mode)])[0].values.(enabled_cloudwatch_logs_exports != `null` && length(enabled_cloudwatch_logs_exports) > `0`))
Done
```
---
29 changes: 29 additions & 0 deletions ...-rds-aurora-mysql-audit-logging-enabled/check-rds-aurora-mysql-audit-logging-enabled.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
apiVersion: json.kyverno.io/v1alpha1
kind: ValidatingPolicy
metadata:
name: check-rds-aurora-mysql-audit-logging-enabled
annotations:
policies.kyverno.io/title: Check RDS Aurora Mysql Audit Logging Enabled
policies.kyverno.io/category: AWS RDS Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: >-
This policy checks whether an Amazon Aurora MySQL DB cluster is configured to publish audit logs to Amazon CloudWatch Logs.
The policy fails if the cluster isn't configured to publish audit logs to CloudWatch Logs. The policy doesn't generate findings for Aurora Serverless v1 DB clusters.
Audit logs capture a record of database activity, including login attempts, data modifications, schema changes, and other events
that can be audited for security and compliance purposes. When you configure an Aurora MySQL DB cluster to publish
audit logs to a log group in Amazon CloudWatch Logs, you can perform real-time analysis of the log data.
CloudWatch Logs retains logs in highly durable storage. You can also create alarms and view metrics in CloudWatch.
spec:
rules:
- name: check-rds-aurora-mysql-audit-logging-enabled
match:
all:
- ($analyzer.resource.type): terraform-plan
- (planned_values.root_module.resources[?type=='aws_rds_cluster' && contains('aurora-mysql', values.engine) && !contains('serverless', values.engine_mode)] || `[]` | length(@) > `0`): true
assert:
all:
- message: Aurora MySQL DB clusters should publish audit logs to CloudWatch Logs
check:
~.(planned_values.root_module.resources[?type=='aws_rds_cluster' && contains('aurora-mysql', values.engine) && !contains('serverless', values.engine_mode)]):
values:
(enabled_cloudwatch_logs_exports != `null` && length(enabled_cloudwatch_logs_exports) > `0`): true
24 changes: 24 additions & 0 deletions ...n/rds-best-practices/check-rds-aurora-mysql-audit-logging-enabled/test/bad-test/bad-01.tf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
terraform {
required_version = ">= 1.0"

required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.32"
}
}
}

provider "aws" {
region = "us-west-2" # Updated region
}

# No audit log publication to CloudWatch Logs
resource "aws_rds_cluster" "bad_aurora_mysql_cluster" {
cluster_identifier = "bad-aurora-mysql-cluster"
engine = "aurora-mysql"
master_username = "admin"
master_password = "secret99"
backup_retention_period = 7
skip_final_snapshot = true
}
224 changes: 224 additions & 0 deletions ...-practices/check-rds-aurora-mysql-audit-logging-enabled/test/bad-test/bad-payload-01.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,224 @@
{
"format_version": "1.2",
"terraform_version": "1.9.2",
"planned_values": {
"root_module": {
"resources": [
{
"address": "aws_rds_cluster.bad_aurora_mysql_cluster",
"mode": "managed",
"type": "aws_rds_cluster",
"name": "bad_aurora_mysql_cluster",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 1,
"values": {
"allow_major_version_upgrade": null,
"backtrack_window": null,
"backup_retention_period": 7,
"cluster_identifier": "bad-aurora-mysql-cluster",
"copy_tags_to_snapshot": false,
"db_cluster_instance_class": null,
"db_instance_parameter_group_name": null,
"delete_automated_backups": true,
"deletion_protection": null,
"domain": null,
"domain_iam_role_name": null,
"enable_global_write_forwarding": false,
"enable_http_endpoint": false,
"enable_local_write_forwarding": false,
"enabled_cloudwatch_logs_exports": null,
"engine": "aurora-mysql",
"engine_mode": "provisioned",
"final_snapshot_identifier": null,
"global_cluster_identifier": null,
"iam_database_authentication_enabled": null,
"iops": null,
"manage_master_user_password": null,
"master_password": "secret99",
"master_username": "admin",
"performance_insights_enabled": null,
"replication_source_identifier": null,
"restore_to_point_in_time": [],
"s3_import": [],
"scaling_configuration": [],
"serverlessv2_scaling_configuration": [],
"skip_final_snapshot": true,
"snapshot_identifier": null,
"source_region": null,
"tags": null,
"timeouts": null
},
"sensitive_values": {
"availability_zones": [],
"cluster_members": [],
"iam_roles": [],
"master_password": true,
"master_user_secret": [],
"restore_to_point_in_time": [],
"s3_import": [],
"scaling_configuration": [],
"serverlessv2_scaling_configuration": [],
"tags_all": {},
"vpc_security_group_ids": []
}
}
]
}
},
"resource_changes": [
{
"address": "aws_rds_cluster.bad_aurora_mysql_cluster",
"mode": "managed",
"type": "aws_rds_cluster",
"name": "bad_aurora_mysql_cluster",
"provider_name": "registry.terraform.io/hashicorp/aws",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"allow_major_version_upgrade": null,
"backtrack_window": null,
"backup_retention_period": 7,
"cluster_identifier": "bad-aurora-mysql-cluster",
"copy_tags_to_snapshot": false,
"db_cluster_instance_class": null,
"db_instance_parameter_group_name": null,
"delete_automated_backups": true,
"deletion_protection": null,
"domain": null,
"domain_iam_role_name": null,
"enable_global_write_forwarding": false,
"enable_http_endpoint": false,
"enable_local_write_forwarding": false,
"enabled_cloudwatch_logs_exports": null,
"engine": "aurora-mysql",
"engine_mode": "provisioned",
"final_snapshot_identifier": null,
"global_cluster_identifier": null,
"iam_database_authentication_enabled": null,
"iops": null,
"manage_master_user_password": null,
"master_password": "secret99",
"master_username": "admin",
"performance_insights_enabled": null,
"replication_source_identifier": null,
"restore_to_point_in_time": [],
"s3_import": [],
"scaling_configuration": [],
"serverlessv2_scaling_configuration": [],
"skip_final_snapshot": true,
"snapshot_identifier": null,
"source_region": null,
"tags": null,
"timeouts": null
},
"after_unknown": {
"allocated_storage": true,
"apply_immediately": true,
"arn": true,
"availability_zones": true,
"ca_certificate_identifier": true,
"ca_certificate_valid_till": true,
"cluster_identifier_prefix": true,
"cluster_members": true,
"cluster_resource_id": true,
"database_name": true,
"db_cluster_parameter_group_name": true,
"db_subnet_group_name": true,
"db_system_id": true,
"endpoint": true,
"engine_lifecycle_support": true,
"engine_version": true,
"engine_version_actual": true,
"hosted_zone_id": true,
"iam_roles": true,
"id": true,
"kms_key_id": true,
"master_user_secret": true,
"master_user_secret_kms_key_id": true,
"network_type": true,
"performance_insights_kms_key_id": true,
"performance_insights_retention_period": true,
"port": true,
"preferred_backup_window": true,
"preferred_maintenance_window": true,
"reader_endpoint": true,
"restore_to_point_in_time": [],
"s3_import": [],
"scaling_configuration": [],
"serverlessv2_scaling_configuration": [],
"storage_encrypted": true,
"storage_type": true,
"tags_all": true,
"vpc_security_group_ids": true
},
"before_sensitive": false,
"after_sensitive": {
"availability_zones": [],
"cluster_members": [],
"iam_roles": [],
"master_password": true,
"master_user_secret": [],
"restore_to_point_in_time": [],
"s3_import": [],
"scaling_configuration": [],
"serverlessv2_scaling_configuration": [],
"tags_all": {},
"vpc_security_group_ids": []
}
}
}
],
"configuration": {
"provider_config": {
"aws": {
"name": "aws",
"full_name": "registry.terraform.io/hashicorp/aws",
"version_constraint": ">= 5.32.0",
"expressions": {
"region": {
"constant_value": "us-west-2"
}
}
}
},
"root_module": {
"resources": [
{
"address": "aws_rds_cluster.bad_aurora_mysql_cluster",
"mode": "managed",
"type": "aws_rds_cluster",
"name": "bad_aurora_mysql_cluster",
"provider_config_key": "aws",
"expressions": {
"backup_retention_period": {
"constant_value": 7
},
"cluster_identifier": {
"constant_value": "bad-aurora-mysql-cluster"
},
"engine": {
"constant_value": "aurora-mysql"
},
"master_password": {
"constant_value": "secret99"
},
"master_username": {
"constant_value": "admin"
},
"skip_final_snapshot": {
"constant_value": true
}
},
"schema_version": 1
}
]
}
},
"timestamp": "2024-10-01T13:07:17Z",
"applyable": true,
"complete": true,
"errored": false
}
3 changes: 3 additions & 0 deletions ...rm/plan/rds-best-practices/check-rds-aurora-mysql-audit-logging-enabled/test/binding.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
analyzer:
resource:
type: terraform-plan
Loading

0 comments on commit cfa4d2c

Please sign in to comment.