diff --git a/bp-base.json b/bp-base.json index 48f4056..295615e 100644 --- a/bp-base.json +++ b/bp-base.json @@ -1,4 +1,74 @@ { + "VPC": { + "enabled": true, + "rules": { + "ec2-transit-gateway-auto-vpc-attach-disabled": { + "enabled": true, + "level": 1 + }, + "restricted-ssh": { + "enabled": true, + "level": 2 + }, + "restricted-common-ports": { + "enabled": true, + "level": 2 + }, + "subnet-auto-assign-public-ip-disabled": { + "enabled": true, + "level": 1 + }, + "vpc-default-security-group-closed": { + "enabled": true, + "level": 2 + }, + "vpc-flow-logs-enabled": { + "enabled": true, + "level": 2 + }, + "vpc-network-acl-unused-check": { + "enabled": true, + "level": 2 + }, + "vpc-peering-dns-resolution-check": { + "enabled": true, + "level": 2 + }, + "vpc-sg-open-only-to-authorized-ports": { + "enabled": true, + "level": 2 + } + } + }, + "CloudFront": { + "enabled": true, + "rules": { + "cloudfront-accesslogs-enabled": { + "enabled": true, + "level": 2 + }, + "cloudfront-associated-with-waf": { + "enabled": true, + "level": 2 + }, + "cloudfront-default-root-object-configured": { + "enabled": true, + "level": 2 + }, + "cloudfront-no-deprecated-ssl-protocols": { + "enabled": true, + "level": 2 + }, + "cloudfront-s3-origin-access-control-enabled": { + "enabled": true, + "level": 2 + }, + "cloudfront-viewer-policy-https": { + "enabled": true, + "level": 2 + } + } + }, "ALB": { "enabled": true, "rules": { 
@@ -53,6 +123,180 @@ } } }, + "EC2": { + "enabled": true, + "rules": { + "ec2-ebs-encryption-by-default": { + "enabled": true, + "level": 2 + }, + "ec2-imdsv2-check": { + "enabled": true, + "level": 2 + }, + "ec2-instance-detailed-monitoring-enabled": { + "enabled": true, + "level": 2 + }, + "ec2-instance-managed-by-systems-manager": { + "enabled": true, + "level": 2 + }, + "ec2-instance-profile-attached": { + "enabled": true, + "level": 2 + }, + "ec2-no-amazon-key-pair": { + "enabled": true, + "level": 1 + }, + "ec2-stopped-instance": { + "enabled": true, + "level": 2 + }, + "ec2-token-hop-limit-check": { + "enabled": true, + "level": 2 + } + } + }, + "ASG": { + "enabled": true, + "rules": { + "autoscaling-group-elb-healthcheck-required": { + "enabled": true, + "level": 2 + }, + "autoscaling-multiple-az": { + "enabled": true, + "level": 2 + }, + "autoscaling-launch-template": { + "enabled": true, + "level": 2 + } + } + }, + "ECS": { + "enabled": true, + "rules": { + "ecs-awsvpc-networking-enabled": { + "enabled": true, + "level": 2 + }, + "ecs-containers-nonprivileged": { + "enabled": true, + "level": 2 + }, + "ecs-containers-readonly-access": { + "enabled": true, + "level": 2 + }, + "ecs-container-insights-enabled": { + "enabled": true, + "level": 2 + }, + "ecs-fargate-latest-platform-version": { + "enabled": true, + "level": 2 + }, + "ecs-task-definition-log-configuration": { + "enabled": true, + "level": 2 + }, + "ecs-task-definition-memory-hard-limit": { + "enabled": true, + "level": 1 + }, + "ecs-task-definition-nonroot-user": { + "enabled": true, + "level": 1 + } + } + }, + "EKS": { + "enabled": true, + "rules": { + "eks-cluster-logging-enabled": { + "enabled": true, + "level": 2 + }, + "eks-cluster-secrets-encrypted": { + "enabled": true, + "level": 2 + }, + "eks-endpoint-no-public-access": { + "enabled": true, + "level": 1 + } + } + }, + "ECR": { + "enabled": true, + "rules": { + "ecr-private-image-scanning-enabled": { + "enabled": true, + "level": 2 + }, 
+ "ecr-private-lifecycle-policy-configured": { + "enabled": true, + "level": 2 + }, + "ecr-private-tag-immutability-enabled": { + "enabled": true, + "level": 2 + }, + "ecr-kms-encryption-1": { + "enabled": true, + "level": 2 + } + } + }, + "S3": { + "enabled": true, + "rules": { + "s3-access-point-in-vpc-only": { + "enabled": true, + "level": 1 + }, + "s3-bucket-default-lock-enabled": { + "enabled": true, + "level": 1 + }, + "s3-bucket-level-public-access-prohibited": { + "enabled": true, + "level": 2 + }, + "s3-bucket-logging-enabled": { + "enabled": true, + "level": 1 + }, + "s3-bucket-ssl-requests-only": { + "enabled": true, + "level": 2 + }, + "s3-bucket-versioning-enabled": { + "enabled": true, + "level": 2 + }, + "s3-default-encryption-kms": { + "enabled": true, + "level": 2 + }, + "s3-event-notifications-enabled": { + "enabled": true, + "level": 1 + }, + "s3-last-backup-recovery-point-created": { + "enabled": true, + "level": 1 + }, + "s3-lifecycle-policy-check": { + "enabled": true, + "level": 2 + } + } + }, "RDS": { "enabled": true, "rules": { 
@@ -114,123 +358,30 @@ } } }, - "ASG": { + "ElastiCache": { "enabled": true, "rules": { - "autoscaling-group-elb-healthcheck-required": { + "elasticache-auto-minor-version-upgrade-check": { "enabled": true, "level": 2 }, - "autoscaling-multiple-az": { + "elasticache-redis-cluster-automatic-backup-check": { "enabled": true, "level": 2 }, - "autoscaling-launch-template": { - "enabled": true, - "level": 2 - } - } - }, - "EC2": { - "enabled": true, - "rules": { - "ec2-ebs-encryption-by-default": { + "elasticache-repl-grp-auto-failover-enabled": { "enabled": true, "level": 2 }, - "ec2-imdsv2-check": { + "elasticache-repl-grp-encrypted-at-rest": { "enabled": true, "level": 2 }, - "ec2-instance-detailed-monitoring-enabled": { + "elasticache-repl-grp-encrypted-in-transit": { "enabled": true, "level": 2 }, - "ec2-instance-managed-by-systems-manager": { - "enabled": true, - "level": 2 - }, - "ec2-instance-profile-attached": { - "enabled": true, - "level": 2 - }, - "ec2-no-amazon-key-pair": { - "enabled": true, - "level": 1 - }, - "ec2-stopped-instance": { - "enabled": true, - "level": 2 - }, - "ec2-token-hop-limit-check": { - "enabled": true, - "level": 2 - } - } - }, - "CloudFront": { - "enabled": true, - "rules": { - "cloudfront-accesslogs-enabled": { - "enabled": true, - "level": 2 - }, - "cloudfront-associated-with-waf": { - "enabled": true, - "level": 2 - }, - "cloudfront-default-root-object-configured": { - "enabled": true, - "level": 2 - }, - "cloudfront-no-deprecated-ssl-protocols": { - "enabled": true, - "level": 2 - }, - "cloudfront-s3-origin-access-control-enabled": { - "enabled": true, - "level": 2 - }, - "cloudfront-viewer-policy-https": { - "enabled": true, - "level": 2 - } - } - }, - "KMS": { - "enabled": true, - "rules": { - "cmk-backing-key-rotation-enabled": { - "enabled": true, - "level": 2 - } - } - }, - "CodeSeries": { - "enabled": true, - "rules": { - "codebuild-project-environment-privileged-check": { - "enabled": true, - "level": 1 - }, - 
"codebuild-project-logging-enabled": { - "enabled": true, - "level": 2 - }, - "codedeploy-auto-rollback-monitor-enabled": { - "enabled": true, - "level": 2 - } - } - }, - "CloudWatch": { - "enabled": true, - "rules": { - "cw-loggroup-retention-period-check": { - "enabled": true, - "level": 2 - }, - "cloudwatch-alarm-settings-check": { + "elasticache-subnet-group-check": { "enabled": true, "level": 2 } @@ -265,64 +416,6 @@ } } }, - "ECR": { - "enabled": true, - "rules": { - "ecr-private-image-scanning-enabled": { - "enabled": true, - "level": 2 - }, - "ecr-private-lifecycle-policy-configured": { - "enabled": true, - "level": 2 - }, - "ecr-private-tag-immutability-enabled": { - "enabled": true, - "level": 2 - }, - "ecr-kms-encryption-1": { - "enabled": true, - "level": 2 - } - } - }, - "ECS": { - "enabled": true, - "rules": { - "ecs-awsvpc-networking-enabled": { - "enabled": true, - "level": 2 - }, - "ecs-containers-nonprivileged": { - "enabled": true, - "level": 2 - }, - "ecs-containers-readonly-access": { - "enabled": true, - "level": 2 - }, - "ecs-container-insights-enabled": { - "enabled": true, - "level": 2 - }, - "ecs-fargate-latest-platform-version": { - "enabled": true, - "level": 2 - }, - "ecs-task-definition-log-configuration": { - "enabled": true, - "level": 2 - }, - "ecs-task-definition-memory-hard-limit": { - "enabled": true, - "level": 1 - }, - "ecs-task-definition-nonroot-user": { - "enabled": true, - "level": 1 - } - } - }, "EFS": { "enabled": true, "rules": { 
@@ -348,69 +441,6 @@ } } }, - "EKS": { - "enabled": true, - "rules": { - "eks-cluster-logging-enabled": { - "enabled": true, - "level": 2 - }, - "eks-cluster-secrets-encrypted": { - "enabled": true, - "level": 2 - }, - "eks-endpoint-no-public-access": { - "enabled": true, - "level": 1 - } - } - }, - "ElastiCache": { - "enabled": true, - "rules": { - "elasticache-auto-minor-version-upgrade-check": { - "enabled": true, - "level": 2 - }, - "elasticache-redis-cluster-automatic-backup-check": { - "enabled": true, - "level": 2 - }, - "elasticache-repl-grp-auto-failover-enabled": { - "enabled": true, - "level": 2 - }, - "elasticache-repl-grp-encrypted-at-rest": { - "enabled": true, - "level": 2 - }, - "elasticache-repl-grp-encrypted-in-transit": { - "enabled": true, - "level": 2 - }, - "elasticache-subnet-group-check": { - "enabled": true, - "level": 2 - } - } - }, - "IAM": { - "enabled": true, - "rules": { - "iam-policy-no-statements-with-admin-access": { - "enabled": true, - "level": 1 - }, - "iam-policy-no-statements-with-full-access": { - "enabled": true, - "level": 1 - }, - "iam-role-managed-policy-check": { - "enabled": true, - "level": 1 - } - } - }, "Lambda": { "enabled": true, "rules": { 
@@ -432,46 +462,23 @@ } } }, - "S3": { + "CloudWatch": { "enabled": true, "rules": { - "s3-access-point-in-vpc-only": { - "enabled": true, - "level": 1 - }, - "s3-bucket-default-lock-enabled": { - "enabled": true, - "level": 1 - }, - "s3-bucket-level-public-access-prohibited": { + "cw-loggroup-retention-period-check": { "enabled": true, "level": 2 }, - "s3-bucket-logging-enabled": { - "enabled": true, - "level": 1 - }, - "s3-bucket-ssl-requests-only": { + "cloudwatch-alarm-settings-check": { "enabled": true, "level": 2 - }, - "s3-bucket-versioning-enabled": { - "enabled": true, - "level": 2 - }, - "s3-default-encryption-kms": { - "enabled": true, - "level": 2 - }, - "s3-event-notifications-enabled": { - "enabled": true, - "level": 1 - }, - "s3-last-backup-recovery-point-created": { - "enabled": true, - "level": 1 - }, - "s3-lifecycle-policy-check": { + } + } + }, + "KMS": { + "enabled": true, + "rules": { + "cmk-backing-key-rotation-enabled": { "enabled": true, "level": 2 } 
@@ -494,69 +501,6 @@ } } }, - "Security Hub": { - "enabled": true, - "rules": { - "securityhub-enabled": { - "enabled": true, - "level": 1 - } - } - }, - "SNS": { - "enabled": true, - "rules": { - "sns-encrypted-kms": { - "enabled": true, - "level": 2 - }, - "sns-topic-message-delivery-notification-enabled": { - "enabled": true, - "level": 2 - } - } - }, - "VPC": { - "enabled": true, - "rules": { - "ec2-transit-gateway-auto-vpc-attach-disabled": { - "enabled": true, - "level": 1 - }, - "restricted-ssh": { - "enabled": true, - "level": 2 - }, - "restricted-common-ports": { - "enabled": true, - "level": 2 - }, - "subnet-auto-assign-public-ip-disabled": { - "enabled": true, - "level": 1 - }, - "vpc-default-security-group-closed": { - "enabled": true, - "level": 2 - }, - "vpc-flow-logs-enabled": { - "enabled": true, - "level": 2 - }, - "vpc-network-acl-unused-check": { - "enabled": true, - "level": 2 - }, - "vpc-peering-dns-resolution-check": { - "enabled": true, - "level": 2 - }, - "vpc-sg-open-only-to-authorized-ports": { - "enabled": true, - "level": 2 - } - } - }, "WAFv2": { "enabled": true, "rules": { 
@@ -577,5 +521,61 @@ "level": 2 } } + }, + "IAM": { + "enabled": true, + "rules": { + "iam-policy-no-statements-with-admin-access": { + "enabled": true, + "level": 1 + }, + "iam-policy-no-statements-with-full-access": { + "enabled": true, + "level": 1 + }, + "iam-role-managed-policy-check": { + "enabled": true, + "level": 1 + } + } + }, + "CodeSeries": { + "enabled": true, + "rules": { + "codebuild-project-environment-privileged-check": { + "enabled": true, + "level": 1 + }, + "codebuild-project-logging-enabled": { + "enabled": true, + "level": 2 + }, + "codedeploy-auto-rollback-monitor-enabled": { + "enabled": true, + "level": 2 + } + } + }, + "SNS": { + "enabled": true, + "rules": { + "sns-encrypted-kms": { + "enabled": true, + "level": 2 + }, + "sns-topic-message-delivery-notification-enabled": { + "enabled": true, + "level": 2 + } + } + }, + "Security Hub": { + "enabled": true, + "rules": { + "securityhub-enabled": { + "enabled": true, + "level": 1 + } + } } } diff --git a/bp-simple.json b/bp-simple.json new file mode 100644 index 0000000..917f447 --- /dev/null +++ b/bp-simple.json 
@@ -0,0 +1,581 @@ +{ + "VPC": { + "enabled": true, + "rules": { + "ec2-transit-gateway-auto-vpc-attach-disabled": { + "enabled": false, + "level": 1 + }, + "restricted-ssh": { + "enabled": true, + "level": 2 + }, + "restricted-common-ports": { + "enabled": true, + "level": 2 + }, + "subnet-auto-assign-public-ip-disabled": { + "enabled": false, + "level": 1 + }, + "vpc-default-security-group-closed": { + "enabled": true, + "level": 2 + }, + "vpc-flow-logs-enabled": { + "enabled": true, + "level": 2 + }, + "vpc-network-acl-unused-check": { + "enabled": false, + "level": 2 + }, + "vpc-peering-dns-resolution-check": { + "enabled": false, + "level": 2 + }, + "vpc-sg-open-only-to-authorized-ports": { + "enabled": true, + "level": 2 + } + } + }, + "CloudFront": { + "enabled": true, + "rules": { + "cloudfront-accesslogs-enabled": { + "enabled": true, + "level": 2 + }, + "cloudfront-associated-with-waf": { + "enabled": true, + "level": 2 + }, + "cloudfront-default-root-object-configured": { + "enabled": true, + "level": 2 + }, + "cloudfront-no-deprecated-ssl-protocols": { + "enabled": true, + "level": 2 + }, + "cloudfront-s3-origin-access-control-enabled": { + "enabled": true, + "level": 2 + }, + "cloudfront-viewer-policy-https": { + "enabled": true, + "level": 2 + } + } + }, + "ALB": { + "enabled": true, + "rules": { + "alb-http-drop-invalid-header-enabled": { + "enabled": false, + "level": 2 + }, + "alb-waf-enabled": { + "enabled": true, + "level": 2 + }, + "elb-cross-zone-load-balancing-enabled": { + "enabled": false, + "level": 2 + }, + "elb-deletion-protection-enabled": { + "enabled": true, + "level": 1 + }, + "elb-logging-enabled": { + "enabled": true, + "level": 2 + } + } + }, + "API GW": { + "enabled": true, + "rules": { + "api-gwv2-access-logs-enabled": { + "enabled": true, + "level": 2 + }, + "api-gwv2-authorization-type-configured": { + "enabled": true, + "level": 1 + }, + "api-gw-associated-with-waf": { + "enabled": true, + "level": 2 + }, + 
"api-gw-cache-enabled-and-encrypted": { + "enabled": true, + "level": 2 + }, + "api-gw-execution-logging-enabled": { + "enabled": true, + "level": 2 + }, + "api-gw-xray-enabled": { + "enabled": true, + "level": 1 + } + } + }, + "EC2": { + "enabled": true, + "rules": { + "ec2-ebs-encryption-by-default": { + "enabled": true, + "level": 2 + }, + "ec2-imdsv2-check": { + "enabled": true, + "level": 2 + }, + "ec2-instance-detailed-monitoring-enabled": { + "enabled": true, + "level": 2 + }, + "ec2-instance-managed-by-systems-manager": { + "enabled": false, + "level": 2 + }, + "ec2-instance-profile-attached": { + "enabled": false, + "level": 2 + }, + "ec2-no-amazon-key-pair": { + "enabled": true, + "level": 1 + }, + "ec2-stopped-instance": { + "enabled": true, + "level": 2 + }, + "ec2-token-hop-limit-check": { + "enabled": true, + "level": 2 + } + } + }, + "ASG": { + "enabled": true, + "rules": { + "autoscaling-group-elb-healthcheck-required": { + "enabled": true, + "level": 2 + }, + "autoscaling-multiple-az": { + "enabled": true, + "level": 2 + }, + "autoscaling-launch-template": { + "enabled": true, + "level": 2 + } + } + }, + "ECS": { + "enabled": true, + "rules": { + "ecs-awsvpc-networking-enabled": { + "enabled": true, + "level": 2 + }, + "ecs-containers-nonprivileged": { + "enabled": true, + "level": 2 + }, + "ecs-containers-readonly-access": { + "enabled": false, + "level": 2 + }, + "ecs-container-insights-enabled": { + "enabled": true, + "level": 2 + }, + "ecs-fargate-latest-platform-version": { + "enabled": false, + "level": 2 + }, + "ecs-task-definition-log-configuration": { + "enabled": true, + "level": 2 + }, + "ecs-task-definition-memory-hard-limit": { + "enabled": false, + "level": 1 + }, + "ecs-task-definition-nonroot-user": { + "enabled": false, + "level": 1 + } + } + }, + "EKS": { + "enabled": true, + "rules": { + "eks-cluster-logging-enabled": { + "enabled": true, + "level": 2 + }, + "eks-cluster-secrets-encrypted": { + "enabled": true, + "level": 2 + }, 
+ "eks-endpoint-no-public-access": { + "enabled": true, + "level": 1 + } + } + }, + "ECR": { + "enabled": true, + "rules": { + "ecr-private-image-scanning-enabled": { + "enabled": true, + "level": 2 + }, + "ecr-private-lifecycle-policy-configured": { + "enabled": true, + "level": 2 + }, + "ecr-private-tag-immutability-enabled": { + "enabled": true, + "level": 2 + }, + "ecr-kms-encryption-1": { + "enabled": true, + "level": 2 + } + } + }, + "S3": { + "enabled": true, + "rules": { + "s3-access-point-in-vpc-only": { + "enabled": false, + "level": 1 + }, + "s3-bucket-default-lock-enabled": { + "enabled": false, + "level": 1 + }, + "s3-bucket-level-public-access-prohibited": { + "enabled": true, + "level": 2 + }, + "s3-bucket-logging-enabled": { + "enabled": true, + "level": 1 + }, + "s3-bucket-ssl-requests-only": { + "enabled": true, + "level": 2 + }, + "s3-bucket-versioning-enabled": { + "enabled": true, + "level": 2 + }, + "s3-default-encryption-kms": { + "enabled": true, + "level": 2 + }, + "s3-event-notifications-enabled": { + "enabled": false, + "level": 1 + }, + "s3-last-backup-recovery-point-created": { + "enabled": false, + "level": 1 + }, + "s3-lifecycle-policy-check": { + "enabled": true, + "level": 2 + } + } + }, + "RDS": { + "enabled": true, + "rules": { + "aurora-last-backup-recovery-point-created": { + "enabled": true, + "level": 2 + }, + "aurora-mysql-backtracking-enabled": { + "enabled": true, + "level": 2 + }, + "db-instance-backup-enabled": { + "enabled": true, + "level": 2 + }, + "rds-cluster-auto-minor-version-upgrade-enable": { + "enabled": true, + "level": 2 + }, + "rds-cluster-default-admin-check": { + "enabled": true, + "level": 2 + }, + "rds-cluster-deletion-protection-enabled": { + "enabled": true, + "level": 1 + }, + "rds-cluster-encrypted-at-rest": { + "enabled": true, + "level": 2 + }, + "rds-cluster-iam-authentication-enabled": { + "enabled": true, + "level": 2 + }, + "rds-cluster-multi-az-enabled": { + "enabled": true, + "level": 2 + }, + 
"rds-db-security-group-not-allowed": { + "enabled": true, + "level": 2 + }, + "rds-enhanced-monitoring-enabled": { + "enabled": true, + "level": 2 + }, + "rds-instance-public-access-check": { + "enabled": true, + "level": 2 + }, + "rds-logging-enabled": { + "enabled": true, + "level": 2 + }, + "rds-snapshot-encrypted": { + "enabled": false, + "level": 2 + } + } + }, + "ElastiCache": { + "enabled": true, + "rules": { + "elasticache-auto-minor-version-upgrade-check": { + "enabled": true, + "level": 2 + }, + "elasticache-redis-cluster-automatic-backup-check": { + "enabled": true, + "level": 2 + }, + "elasticache-repl-grp-auto-failover-enabled": { + "enabled": true, + "level": 2 + }, + "elasticache-repl-grp-encrypted-at-rest": { + "enabled": true, + "level": 2 + }, + "elasticache-repl-grp-encrypted-in-transit": { + "enabled": true, + "level": 2 + }, + "elasticache-subnet-group-check": { + "enabled": false, + "level": 2 + } + } + }, + "DynamoDB": { + "enabled": true, + "rules": { + "dynamodb-autoscaling-enabled": { + "enabled": true, + "level": 2 + }, + "dynamodb-last-backup-recovery-point-created": { + "enabled": true, + "level": 2 + }, + "dynamodb-pitr-enabled": { + "enabled": true, + "level": 2 + }, + "dynamodb-table-deletion-protection-enabled": { + "enabled": true, + "level": 1 + }, + "dynamodb-table-encrypted-kms": { + "enabled": true, + "level": 2 + }, + "dynamodb-table-encryption-enabled": { + "enabled": true, + "level": 2 + } + } + }, + "EFS": { + "enabled": true, + "rules": { + "efs-access-point-enforce-root-directory": { + "enabled": true, + "level": 2 + }, + "efs-access-point-enforce-user-identity": { + "enabled": true, + "level": 2 + }, + "efs-automatic-backups-enabled": { + "enabled": true, + "level": 2 + }, + "efs-encrypted-check": { + "enabled": true, + "level": 2 + }, + "efs-mount-target-public-accessible": { + "enabled": false, + "level": 2 + } + } + }, + "Lambda": { + "enabled": true, + "rules": { + "lambda-dlq-check": { + "enabled": false, + "level": 
1 + }, + "lambda-function-public-access-prohibited": { + "enabled": false, + "level": 2 + }, + "lambda-function-settings-check": { + "enabled": true, + "level": 2 + }, + "lambda-inside-vpc": { + "enabled": false, + "level": 1 + } + } + }, + "CloudWatch": { + "enabled": true, + "rules": { + "cw-loggroup-retention-period-check": { + "enabled": true, + "level": 2 + }, + "cloudwatch-alarm-settings-check": { + "enabled": false, + "level": 2 + } + } + }, + "KMS": { + "enabled": true, + "rules": { + "cmk-backing-key-rotation-enabled": { + "enabled": true, + "level": 2 + } + } + }, + "Secrets Manager": { + "enabled": true, + "rules": { + "secretsmanager-rotation-enabled-check": { + "enabled": true, + "level": 2 + }, + "secretsmanager-scheduled-rotation-success-check": { + "enabled": true, + "level": 1 + }, + "secretsmanager-secret-periodic-rotation": { + "enabled": true, + "level": 2 + } + } + }, + "WAFv2": { + "enabled": true, + "rules": { + "wafv2-logging-enabled": { + "enabled": true, + "level": 2 + }, + "wafv2-rulegroup-logging-enabled": { + "enabled": true, + "level": 2 + }, + "wafv2-rulegroup-not-empty": { + "enabled": true, + "level": 2 + }, + "wafv2-webacl-not-empty": { + "enabled": true, + "level": 2 + } + } + }, + "IAM": { + "enabled": false, + "rules": { + "iam-policy-no-statements-with-admin-access": { + "enabled": true, + "level": 1 + }, + "iam-policy-no-statements-with-full-access": { + "enabled": true, + "level": 1 + }, + "iam-role-managed-policy-check": { + "enabled": true, + "level": 1 + } + } + }, + "CodeSeries": { + "enabled": true, + "rules": { + "codebuild-project-environment-privileged-check": { + "enabled": true, + "level": 1 + }, + "codebuild-project-logging-enabled": { + "enabled": true, + "level": 2 + }, + "codedeploy-auto-rollback-monitor-enabled": { + "enabled": true, + "level": 2 + } + } + }, + "SNS": { + "enabled": true, + "rules": { + "sns-encrypted-kms": { + "enabled": true, + "level": 2 + }, + 
"sns-topic-message-delivery-notification-enabled": {
+ "enabled": true,
+ "level": 2
+ }
+ }
+ },
+ "Security Hub": {
+ "enabled": true,
+ "rules": {
+ "securityhub-enabled": {
+ "enabled": true,
+ "level": 1
+ }
+ }
+ }
+}
diff --git a/exclude.csv b/exclude.csv
new file mode 100644
index 0000000..e50ab9d
--- /dev/null
+++ b/exclude.csv
@@ -0,0 +1,3 @@
+resource,scope
+sg-04e88ce667a9bac70 / sgr-0b5cea485d7e46045,restricted-common-ports
+test
\ No newline at end of file
diff --git a/main.py b/main.py
index 2c8ca1f..b6f4f00 100644
--- a/main.py
+++ b/main.py
@@ -1,5 +1,6 @@
 from datetime import datetime
 from concurrent.futures import ThreadPoolExecutor
+import argparse
 from InquirerLib import prompt
 from InquirerLib.InquirerPy.utils import InquirerPyKeybindings
@@ -17,6 +18,26 @@ prompt_key_bindings: InquirerPyKeybindings = {
 }
+def get_command_line_args():
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "--level",
+ help="Only perform checks if level <= rule_level. Default: 1",
+ type=int,
+ choices=[1, 2],
+ default=1,
+ )
+ parser.add_argument(
+ "--ruleset", help="Use predefined bp rule sets. Please provide filename."
+ )
+ parser.add_argument(
+ "--show-all",
+ help="Show all resources including compliant one.",
+ action="store_true",
+ )
+ return parser.parse_args()
+
+
 def ask_services_to_enable(bp):
 cli_questions = [
 {
@@ -36,10 +57,10 @@ def ask_services_to_enable(bp):
 return bp
-def perform_bp_rules_check(bp):
+def perform_bp_rules_check(bp, level=2):
 with ThreadPoolExecutor() as executor:
 futures = [
- executor.submit(_rule_check, service_name, service)
+ executor.submit(_rule_check, service_name, service, level)
 for service_name, service in bp.items()
 ]
@@ -47,7 +68,7 @@ def perform_bp_rules_check(bp):
 return bp
-def _rule_check(service_name, service):
+def _rule_check(service_name, service, level):
 now = datetime.now()
 if not service["enabled"]:
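Review bot: In bp-simple.json the whole `"IAM"` service is switched off (`"enabled": false`), so its three level-1 rules (`iam-policy-no-statements-with-admin-access`, `iam-policy-no-statements-with-full-access`, `iam-role-managed-policy-check`) never run even though each one is individually `"enabled": true`; if the intent was only to opt out of some of them, disabling at rule level like the other opt-outs in this file would be clearer and keeps the service visible in the report. The file also turns off exposure checks such as `lambda-function-public-access-prohibited` and `efs-mount-target-public-accessible` with nothing explaining why, and since JSON carries no comments a README line naming what "simple" deliberately leaves out would let a reader tell scoping from oversight. Both points are inferred from the values alone; the consumer of the `level` field may treat them differently than described.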
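Review bot: `perform_bp_rules_check(bp, level=2)` defaults to 2 while `--level` in `get_command_line_args` defaults to 1, so a caller that does not go through the CLI silently skips every level-1 rule; `show_bp_result` in the next hunk has the same mismatch. Unless skipping level-1 rules by default is intended, change the signature to `def perform_bp_rules_check(bp, level=1):` so both defaults agree. A one-line docstring such as `"""Run every enabled rule whose level is >= *level* (see _rule_check)."""` would also help, because the `--level` help text states the same condition from the opposite direction. The function body continues past this hunk.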
@@ -57,7 +78,7 @@ def _rule_check(service_name, service):
 rule_checker = getattr(services, convert_snake_case(service_name)).rule_checker()
 for rule_name, rule in service["rules"].items():
- if not rule["enabled"]:
+ if not rule["enabled"] or rule["level"] < level:
 continue
 rule["result"] = rule_checker.check_rule(convert_snake_case(rule_name))
@@ -65,14 +86,14 @@ def _rule_check(service_name, service):
 print(convert_snake_case(service_name), elapsed_time.total_seconds())
-def show_bp_result(bp):
+def show_bp_result(bp, level=2, show_all=False, excluded_resources={}):
 for service_name, service in bp.items():
 if not service["enabled"]:
 continue
 print(f"{'=' * 25} {service_name + ' ':=<30}")
 for rule_name, rule in service["rules"].items():
- if not rule["enabled"]:
+ if not rule["enabled"] or rule["level"] < level:
 continue
 if rule["result"].passed:
@@ -89,15 +110,31 @@ def show_bp_result(bp):
 mark = "❕"
 print(f"{style}{rule_name:50}{Style.RESET_ALL} - {color}{mark}{Fore.RESET}")
+ if show_all:
+ for resource in rule["result"].compliant_resources:
+ print(f" - {Style.DIM}{resource}{Style.RESET_ALL}")
 for resource in rule["result"].non_compliant_resources:
- print(f" - {color}{resource}{Fore.RESET}")
+ if excluded_resources.get(resource) in [rule_name, "all"]:
+ print(f" - {Style.DIM}{resource}{Style.RESET_ALL}")
+ else:
+ print(f" - {color}{resource}{Fore.RESET}")
+ print()
 if __name__ == "__main__":
- bp = load_bp_from_file()
+ args = get_command_line_args()
+
+ excluded_resources = parse_excluded_resources()
+
+ bp = load_bp_from_file(default_ruleset=args.ruleset)
 bp = ask_services_to_enable(bp)
 save_bp_to_file(bp)
- bp = perform_bp_rules_check(bp)
- show_bp_result(bp)
+ bp = perform_bp_rules_check(bp, level=args.level)
+ show_bp_result(
+ bp,
+ level=args.level,
+ show_all=args.show_all,
+ excluded_resources=excluded_resources,
+ )
diff --git a/utils.py b/utils.py
index 90eca73..c5460d1 100644
--- a/utils.py
+++ b/utils.py
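Review bot: `show_bp_result` takes a mutable default, `excluded_resources={}`; one dict instance is shared by every call that omits the argument, and although this body only reads it, the pattern is a latent bug the moment someone writes into it. Use `excluded_resources=None` in the signature and `excluded_resources = excluded_resources or {}` as the first statement. The function continues into the next hunk.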
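Review bot: An exclusion in this hunk only dims the resource line; the rule's pass/fail mark printed just above is still derived from `rule["result"].passed`, so a rule whose only non-compliant resources are all excluded still shows as failing, and the output never says how many findings were suppressed by exclude.csv. If that is intended, a comment on the `if excluded_resources.get(resource) in [rule_name, "all"]:` line such as `# exclusions affect display only; the rule verdict still counts excluded resources` makes it explicit; otherwise compute the mark after filtering out excluded resources and print a count of suppressed items. Keeping excluded findings visible but dimmed rather than dropping them is the right choice, since the suppression stays auditable in the report.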
@@ -2,7 +2,10 @@ import json
 import shutil
-def load_bp_from_file(filepath="bp.json"):
+def load_bp_from_file(filepath="bp.json", default_ruleset=None):
+ if default_ruleset:
+ shutil.copy(default_ruleset, filepath)
+
 try:
 with open(filepath, "r") as f:
 content = "".join(f.readlines())
@@ -36,6 +39,21 @@ def convert_bp_to_snake_case(bp):
 return bp
+def parse_excluded_resources():
+ with open("exclude.csv", "r") as f:
+ content = f.readlines()
+
+ excluded_resources = {}
+ for line in content:
+ if "," in line:
+ resource, scope = line.strip().split(",")
+ else:
+ resource = line
+ scope = "all"
+ excluded_resources[resource] = scope
+ return excluded_resources
+
+
 if __name__ == "__main__":
 bp = load_bp_from_file()
 rules = [
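Review bot: `shutil.copy(default_ruleset, filepath)` runs before the `try`, so a mistyped `--ruleset` path ends in an uncaught `FileNotFoundError` traceback rather than the fallback the rest of the function appears to provide, and when the copy succeeds it overwrites the user's existing `bp.json` before `ask_services_to_enable` has shown it. Consider validating the path first, e.g. `if not os.path.isfile(default_ruleset): raise SystemExit(f"ruleset not found: {default_ruleset}")` (needs `import os` at the top of the file), or loading the ruleset directly instead of copying it over the working file. The function body continues past the hunk, so the fallback branch is not visible here.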
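Review bot: In `parse_excluded_resources` the no-comma branch assigns `resource = line` without stripping, so the key keeps its trailing newline (the `test` entry in exclude.csv becomes `"test\n"`) and can never match a resource id printed by show_bp_result; a line with two or more commas makes `split(",")` raise `ValueError`, the header row `resource,scope` is stored as an exclusion, and because `__main__` calls this unconditionally a missing `exclude.csv` aborts the whole run. Since this file is a suppression list for non-compliant findings, an entry that silently fails to match (or matches the wrong id) is worth getting exactly right. The rewrite below strips every field, treats an absent scope as `"all"`, skips blank and header lines, and returns an empty map when no exclusion file exists; the new `filepath` parameter keeps the existing no-argument call working.
```python
def parse_excluded_resources(filepath="exclude.csv"):
    """Map resource id -> rule name (or "all") from an optional exclusion CSV."""
    excluded_resources = {}
    try:
        with open(filepath, "r") as f:
            content = f.readlines()
    except FileNotFoundError:
        return excluded_resources  # no exclusions configured
    for line in content:
        line = line.strip()
        if not line or line.lower() == "resource,scope":
            continue  # blank line or header row
        resource, _, scope = line.partition(",")
        excluded_resources[resource.strip()] = scope.strip() or "all"
    return excluded_resources
```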