
This workflow will help you explore more scenarios that use advanced custom rule logic involving multiple conditions.

Multiple and/or nested conditions

The examples provided so far use very simple logic with only one condition. You can combine multiple conditions, including nested `all`/`any` groups, in custom rules.

AWS

S3 Bucket has any Encryption (single attribute)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 bucket has any Encryption",
		"description": "We want to make sure there is any encryption",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["security"],
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"attributes": [
			{
				"name": "bucketEncryption",
				"path": "data.Encryption",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketEncryption",
							"operator": "notEqual",
							"value": null
						}
					]
				},
				"description": "Bucket has encryption enabled"
			}
		]
	}
}
S3 Bucket has Server Side Encryption AES256 (single attribute, nested array)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 bucket has Server Side Encryption",
		"description": "We want to make sure there is correct encryption",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["security"],
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"attributes": [
			{
				"name": "encryptionAlgorithm",
				"path": "data.Encryption.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"fact": "encryptionAlgorithm",
							"operator": "contains",
							"value": "AES256"
						}
					]
				},
				"description": "Bucket has AES256 server-side encryption"
			}
		]
	}
}
S3 Bucket Encryption Enabled, Bucket Versioning Enabled, and Bucket Lifecycle Policy Enabled (multiple attributes, multiple rules)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 bucket has Encryption Enabled, Versioning Enabled, and Lifecycle Enabled",
		"description": "We want to make sure there is any encryption, versioning, and a lifecycle policy enabled",
		"resourceId": "conformity-audit-manager",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["operational-excellence"],
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"attributes": [
			{
				"name": "bucketEncryption",
				"path": "data.Encryption",
				"required": true
			},
			{
				"name": "bucketVersioning",
				"path": "data.BucketVersioning",
				"required": true
			},
			{
				"name": "bucketLifecycle",
				"path": "data.Lifecycle",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketEncryption",
							"operator": "notEqual",
							"value": null
						}
					]
				},
				"description": "Bucket has encryption enabled"
			},
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketVersioning",
							"operator": "equal",
							"value": "Enabled",
							"path": "$.Status"
						}
					]
				},
				"description": "Bucket has versioning enabled"
			},
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketLifecycle",
							"operator": "notEqual",
							"value": null
						},
						{
							"fact": "bucketLifecycle",
							"operator": "contains",
							"value": "Enabled",
							"path": "$.[*].Status"
						}
					]
				},
				"description": "Bucket has lifecycle enabled"
			}
		]
	}
}
EC2 Security Group with Port 22 (single attribute with required: false, so a missing attribute is allowed)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "EC2 Security Group with Port 22",
		"description": "Check the IpPermissions From Port",
		"service": "EC2",
		"resourceType": "ec2-securitygroup",
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"riskLevel": "MEDIUM",
		"provider": "aws",
		"categories": ["performance-efficiency", "security"],
		"enabled": true,
		"attributes": [
			{
				"name": "securityGroupIpPermissionsFromPort",
				"path": "data.IpPermissions[*].FromPort",
				"required": false
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"value": 22,
							"operator": "contains",
							"fact": "securityGroupIpPermissionsFromPort"
						}
					]
				},
				"description": "Security group has an IP permission with FromPort 22"
			}
		]
	}
}
IAM Role with right tag key, deployment region in name, and name length is less than 64 characters (multiple attributes and multiple conditionals in single rule)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "IAM Role with right tag key, region and name length",
		"description": "We want to make sure that IAM roles adhere to the serverless format for multi-region deployment. The role should be tagged with Key 'Service' or 'service', the role name should be less than 64 characters long, and the name should contain the deployment region",
		"remediationNote": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
		"service": "IAM",
		"resourceType": "iam-role",
		"attributes": [
			{
				"name": "roleName",
				"path": "data.RoleName",
				"required": true
			},
			{
				"name": "serviceTag",
				"path": "data.Tags",
				"required": true
			}
		],
		"riskLevel": "HIGH",
		"provider": "aws",
		"categories": ["security"],
		"enabled": true,
		"eventRules": [
			{
				"conditions": {
					"any": [
						{
							"path": "$.length",
							"fact": "serviceTag",
							"value": 0,
							"operator": "equal"
						},
						{
							"all": [
								{
									"path": "$.[*].Key",
									"fact": "serviceTag",
									"value": "Service",
									"operator": "doesNotContain"
								},
								{
									"path": "$.[*].Key",
									"fact": "serviceTag",
									"value": "service",
									"operator": "doesNotContain"
								}
							]
						},
						{
							"all": [
								{
									"fact": "roleName",
									"operator": "pattern",
									"value": "^([a-zA-Z0-9_-]){1,64}$"
								},
								{
									"fact": "roleName",
									"operator": "pattern",
									"value": "(us-west-2|us-east-1|ap-southeast-2|eu-west-1)"
								}
							]
						}
					]
				},
				"description": "Is tagged service, name not longer than 64 chars and has region in name"
			}
		]
	}
}

Azure

Storage Blob with Public Access (single attribute, single rule)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "Storage Blob with Public Access",
		"description": "Checking public access for storage account blob container",
		"service": "StorageAccounts",
		"resourceType": "storage-accounts-blob-containers",
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"riskLevel": "HIGH",
		"provider": "azure",
		"categories": ["security"],
		"enabled": true,
		"attributes": [
			{
				"name": "blobPublicAccess",
				"path": "data.publicAccess",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"value": "None",
							"operator": "notEqual",
							"fact": "blobPublicAccess"
						}
					]
				},
				"description": "Storage blob has public access."
			}
		]
	}
}
StorageAccounts Environment Tags (single attribute, single rule with nested attribute)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "StorageAccounts Environment Tags",
		"description": "Check for correct tag key and value for storage accounts",
		"service": "StorageAccounts",
		"resourceType": "storage-accounts",
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"riskLevel": "MEDIUM",
		"provider": "azure",
		"categories": ["security"],
		"enabled": true,
		"attributes": [
			{
				"name": "serviceTag",
				"path": "data.Tags",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"path": "$.[?(@.Key=='Environment'&& @.Value=='Sandbox')].Value",
							"fact": "serviceTag",
							"value": "Sandbox",
							"operator": "contains"
						}
					]
				},
				"description": "has a tag with Key 'Environment' and Value 'Sandbox'"
			}
		]
	}
}