Available in Preview
AWS
S3 Bucket has any Encryption (single attribute)
{
"name": "S3 bucket has any Encryption",
"description": "We want to make sure there is any encryption",
"service": "S3",
"resourceType": "s3-bucket",
"severity": "HIGH",
"enabled": true,
"provider": "aws",
"categories": [
"security"
],
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"attributes": [
{
"name": "bucketEncryption",
"path": "data.Encryption",
"required": true
}
],
"rules": [
{
"conditions": {
"all": [
{
"fact": "bucketEncryption",
"operator": "notEqual",
"value": null
}
]
},
"event": {
"type": "Bucket has encryption enabled"
}
}
]
}
S3 Bucket has Server Side Encryption AES256 (single attribute, nested array)
{
"name": "S3 bucket has Server Side Encryption",
"description": "We want to make sure there is correct encryption",
"service": "S3",
"resourceType": "s3-bucket",
"severity": "HIGH",
"enabled": true,
"provider": "aws",
"categories": [
"security"
],
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"attributes": [
{
"name": "encryptionAlgorithm",
"path": "data.Encryption.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm",
"required": true
}
],
"rules": [
{
"conditions": {
"all": [
{
"fact": "encryptionAlgorithm",
"operator": "contains",
"value": "AES256"
}
]
},
"event": {
"type": "has AES256 encryption"
}
}
]
}
S3 Bucket Encryption Enabled, Bucket Versioning Enabled, and Bucket Lifecycle Policy Enabled (multiple attributes, multiple rules)
{
"name": "S3 bucket has Encryption Enabled, Versioning Enabled, and Lifecycle Enabled",
"description": "We want to make sure there is any encryption and versioning enabled",
"resourceId": "conformity-audit-manager",
"service": "S3",
"resourceType": "s3-bucket",
"severity": "HIGH",
"enabled": true,
"provider": "aws",
"categories": [
"operational-excellence"
],
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"attributes": [
{
"name": "bucketEncryption",
"path": "data.Encryption",
"required": true
},
{
"name": "bucketVersioning",
"path": "data.BucketVersioning",
"required": true
},
{
"name": "bucketLifecycle",
"path": "data.Lifecycle",
"required": true
}
],
"rules": [
{
"conditions": {
"all": [
{
"fact": "bucketEncryption",
"operator": "notEqual",
"value": null
}
]
},
"event": {
"type": "Bucket has encryption enabled"
}
},
{
"conditions": {
"all": [
{
"fact": "bucketVersioning",
"operator": "equal",
"value": "Enabled",
"path": "$.Status"
}
]
},
"event": {
"type": "Bucket has versioning enabled"
}
},
{
"conditions": {
"all": [
{
"fact": "bucketLifecycle",
"operator": "notEqual",
"value": null
},
{
"fact": "bucketLifecycle",
"operator": "contains",
"value": "Enabled",
"path": "$.[*].Status"
}
]
},
"event": {
"type": "Bucket has lifecycle enabled"
}
}
]
}
EC2 Security Group with Port 22 (single attribute required false, missing attribute is allowed)
{
"name": "EC2 Security Group with Port 22",
"description": "Check the IpPermissions From Port",
"service": "EC2",
"resourceType": "ec2-securitygroup",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"severity": "MEDIUM",
"provider": "aws",
"categories": [
"performance-efficiency",
"security"
],
"enabled": true,
"attributes": [
{
"name": "securityGroupIpPermissionsFromPort",
"path": "data.IpPermissions[*].FromPort",
"required": false
}
],
"rules": [
{
"conditions": {
"all": [
{
"value": 22,
"operator": "contains",
"fact": "securityGroupIpPermissionsFromPort"
}
]
},
"event": {
"type": "securityGroupIpPermissionsFromPort"
}
}
]
}
IAM Role with right tag key, deployment region in name, and name length is less than 64 characters (multiple attributes and multiple conditionals in single rule)
{
"name": "IAM Role with right tag key, region and name length",
"description": "We want to make sure that IAM roles adhere to serverless format for multi-region deployment. Role should be tagged with Key 'Service' or 'service', role name should be less than 64, and contain the region in the name",
"remediationNotes": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
"service": "IAM",
"resourceType": "iam-role",
"attributes": [
{
"name": "roleName",
"path": "data.RoleName",
"required": true
},
{
"name": "serviceTag",
"path": "data.Tags",
"required": true
}
],
"severity": "HIGH",
"provider": "aws",
"categories": [
"security"
],
"enabled": true,
"rules": [
{
"conditions": {
"any": [
{
"path": "$.length",
"fact": "serviceTag",
"value": 0,
"operator": "equal"
},
{
"all": [
{
"path": "$.[*].Key",
"fact": "serviceTag",
"value": "Service",
"operator": "doesNotContain"
},
{
"path": "$.[*].Key",
"fact": "serviceTag",
"value": "service",
"operator": "doesNotContain"
}
]
},
{
"all": [
{
"fact": "roleName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,64}
IAM Role with right tag key, deployment region in name, and name length is less than 64 characters (multiple attributes and multiple conditionals in single rule)
{
"name": "IAM Role with right tag key, region and name length",
"description": "We want to make sure that IAM roles adhere to serverless format for multi-region deployment. Role should be tagged with Key 'Service' or 'service', role name should be less than 64, and contain the region in the name",
"remediationNotes": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
"service": "IAM",
"resourceType": "iam-role",
"attributes": [
{
"name": "roleName",
"path": "data.RoleName",
"required": true
},
{
"name": "serviceTag",
"path": "data.Tags",
"required": true
}
],
"severity": "HIGH",
"provider": "aws",
"categories": [
"security"
],
"enabled": true,
"rules": [
{
"conditions": {
"any": [
{
"path": "$.length",
"fact": "serviceTag",
"value": 0,
"operator": "equal"
},
{
"all": [
{
"path": "$.[*].Key",
"fact": "serviceTag",
"value": "Service",
"operator": "doesNotContain"
},
{
"path": "$.[*].Key",
"fact": "serviceTag",
"value": "service",
"operator": "doesNotContain"
}
]
},
{
"all": [
{
"fact": "roleName",
"operator": "pattern",
"value": "^([a-zA-Z0-9_-]){1,64}$"
},
{
"fact": "roleName",
"operator": "pattern",
"value": "(us-west-2|us-east-1|ap-southeast-2|eu-west-1)"
}
]
}
]
},
"event": {
"type": "Is tagged service, name not longer than 64 chars and has region in name"
}
}
]
}
Azure
Storage Blob with Public Access (single attribute, single rule)
{
"name": "Storage Blob with Public Access",
"description": "Checking public access for storage account blob container",
"service": "StorageAccounts",
"resourceType": "storage-accounts-blob-containers",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"severity": "HIGH",
"provider": "azure",
"categories": [
"security"
],
"enabled": true,
"attributes": [
{
"name": "blobPublicAccess",
"path": "data.publicAccess",
"required": true
}
],
"rules": [
{
"conditions": {
"all": [
{
"value": "None",
"operator": "notEqual",
"fact": "blobPublicAccess"
}
]
},
"event": {
"type": "Storage blob has public access."
}
}
]
}
StorageAccounts Environment Tags (single attribute, single rule with nested attribute)
{
"name": "StorageAccounts Environment Tags",
"description": "Check for correct tag key and value for storage accounts",
"service": "StorageAccounts",
"resourceType": "storage-accounts",
"remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
"severity": "MEDIUM",
"provider": "azure",
"categories": [
"security"
],
"enabled": true,
"attributes": [
{
"name": "serviceTag",
"path": "data.Tags",
"required": true
}
],
"rules": [
{
"conditions": {
"all": [
{
"path": "$.[?(@.Key=='Environment'&& @.Value=='Sandbox')].Value",
"fact": "serviceTag",
"value": "Sandbox",
"operator": "contains"
}
]
},
"event": {
"type": "has tags Key: Environment and Value: Sandbox"
}
}
]
}