Available in preview
AWS
S3 bucket has any encryption (single attribute)
{
  "name": "S3 bucket has any Encryption",
  "description": "We want to make sure there is any encryption",
  "service": "S3",
  "resourceType": "s3-bucket",
  "severity": "HIGH",
  "enabled": true,
  "provider": "aws",
  "categories": [ "security" ],
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "attributes": [
    { "name": "bucketEncryption", "path": "data.Encryption", "required": true }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          { "fact": "bucketEncryption", "operator": "notEqual", "value": null }
        ]
      },
      "event": { "type": "Bucket has encryption enabled" }
    }
  ]
}
S3 bucket has server-side encryption with AES256 (single attribute, nested array)
{
  "name": "S3 bucket has Server Side Encryption",
  "description": "We want to make sure there is correct encryption",
  "service": "S3",
  "resourceType": "s3-bucket",
  "severity": "HIGH",
  "enabled": true,
  "provider": "aws",
  "categories": [ "security" ],
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "attributes": [
    {
      "name": "encryptionAlgorithm",
      "path": "data.Encryption.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm",
      "required": true
    }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          { "fact": "encryptionAlgorithm", "operator": "contains", "value": "AES256" }
        ]
      },
      "event": { "type": "has AES256 encryption" }
    }
  ]
}
Because the path fans out over Rules[*], the fact is an array of algorithm names and the check uses the contains operator rather than equal. A bucket whose default encryption is SSE-KMS (SSEAlgorithm "aws:kms") does not satisfy this rule even though it is encrypted.
S3 bucket with encryption enabled, bucket versioning enabled, and bucket lifecycle policy enabled (multiple attributes, multiple rules)
{
  "name": "S3 bucket has Encryption Enabled, Versioning Enabled, and Lifecycle Enabled",
  "description": "We want to make sure there is any encryption and versioning enabled",
  "resourceId": "conformity-audit-manager",
  "service": "S3",
  "resourceType": "s3-bucket",
  "severity": "HIGH",
  "enabled": true,
  "provider": "aws",
  "categories": [ "operational-excellence" ],
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "attributes": [
    { "name": "bucketEncryption", "path": "data.Encryption", "required": true },
    { "name": "bucketVersioning", "path": "data.BucketVersioning", "required": true },
    { "name": "bucketLifecycle", "path": "data.Lifecycle", "required": true }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          { "fact": "bucketEncryption", "operator": "notEqual", "value": null }
        ]
      },
      "event": { "type": "Bucket has encryption enabled" }
    },
    {
      "conditions": {
        "all": [
          { "fact": "bucketVersioning", "operator": "equal", "value": "Enabled", "path": "$.Status" }
        ]
      },
      "event": { "type": "Bucket has versioning enabled" }
    },
    {
      "conditions": {
        "all": [
          { "fact": "bucketLifecycle", "operator": "notEqual", "value": null },
          { "fact": "bucketLifecycle", "operator": "contains", "value": "Enabled", "path": "$.[*].Status" }
        ]
      },
      "event": { "type": "Bucket has lifecycle enabled" }
    }
  ]
}
Note the two ways a condition reaches into a fact: the attribute path (data.BucketVersioning) selects the object, and the condition's path ($.Status or $.[*].Status) selects inside it.
EC2 security group with port 22 (single attribute that is not required: the resource is still evaluated when the attribute is missing)
{
  "name": "EC2 Security Group with Port 22",
  "description": "Check the IpPermissions From Port",
  "service": "EC2",
  "resourceType": "ec2-securitygroup",
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "severity": "MEDIUM",
  "provider": "aws",
  "categories": [ "performance-efficiency", "security" ],
  "enabled": true,
  "attributes": [
    { "name": "securityGroupIpPermissionsFromPort", "path": "data.IpPermissions[*].FromPort", "required": false }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          { "value": 22, "operator": "contains", "fact": "securityGroupIpPermissionsFromPort" }
        ]
      },
      "event": { "type": "securityGroupIpPermissionsFromPort" }
    }
  ]
}
Caveat: this rule only extracts FromPort, so it matches a permission whose range starts exactly at 22. A permission covering a range (for example FromPort 20 to ToPort 25, or 0 to 65535) also exposes SSH but is not matched; a rule that must catch such ranges needs to look at ToPort as well.
IAM Role with the right tag key, the deployment region in the name, and a name length below 64 characters (multiple attributes and multiple conditions in a single rule)
{
  "name": "IAM Role with right tag key, region and name length",
  "description": "We want to make sure that IAM roles adhere to serverless format for multi-region deployment. Role should be tagged with Key 'Service' or 'service', role name should be less than 64, and contain the region in the name",
  "remediationNotes": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
  "service": "IAM",
  "resourceType": "iam-role",
  "attributes": [
    { "name": "roleName", "path": "data.RoleName", "required": true },
    { "name": "serviceTag", "path": "data.Tags", "required": true }
  ],
  "severity": "HIGH",
  "provider": "aws",
  "categories": [ "security" ],
  "enabled": true,
  "rules": [
    {
      "conditions": {
        "any": [
          { "path": "$.length", "fact": "serviceTag", "value": 0, "operator": "equal" },
          {
            "all": [
              { "path": "$.[*].Key", "fact": "serviceTag", "value": "Service", "operator": "doesNotContain" },
              { "path": "$.[*].Key", "fact": "serviceTag", "value": "service", "operator": "doesNotContain" }
            ]
          },
          {
            "all": [
              { "fact": "roleName", "operator": "pattern", "value": "^([a-zA-Z0-9_-]){1,64}$" },
              { "fact": "roleName", "operator": "pattern", "value": "(us-west-2|us-east-1|ap-southeast-2|eu-west-1)" }
            ]
          }
        ]
      },
      "event": { "type": "Is tagged service, name not longer than 64 chars and has region in name" }
    }
  ]
}
Two details worth checking before reusing this rule: the pattern ^([a-zA-Z0-9_-]){1,64}$ accepts a name of exactly 64 characters, so "less than 64" in the description is not what the regex enforces, and the region check is an unanchored substring match, so any role name containing one of the listed region strings satisfies it.
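The following is an added example, not code from this page or from the Conformity product: a small JavaScript evaluator for the rule format used above (attribute paths with a [*] fan-out, nested any/all conditions, the equal, notEqual, contains, doesNotContain and pattern operators, and a condition path such as $.Status, $.[*].Status or $.length applied to a fact). It is run here against trimmed copies of the multi-rule S3 example and the EC2 example with a non-required attribute, using constructed sample resources. How the real engine turns fired events into a check status, and what it does when a required attribute is missing, are assumptions stated in the comments, not documented behaviour; JSONPath filter expressions like the one in the Azure tag example are not implemented.

```javascript
// Added example (not from the Conformity docs): a minimal evaluator for the
// custom-rule format shown on this page. Assumptions, not documented behaviour:
// a resource is SUCCESS only when every rule's conditions hold, a missing
// required attribute is a FAILURE, and a missing non-required attribute is
// evaluated as a null fact.

// Resolve a dotted attribute path such as "data.IpPermissions[*].FromPort".
// A "[*]" segment fans out over array elements, so the result becomes an array.
// Returns undefined when nothing is found (including an empty fan-out).
function resolvePath(obj, path) {
  let cur = [obj];
  let fanned = false;
  for (const seg of path.split('.')) {
    const m = /^([^\[]*)(\[\*\])?$/.exec(seg);
    if (!m) throw new Error(`unsupported path segment: ${seg}`);
    if (m[1] !== '') cur = cur.map(v => (v == null ? undefined : v[m[1]]));
    if (m[2]) {
      cur = cur.flatMap(v => (Array.isArray(v) ? v : []));
      fanned = true;
    }
  }
  return fanned ? (cur.length ? cur : undefined) : cur[0];
}

// The operators used by the rules on this page.
const OPERATORS = {
  equal: (a, b) => a === b,
  notEqual: (a, b) => a !== b,
  contains: (a, b) => (Array.isArray(a) || typeof a === 'string') && a.includes(b),
  doesNotContain: (a, b) => !OPERATORS.contains(a, b),
  pattern: (a, b) => typeof a === 'string' && new RegExp(b).test(a),
};

// Evaluate a condition tree (nested any/all) against the extracted facts.
function evalCondition(cond, facts) {
  if (cond.all) return cond.all.every(c => evalCondition(c, facts));
  if (cond.any) return cond.any.some(c => evalCondition(c, facts));
  let fact = facts[cond.fact];
  // "path" selects inside the fact: $.Status, $.[*].Status or $.length.
  if (cond.path && fact != null) fact = resolvePath(fact, cond.path.replace(/^\$\.?/, ''));
  const op = OPERATORS[cond.operator];
  if (!op) throw new Error(`unsupported operator: ${cond.operator}`);
  return op(fact === undefined ? null : fact, cond.value);
}

// Extract the attributes into facts, then run every rule (status semantics assumed).
function evaluate(rule, resource) {
  const facts = {};
  for (const attr of rule.attributes) {
    let v = resolvePath(resource, attr.path);
    if (v === undefined) {
      if (attr.required) return { status: 'FAILURE', events: [], reason: `missing required attribute ${attr.name}` };
      v = null; // not required: the conditions still run, against a null fact
    }
    facts[attr.name] = v;
  }
  const events = rule.rules.filter(r => evalCondition(r.conditions, facts)).map(r => r.event.type);
  return { status: events.length === rule.rules.length ? 'SUCCESS' : 'FAILURE', events };
}

// Trimmed copies of two rules from this page (metadata fields dropped).
const s3Rule = {
  attributes: [
    { name: 'bucketEncryption', path: 'data.Encryption', required: true },
    { name: 'bucketVersioning', path: 'data.BucketVersioning', required: true },
    { name: 'bucketLifecycle', path: 'data.Lifecycle', required: true },
  ],
  rules: [
    { conditions: { all: [{ fact: 'bucketEncryption', operator: 'notEqual', value: null }] },
      event: { type: 'Bucket has encryption enabled' } },
    { conditions: { all: [{ fact: 'bucketVersioning', operator: 'equal', value: 'Enabled', path: '$.Status' }] },
      event: { type: 'Bucket has versioning enabled' } },
    { conditions: { all: [{ fact: 'bucketLifecycle', operator: 'notEqual', value: null },
                          { fact: 'bucketLifecycle', operator: 'contains', value: 'Enabled', path: '$.[*].Status' }] },
      event: { type: 'Bucket has lifecycle enabled' } },
  ],
};
const sgRule = {
  attributes: [{ name: 'securityGroupIpPermissionsFromPort', path: 'data.IpPermissions[*].FromPort', required: false }],
  rules: [{ conditions: { all: [{ fact: 'securityGroupIpPermissionsFromPort', operator: 'contains', value: 22 }] },
            event: { type: 'securityGroupIpPermissionsFromPort' } }],
};

// Constructed sample resources, not real API output.
const goodBucket = { data: {
  Encryption: { Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }] },
  BucketVersioning: { Status: 'Enabled' },
  Lifecycle: [{ ID: 'expire-logs', Status: 'Enabled' }],
} };
const plainBucket = { data: { BucketVersioning: { Status: 'Suspended' } } }; // no Encryption key at all
const sshGroup = { data: { IpPermissions: [{ FromPort: 22, ToPort: 22 }, { FromPort: 443, ToPort: 443 }] } };
const emptyGroup = { data: {} }; // IpPermissions absent; attribute is not required, so evaluation proceeds

for (const [label, rule, res] of [['encrypted bucket', s3Rule, goodBucket], ['plain bucket', s3Rule, plainBucket],
                                  ['ssh group', sgRule, sshGroup], ['empty group', sgRule, emptyGroup]]) {
  console.log(label, JSON.stringify(evaluate(rule, res)));
}
```

The plain bucket fails before any rule runs because the required bucketEncryption attribute resolves to nothing, while the empty security group is evaluated with a null fact and simply does not fire the event; that is the difference the "required" flag makes in this evaluator, and it is the behaviour to confirm against the real engine before relying on it.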
Azure
Storage blob with public access (single attribute, single rule)
{
  "name": "Storage Blob with Public Access",
  "description": "Checking public access for storage account blob container",
  "service": "StorageAccounts",
  "resourceType": "storage-accounts-blob-containers",
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "severity": "HIGH",
  "provider": "azure",
  "categories": [ "security" ],
  "enabled": true,
  "attributes": [
    { "name": "blobPublicAccess", "path": "data.publicAccess", "required": true }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          { "value": "None", "operator": "notEqual", "fact": "blobPublicAccess" }
        ]
      },
      "event": { "type": "Storage blob has public access." }
    }
  ]
}
Unlike the S3 examples, whose events describe the desired state, this rule's conditions hold (and its event fires) when the container is publicly accessible, i.e. in the undesired state. Check how a fired event is reported for your rules before treating a fired event as a pass.
StorageAccounts environment tags (single attribute, single rule with a nested attribute path)
{
  "name": "StorageAccounts Environment Tags",
  "description": "Check for correct tag key and value for storage accounts",
  "service": "StorageAccounts",
  "resourceType": "storage-accounts",
  "remediationNotes": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
  "severity": "MEDIUM",
  "provider": "azure",
  "categories": [ "security" ],
  "enabled": true,
  "attributes": [
    { "name": "serviceTag", "path": "data.Tags", "required": true }
  ],
  "rules": [
    {
      "conditions": {
        "all": [
          {
            "path": "$.[?(@.Key=='Environment'&& @.Value=='Sandbox')].Value",
            "fact": "serviceTag",
            "value": "Sandbox",
            "operator": "contains"
          }
        ]
      },
      "event": { "type": "has tags Key: Environment and Value: Sandbox" }
    }
  ]
}