These walkthroughs help you explore scenarios that use more advanced custom rule logic with several conditions.
Multiple and/or nested conditions
The examples so far use very simple logic with a single condition. A custom rule can combine several conditions, and conditions can be nested inside each other.
AWS
S3 bucket has any encryption (single attribute)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "S3 bucket has any Encryption",
    "description": "We want to make sure there is any encryption",
    "service": "S3",
    "resourceType": "s3-bucket",
    "riskLevel": "HIGH",
    "enabled": true,
    "provider": "aws",
    "categories": ["security"],
    "remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
    "attributes": [
      {
        "name": "bucketEncryption",
        "path": "data.Encryption",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "fact": "bucketEncryption",
              "operator": "notEqual",
              "value": null
            }
          ]
        },
        "description": "Bucket has encryption enabled"
      }
    ]
  }
}
S3 bucket has AES256 server-side encryption (single attribute, nested array)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "S3 bucket has Server Side Encryption",
    "description": "We want to make sure there is correct encryption",
    "service": "S3",
    "resourceType": "s3-bucket",
    "riskLevel": "HIGH",
    "enabled": true,
    "provider": "aws",
    "categories": ["security"],
    "remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
    "attributes": [
      {
        "name": "encryptionAlgorithm",
        "path": "data.Encryption.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "fact": "encryptionAlgorithm",
              "operator": "contains",
              "value": "AES256"
            }
          ]
        },
        "description": "has AES256 encryption"
      }
    ]
  }
}
S3 bucket has encryption enabled, bucket versioning enabled and a bucket lifecycle policy enabled (multiple attributes, multiple rules)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "S3 bucket has Encryption Enabled, Versioning Enabled, and Lifecycle Enabled",
    "description": "We want to make sure there is any encryption and versioning enabled",
    "resourceId": "conformity-audit-manager",
    "service": "S3",
    "resourceType": "s3-bucket",
    "riskLevel": "HIGH",
    "enabled": true,
    "provider": "aws",
    "categories": ["operational-excellence"],
    "remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
    "attributes": [
      {
        "name": "bucketEncryption",
        "path": "data.Encryption",
        "required": true
      },
      {
        "name": "bucketVersioning",
        "path": "data.BucketVersioning",
        "required": true
      },
      {
        "name": "bucketLifecycle",
        "path": "data.Lifecycle",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "fact": "bucketEncryption",
              "operator": "notEqual",
              "value": null
            }
          ]
        },
        "description": "Bucket has encryption enabled"
      },
      {
        "conditions": {
          "all": [
            {
              "fact": "bucketVersioning",
              "operator": "equal",
              "value": "Enabled",
              "path": "$.Status"
            }
          ]
        },
        "description": "Bucket has versioning enabled"
      },
      {
        "conditions": {
          "all": [
            {
              "fact": "bucketLifecycle",
              "operator": "notEqual",
              "value": null
            },
            {
              "fact": "bucketLifecycle",
              "operator": "contains",
              "value": "Enabled",
              "path": "$.[*].Status"
            }
          ]
        },
        "description": "Bucket has lifecycle enabled"
      }
    ]
  }
}
EC2 security group with port 22 (single attribute that is not required, so a missing attribute is allowed)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "EC2 Security Group with Port 22",
    "description": "Check the IpPermissions From Port",
    "service": "EC2",
    "resourceType": "ec2-securitygroup",
    "remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
    "riskLevel": "MEDIUM",
    "provider": "aws",
    "categories": ["performance-efficiency", "security"],
    "enabled": true,
    "attributes": [
      {
        "name": "securityGroupIpPermissionsFromPort",
        "path": "data.IpPermissions[*].FromPort",
        "required": false
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "value": 22,
              "operator": "contains",
              "fact": "securityGroupIpPermissionsFromPort"
            }
          ]
        },
        "description": "securityGroupIpPermissionsFromPort"
      }
    ]
  }
}
IAM role with the right tag key, the deployment region in its name and a name no longer than 64 characters (multiple attributes and multiple conditions in a single rule)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "IAM Role with right tag key, region and name length",
    "description": "We want to make sure that IAM roles adhere to serverless format for multi-region deployment. Role should be tagged with Key 'Service' or 'service', role name should be less than 64, and contain the region in the name",
    "remediationNote": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
    "service": "IAM",
    "resourceType": "iam-role",
    "attributes": [
      {
        "name": "roleName",
        "path": "data.RoleName",
        "required": true
      },
      {
        "name": "serviceTag",
        "path": "data.Tags",
        "required": true
      }
    ],
    "riskLevel": "HIGH",
    "provider": "aws",
    "categories": ["security"],
    "enabled": true,
    "eventRules": [
      {
        "conditions": {
          "any": [
            {
              "path": "$.length",
              "fact": "serviceTag",
              "value": 0,
              "operator": "equal"
            },
            {
              "all": [
                {
                  "path": "$.[*].Key",
                  "fact": "serviceTag",
                  "value": "Service",
                  "operator": "doesNotContain"
                },
                {
                  "path": "$.[*].Key",
                  "fact": "serviceTag",
                  "value": "service",
                  "operator": "doesNotContain"
                }
              ]
            },
            {
              "all": [
                {
                  "fact": "roleName",
                  "operator": "pattern",
                  "value": "^([a-zA-Z0-9_-]){1,64}$"
                },
                {
                  "fact": "roleName",
                  "operator": "pattern",
                  "value": "(us-west-2|us-east-1|ap-southeast-2|eu-west-1)"
                }
              ]
            }
          ]
        },
        "description": "Is tagged service, name not longer than 64 chars and has region in name"
      }
    ]
  }
}
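The evaluator below is an added example and is not Conformity's own rule engine. It dry-runs a rule's attributes and eventRules against a saved resource snapshot so that the condition logic of the AWS examples above (several event rules on one resource, a non-required attribute that may be absent, and nested any/all conditions like the IAM rule) can be checked locally before the rule is uploaded. It supports the constructs used on this page (all/any nesting; the equal, notEqual, contains, doesNotContain and pattern operators; the [*] wildcard in attribute paths; and the $.Name, $.[*].Name and $.length condition paths) but not the JSONPath filter expression used in the Azure tag example. The resource snapshots and the trimmed rule copies are constructed for the example; how a missing required attribute and an empty wildcard result are treated are assumptions of this code, not behaviour documented on this page.

```javascript
// Added example, not Conformity's rule engine: dry-run a custom rule's "attributes" and
// "eventRules" against a resource snapshot to sanity-check its condition logic locally.
// Assumptions not documented on the page: "[*]" collects the value from every array element
// into a flat array (an empty result counts as "not found"); a condition "path" is the JSONPath
// subset "$.Name", "$.[*].Name", "$.length"; a missing required attribute fails the whole rule.

// Walk "data.a[*].b" or "$.[*].b" through value: a scalar when no wildcard is crossed,
// a flat array after one, undefined when nothing is found.
function resolvePath(value, path) {
  const tokens = path.replace(/^\$\.?/, '').split(/[.[\]]/).filter(Boolean);
  let current = [value];
  let expanded = false;
  for (const token of tokens) {
    const next = [];
    for (const item of current) {
      if (item === null || item === undefined) continue;
      if (token === '*') {
        expanded = true;
        if (Array.isArray(item)) next.push(...item);
      } else if (typeof item === 'object') {
        next.push(item[token]); // "length" on an array yields its element count
      }
    }
    current = next.filter((v) => v !== undefined);
  }
  return expanded ? (current.length ? current : undefined) : current[0];
}

// Only the operators the rules on this page use.
const OPERATORS = {
  equal: (actual, expected) => actual === expected,
  notEqual: (actual, expected) => actual !== expected,
  contains: (actual, expected) => Array.isArray(actual) && actual.includes(expected),
  doesNotContain: (actual, expected) => !(Array.isArray(actual) && actual.includes(expected)),
  pattern: (actual, expected) => typeof actual === 'string' && new RegExp(expected).test(actual),
};

// "all": every child holds; "any": at least one does; a leaf reads its fact, optionally
// narrowed by "path", and applies the operator.
function evaluateCondition(condition, facts) {
  if (condition.all) return condition.all.every((c) => evaluateCondition(c, facts));
  if (condition.any) return condition.any.some((c) => evaluateCondition(c, facts));
  const op = OPERATORS[condition.operator];
  if (!op) throw new Error(`unsupported operator: ${condition.operator}`);
  let actual = facts[condition.fact];
  if (condition.path) actual = resolvePath(actual, condition.path);
  return op(actual === undefined ? null : actual, condition.value);
}

// Resolve each attribute into a fact (optional ones become null), then evaluate every event rule.
function evaluateRule(configuration, resource) {
  const facts = {};
  for (const attr of configuration.attributes) {
    const value = resolvePath(resource, attr.path);
    if (value === undefined && attr.required) return { missingRequired: attr.name, results: [] };
    facts[attr.name] = value === undefined ? null : value;
  }
  const results = configuration.eventRules.map((rule) => ({
    description: rule.description,
    matched: evaluateCondition(rule.conditions, facts),
  }));
  return { missingRequired: null, results };
}

// Trimmed copies of two rules from this page (only the keys the evaluator reads).
const bucketRule = {
  attributes: [
    { name: 'bucketEncryption', path: 'data.Encryption', required: true },
    { name: 'bucketVersioning', path: 'data.BucketVersioning', required: true },
    { name: 'bucketLifecycle', path: 'data.Lifecycle', required: true },
  ],
  eventRules: [
    { description: 'Bucket has encryption enabled',
      conditions: { all: [{ fact: 'bucketEncryption', operator: 'notEqual', value: null }] } },
    { description: 'Bucket has versioning enabled',
      conditions: { all: [{ fact: 'bucketVersioning', operator: 'equal', value: 'Enabled', path: '$.Status' }] } },
    { description: 'Bucket has lifecycle enabled',
      conditions: { all: [
        { fact: 'bucketLifecycle', operator: 'notEqual', value: null },
        { fact: 'bucketLifecycle', operator: 'contains', value: 'Enabled', path: '$.[*].Status' },
      ] } },
  ],
};
const sshRule = {
  attributes: [{ name: 'securityGroupIpPermissionsFromPort', path: 'data.IpPermissions[*].FromPort', required: false }],
  eventRules: [{ description: 'securityGroupIpPermissionsFromPort',
    conditions: { all: [{ fact: 'securityGroupIpPermissionsFromPort', operator: 'contains', value: 22 }] } }],
};

// Constructed resource snapshots shaped like the "data" objects the paths above walk.
const encryptedBucket = { data: {
  Encryption: { Rules: [{ ApplyServerSideEncryptionByDefault: { SSEAlgorithm: 'AES256' } }] },
  BucketVersioning: { Status: 'Enabled' },
  Lifecycle: [{ ID: 'expire-logs', Status: 'Disabled' }, { ID: 'abort-mpu', Status: 'Enabled' }],
} };
const plainBucket = { data: { BucketVersioning: { Status: 'Suspended' }, Lifecycle: [] } };
const sshOpenGroup = { data: { IpPermissions: [{ FromPort: 22, ToPort: 22 }, { FromPort: 443, ToPort: 443 }] } };
const emptyGroup = { data: { IpPermissions: [] } };
for (const [rule, resource] of [[bucketRule, encryptedBucket], [bucketRule, plainBucket], [sshRule, sshOpenGroup], [sshRule, emptyGroup]])
  console.log(JSON.stringify(evaluateRule(rule, resource)));
```

Run it with node. The unencrypted bucket stops at the first required attribute and is reported as missingRequired rather than being scored against the three event rules, while the security group with no IpPermissions is evaluated normally and simply does not match, which is the difference between required true and required false that the headings above describe. To dry-run the IAM rule, copy its attributes and eventRules into a third configuration object and pass a snapshot with data.RoleName and data.Tags.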
Azure
Storage blob with public access (single attribute, single rule)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "Storage Blob with Public Access",
    "description": "Checking public access for storage account blob container",
    "service": "StorageAccounts",
    "resourceType": "storage-accounts-blob-containers",
    "remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
    "riskLevel": "HIGH",
    "provider": "azure",
    "categories": ["security"],
    "enabled": true,
    "attributes": [
      {
        "name": "blobPublicAccess",
        "path": "data.publicAccess",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "value": "None",
              "operator": "notEqual",
              "fact": "blobPublicAccess"
            }
          ]
        },
        "description": "Storage blob has public access."
      }
    ]
  }
}
StorageAccounts environment tags (single attribute, single rule with a nested attribute path)
{
  "accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
  "configuration": {
    "name": "StorageAccounts Environment Tags",
    "description": "Check for correct tag key and value for storage accounts",
    "service": "StorageAccounts",
    "resourceType": "storage-accounts",
    "remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
    "riskLevel": "MEDIUM",
    "provider": "azure",
    "categories": ["security"],
    "enabled": true,
    "attributes": [
      {
        "name": "serviceTag",
        "path": "data.Tags",
        "required": true
      }
    ],
    "eventRules": [
      {
        "conditions": {
          "all": [
            {
              "path": "$.[?(@.Key=='Environment'&& @.Value=='Sandbox')].Value",
              "fact": "serviceTag",
              "value": "Sandbox",
              "operator": "contains"
            }
          ]
        },
        "description": "has tags Key: Environment and Value: Sandbox"
      }
    ]
  }
}
