package cloudwatch

import (
	"github.com/khulnasoft-lab/defsec/internal/rules"
	"github.com/khulnasoft-lab/defsec/pkg/framework"
	"github.com/khulnasoft-lab/defsec/pkg/providers"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/severity"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// naclChangeFilterPattern is the CloudWatch Logs metric filter clause that
// covers the CloudTrail events emitted when a network ACL is created,
// deleted, modified or re-associated. A filter is credited only if its
// pattern textually contains this clause (whitespace ignored); a pattern
// that is equivalent but written in a different order or form is not
// recognised by this rule.
const naclChangeFilterPattern = `{($.eventName=CreateNetworkAcl) ||
	($.eventName=CreateNetworkAclEntry) || ($.eventName=DeleteNetworkAcl) ||
	($.eventName=DeleteNetworkAclEntry) || ($.eventName=ReplaceNetworkAclEntry) ||
	($.eventName=ReplaceNetworkAclAssociation)}`

// findNACLChangeFilter returns the first metric filter whose pattern contains
// naclChangeFilterPattern, and false when none of filters does.
func findNACLChangeFilter(filters []cloudwatch.MetricFilter) (cloudwatch.MetricFilter, bool) {
	for _, f := range filters {
		if f.FilterPattern.Contains(naclChangeFilterPattern, types.IgnoreWhitespace) {
			return f, true
		}
	}
	return cloudwatch.MetricFilter{}, false
}

// requireNACLChangeAlarm checks that every logging multi-region CloudTrail
// trail delivers to a CloudWatch log group that has a metric filter for
// network ACL change events, and that an alarm exists for that filter
// (looked up by the filter's name). Trails whose log group cannot be
// resolved, or that are not logging, are skipped: they produce neither a
// finding nor a pass from this rule.
var requireNACLChangeAlarm = rules.Register(
	scan.Rule{
		AVDID:      "AVD-AWS-0157",
		Provider:   providers.AWSProvider,
		Service:    "cloudwatch",
		ShortCode:  "require-nacl-changes-alarm",
		Summary:    "Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL)",
		Impact:     "Network ACLs control the ingress and egress, changes could be made to maliciously allow egress of data or external ingress. Without alerting, this could go unnoticed.",
		Resolution: "Create an alarm to alert on network acl changes",
		Frameworks: map[framework.Framework][]string{
			framework.CIS_AWS_1_2: {
				"3.11",
			},
			framework.CIS_AWS_1_4: {
				"4.11",
			},
		},
		Explanation: `You can do real-time monitoring of API calls by directing CloudTrail logs to CloudWatch Logs and establishing corresponding metric filters and alarms.
NACLs are used as a stateless packet filter to control ingress and egress traffic for subnets in a VPC.

CIS recommends that you create a metric filter and alarm for changes to NACLs. 
Monitoring these changes helps ensure that AWS resources and services aren't unintentionally exposed.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudwatch-alarms-for-cloudtrail.html",
		},
		Terraform:      &scan.EngineMetadata{},
		CloudFormation: &scan.EngineMetadata{},
		Severity:       severity.Low,
	},
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.MultiRegionTrails() {
			logGroup := s.AWS.CloudWatch.GetLogGroupByArn(trail.CloudWatchLogsLogGroupArn.Value())
			// Out of scope for this rule: no resolvable log group, or the
			// trail is not logging at all. Neither case is reported here.
			if logGroup == nil || trail.IsLogging.IsFalse() {
				continue
			}

			filter, ok := findNACLChangeFilter(logGroup.MetricFilters)
			switch {
			case !ok:
				results.Add("Cloudtrail has no network ACL change log filter", trail)
			case s.AWS.CloudWatch.GetAlarmByMetricName(filter.FilterName.Value()) == nil:
				// The alarm is resolved by the filter's name, so a filter
				// without a matching alarm is reported as a finding.
				results.Add("Cloudtrail has no network ACL change alarm", trail)
			default:
				results.AddPassed(trail)
			}
		}

		return results
	},
)