# Section 1 ("Identity and Access Management") of the aws_dummy CIS v1.3.0 test mod
# (pkg/control/testdata/aws_dummy/cis_v130/section1.sp).
#
# Every control below points its `sql` at one of query.alarm.sql, query.ok.sql or
# query.error.sql, which are defined elsewhere in the mod (not visible here). The
# names suggest each query yields a fixed control status rather than inspecting an
# AWS account — presumably so the control runner's result handling can be tested
# deterministically; confirm against the query definitions. Treat the pass/fail
# outcomes of this mod as test scaffolding, not as an assessment of any account.

# Tags shared by every control in this section: the section-wide common tags
# (local.cis_v130_common_tags, defined outside this file) plus cis_section_id.
locals {
  cis_v130_1_common_tags = merge(local.cis_v130_common_tags, {
    cis_section_id = "1"
  })
}

# Commented-out benchmark that carries the same title as benchmark.cis_v130_1
# below but a different name and a two-control subset of its children.
# NOTE(review): presumably kept as a toggle for a duplicate-definition test; it
# is inert while commented out.
//
//benchmark "cis_v130_1dupe" {
//  title         = "1 Identity and Access Management"
//  documentation = file("./cis_v130/docs/cis_v130_1.md")
//  children = [
//    control.cis_v130_1_1,
//    control.cis_v130_1_2,
//  ]
//  tags = local.cis_v130_1_common_tags
//}

# Section benchmark: groups controls 1.1 through 1.22, listed in item order.
# Documentation is read from a markdown file relative to the mod root.
benchmark "cis_v130_1" {
  title         = "1 Identity and Access Management"
  documentation = file("./cis_v130/docs/cis_v130_1.md")
  children = [
    control.cis_v130_1_1,
    control.cis_v130_1_2,
    control.cis_v130_1_3,
    control.cis_v130_1_4,
    control.cis_v130_1_5,
    control.cis_v130_1_6,
    control.cis_v130_1_7,
    control.cis_v130_1_8,
    control.cis_v130_1_9,
    control.cis_v130_1_10,
    control.cis_v130_1_11,
    control.cis_v130_1_12,
    control.cis_v130_1_13,
    control.cis_v130_1_14,
    control.cis_v130_1_15,
    control.cis_v130_1_16,
    control.cis_v130_1_17,
    control.cis_v130_1_18,
    control.cis_v130_1_19,
    control.cis_v130_1_20,
    control.cis_v130_1_21,
    control.cis_v130_1_22
  ]
  tags = local.cis_v130_1_common_tags
}

# Controls 1.1–1.4 are the only ones in this file with a live `documentation`
# attribute and an explicit `severity` of "high"; 1.1 is additionally the only
# control that sets `search_path` (a three-entry dummy value).
control "cis_v130_1_1" {
  title         = "1.1 Maintain current contact details"
  description   = "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization."
  sql           = query.alarm.sql
  documentation = file("./cis_v130/docs/cis_v130_1_1.md")
  severity      = "high"
  # Only control in this section that overrides the search path — presumably to
  # exercise per-control search_path handling in the runner; confirm in the tests.
  search_path   = "a,b,c"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "6.3"
    cis_item_id  = "1.1"
    cis_levels   = "1"
    cis_type     = "manual"
  })
}

control "cis_v130_1_2" {
  title         = "1.2 Ensure security contact information is registered"
  description   = "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided."
  sql           = query.alarm.sql
  documentation = file("./cis_v130/docs/cis_v130_1_2.md")
  severity      = "high"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "19,19.2"
    cis_item_id  = "1.2"
    cis_levels   = "1"
    cis_type     = "manual"
  })
}

control "cis_v130_1_3" {
  title         = "1.3 Ensure security questions are registered in the AWS account"
  description   = "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established."
  sql           = query.ok.sql
  documentation = file("./cis_v130/docs/cis_v130_1_3.md")
  severity      = "high"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "16"
    cis_item_id  = "1.3"
    cis_levels   = "1"
    cis_type     = "manual"
  })
}

control "cis_v130_1_4" {
  title         = "1.4 Ensure no root user account access key exists"
  description   = "The root user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be removed."
  sql           = query.ok.sql
  documentation = file("./cis_v130/docs/cis_v130_1_4.md")
  severity      = "high"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "4.3"
    cis_item_id  = "1.4"
    cis_levels   = "1"
    cis_type     = "automated"
  })
}

# From 1.5 onward the `documentation` attribute is commented out. Controls
# without an explicit `severity` (1.5–1.9, 1.11–1.15, 1.17–1.20, 1.22) rely on
# whatever default the runner applies when the attribute is absent.
control "cis_v130_1_5" {
  title       = "1.5 Ensure MFA is enabled for the \"root user\" account"
  description = "The root user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device."
  sql         = query.alarm.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_5.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "4.5"
    cis_item_id  = "1.5"
    cis_levels   = "1"
    cis_type     = "automated"
  })
}

# Only control in this section wired to query.error.sql.
control "cis_v130_1_6" {
  title       = "1.6 Ensure hardware MFA is enabled for the \"root user\" account"
  description = "The root user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA."
  sql         = query.error.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_6.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "4.5"
    cis_item_id  = "1.6"
    cis_levels   = "2"
    cis_type     = "automated"
  })
}

control "cis_v130_1_7" {
  title       = "1.7 Eliminate use of the root user for administrative and daily tasks"
  description = "With the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_7.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "4.3"
    cis_item_id  = "1.7"
    cis_levels   = "1"
    cis_type     = "automated"
  })
}

control "cis_v130_1_8" {
  title       = "1.8 Ensure IAM password policy requires minimum length of 14 or greater"
  description = "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_8.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "16"
    cis_item_id  = "1.8"
    cis_levels   = "1"
    cis_type     = "automated"
  })
}

control "cis_v130_1_9" {
  title       = "1.9 Ensure IAM password policy prevents password reuse"
  description = "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_9.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "4.4"
    cis_item_id  = "1.9"
    cis_levels   = "1"
    cis_type     = "automated"
  })
}

# From 1.10 onward the tag keys are written in a different order
# (cis_item_id, cis_type, cis_levels, cis_controls). Object key order does not
# affect the result of merge(), so the emitted tags are equivalent.
# NOTE(review): the commented-out documentation path uses a literal `_X`
# placeholder; it would need the real item number before being re-enabled.
control "cis_v130_1_10" {
  title       = "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password"
  description = "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_X.md")
  severity    = "critical"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.10"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "4.5"
  })
}

# NOTE(review): "cerating" in the description is a typo for "creating"; left as
# is here because the description is fixture data that tests may compare against.
control "cis_v130_1_11" {
  title       = "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password"
  description = "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_11.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.11"
    cis_type     = "manual"
    cis_levels   = "1"
    cis_controls = "16"
  })
}

control "cis_v130_1_12" {
  title       = "1.12 Ensure credentials unused for 90 days or greater are disabled"
  description = "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be deactivated or removed."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_12.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.12"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "16.9"
  })
}

control "cis_v130_1_13" {
  title       = "1.13 Ensure there is only one active access key available for any single IAM user"
  description = "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_13.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.13"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "4"
  })
}

control "cis_v130_1_14" {
  title       = "1.14 Ensure access keys are rotated every 90 days or less"
  description = "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_14.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.14"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "16"
  })
}

control "cis_v130_1_15" {
  title       = "1.15 Ensure IAM Users Receive Permissions Only Through Groups"
  description = "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended."
  sql         = query.alarm.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_15.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.15"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "16"
  })
}

control "cis_v130_1_16" {
  title       = "1.16 Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached"
  description = "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_16.md")
  severity    = "critical"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.16"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "4"
  })
}

# NOTE(review): the commented-out documentation paths for 1.17–1.20 and 1.22 use
# `cisv130_` (no underscore) where every live path in this file uses `cis_v130_`;
# they would not resolve as written if re-enabled.
control "cis_v130_1_17" {
  title       = "1.17 Ensure a support role has been created to manage incidents with AWS Support"
  description = "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cisv130_1_17.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.17"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "14"
  })
}

control "cis_v130_1_18" {
  title       = "1.18 Ensure IAM instance roles are used for AWS resource access from instances"
  description = "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cisv130_1_18.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.18"
    cis_type     = "manual"
    cis_levels   = "2"
    cis_controls = "19"
  })
}

control "cis_v130_1_19" {
  title       = "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed"
  description = "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cisv130_1_19.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.19"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "13"
  })
}

control "cis_v130_1_20" {
  title       = "1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'"
  description = "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cisv130_1_20.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.20"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "14.6"
  })
}

control "cis_v130_1_21" {
  title       = "1.21 Ensure that IAM Access analyzer is enabled"
  description = "Enable IAM Access analyzer for IAM policies about all resources. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access."
  sql         = query.alarm.sql
  #documentation = file("./cis_v130/docs/cis_v130_1_21.md")
  severity    = "critical"
  tags = merge(local.cis_v130_1_common_tags, {
    cis_item_id  = "1.21"
    cis_type     = "automated"
    cis_levels   = "1"
    cis_controls = "14.6"
  })
}

# Tag keys return to the 1.1–1.9 ordering here; equivalent under merge().
control "cis_v130_1_22" {
  title       = "1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments"
  description = "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations."
  sql         = query.ok.sql
  #documentation = file("./cis_v130/docs/cisv130_1_22.md")

  tags = merge(local.cis_v130_1_common_tags, {
    cis_controls = "16.2"
    cis_item_id  = "1.22"
    cis_levels   = "2"
    cis_type     = "manual"
  })
}