github.com/turbot/steampipe@v1.7.0-rc.0.0.20240517123944-7cef272d4458/tests/acceptance/test_data/mods/sample_workspace/cis_v130/section1.sp (about) 1 locals { 2 cis_v130_1_common_tags = merge(local.cis_v130_common_tags, { 3 cis_section_id = "1" 4 }) 5 } 6 // 7 //benchmark "cis_v130_1dupe" { 8 // title = "1 Identity and Access Management" 9 // documentation = file("./cis_v130/docs/cis_v130_1.md") 10 // children = [ 11 // control.cis_v130_1_1, 12 // control.cis_v130_1_2, 13 // ] 14 // tags = local.cis_v130_1_common_tags 15 //} 16 17 benchmark "cis_v130_1" { 18 title = "1 Identity and Access Management" 19 documentation = file("./cis_v130/docs/cis_v130_1.md") 20 children = [ 21 control.cis_v130_1_1, 22 control.cis_v130_1_2, 23 control.cis_v130_1_3, 24 control.cis_v130_1_4, 25 control.cis_v130_1_5, 26 control.cis_v130_1_6, 27 control.cis_v130_1_7, 28 control.cis_v130_1_8, 29 control.cis_v130_1_9, 30 control.cis_v130_1_10, 31 control.cis_v130_1_11, 32 control.cis_v130_1_12, 33 control.cis_v130_1_13, 34 control.cis_v130_1_14, 35 control.cis_v130_1_15, 36 control.cis_v130_1_16, 37 control.cis_v130_1_17, 38 control.cis_v130_1_18, 39 control.cis_v130_1_19, 40 control.cis_v130_1_20, 41 control.cis_v130_1_21, 42 control.cis_v130_1_22 43 ] 44 tags = local.cis_v130_1_common_tags 45 } 46 47 control "cis_v130_1_1" { 48 title = "1.1 Maintain current contact details" 49 description = "Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization." 50 sql = query.alarm.sql 51 documentation = file("./cis_v130/docs/cis_v130_1_1.md") 52 severity = "high" 53 tags = merge(local.cis_v130_1_common_tags, { 54 cis_controls = "6.3" 55 cis_item_id = "1.1" 56 cis_levels = "1" 57 cis_type = "manual" 58 }) 59 } 60 61 control "cis_v130_1_2" { 62 title = "1.2 Ensure security contact information is registered" 63 description = "AWS provides customers with the option of specifying the contact information for accounts security team. It is recommended that this information be provided." 64 sql = query.alarm.sql 65 documentation = file("./cis_v130/docs/cis_v130_1_2.md") 66 severity = "high" 67 tags = merge(local.cis_v130_1_common_tags, { 68 cis_controls = "19,19.2" 69 cis_item_id = "1.2" 70 cis_levels = "1" 71 cis_type = "manual" 72 }) 73 } 74 75 control "cis_v130_1_3" { 76 title = "1.3 Ensure security questions are registered in the AWS account" 77 description = "The AWS support portal allows account owners to establish security questions that can be used to authenticate individuals calling AWS customer service for support. It is recommended that security questions be established." 78 sql = query.ok.sql 79 documentation = file("./cis_v130/docs/cis_v130_1_3.md") 80 severity = "high" 81 tags = merge(local.cis_v130_1_common_tags, { 82 cis_controls = "16" 83 cis_item_id = "1.3" 84 cis_levels = "1" 85 cis_type = "manual" 86 }) 87 } 88 89 control "cis_v130_1_4" { 90 title = "1.4 Ensure no root user account access key exists" 91 description = "The root user account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root user account be removed." 92 sql = query.ok.sql 93 documentation = file("./cis_v130/docs/cis_v130_1_4.md") 94 severity = "high" 95 tags = merge(local.cis_v130_1_common_tags, { 96 cis_controls = "4.3" 97 cis_item_id = "1.4" 98 cis_levels = "1" 99 cis_type = "automated" 100 }) 101 } 102 103 control "cis_v130_1_5" { 104 title = "1.5 Ensure MFA is enabled for the \"root user\" account" 105 description = "The root user account is the most privileged user in an AWS account. Multi-factor Authentication (MFA) adds an extra layer of protection on top of a username and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their username and password as well as for an authentication code from their AWS MFA device." 106 sql = query.alarm.sql 107 #documentation = file("./cis_v130/docs/cis_v130_1_5.md") 108 109 tags = merge(local.cis_v130_1_common_tags, { 110 cis_controls = "4.5" 111 cis_item_id = "1.5" 112 cis_levels = "1" 113 cis_type = "automated" 114 }) 115 } 116 117 control "cis_v130_1_6" { 118 title = "1.6 Ensure hardware MFA is enabled for the \"root user\" account" 119 description = "The root user account is the most privileged user in an AWS account. MFA adds an extra layer of protection on top of a user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password as well as for an authentication code from their AWS MFA device. For Level 2, it is recommended that the root user account be protected with a hardware MFA." 120 sql = query.error.sql 121 #documentation = file("./cis_v130/docs/cis_v130_1_6.md") 122 123 tags = merge(local.cis_v130_1_common_tags, { 124 cis_controls = "4.5" 125 cis_item_id = "1.6" 126 cis_levels = "2" 127 cis_type = "automated" 128 }) 129 } 130 131 control "cis_v130_1_7" { 132 title = "1.7 Eliminate use of the root user for administrative and daily tasks" 133 description = "With the creation of an AWS account, a root user is created that cannot be disabled or deleted. That user has unrestricted access to and control over all resources in the AWS account. It is highly recommended that the use of this account be avoided for everyday tasks." 134 sql = query.ok.sql 135 #documentation = file("./cis_v130/docs/cis_v130_1_7.md") 136 137 tags = merge(local.cis_v130_1_common_tags, { 138 cis_controls = "4.3" 139 cis_item_id = "1.7" 140 cis_levels = "1" 141 cis_type = "automated" 142 }) 143 } 144 145 control "cis_v130_1_8" { 146 title = "1.8 Ensure IAM password policy requires minimum length of 14 or greater" 147 description = "Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are at least a given length. It is recommended that the password policy require a minimum password length 14." 148 sql = query.ok.sql 149 #documentation = file("./cis_v130/docs/cis_v130_1_8.md") 150 151 tags = merge(local.cis_v130_1_common_tags, { 152 cis_controls = "16" 153 cis_item_id = "1.8" 154 cis_levels = "1" 155 cis_type = "automated" 156 }) 157 } 158 159 control "cis_v130_1_9" { 160 title = "1.9 Ensure IAM password policy prevents password reuse" 161 description = "IAM password policies can prevent the reuse of a given password by the same user. It is recommended that the password policy prevent the reuse of passwords." 162 sql = query.ok.sql 163 #documentation = file("./cis_v130/docs/cis_v130_1_9.md") 164 165 tags = merge(local.cis_v130_1_common_tags, { 166 cis_controls = "4.4" 167 cis_item_id = "1.9" 168 cis_levels = "1" 169 cis_type = "automated" 170 }) 171 } 172 173 control "cis_v130_1_10" { 174 title = "1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password" 175 description = "Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password." 176 sql = query.ok.sql 177 #documentation = file("./cis_v130/docs/cis_v130_1_X.md") 178 severity = "critical" 179 tags = merge(local.cis_v130_1_common_tags, { 180 cis_item_id = "1.10" 181 cis_type = "automated" 182 cis_levels = "1" 183 cis_controls = "4.5" 184 }) 185 } 186 187 control "cis_v130_1_11" { 188 title = "1.11 Do not setup access keys during initial user setup for all IAM users that have a console password" 189 description = "AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require." 190 sql = query.ok.sql 191 #documentation = file("./cis_v130/docs/cis_v130_1_11.md") 192 193 tags = merge(local.cis_v130_1_common_tags, { 194 cis_item_id = "1.11" 195 cis_type = "manual" 196 cis_levels = "1" 197 cis_controls = "16" 198 }) 199 } 200 201 control "cis_v130_1_12" { 202 title = "1.12 Ensure credentials unused for 90 days or greater are disabled" 203 description = "AWS IAM users can access AWS resources using different types of credentials, such as passwords or access keys. It is recommended that all credentials that have been unused in 90 or greater days be deactivated or removed." 204 sql = query.ok.sql 205 #documentation = file("./cis_v130/docs/cis_v130_1_12.md") 206 207 tags = merge(local.cis_v130_1_common_tags, { 208 cis_item_id = "1.12" 209 cis_type = "automated" 210 cis_levels = "1" 211 cis_controls = "16.9" 212 }) 213 } 214 215 control "cis_v130_1_13" { 216 title = "1.13 Ensure there is only one active access key available for any single IAM user" 217 description = "Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API. One of the best ways to protect your account is to not allow users to have multiple access keys." 218 sql = query.ok.sql 219 #documentation = file("./cis_v130/docs/cis_v130_1_13.md") 220 221 tags = merge(local.cis_v130_1_common_tags, { 222 cis_item_id = "1.13" 223 cis_type = "automated" 224 cis_levels = "1" 225 cis_controls = "4" 226 }) 227 } 228 229 control "cis_v130_1_14" { 230 title = "1.14 Ensure access keys are rotated every 90 days or less" 231 description = "Access keys consist of an access key ID and secret access key, which are used to sign programmatic requests that you make to AWS. AWS users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. It is recommended that all access keys be regularly rotated." 232 sql = query.ok.sql 233 #documentation = file("./cis_v130/docs/cis_v130_1_14.md") 234 235 tags = merge(local.cis_v130_1_common_tags, { 236 cis_item_id = "1.14" 237 cis_type = "automated" 238 cis_levels = "1" 239 cis_controls = "16" 240 }) 241 } 242 243 control "cis_v130_1_15" { 244 title = "1.15 Ensure IAM Users Receive Permissions Only Through Groups" 245 description = "IAM users are granted access to services, functions, and data through IAM policies. There are three ways to define policies for a user: 1) Edit the user policy directly, aka an inline, or user, policy; 2) attach a policy directly to a user; 3) add the user to an IAM group that has an attached policy. Only the third implementation is recommended." 246 sql = query.alarm.sql 247 #documentation = file("./cis_v130/docs/cis_v130_1_15.md") 248 249 tags = merge(local.cis_v130_1_common_tags, { 250 cis_item_id = "1.15" 251 cis_type = "automated" 252 cis_levels = "1" 253 cis_controls = "16" 254 }) 255 } 256 257 control "cis_v130_1_16" { 258 title = "1.16 Ensure IAM policies that allow full \"*:*\" administrative privileges are not attached" 259 description = "IAM policies are the means by which privileges are granted to users, groups, or roles. It is recommended and considered a standard security advice to grant least privilege -that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of allowing full administrative privileges." 260 sql = query.ok.sql 261 #documentation = file("./cis_v130/docs/cis_v130_1_16.md") 262 severity = "critical" 263 tags = merge(local.cis_v130_1_common_tags, { 264 cis_item_id = "1.16" 265 cis_type = "automated" 266 cis_levels = "1" 267 cis_controls = "4" 268 }) 269 } 270 271 control "cis_v130_1_17" { 272 title = "1.17 Ensure a support role has been created to manage incidents with AWS Support" 273 description = "AWS provides a support center that can be used for incident notification and response, as well as technical support and customer services. Create an IAM Role to allow authorized users to manage incidents with AWS Support." 274 sql = query.ok.sql 275 #documentation = file("./cis_v130/docs/cisv130_1_17.md") 276 277 tags = merge(local.cis_v130_1_common_tags, { 278 cis_item_id = "1.17" 279 cis_type = "automated" 280 cis_levels = "1" 281 cis_controls = "14" 282 }) 283 } 284 285 control "cis_v130_1_18" { 286 title = "1.18 Ensure IAM instance roles are used for AWS resource access from instances" 287 description = "AWS access from within AWS instances can be done by either encoding AWS keys into AWS API calls or by assigning the instance to a role which has an appropriate permissions policy for the required access. \"AWS Access\" means accessing the APIs of AWS in order to access AWS resources or manage AWS account resources." 288 sql = query.ok.sql 289 #documentation = file("./cis_v130/docs/cisv130_1_18.md") 290 291 tags = merge(local.cis_v130_1_common_tags, { 292 cis_item_id = "1.18" 293 cis_type = "manual" 294 cis_levels = "2" 295 cis_controls = "19" 296 }) 297 } 298 299 control "cis_v130_1_19" { 300 title = "1.19 Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed" 301 description = "To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console." 302 sql = query.ok.sql 303 #documentation = file("./cis_v130/docs/cisv130_1_19.md") 304 305 tags = merge(local.cis_v130_1_common_tags, { 306 cis_item_id = "1.19" 307 cis_type = "automated" 308 cis_levels = "1" 309 cis_controls = "13" 310 }) 311 } 312 313 control "cis_v130_1_20" { 314 title = "1.20 Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'" 315 description = "Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principle with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account." 316 sql = query.ok.sql 317 #documentation = file("./cis_v130/docs/cisv130_1_20.md") 318 319 tags = merge(local.cis_v130_1_common_tags, { 320 cis_item_id = "1.20" 321 cis_type = "automated" 322 cis_levels = "1" 323 cis_controls = "14.6" 324 }) 325 } 326 327 control "cis_v130_1_21" { 328 title = "1.21 Ensure that IAM Access analyzer is enabled" 329 description = "Enable IAM Access analyzer for IAM policies about all resources. IAM Access Analyzer is a technology introduced at AWS reinvent 2019. After the Analyzer is enabled in IAM, scan results are displayed on the console showing the accessible resources. Scans show resources that other accounts and federated users can access, such as KMS keys and IAM roles. So the results allow you to determine if an unintended user is allowed, making it easier for administrators to monitor least privileges access." 330 sql = query.alarm.sql 331 #documentation = file("./cis_v130/docs/cis_v130_1_21.md") 332 severity = "critical" 333 tags = merge(local.cis_v130_1_common_tags, { 334 cis_item_id = "1.21" 335 cis_type = "automated" 336 cis_levels = "1" 337 cis_controls = "14.6" 338 }) 339 } 340 341 control "cis_v130_1_22" { 342 title = "1.22 Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments" 343 description = "In multi-account environments, IAM user centralization facilitates greater user control. User access beyond the initial account is then provide via role assumption. Centralization of users can be accomplished through federation with an external identity provider or through the use of AWS Organizations." 344 sql = query.ok.sql 345 #documentation = file("./cis_v130/docs/cisv130_1_22.md") 346 347 tags = merge(local.cis_v130_1_common_tags, { 348 cis_controls = "16.2" 349 cis_item_id = "1.22" 350 cis_levels = "2" 351 cis_type = "manual" 352 }) 353 }