

Updates from project type (#32)
* (automated) Updates from project type

* Delete guide/content/test-deployment.md

---------

Co-authored-by: IA Automator <dev@null>
Co-authored-by: Kishore Vinjam <[email protected]>
3 people authored Oct 30, 2023
1 parent 280cc9a commit c445ffe
Showing 12 changed files with 1,263 additions and 4 deletions.
4 changes: 2 additions & 2 deletions .copier-answers.yml
@@ -1,6 +1,6 @@
# This file is auto-generated, changes will be overwritten
_commit: v0.0.13
_src_path: /task/cef6ced7-f9a1-11ed-8bca-cae66981e6ca/projecttype
_commit: v0.1.3
_src_path: /task/bf3beac4-751b-11ee-affa-429c8fcd4fb9/projecttype
starting_version: v0.0.0
version_file: VERSION

3 changes: 2 additions & 1 deletion .project_automation/functional_tests/Dockerfile
@@ -1,2 +1,3 @@
FROM public.ecr.aws/codebuild/amazonlinux2-x86_64-standard:4.0
RUN pip install taskcat
RUN pip install --upgrade taskcat
RUN pip install scoutsuite boto3
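Review bot: Both pip installs on the new side are unpinned, and `--upgrade` on taskcat makes the image track whatever is on PyPI at build time, so the functional-test image is not reproducible and an upstream release of taskcat or scoutsuite can change results or break the pipeline with no change in this repository. Pin each package and install them in a single layer with the pip cache disabled, e.g. `RUN pip install --no-cache-dir taskcat==<PINNED> scoutsuite==<PINNED> boto3==<PINNED>` (placeholders for the versions the tests were validated against). The base image tag `4.0` is a floating tag as well; if the test results must stay reproducible, pinning it by digest is worth considering.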
@@ -0,0 +1,68 @@
{
"description": "CloudTrail Logs Not Encrypted with KMS Customer Master Keys (CMKs)",
"rationale": "Not encrypting CloudTrail logs with SSE-KMS affects the confidentiality of the log data.",
"remediation": "Ensure each Trail is encrypted with a KMS key",
"compliance": [
{
"name": "CIS Amazon Web Services Foundations",
"version": "1.0.0",
"reference": "2.7"
},
{
"name": "CIS Amazon Web Services Foundations",
"version": "1.1.0",
"reference": "2.7"
},
{
"name": "CIS Amazon Web Services Foundations",
"version": "1.2.0",
"reference": "2.7"
}
],
"references": [
"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html"
],
"dashboard_name": "Configurations",
"display_path": "cloudtrail.regions.id.trails.id",
"path": "cloudtrail.regions.id.trails.id",
"conditions": [
"and",
[
"cloudtrail.regions.id.trails.id.",
"withoutKey",
"scout_link"
],
[
"or",
[
"cloudtrail.regions.id.trails.id.",
"withoutKey",
"KmsKeyId"
],
[
"and",
[
"cloudtrail.regions.id.trails.id.",
"withKey",
"KmsKeyId"
],
[
"cloudtrail.regions.id.trails.id.KmsKeyId",
"null",
""
]
]
],
[
"cloudtrail.regions.id.trails.id.name",
"notEqual",
"IsengardTrail-DO-NOT-DELETE"
],
[
"cloudtrail.regions.id.trails.id.name",
"notEqual",
"aws-controltower-BaselineCloudTrail"
]
],
"id_suffix": "cloudtrail-kms-key-unused"
}
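Review bot: The two `notEqual` clauses at the end of `conditions` exempt trails purely by name (`IsengardTrail-DO-NOT-DELETE`, `aws-controltower-BaselineCloudTrail`), so any trail carrying one of those names is skipped by the encryption check whether or not it is the managed trail the exclusion is meant for, and nothing in the file records why they are exempt. The same name-only exclusion appears in the cross-account AssumeRole rule in the next section (`ABPIntegrationRole`, `ABPPublicationRole`). JSON has no comment syntax, so state the reason where it will be read: extend `rationale` with a sentence such as `The Control Tower baseline trail and the Isengard trail are excluded because <reason recorded by the team>`, or list the exemptions in the accompanying documentation. If an attribute other than the name identifies the managed trail, narrowing the exclusion to it would make the exemption harder to trigger by accident.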
@@ -0,0 +1,138 @@
{
"description": "Cross-Account AssumeRole Policy Lacks External ID and MFA",
"rationale": "When authorizing cross-account role assumption, either an External ID or MFA should be required. If the role is intended for use by a service, an External ID can prevent \"confused deputy\" attacks. If the role is intended for use by an external user, then MFA will strengthen the authentication by requiring a second factor.",
"references": [
"https://research.nccgroup.com/2019/12/18/demystifying-aws-assumerole-and-stsexternalid/",
"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html"
],
"dashboard_name": "Roles",
"display_path": "iam.roles.id",
"path": "iam.roles.id.assume_role_policy.PolicyDocument.Statement.id",
"conditions": [
"and",
[
"iam.roles.id.name",
"notEqual",
"ABPIntegrationRole"
],
[
"iam.roles.id.name",
"notEqual",
"ABPPublicationRole"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Effect",
"equal",
"Allow"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.",
"containAction",
"sts:AssumeRole"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal",
"withKey",
"AWS"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Principal.AWS",
"isCrossAccount",
"_ACCOUNT_ID_"
],
[
"or",
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.",
"withoutKey",
"Condition"
],
[
"and",
[
"or",
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition",
"withoutKey",
"Bool"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.Bool.",
"withoutKey",
"aws:MultiFactorAuthPresent"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.Bool.aws:MultiFactorAuthPresent",
"notTrue",
""
]
],
[
"or",
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition",
"withoutKey",
"BoolIfExists"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.BoolIfExists.",
"withoutKey",
"aws:MultiFactorAuthPresent"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.BoolIfExists.aws:MultiFactorAuthPresent",
"notTrue",
""
]
]
]
],
[
"or",
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.",
"withoutKey",
"Condition"
],
[
"and",
[
"or",
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition",
"withoutKey",
"StringEquals"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringEquals.",
"withoutKey",
"sts:ExternalId"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringEquals.sts:ExternalId",
"empty",
""
]
],
[
"or",
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition",
"withoutKey",
"StringLike"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringLike.",
"withoutKey",
"sts:ExternalId"
],
[
"iam.roles.id.assume_role_policy.PolicyDocument.Statement.id.Condition.StringLike.sts:ExternalId",
"empty",
""
]
]
]
]
]
}
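Review bot: This rule has no `remediation` key, while the CloudTrail rule added in the same commit carries one, so its findings will render without guidance on how to resolve them; add something like `"remediation": "Add a Condition requiring sts:ExternalId (for service principals) or aws:MultiFactorAuthPresent (for user principals) to every cross-account sts:AssumeRole statement"`. The `empty` checks on `sts:ExternalId` only detect a missing or blank value, which appears to be the intent, but a sentence in `rationale` saying that the rule does not assess the ID's strength would stop readers from assuming more than the conditions verify.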
