From 48587bd0341ae464436895938ad3266e623b32cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Mart=C3=ADn?=
Date: Wed, 31 Jan 2024 10:18:31 +0100
Subject: [PATCH] feat(compliance): account security onboarding compliance framework (#3286)
Co-authored-by: Sergio Garcia <38561120+sergargar@users.noreply.github.com>
---
 .../aws_account_security_onboarding_aws.json | 1190 +++++++++++++++++
 prowler/lib/check/compliance_models.py | 4 +-
 prowler/lib/outputs/models.py | 4 +-
 3 files changed, 1194 insertions(+), 4 deletions(-)
 create mode 100644 prowler/compliance/aws/aws_account_security_onboarding_aws.json
diff --git a/prowler/compliance/aws/aws_account_security_onboarding_aws.json b/prowler/compliance/aws/aws_account_security_onboarding_aws.json
new file mode 100644
index 00000000..53f8fbb3
--- /dev/null
+++ b/prowler/compliance/aws/aws_account_security_onboarding_aws.json
@@ -0,0 +1,1190 @@ +{ + "Framework": "AWS-Account-Security-Onboarding", + "Version": "", + "Provider": "AWS", + "Description": "Checklist when onboarding new AWS Accounts to existing AWS Organization.", + "Requirements": [ + { + "Id": "Predefine IAM Roles", + "Description": "Check if exists predefine IAM Roles", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "IAM", + "Type": "Automated" + } + ], + "Checks": [ + "iam_no_custom_policy_permissive_role_assumption", + "iam_policy_attached_only_to_group_or_roles", + "iam_support_role_created", + "iam_role_cross_service_confused_deputy_prevention" + ] + }, + { + "Id": "Enabled security services", + "Description": "Check if security services are enabled", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "SecurityServices", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled", + "guardduty_is_enabled", + "accessanalyzer_enabled", + "macie_is_enabled" + ] + }, + { + "Id": "IDC integration, SSO configuration", + "Description": "Check if IDC integration and SSO configuration is enabled", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "IAM Identity Center", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Organization invitation", + "Description": "Check if organization invitation is enabled", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "Organizations", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Billing, emergency, security contacts", + "Description": "Check if billing, emergency, security contacts are configured", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "Billing", + "Type": "Automated" + } + ], + "Checks": [ + "account_maintain_current_contact_details", + "account_security_contact_information_is_registered" + ] + }, + { + "Id": "Root user 
- distribution email + MFA", + "Description": "Check if root user has distribution email and MFA enabled", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "IAM", + "Type": "Automated" + } + ], + "Checks": [ + "iam_root_mfa_enabled", + "iam_root_hardware_mfa_enabled" + ] + }, + { + "Id": "S3 Block Public Access", + "Description": "Block public access to S3 buckets", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "S3", + "Type": "Automated" + } + ], + "Checks": [ + "s3_account_level_public_access_blocks", + "s3_bucket_public_access", + "s3_bucket_level_public_access_block" + ] + }, + { + "Id": "Disable AMI public sharing", + "Description": "Disable AMI public sharing", + "Attributes": [ + { + "Section": "Deploy account from predefined IaC template", + "Service": "EC2", + "Type": "Automated" + } + ], + "Checks": [ + "ec2_ami_public" + ] + }, + { + "Id": "Block unused regions", + "Description": "Block unsued regions", + "Attributes": [ + { + "Section": "SCPs", + "SubSection": "Apply existing SCPs based on OU placement", + "Service": "IAM", + "Type": "Automated" + } + ], + "Checks": [ + "organizations_scp_check_deny_regions" + ] + }, + { + "Id": "Block tampering with security-related settings and services", + "Description": "Block tampering with security-related settings and services", + "Attributes": [ + { + "Section": "SCPs", + "SubSection": "Apply existing SCPs based on OU placement", + "Service": "IAM", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Restrict instances types", + "Description": "Restrict instances types", + "Attributes": [ + { + "Section": "SCPs", + "SubSection": "Apply existing SCPs based on OU placement", + "Service": "IAM", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Block root user", + "Description": "Block root user", + "Attributes": [ + { + "Section": "SCPs", + "SubSection": "Apply existing SCPs based on OU placement", + 
"Service": "IAM", + "Type": "Automated" + } + ], + "Checks": [ + "iam_no_root_access_key", + "iam_avoid_root_usage" + ] + }, + { + "Id": "Add custom SCPs if required", + "Description": "Add custom SCPs if required", + "Attributes": [ + { + "Section": "SCPs", + "Service": "IAM", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Send DNS Resolvers queries to SIEM", + "Description": "Send DNS Resolvers queries to SIEM", + "Attributes": [ + { + "Section": "Logging", + "Service": "Logging", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Send VPC Flow Logs (only DENYs) to S3 bucket", + "Description": "Send VPC Flow Logs (only DENYs) to S3 bucket", + "Attributes": [ + { + "Section": "Logging", + "Service": "Logging", + "Type": "Automated" + } + ], + "Checks": [ + "vpc_flow_logs_enabled" + ] + }, + { + "Id": "Send S3 access logs for critical buckets to separate S3 bucket", + "Description": "Send S3 access logs for critical buckets to separate S3 bucket", + "Attributes": [ + { + "Section": "Logging", + "Service": "Logging", + "Type": "Automated" + } + ], + "Checks": [ + "cloudtrail_logs_s3_bucket_access_logging_enabled", + "cloudtrail_s3_dataevents_write_enabled" + ] + }, + { + "Id": "Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations", + "Description": "Establish ready-to-be-enabled pipelines to deliver ALB and CFD to SIEM to toggle in case of emergency and investigations", + "Attributes": [ + { + "Section": "Logging", + "Service": "Logging", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alert on each High finding", + "Description": "Checks that GuardDuty is enabled and configured to send High findings to CloudWatch Events", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "GuardDuty", + "Service": "GuardDuty", + "Type": "Automated" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_is_enabled" + ] + }, + { + "Id": "Alerts based on 
aggregated findings with severity Medium and below", + "Description": "Alert based on aggregated findings with severity Medium and below", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "GuardDuty", + "Service": "GuardDuty", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Critical alert on every root user activity", + "Description": "Send critical alert on every root user activity", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "CloudTrail", + "Service": "CloudTrail", + "Type": "Automated" + } + ], + "Checks": [ + "cloudwatch_log_metric_filter_root_usage" + ] + }, + { + "Id": "Critical alert on cloudtrail settings changes", + "Description": "Send critical alert on cloudtrail settings changes", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "CloudTrail", + "Service": "CloudTrail", + "Type": "Automated" + } + ], + "Checks": [ + "cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled" + ] + }, + { + "Id": "Alert on rise of ConsoleLoginFailures events", + "Description": "Alert on rise ConsoleLoginFailures events", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "CloudTrail", + "Service": "CloudTrail", + "Type": "Automated" + } + ], + "Checks": [ + "cloudwatch_log_metric_filter_authentication_failures" + ] + }, + { + "Id": "Alert on IAM user changes", + "Description": "Alert on IAM user changes", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "CloudTrail", + "Service": "CloudTrail", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alert on snapshot manipulations", + "Description": "Alert when a snapshot is manipulated", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "CloudTrail", + "Service": "CloudTrail", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alerts on raised cost anomaly events", + "Description": "Alert when cost anomaly events are raised", + "Attributes": [ + { + "Section": "Alerting", + 
"SubSection": "Cost Anomaly", + "Service": "Billing", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alerts based on (at least) each new CRITICAL finding", + "Description": "Alerts triggered by every new CRITICAL finding, at a minimum.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "SecurityHub", + "Service": "SecurityHub", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Realert on inactivity in a set period", + "Description": "Activate a re-alert system for detecting inactivity within a specified time frame.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "SecurityHub", + "Service": "SecurityHub", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alerts based on rate-based rules", + "Description": "Notifications triggered by rate-based regulations", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "WAF", + "Service": "WAF", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alerts based on high amount of blocked requests by managed rules", + "Description": "Notifications triggered by a significant number of blocked requests as a result of managed rules.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "WAF", + "Service": "WAF", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alert based on DDoSDetected metric", + "Description": "Generate an alert triggered by the detection of a DDoS attack based on the DDoSDetected metric.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "Shield", + "Service": "Shield", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Adopt incident response guide and prepared battle card", + "Description": "Utilize the incident response manual and have the battle card ready for use.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "Shield", + "Service": "Shield", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alert on blocked DNS query", + "Description": "Notify 
when a DNS query is obstructed.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "R53 DNS Resolver", + "Service": "Route53", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Alert on critical vulnerabilities in AMIs/Images", + "Description": "Notification regarding severe vulnerabilities detected in AMIs/Images.", + "Attributes": [ + { + "Section": "Alerting", + "SubSection": "Vulnerability Scanning", + "Service": "Inspector", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Create Cost Anomaly Detection monitors to alert spending anomalies", + "Description": "Develop monitoring systems for detecting cost anomalies and generating alerts for irregular spending patterns.", + "Attributes": [ + { + "Section": "Budget Alarms", + "SubSection": "Prod", + "Service": "CloudWatch", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Create Cost Anomaly Detection monitors to alert spending anomalies", + "Description": "Establish monitoring systems for cost anomaly detection to promptly notify about unusual spending patterns.", + "Attributes": [ + { + "Section": "Budget Alarms", + "SubSection": "QA", + "Service": "CloudWatch", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Configure Budgets Actions to stop services in cases of big unexpected spendings", + "Description": "Set up Budgets Actions to halt services when significant unexpected expenses occur.", + "Attributes": [ + { + "Section": "Budget Alarms", + "SubSection": "QA", + "Service": "SNS", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Create analyzers in each active regions", + "Description": "Establish analyzers within every active region.", + "Attributes": [ + { + "Section": "IAM Access Analyzer", + "Service": "IAM Access Analyzer", + "Type": "Automated" + } + ], + "Checks": [ + "accessanalyzer_enabled", + "accessanalyzer_enabled_without_findings" + ] + }, + { + "Id": "Verify that events are present in SecurityHub aggregated view", + 
"Description": "Confirm the presence of events within the aggregated view of SecurityHub.", + "Attributes": [ + { + "Section": "IAM Access Analyzer", + "Service": "SecurityHub", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled", + "accessanalyzer_enabled", + "accessanalyzer_enabled_without_findings" + ] + }, + { + "Id": "Consider enabling for critical buckets only", + "Description": "Please contemplate activating this feature exclusively for essential or crucial buckets.", + "Attributes": [ + { + "Section": "Macie", + "Service": "Macie", + "Type": "Automated" + } + ], + "Checks": [ + "macie_is_enabled" + ] + }, + { + "Id": "Enable and configure AWS Inspector", + "Description": "Enable and set up AWS Inspector.", + "Attributes": [ + { + "Section": "Vulnerability Scanning", + "SubSection": "EC2 used as servers", + "Service": "EC2", + "Type": "Automated" + } + ], + "Checks": [ + "inspector2_findings_exist" + ] + }, + { + "Id": "Export scan results as metrics in centralized collector", + "Description": "Export scan results as metrics to a centralized collector.", + "Attributes": [ + { + "Section": "Vulnerability Scanning", + "SubSection": "EC2 used as servers", + "Service": "EC2", + "Type": "Automated" + } + ], + "Checks": [ + "guardduty_centrally_managed" + ] + }, + { + "Id": "Scan images for vulnerability on upload to ECR", + "Description": "Check uploaded images for vulnerabilities when adding them to the ECR (Elastic Container Registry).", + "Attributes": [ + { + "Section": "Vulnerability Scanning", + "SubSection": "ECR used as docker images hub", + "Service": "ECR", + "Type": "Automated" + } + ], + "Checks": [ + "inspector2_findings_exist", + "ecr_registry_scan_images_on_push_enabled", + "ecr_repositories_scan_vulnerabilities_in_latest_image", + "ecr_repositories_scan_images_on_push_enabled" + ] + }, + { + "Id": "Deploy solution to periodically rescan currently used images and report found vulnerabilities", + "Description": "Implement a solution 
to conduct regular scans on currently employed images and notify about any identified vulnerabilities.", + "Attributes": [ + { + "Section": "Vulnerability Scanning", + "SubSection": "ECR used as docker images hub", + "Service": "ECR", + "Type": "Automated" + } + ], + "Checks": [ + "ecr_repositories_scan_vulnerabilities_in_latest_image" + ] + }, + { + "Id": "Export scan results as metrics in centralized collector", + "Description": "Generate metric data from scan results and store it in a centralized collector.", + "Attributes": [ + { + "Section": "Vulnerability Scanning", + "SubSection": "ECR used as docker images hub", + "Service": "ECR", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Enable as part of Organization trail", + "Description": "Activate as a component of the Organization trail.", + "Attributes": [ + { + "Section": "AWS Cloudtrail", + "Service": "CloudTrail", + "Type": "Automated" + } + ], + "Checks": [ + "cloudtrail_multi_region_enabled", + "cloudtrail_multi_region_enabled_logging_management_events" + ] + }, + { + "Id": "Confirm that logs are present in S3 bucket and SIEM", + "Description": "Verify the existence of logs within both the S3 bucket and the SIEM system.", + "Attributes": [ + { + "Section": "AWS Cloudtrail", + "Service": "CloudTrail", + "Type": "Automated" + } + ], + "Checks": [ + "cloudtrail_logs_s3_bucket_access_logging_enabled", + "cloudtrail_s3_dataevents_read_enabled", + "cloudtrail_s3_dataevents_write_enabled" + ] + }, + { + "Id": "Deploy solution to alert on at least critical new findings", + "Description": "Implement a solution to trigger alerts for newly identified critical issues at minimum.", + "Attributes": [ + { + "Section": "Enable AWS SecurityHub", + "Service": "SecurityHub", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled" + ] + }, + { + "Id": "Apply SecurityHub Central Configuration for Organization", + "Description": "Apply SecurityHub Central Configuration for Organization", + 
"Attributes": [ + { + "Section": "Enable AWS SecurityHub", + "Service": "SecurityHub", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled" + ] + }, + { + "Id": "Enable/disable additional standards and controls", + "Description": "Implement SecurityHub Central Configuration across the organization.", + "Attributes": [ + { + "Section": "Enable AWS SecurityHub", + "Service": "SecurityHub", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled" + ] + }, + { + "Id": "Confirm that findings are being visible in the aggregated view", + "Description": "Please verify that the findings are visible when viewed in the aggregated perspective.", + "Attributes": [ + { + "Section": "Enable AWS SecurityHub", + "Service": "SecurityHub", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled" + ] + }, + { + "Id": "Ensure that there are no critical (and considered critical) findings present in account", + "Description": "Make certain that there are no critical findings, whether deemed critical or not, within the account.", + "Attributes": [ + { + "Section": "Enable AWS SecurityHub", + "Service": "SecurityHub", + "Type": "Automated" + } + ], + "Checks": [ + "securityhub_enabled" + ] + }, + { + "Id": "Enable continuous recording for most of the resources", + "Description": "Activate continuous recording for the majority of resources.", + "Attributes": [ + { + "Section": "Enable AWS Config", + "Service": "Config", + "Type": "Automated" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled" + ] + }, + { + "Id": "Consider periodic recording for some resources to optimize bill", + "Description": "Think about implementing scheduled monitoring for specific resources in order to maximize cost efficiency.", + "Attributes": [ + { + "Section": "Enable AWS Config", + "Service": "Config", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Confirm that records are present in central aggregator", + "Description": "Confirm that records are 
present in central aggregator", + "Attributes": [ + { + "Section": "Enable AWS Config", + "Service": "Config", + "Type": "Automated" + } + ], + "Checks": [ + "config_recorder_all_regions_enabled" + ] + }, + { + "Id": "Enable as part of central configuration for Organization", + "Description": "Please verify the existence of records within the central aggregator.", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_centrally_managed" + ] + }, + { + "Id": "Threat Detection", + "Description": "Detection of Threats in your AWS environment", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "RDS protection", + "Description": "Protection for RDS instances", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "Lambda protection", + "Description": "Protection using Lambda", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "Lambda", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "S3 protection", + "Description": "Protection using S3", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "S3", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "Malware Scanning", + "Description": "Conducting a Comprehensive Scan for Malicious Software", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "Confirm that events are present 
in SIEM", + "Description": "Confirm that events are present in SIEM", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "Apply suppression filters to disable useless findings", + "Description": "Implementing suppression filters to deactivate non-essential detections.", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "Include in process of incident response based on events", + "Description": "Incorporate within the procedural framework of incident response, taking into account the triggering events.", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Must" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "Runtime protection", + "Description": "Brand new and in need of thorough testing.", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "GuardDuty", + "Type": "Optional" + } + ], + "Checks": [ + "guardduty_is_enabled", + "guardduty_no_high_severity_findings" + ] + }, + { + "Id": "EKS protection (if EKS is used)", + "Description": "Enhanced Kubernetes Security (EKS) protection, if the Kubernetes service is employed.", + "Attributes": [ + { + "Section": "Enable GuardDuty", + "Service": "EKS", + "Type": "Optional" + } + ], + "Checks": [] + }, + { + "Id": "Apply managed domain name lists for Resolver in block mode)", + "Description": "Utilize managed domain name lists within Resolver to implement block mode.", + "Attributes": [ + { + "Section": "R53 DNS Resolver Firewall", + "Service": "Route53", + "Type": "Automated" + } + ], + "Checks": [ + "route53_domains_privacy_protection_enabled", + "route53_domains_transferlock_enabled" + ] + }, + { 
+ "Id": "Use strictly AWS VPC DNS resolver", + "Description": "Exclusively Employ Amazon Web Services (AWS) Virtual Private Cloud (VPC) DNS Resolver", + "Attributes": [ + { + "Section": "R53 DNS Resolver Firewall", + "Service": "Route53", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Ban outbound DNS calls from all VPCs to ports 53", + "Description": "Prohibit all Virtual Private Clouds (VPCs) from initiating outbound DNS calls on port 53.", + "Attributes": [ + { + "Section": "R53 DNS Resolver Firewall", + "Service": "Route53", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Apply custom threat list for GuardDuty to alert on access to DoH servers", + "Description": "Implement a customized threat list within GuardDuty to generate alerts when there is access to Domain Name System over HTTPS (DoH) servers.", + "Attributes": [ + { + "Section": "R53 DNS Resolver Firewall", + "Service": "Route53", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Enable Shield Advanced subscription for public facing account", + "Description": "Activate the Shield Advanced subscription for the publicly accessible account.", + "Attributes": [ + { + "Section": "Shield Advanced", + "Service": "Shield Advanced", + "Type": "Automated" + } + ], + "Checks": [ + "shield_advanced_protection_in_route53_hosted_zones", + "shield_advanced_protection_in_classic_load_balancers", + "shield_advanced_protection_in_internet_facing_load_balancers", + "shield_advanced_protection_in_cloudfront_distributions", + "shield_advanced_protection_in_associated_elastic_ips", + "shield_advanced_protection_in_global_accelerators" + ] + }, + { + "Id": "Export metrics in centralized collector", + "Description": "Exporting metrics to a centralized collector for data aggregation and analysis.", + "Attributes": [ + { + "Section": "Shield Advanced", + "Service": "Shield Advanced", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Create DDoS battle card with main info about 
protected services", + "Description": "Prepare a Detailed Distributed Denial of Service (DDoS) Battle Card Encompassing Key Information Regarding Safeguarded Services.", + "Attributes": [ + { + "Section": "Shield Advanced", + "Service": "Shield Advanced", + "Type": "Automated" + } + ], + "Checks": [ + "shield_advanced_protection_in_route53_hosted_zones", + "shield_advanced_protection_in_classic_load_balancers", + "shield_advanced_protection_in_internet_facing_load_balancers", + "shield_advanced_protection_in_cloudfront_distributions", + "shield_advanced_protection_in_associated_elastic_ips", + "shield_advanced_protection_in_global_accelerators" + ] + }, + { + "Id": "CFD + ALB + secret rotation architecture", + "Description": "Designing an Architecture for Computational Fluid Dynamics (CFD), Application Load Balancing (ALB), and Secret Rotation Integration", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Must" + } + ], + "Checks": [ + "apigateway_restapi_waf_acl_attached", + "cloudfront_distributions_using_waf", + "elbv2_waf_acl_attached" + ] + }, + { + "Id": "Predefined set of managed rules", + "Description": "A pre-established collection of rules under management control.", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Must" + } + ], + "Checks": [ + "apigateway_restapi_waf_acl_attached", + "cloudfront_distributions_using_waf", + "elbv2_waf_acl_attached" + ] + }, + { + "Id": "Global allow - and block-lists", + "Description": "Establishing International Lists for Permissions and Restrictions", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Must" + } + ], + "Checks": [ + "apigateway_restapi_waf_acl_attached", + "cloudfront_distributions_using_waf", + "elbv2_waf_acl_attached" + ] + }, + { + 
"Id": "Blanket rate-based rules", + "Description": "Establishing rules based on a standardized, all-encompassing rate.", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Must" + } + ], + "Checks": [] + }, + { + "Id": "Service-unique exclusion rules", + "Description": "Exclusion rules specific to the service provided.", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Must" + } + ], + "Checks": [ + "apigateway_restapi_waf_acl_attached", + "cloudfront_distributions_using_waf", + "elbv2_waf_acl_attached" + ] + }, + { + "Id": "Additional managed rules", + "Description": "Supplementary managed rules", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Discuss" + } + ], + "Checks": [] + }, + { + "Id": "Scoped-down rate-based rules", + "Description": "Rate-based rules with a narrowed scope", + "Attributes": [ + { + "Section": "WAFv2", + "SubSection": "Deploy WAF setup for each public web service", + "Service": "WAFv2", + "Type": "Discuss" + } + ], + "Checks": [ + "apigateway_restapi_waf_acl_attached", + "cloudfront_distributions_using_waf", + "elbv2_waf_acl_attached" + ] + }, + { + "Id": "Enable Shield Advanced automatic application layer DDoS mitigation", + "Description": "Activate automatic application layer Distributed Denial of Service (DDoS) mitigation within Shield Advanced.", + "Attributes": [ + { + "Section": "WAFv2", + "Service": "Shield Advanced", + "Type": "Manual" + } + ], + "Checks": [] + }, + { + "Id": "Configure R53 health checks for all protected resources", + "Description": "Establishing Amazon Route 53 (R53) health checks to monitor the well-being of all safeguarded resources.", + "Attributes": [ + { + "Section": "WAFv2", + "Service": "Route53", + "Type": "Manual" + } + ], + "Checks": 
[]
+ },
+ {
+ "Id": "Configure sensitive fields redaction and send WAF logs to SIEM",
+ "Description": "Configure the redaction of sensitive fields and transmit Web Application Firewall (WAF) logs to the Security Information and Event Management (SIEM) system.",
+ "Attributes": [
+ {
+ "Section": "WAFv2",
+ "Service": "WAFv2",
+ "Type": "Manual"
+ }
+ ],
+ "Checks": []
+ },
+ {
+ "Id": "Export metrics in centralized collector",
+ "Description": "Exporting metrics to a centralized collector for comprehensive data aggregation.",
+ "Attributes": [
+ {
+ "Section": "WAFv2",
+ "Service": "CloudWatch",
+ "Type": "Automated"
+ }
+ ],
+ "Checks": [
+ "wafv2_webacl_logging_enabled"
+ ]
+ }
+ ]
+}
diff --git a/prowler/lib/check/compliance_models.py b/prowler/lib/check/compliance_models.py
index e01f6e8d..607ef887 100644
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -52,11 +52,11 @@ class ENS_Requirement_Attribute(BaseModel):
 class Generic_Compliance_Requirement_Attribute(BaseModel):
 """Generic Compliance Requirement Attribute"""
- ItemId: str
+ ItemId: Optional[str]
 Section: Optional[str]
 SubSection: Optional[str]
 SubGroup: Optional[str]
- Service: str
+ Service: Optional[str]
 Type: Optional[str]
diff --git a/prowler/lib/outputs/models.py b/prowler/lib/outputs/models.py
index 09f42b6e..6fbfa543 100644
--- a/prowler/lib/outputs/models.py
+++ b/prowler/lib/outputs/models.py
@@ -614,8 +614,8 @@ class Check_Output_CSV_Generic_Compliance(BaseModel):
 Requirements_Attributes_Section: Optional[str]
 Requirements_Attributes_SubSection: Optional[str]
 Requirements_Attributes_SubGroup: Optional[str]
- Requirements_Attributes_Service: str
- Requirements_Attributes_Soc_Type: Optional[str]
+ Requirements_Attributes_Service: Optional[str]
+ Requirements_Attributes_Type: Optional[str]
 Status: str
 StatusExtended: str
 ResourceId: str
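Review bot: Several requirements in this framework are mapped to checks that do not evaluate what the requirement describes, so a PASS on them would be misleading: "Apply managed domain name lists for Resolver in block mode)" (stray `)` in the Id) lists `route53_domains_privacy_protection_enabled` and `route53_domains_transferlock_enabled`, which concern domain registration rather than the Route 53 Resolver DNS Firewall, and the EC2 "Export scan results as metrics in centralized collector" entry lists `guardduty_centrally_managed`, which is unrelated to Inspector. "Alert on each High finding" lists `guardduty_is_enabled` twice, and the Ids "Create Cost Anomaly Detection monitors to alert spending anomalies" and "Export metrics in centralized collector" are each used by two requirements, which will collide wherever Id is used as a key. `Type` mixes `Automated`/`Manual` with `Must`/`Optional`/`Discuss`, and two descriptions look copied from neighbouring entries ("Enable as part of central configuration for Organization" carries the Config aggregator text, "Enable/disable additional standards and controls" carries the Central Configuration text). Minor: "Block unsued regions" is a typo and `"Version": ""` is empty.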
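Review bot: Relaxing `Service` to `Optional[str]` in `Generic_Compliance_Requirement_Attribute` is wider than this change needs — every requirement in the new JSON supplies `Service` — so a framework file that omits it will now load with `None` instead of failing validation at load time; only `ItemId` had to become optional here. If `Service` is meant to stay required, keep `Service: str`. Given the new file's `Type` values (`Automated`, `Manual`, `Must`, `Optional`, `Discuss`), a `Literal[...]` or `Enum` for `Type` would catch vocabulary drift when frameworks are loaded. The class body may continue past the end of the hunk.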
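Review bot: Renaming `Requirements_Attributes_Soc_Type` to `Requirements_Attributes_Type` changes a column header of the generic compliance CSV, a breaking change for consumers of that output that the description does not mention. The diffstat lists only three files, so the code that instantiates `Check_Output_CSV_Generic_Compliance` is not updated here; if it still passes `Requirements_Attributes_Soc_Type=` by keyword and the model ignores unknown fields (pydantic's default), the new column is silently left empty rather than raising. Worth verifying that caller and adding to the description: `Generic compliance CSV: column Requirements_Attributes_Soc_Type renamed to Requirements_Attributes_Type`. The class continues outside the hunk on both sides.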