feat: Added queries for bigquery pci_dss (#325)

cloudquery · Jan 16, 2024 · 3a6a500 · 3a6a500
1 parent 30bf646
commit 3a6a500
Show file tree

Hide file tree

Showing 34 changed files with 753 additions and 87 deletions.
diff --git a/transformations/aws/compliance-free/models/aws_compliance__pci_dss_v3_2_1_free.sql b/transformations/aws/compliance-free/models/aws_compliance__pci_dss_v3_2_1_free.sql
@@ -3,22 +3,22 @@
 with
     aggregated as (
         ({{ autoscaling_groups_elb_check('pci_dss_v3.2.1','autoscaling.1') }})
-        UNION
+        {{ union() }}
         ({{ logs_encrypted('pci_dss_v3.2.1','cloudtrail.1') }})
-        UNION
+        {{ union() }}
         ({{ cloudtrail_enabled_all_regions('pci_dss_v3.2.1','cloudtrail.2') }})
-        UNION
+        {{ union() }}
         ({{ log_file_validation_enabled('pci_dss_v3.2.1','cloudtrail.3') }})
-        UNION
+        {{ union() }}
         ({{ integrated_with_cloudwatch_logs('pci_dss_v3.2.1','cloudtrail.4') }})
-        UNION
+        {{ union() }}
         ({{ check_oauth_usage_for_sources('pci_dss_v3.2.1','codebuild.1') }})
-        UNION
+        {{ union() }}
         ({{ check_environment_variables('pci_dss_v3.2.1','codebuild.2') }})
-        UNION
+        {{ union() }}
         ({{ config_enabled_all_regions('pci_dss_v3.2.1','config.1') }})   
     )
 select 
-        ('{{ run_started_at }}')::timestamp as policy_execution_time,
+        {{ gen_timestamp() }},
         aggregated.*
 from aggregated
diff --git a/transformations/aws/compliance-premium/models/aws_compliance__pci_dss_v3_2_1.sql b/transformations/aws/compliance-premium/models/aws_compliance__pci_dss_v3_2_1.sql
@@ -1,105 +1,103 @@
-{{ config(enabled=block_bigquery()) }}
-
 with
     aggregated as (
         ({{ autoscaling_groups_elb_check('pci_dss_v3.2.1','autoscaling.1') }})
-        UNION
+        {{ union() }}
         ({{ logs_encrypted('pci_dss_v3.2.1','cloudtrail.1') }})
-        UNION
+        {{ union() }}
         ({{ cloudtrail_enabled_all_regions('pci_dss_v3.2.1','cloudtrail.2') }})
-        UNION
+        {{ union() }}
         ({{ log_file_validation_enabled('pci_dss_v3.2.1','cloudtrail.3') }})
-        UNION
+        {{ union() }}
         ({{ integrated_with_cloudwatch_logs('pci_dss_v3.2.1','cloudtrail.4') }})
-        UNION
+        {{ union() }}
         ({{ check_oauth_usage_for_sources('pci_dss_v3.2.1','codebuild.1') }})
-        UNION
+        {{ union() }}
         ({{ check_environment_variables('pci_dss_v3.2.1','codebuild.2') }})
-        UNION
+        {{ union() }}
         ({{ config_enabled_all_regions('pci_dss_v3.2.1','config.1') }})
-        UNION
+        {{ union() }}
         ({{ alarm_root_account('pci_dss_v3.2.1','cloudwatch.1') }})
-        UNION
+        {{ union() }}
         ({{ replication_not_public('pci_dss_v3.2.1','dms.1') }})
-        UNION
+        {{ union() }}
         ({{ ebs_snapshot_permissions_check('pci_dss_v3.2.1','ec2.1') }})
-        UNION
+        {{ union() }}
         ({{ default_sg_no_access('pci_dss_v3.2.1','ec2.2') }})
-        UNION
+        {{ union() }}
         ({{ get_unused_public_ips('pci_dss_v3.2.1','ec2.4') }})
-        UNION
+        {{ union() }}
         ({{ no_broad_public_ingress_on_port_22('pci_dss_v3.2.1','ec2.5') }})
-        UNION
+        {{ union() }}
         ({{ flow_logs_enabled_in_all_vpcs('pci_dss_v3.2.1','ec2.6') }})
-        UNION
+        {{ union() }}
         ({{ elbv2_redirect_http_to_https('pci_dss_v3.2.1','elbv2.1') }})
-        UNION
+        {{ union() }}
         ({{ elasticsearch_domains_should_be_in_vpc('pci_dss_v3.2.1','elasticsearch.1') }})
-        UNION
+        {{ union() }}
         ({{ elasticsearch_domains_should_have_encryption_at_rest_enabled('pci_dss_v3.2.1','elasticsearch.2') }})
-        UNION
+        {{ union() }}
         ({{ detector_enabled('pci_dss_v3.2.1','guardduty enabled in all enabled regions') }})
-        UNION
+        {{ union() }}
         ({{ root_user_no_access_keys('pci_dss_v3.2.1','iam.1') }})
-        UNION
+        {{ union() }}
         ({{ policies_attached_to_groups_roles('pci_dss_v3.2.1','iam.2') }})
-        UNION
+        {{ union() }}
         ({{ no_star('pci_dss_v3.2.1','iam.3') }})
-        UNION
+        {{ union() }}
         ({{ hardware_mfa_enabled_for_root('pci_dss_v3.2.1','iam.4') }})
-        UNION
+        {{ union() }}
         ({{ mfa_enabled_for_root('pci_dss_v3.2.1','iam.5') }})
-        UNION
+        {{ union() }}
         ({{ mfa_enabled_for_console_access('pci_dss_v3.2.1','iam.6') }})
-        UNION
+        {{ union() }}
         ({{ unused_creds_disabled('pci_dss_v3.2.1','iam.7') }})
-        UNION
+        {{ union() }}
         ({{ password_policy_strong('pci_dss_v3.2.1','iam.8') }})
-        UNION
+        {{ union() }}
         ({{ rotation_enabled_for_customer_key('pci_dss_v3.2.1','kms.1') }})
-        UNION
+        {{ union() }}
         ({{ lambda_function_prohibit_public_access('pci_dss_v3.2.1','lambda.1') }})
-        UNION
+        {{ union() }}
         ({{ lambda_function_in_vpc('pci_dss_v3.2.1','lambda.2') }})
-        UNION
+        {{ union() }}
         ({{ snapshots_should_prohibit_public_access('pci_dss_v3.2.1','rds.1') }})
-        UNION
+        {{ union() }}
         ({{ rds_db_instances_should_prohibit_public_access('pci_dss_v3.2.1','rds.2') }})
-        UNION
+        {{ union() }}
         ({{ cluster_publicly_accessible('pci_dss_v3.2.1','redshift.1') }})
-        UNION
+        {{ union() }}
         ({{ publicly_writable_buckets('pci_dss_v3.2.1','s3.1') }})
-        UNION
+        {{ union() }}
         ({{ publicly_readable_buckets('pci_dss_v3.2.1','s3.2') }})
-        UNION
+        {{ union() }}
         ({{ s3_cross_region_replication('pci_dss_v3.2.1','s3.3') }})
-        UNION
+        {{ union() }}
         ({{ s3_server_side_encryption_enabled('pci_dss_v3.2.1','s3.4') }})
-        UNION
+        {{ union() }}
         ({{ deny_http_requests('pci_dss_v3.2.1','s3.5') }})
-        UNION
+        {{ union() }}
         ({{ account_level_public_access_blocks('pci_dss_v3.2.1','s3.6') }})
-        UNION
+        {{ union() }}
         ({{ sagemaker_notebook_instance_direct_internet_access_disabled('pci_dss_v3.2.1','sagemaker.1') }})
-        UNION
+        {{ union() }}
         ({{ secrets_should_have_automatic_rotation_enabled('pci_dss_v3.2.1','secretmanager.1') }})
-        UNION
+        {{ union() }}
         ({{ secrets_configured_with_automatic_rotation_should_rotate_successfully('pci_dss_v3.2.1','secretmanager.2') }})
-        UNION
+        {{ union() }}
         ({{ remove_unused_secrets_manager_secrets('pci_dss_v3.2.1','secretmanager.3') }})
-        UNION
+        {{ union() }}
         ({{ secrets_should_be_rotated_within_a_specified_number_of_days('pci_dss_v3.2.1','secretmanager.4') }})
-        UNION
+        {{ union() }}
         ({{ instances_should_have_patch_compliance_status_of_compliant('pci_dss_v3.2.1','ssm.1') }})
-        UNION
+        {{ union() }}
         ({{ instances_should_have_association_compliance_status_of_compliant('pci_dss_v3.2.1','ssm.2') }})
-        UNION
+        {{ union() }}
         ({{ ec2_instances_should_be_managed_by_ssm('pci_dss_v3.2.1','ssm.3') }})
-        UNION
+        {{ union() }}
         ({{ wafv2_web_acl_logging_should_be_enabled('pci_dss_v3.2.1','waf.1') }})    
     )
 select 
-        ('{{ run_started_at }}')::timestamp as policy_execution_time,
+        {{ gen_timestamp() }},
         aggregated.*
 from aggregated
 
diff --git a/transformations/aws/macros/autoscaling/autoscaling_groups_elb_check.sql b/transformations/aws/macros/autoscaling/autoscaling_groups_elb_check.sql
@@ -31,3 +31,17 @@ select
     end as status
 from aws_autoscaling_groups
 {% endmacro %}
+
+{% macro bigquery__autoscaling_groups_elb_check(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Auto Scaling groups associated with a load balancer should use health checks' as title,
+    account_id,
+    arn as resource_id,
+    case
+        when ARRAY_LENGTH(load_balancer_names) > 0 and health_check_type is distinct from 'ELB' then 'fail'
+        else 'pass'
+    end as status
+from {{ full_table_name("aws_autoscaling_groups") }}
+{% endmacro %}
diff --git a/transformations/aws/macros/codebuild/check_environment_variables.sql b/transformations/aws/macros/codebuild/check_environment_variables.sql
@@ -43,4 +43,24 @@ from aws_codebuild_projects, JSONB_ARRAY_ELEMENTS(environment->'EnvironmentVaria
 {% endmacro %}
 
 {% macro default__check_environment_variables(framework, check_id) %}{% endmacro %}
-
+
+{% macro bigquery__check_environment_variables(framework, check_id) %}
+select distinct
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'CodeBuild project environment variables should not contain clear text credentials' as title,
+    account_id,
+    arn as resource_id,
+    case when
+            JSON_VALUE(e.Type) = 'PLAINTEXT'
+            and (
+                UPPER(JSON_VALUE(e.Name)) like '%ACCESS_KEY%' or
+                UPPER(JSON_VALUE(e.Name)) like '%SECRET%' or
+                UPPER(JSON_VALUE(e.Name)) like '%PASSWORD%'
+            )
+            then 'fail'
+        else 'pass'
+    end as status
+from {{ full_table_name("aws_codebuild_projects") }},
+UNNEST(JSON_QUERY_ARRAY(environment.EnvironmentVariables)) AS e
+{% endmacro %}
diff --git a/transformations/aws/macros/codebuild/check_oauth_usage_for_sources.sql b/transformations/aws/macros/codebuild/check_oauth_usage_for_sources.sql
@@ -33,4 +33,18 @@ from aws_codebuild_projects
 {% endmacro %}
 
 {% macro default__check_oauth_usage_for_sources(framework, check_id) %}{% endmacro %}
-
+
+{% macro bigquery__check_oauth_usage_for_sources(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth' as title,
+    account_id,
+    arn as resource_id,
+    case when
+        JSON_VALUE(source.Type) IN ('GITHUB', 'BITBUCKET') AND JSON_VALUE(source.Auth.Type) != 'OAUTH'
+      then 'fail'
+      else 'pass'
+    end as status
+from {{ full_table_name("aws_codebuild_projects") }}
+{% endmacro %}
diff --git a/transformations/aws/macros/config/config_enabled_all_regions.sql b/transformations/aws/macros/config/config_enabled_all_regions.sql
@@ -38,4 +38,22 @@ FROM
 {% endmacro %}
 
 {% macro default__config_enabled_all_regions(framework, check_id) %}{% endmacro %}
-
+
+{% macro bigquery__config_enabled_all_regions(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'AWS Config should be enabled' as title,
+    account_id,
+    arn as resource_id,
+    case when
+      CAST( JSON_VALUE(recording_group.IncludeGlobalResourceTypes) AS BOOL) IS NOT TRUE
+      OR CAST( JSON_VALUE(recording_group.AllSupported) AS BOOL) IS NOT TRUE
+      OR status_recording IS NOT TRUE
+      OR status_last_status IS DISTINCT FROM 'SUCCESS'
+    then 'fail'
+    else 'pass'
+    end as status
+FROM
+    {{ full_table_name("aws_config_configuration_recorders") }}
+{% endmacro %}
diff --git a/transformations/aws/macros/dms/replication_not_public.sql b/transformations/aws/macros/dms/replication_not_public.sql
@@ -33,4 +33,18 @@ from aws_dms_replication_instances
 {% endmacro %}
 
 {% macro default__replication_not_public(framework, check_id) %}{% endmacro %}
-
+
+{% macro bigquery__replication_not_public(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'AWS Database Migration Service replication instances should not be public' as title,
+    account_id,
+    arn as resource_id,
+    case when
+        publicly_accessible is true
+        then 'fail'
+        else 'pass'
+    end as status
+from {{ full_table_name("aws_dms_replication_instances") }}
+{% endmacro %}
diff --git a/transformations/aws/macros/ec2/ebs_snapshot_permissions_check.sql b/transformations/aws/macros/ec2/ebs_snapshot_permissions_check.sql
@@ -55,4 +55,31 @@ FROM snapshot_access_groups
 {% endmacro %}
 
 {% macro default__ebs_snapshot_permissions_check(framework, check_id) %}{% endmacro %}
-
+
+{% macro bigquery__ebs_snapshot_permissions_check(framework, check_id) %}
+WITH snapshot_access_groups AS (
+    SELECT account_id,
+           region,
+           snapshot_id,
+           groupa,
+           user_id
+    FROM {{ full_table_name("aws_ec2_ebs_snapshot_attributes") }},
+    UNNEST(JSON_QUERY_ARRAY(create_volume_permissions.Group)) AS groupa,
+    UNNEST(JSON_QUERY_ARRAY(create_volume_permissions.UserId)) AS user_id
+)
+SELECT DISTINCT
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone' as title,
+  account_id,
+  snapshot_id as resource_id,
+  case when
+    JSON_VALUE(groupa) = 'all'
+    -- this is under question because
+    -- trusted accounts(user_id) do not violate this control
+        OR JSON_VALUE(user_id) IS DISTINCT FROM ''
+    then 'fail'
+    else 'pass'
+  end as status
+FROM snapshot_access_groups
+{% endmacro %}                    
diff --git a/transformations/aws/macros/ec2/get_unused_public_ips.sql b/transformations/aws/macros/ec2/get_unused_public_ips.sql
@@ -18,6 +18,22 @@ select
     end as status
 from aws_ec2_eips
 {% endmacro %}
+
+{% macro bigquery__get_unused_public_ips(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Unused EC2 EIPs should be removed' as title,
+    account_id,
+    public_ip as resource_id,
+    case when
+        instance_id is null
+        then 'fail'
+        else 'pass'
+    end as status
+from {{ full_table_name("aws_ec2_eips") }}
+{% endmacro %}
+
 {% macro snowflake__get_unused_public_ips(framework, check_id) %}
 select
     '{{framework}}' as framework,

diff --git a/transformations/aws/macros/elasticsearch/elasticsearch_domains_should_be_in_vpc.sql b/transformations/aws/macros/elasticsearch/elasticsearch_domains_should_be_in_vpc.sql
@@ -33,4 +33,18 @@ from aws_elasticsearch_domains
 {% endmacro %}
 
 {% macro default__elasticsearch_domains_should_be_in_vpc(framework, check_id) %}{% endmacro %}
-
+
+{% macro bigquery__elasticsearch_domains_should_be_in_vpc(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Elasticsearch domains should be in a VPC' as title,
+  account_id,
+  arn as resource_id,
+  case when
+    vpc_options.VPCId is null
+    then 'fail'
+    else 'pass'
+  end as status
+from {{ full_table_name("aws_elasticsearch_domains") }}
+{% endmacro %}