feat: Added queries for bigquery pci_dss #325

Merged
merged 4 commits into from
Jan 16, 2024
Expand Up @@ -3,22 +3,22 @@
with
aggregated as (
({{ autoscaling_groups_elb_check('pci_dss_v3.2.1','autoscaling.1') }})
UNION
{{ union() }}
({{ logs_encrypted('pci_dss_v3.2.1','cloudtrail.1') }})
UNION
{{ union() }}
({{ cloudtrail_enabled_all_regions('pci_dss_v3.2.1','cloudtrail.2') }})
UNION
{{ union() }}
({{ log_file_validation_enabled('pci_dss_v3.2.1','cloudtrail.3') }})
UNION
{{ union() }}
({{ integrated_with_cloudwatch_logs('pci_dss_v3.2.1','cloudtrail.4') }})
UNION
{{ union() }}
({{ check_oauth_usage_for_sources('pci_dss_v3.2.1','codebuild.1') }})
UNION
{{ union() }}
({{ check_environment_variables('pci_dss_v3.2.1','codebuild.2') }})
UNION
{{ union() }}
({{ config_enabled_all_regions('pci_dss_v3.2.1','config.1') }})
)
select
('{{ run_started_at }}')::timestamp as policy_execution_time,
{{ gen_timestamp() }},
aggregated.*
from aggregated
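Review bot: The `union()` macro that replaces each literal `UNION` is not defined in this diff, so whether it keeps UNION's implicit DISTINCT or emits `UNION ALL` on the bigquery adapter cannot be confirmed from here, and the model itself does not state the contract the set operation depends on: every check macro must return the same columns in the same order, because the union aligns branches by position and the final `aggregated.*` forwards whatever came out. Suggest a comment above `aggregated as (`: `-- every check macro must return (framework, check_id, title, account_id, resource_id, status) in this order; the union aligns columns by position`. The same applies to the second, 105-line file section below, which makes the identical substitution.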
@@ -1,105 +1,103 @@
{{ config(enabled=block_bigquery()) }}

with
aggregated as (
({{ autoscaling_groups_elb_check('pci_dss_v3.2.1','autoscaling.1') }})
UNION
{{ union() }}
({{ logs_encrypted('pci_dss_v3.2.1','cloudtrail.1') }})
UNION
{{ union() }}
({{ cloudtrail_enabled_all_regions('pci_dss_v3.2.1','cloudtrail.2') }})
UNION
{{ union() }}
({{ log_file_validation_enabled('pci_dss_v3.2.1','cloudtrail.3') }})
UNION
{{ union() }}
({{ integrated_with_cloudwatch_logs('pci_dss_v3.2.1','cloudtrail.4') }})
UNION
{{ union() }}
({{ check_oauth_usage_for_sources('pci_dss_v3.2.1','codebuild.1') }})
UNION
{{ union() }}
({{ check_environment_variables('pci_dss_v3.2.1','codebuild.2') }})
UNION
{{ union() }}
({{ config_enabled_all_regions('pci_dss_v3.2.1','config.1') }})
UNION
{{ union() }}
({{ alarm_root_account('pci_dss_v3.2.1','cloudwatch.1') }})
UNION
{{ union() }}
({{ replication_not_public('pci_dss_v3.2.1','dms.1') }})
UNION
{{ union() }}
({{ ebs_snapshot_permissions_check('pci_dss_v3.2.1','ec2.1') }})
UNION
{{ union() }}
({{ default_sg_no_access('pci_dss_v3.2.1','ec2.2') }})
UNION
{{ union() }}
({{ get_unused_public_ips('pci_dss_v3.2.1','ec2.4') }})
UNION
{{ union() }}
({{ no_broad_public_ingress_on_port_22('pci_dss_v3.2.1','ec2.5') }})
UNION
{{ union() }}
({{ flow_logs_enabled_in_all_vpcs('pci_dss_v3.2.1','ec2.6') }})
UNION
{{ union() }}
({{ elbv2_redirect_http_to_https('pci_dss_v3.2.1','elbv2.1') }})
UNION
{{ union() }}
({{ elasticsearch_domains_should_be_in_vpc('pci_dss_v3.2.1','elasticsearch.1') }})
UNION
{{ union() }}
({{ elasticsearch_domains_should_have_encryption_at_rest_enabled('pci_dss_v3.2.1','elasticsearch.2') }})
UNION
{{ union() }}
({{ detector_enabled('pci_dss_v3.2.1','guardduty enabled in all enabled regions') }})
UNION
{{ union() }}
({{ root_user_no_access_keys('pci_dss_v3.2.1','iam.1') }})
UNION
{{ union() }}
({{ policies_attached_to_groups_roles('pci_dss_v3.2.1','iam.2') }})
UNION
{{ union() }}
({{ no_star('pci_dss_v3.2.1','iam.3') }})
UNION
{{ union() }}
({{ hardware_mfa_enabled_for_root('pci_dss_v3.2.1','iam.4') }})
UNION
{{ union() }}
({{ mfa_enabled_for_root('pci_dss_v3.2.1','iam.5') }})
UNION
{{ union() }}
({{ mfa_enabled_for_console_access('pci_dss_v3.2.1','iam.6') }})
UNION
{{ union() }}
({{ unused_creds_disabled('pci_dss_v3.2.1','iam.7') }})
UNION
{{ union() }}
({{ password_policy_strong('pci_dss_v3.2.1','iam.8') }})
UNION
{{ union() }}
({{ rotation_enabled_for_customer_key('pci_dss_v3.2.1','kms.1') }})
UNION
{{ union() }}
({{ lambda_function_prohibit_public_access('pci_dss_v3.2.1','lambda.1') }})
UNION
{{ union() }}
({{ lambda_function_in_vpc('pci_dss_v3.2.1','lambda.2') }})
UNION
{{ union() }}
({{ snapshots_should_prohibit_public_access('pci_dss_v3.2.1','rds.1') }})
UNION
{{ union() }}
({{ rds_db_instances_should_prohibit_public_access('pci_dss_v3.2.1','rds.2') }})
UNION
{{ union() }}
({{ cluster_publicly_accessible('pci_dss_v3.2.1','redshift.1') }})
UNION
{{ union() }}
({{ publicly_writable_buckets('pci_dss_v3.2.1','s3.1') }})
UNION
{{ union() }}
({{ publicly_readable_buckets('pci_dss_v3.2.1','s3.2') }})
UNION
{{ union() }}
({{ s3_cross_region_replication('pci_dss_v3.2.1','s3.3') }})
UNION
{{ union() }}
({{ s3_server_side_encryption_enabled('pci_dss_v3.2.1','s3.4') }})
UNION
{{ union() }}
({{ deny_http_requests('pci_dss_v3.2.1','s3.5') }})
UNION
{{ union() }}
({{ account_level_public_access_blocks('pci_dss_v3.2.1','s3.6') }})
UNION
{{ union() }}
({{ sagemaker_notebook_instance_direct_internet_access_disabled('pci_dss_v3.2.1','sagemaker.1') }})
UNION
{{ union() }}
({{ secrets_should_have_automatic_rotation_enabled('pci_dss_v3.2.1','secretmanager.1') }})
UNION
{{ union() }}
({{ secrets_configured_with_automatic_rotation_should_rotate_successfully('pci_dss_v3.2.1','secretmanager.2') }})
UNION
{{ union() }}
({{ remove_unused_secrets_manager_secrets('pci_dss_v3.2.1','secretmanager.3') }})
UNION
{{ union() }}
({{ secrets_should_be_rotated_within_a_specified_number_of_days('pci_dss_v3.2.1','secretmanager.4') }})
UNION
{{ union() }}
({{ instances_should_have_patch_compliance_status_of_compliant('pci_dss_v3.2.1','ssm.1') }})
UNION
{{ union() }}
({{ instances_should_have_association_compliance_status_of_compliant('pci_dss_v3.2.1','ssm.2') }})
UNION
{{ union() }}
({{ ec2_instances_should_be_managed_by_ssm('pci_dss_v3.2.1','ssm.3') }})
UNION
{{ union() }}
({{ wafv2_web_acl_logging_should_be_enabled('pci_dss_v3.2.1','waf.1') }})
)
select
('{{ run_started_at }}')::timestamp as policy_execution_time,
{{ gen_timestamp() }},
aggregated.*
from aggregated

Expand Up @@ -31,3 +31,17 @@ select
end as status
from aws_autoscaling_groups
{% endmacro %}

{% macro bigquery__autoscaling_groups_elb_check(framework, check_id) %}
select
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'Auto Scaling groups associated with a load balancer should use health checks' as title,
account_id,
arn as resource_id,
case
when ARRAY_LENGTH(load_balancer_names) > 0 and health_check_type is distinct from 'ELB' then 'fail'
else 'pass'
end as status
from {{ full_table_name("aws_autoscaling_groups") }}
{% endmacro %}
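Review bot: `ARRAY_LENGTH(load_balancer_names)` in the `when` line assumes the column is a native ARRAY on BigQuery, whereas every other bigquery__ macro in this PR reads nested data through `JSON_QUERY_ARRAY`/`JSON_VALUE`; if `load_balancer_names` lands as a JSON column this will not compile, so confirm the column type against the BigQuery schema. Separately, the predicate only looks at classic load balancer names, so a group attached to a load balancer through target groups is not examined and is reported as `pass` regardless of `health_check_type`; if the postgres variant above shares that gap it is pre-existing, but a scope comment would help: `-- only classic load balancer attachments (load_balancer_names) are considered; target-group attachments are not checked`.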
Expand Up @@ -43,4 +43,24 @@ from aws_codebuild_projects, JSONB_ARRAY_ELEMENTS(environment->'EnvironmentVaria
{% endmacro %}

{% macro default__check_environment_variables(framework, check_id) %}{% endmacro %}


{% macro bigquery__check_environment_variables(framework, check_id) %}
select distinct
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'CodeBuild project environment variables should not contain clear text credentials' as title,
account_id,
arn as resource_id,
case when
JSON_VALUE(e.Type) = 'PLAINTEXT'
and (
UPPER(JSON_VALUE(e.Name)) like '%ACCESS_KEY%' or
UPPER(JSON_VALUE(e.Name)) like '%SECRET%' or
UPPER(JSON_VALUE(e.Name)) like '%PASSWORD%'
)
then 'fail'
else 'pass'
end as status
from {{ full_table_name("aws_codebuild_projects") }},
UNNEST(JSON_QUERY_ARRAY(environment.EnvironmentVariables)) AS e
{% endmacro %}
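Review bot: The `select distinct … , UNNEST(JSON_QUERY_ARRAY(environment.EnvironmentVariables)) AS e` shape evaluates the CASE once per environment variable, so a project with one plaintext `SECRET` variable and one harmless variable emits both a `fail` and a `pass` row for the same `resource_id` — `distinct` only removes exact duplicates and does not resolve the conflict. A project with no environment variables produces no row at all, because a comma-join with UNNEST of an empty array yields nothing, so it is missing from the report rather than reported as `pass`. Aggregating per project with `LOGICAL_OR` over a `LEFT JOIN UNNEST` gives exactly one row per `arn` with a single status and makes `distinct` unnecessary; the postgres macro above has the same per-variable shape via `JSONB_ARRAY_ELEMENTS`, so the pattern is pre-existing, but the new code should not carry it forward.
```sql
{% macro bigquery__check_environment_variables(framework, check_id) %}
select
    -- … unchanged: framework, check_id, title, account_id, resource_id columns …
    case when
        -- one row per project: fail if ANY variable is a plaintext credential
        LOGICAL_OR(
            JSON_VALUE(e.Type) = 'PLAINTEXT'
            and (
                UPPER(JSON_VALUE(e.Name)) like '%ACCESS_KEY%' or
                UPPER(JSON_VALUE(e.Name)) like '%SECRET%' or
                UPPER(JSON_VALUE(e.Name)) like '%PASSWORD%'
            )
        )
    then 'fail'
    else 'pass'
    end as status
from {{ full_table_name("aws_codebuild_projects") }}
-- LEFT JOIN keeps projects with no environment variables (reported as 'pass')
left join UNNEST(JSON_QUERY_ARRAY(environment.EnvironmentVariables)) AS e
group by account_id, arn
{% endmacro %}
```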
Expand Up @@ -33,4 +33,18 @@ from aws_codebuild_projects
{% endmacro %}

{% macro default__check_oauth_usage_for_sources(framework, check_id) %}{% endmacro %}


{% macro bigquery__check_oauth_usage_for_sources(framework, check_id) %}
select
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'CodeBuild GitHub or Bitbucket source repository URLs should use OAuth' as title,
account_id,
arn as resource_id,
case when
JSON_VALUE(source.Type) IN ('GITHUB', 'BITBUCKET') AND JSON_VALUE(source.Auth.Type) != 'OAUTH'
then 'fail'
else 'pass'
end as status
from {{ full_table_name("aws_codebuild_projects") }}
{% endmacro %}
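Review bot: `JSON_VALUE(source.Auth.Type) != 'OAUTH'` evaluates to NULL when the source carries no `Auth` object, so a `GITHUB` or `BITBUCKET` source with no auth block falls through to `pass`; the autoscaling macro in this same PR uses `is distinct from` for exactly this reason. If a missing auth type should count as a failure, change the predicate to `JSON_VALUE(source.Type) IN ('GITHUB', 'BITBUCKET') AND JSON_VALUE(source.Auth.Type) IS DISTINCT FROM 'OAUTH'`; if it is intentionally a pass, add a comment saying so, because the silent NULL path reads like an oversight.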
Original file line number Diff line number Diff line change
Expand Up @@ -38,4 +38,22 @@ FROM
{% endmacro %}

{% macro default__config_enabled_all_regions(framework, check_id) %}{% endmacro %}


{% macro bigquery__config_enabled_all_regions(framework, check_id) %}
select
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'AWS Config should be enabled' as title,
account_id,
arn as resource_id,
case when
CAST( JSON_VALUE(recording_group.IncludeGlobalResourceTypes) AS BOOL) IS NOT TRUE
OR CAST( JSON_VALUE(recording_group.AllSupported) AS BOOL) IS NOT TRUE
OR status_recording IS NOT TRUE
OR status_last_status IS DISTINCT FROM 'SUCCESS'
then 'fail'
else 'pass'
end as status
FROM
{{ full_table_name("aws_config_configuration_recorders") }}
{% endmacro %}
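Review bot: The check evaluates one recorder row at a time, so an account or region with no configuration recorder at all produces no row and therefore no `fail`, even though the title is `AWS Config should be enabled`; this mirrors the postgres macro above (`FROM aws_config_configuration_recorders`) but deserves a comment: `-- regions with no recorder produce no row here; a missing recorder is not reported as a fail`. Minor style: `FROM` is uppercase while `select`/`case when`/`then` are lowercase, and `CAST( JSON_VALUE(` has a stray space after the parenthesis; the sibling bigquery__ macros are lowercase throughout.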
16 changes: 15 additions & 1 deletion transformations/aws/macros/dms/replication_not_public.sql
Expand Up @@ -33,4 +33,18 @@ from aws_dms_replication_instances
{% endmacro %}

{% macro default__replication_not_public(framework, check_id) %}{% endmacro %}


{% macro bigquery__replication_not_public(framework, check_id) %}
select
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'AWS Database Migration Service replication instances should not be public' as title,
account_id,
arn as resource_id,
case when
publicly_accessible is true
then 'fail'
else 'pass'
end as status
from {{ full_table_name("aws_dms_replication_instances") }}
{% endmacro %}
Expand Up @@ -55,4 +55,31 @@ FROM snapshot_access_groups
{% endmacro %}

{% macro default__ebs_snapshot_permissions_check(framework, check_id) %}{% endmacro %}


{% macro bigquery__ebs_snapshot_permissions_check(framework, check_id) %}
WITH snapshot_access_groups AS (
SELECT account_id,
region,
snapshot_id,
groupa,
user_id
FROM {{ full_table_name("aws_ec2_ebs_snapshot_attributes") }},
UNNEST(JSON_QUERY_ARRAY(create_volume_permissions.Group)) AS groupa,
UNNEST(JSON_QUERY_ARRAY(create_volume_permissions.UserId)) AS user_id
)
SELECT DISTINCT
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone' as title,
account_id,
snapshot_id as resource_id,
case when
JSON_VALUE(groupa) = 'all'
-- this is under question because
-- trusted accounts(user_id) do not violate this control
OR JSON_VALUE(user_id) IS DISTINCT FROM ''
then 'fail'
else 'pass'
end as status
FROM snapshot_access_groups
{% endmacro %}
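Review bot: The two comma-joined `UNNEST(JSON_QUERY_ARRAY(create_volume_permissions.Group))` and `UNNEST(JSON_QUERY_ARRAY(create_volume_permissions.UserId))` calls form a cross product, and a comma-join with an empty or NULL array yields zero rows, so whichever of the two arrays is empty removes the snapshot entirely — a snapshot whose permissions hold only `Group: 'all'` and no user entries would produce no row and no `fail`, the opposite of what a public-snapshot check needs. I cannot see the column's shape from this hunk; if `create_volume_permissions` is a single array of `{Group, UserId}` objects (the CTE name `snapshot_access_groups` suggests one row per permission), unnest that array once, read both fields from each element, and use `LEFT JOIN UNNEST` so snapshots with no permissions still appear as `pass`. Note also that `JSON_VALUE(user_id) IS DISTINCT FROM ''` is true for NULL, so any permission element lacking a UserId fails; an explicit `IS NOT NULL AND != ''` test is safer, and the `-- this is under question` comment should be resolved or rewritten to state that sharing with specific accounts is intentionally counted as a failure.
```sql
{% macro bigquery__ebs_snapshot_permissions_check(framework, check_id) %}
WITH snapshot_access_groups AS (
    SELECT account_id,
           region,
           snapshot_id,
           JSON_VALUE(perm.Group) AS groupa,
           JSON_VALUE(perm.UserId) AS user_id
    FROM {{ full_table_name("aws_ec2_ebs_snapshot_attributes") }}
    -- LEFT JOIN keeps snapshots with no permissions so they report as 'pass'
    LEFT JOIN UNNEST(JSON_QUERY_ARRAY(create_volume_permissions)) AS perm
)
SELECT DISTINCT
    -- … unchanged: framework, check_id, title, account_id, resource_id columns …
    case when
        groupa = 'all'
        -- sharing with specific accounts is counted as a failure
        OR (user_id IS NOT NULL AND user_id != '')
    then 'fail'
    else 'pass'
    end as status
FROM snapshot_access_groups
{% endmacro %}
```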
16 changes: 16 additions & 0 deletions transformations/aws/macros/ec2/get_unused_public_ips.sql
Expand Up @@ -18,6 +18,22 @@ select
end as status
from aws_ec2_eips
{% endmacro %}

{% macro bigquery__get_unused_public_ips(framework, check_id) %}
select
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'Unused EC2 EIPs should be removed' as title,
account_id,
public_ip as resource_id,
case when
instance_id is null
then 'fail'
else 'pass'
end as status
from {{ full_table_name("aws_ec2_eips") }}
{% endmacro %}

{% macro snowflake__get_unused_public_ips(framework, check_id) %}
select
'{{framework}}' as framework,
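Review bot: `instance_id is null` treats every Elastic IP not attached to an instance as unused, but an EIP associated with a NAT gateway or another network interface also has a NULL `instance_id` and would be reported as `fail`, a false positive for a control whose point is to find addresses with no association at all. If the `aws_ec2_eips` table carries the address's association id — I cannot confirm the column from this hunk — `association_id is null` is the better predicate; otherwise a comment stating the limitation, `-- EIPs attached to NAT gateways or ENIs also have a NULL instance_id and are reported as fail`, would do. The postgres macro above uses the same predicate, so the behaviour is pre-existing rather than introduced here.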
Expand Up @@ -33,4 +33,18 @@ from aws_elasticsearch_domains
{% endmacro %}

{% macro default__elasticsearch_domains_should_be_in_vpc(framework, check_id) %}{% endmacro %}


{% macro bigquery__elasticsearch_domains_should_be_in_vpc(framework, check_id) %}
select
'{{framework}}' as framework,
'{{check_id}}' as check_id,
'Elasticsearch domains should be in a VPC' as title,
account_id,
arn as resource_id,
case when
vpc_options.VPCId is null
then 'fail'
else 'pass'
end as status
from {{ full_table_name("aws_elasticsearch_domains") }}
{% endmacro %}
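Review bot: `vpc_options.VPCId is null` compares a JSON field access directly, while the other bigquery__ macros in this PR go through `JSON_VALUE(...)` (for example `JSON_VALUE(source.Auth.Type)` and `JSON_VALUE(recording_group.AllSupported)`); if `vpc_options` is a JSON column, a JSON `null` stored under `VPCId` is not SQL NULL and such a domain would be reported as `pass`. Use `JSON_VALUE(vpc_options.VPCId) is null` so both an absent key and a JSON null are treated as "not in a VPC", consistent with the sibling macros.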