Variables ¶
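// CheckEnableAllRegions reports any CloudTrail trail whose IsMultiRegion
// attribute resolves to false (AVD-AWS-0014, CIS AWS 1.2 control 2.5).
//
// The rationale is the one given in the rule's Impact/Explanation strings:
// a single-region trail records nothing about API activity in other regions,
// and the Terraform resource does not default to multi-region the way the
// console does.
//
// Caveats worth knowing before relying on this rule as evidence of coverage:
//   - The loop only visits trails that exist. An account with no trail at all
//     produces neither a failure nor a pass here; absence of logging has to be
//     caught by another rule.
//   - Only a value that resolves to false is reported. A value the scanner
//     could not resolve (for example, one driven by an unresolved variable)
//     is presumably not reported by IsFalse — TODO confirm against the
//     BoolValue implementation before treating "no finding" as "compliant".
//
// Change in this revision: the Explanation string had a typo ("operting");
// it now reads "operating". No logic changed.
var CheckEnableAllRegions = rules.Register(
	scan.Rule{
		AVDID:     "AVD-AWS-0014",
		Provider:  providers.AWSProvider,
		Service:   "cloudtrail",
		ShortCode: "enable-all-regions",
		Frameworks: map[framework.Framework][]string{
			framework.Default:     nil,
			framework.CIS_AWS_1_2: {"2.5"},
		},
		Summary:     "Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed",
		Impact:      "Activity could be happening in your account in a different region",
		Resolution:  "Enable Cloudtrail in all regions",
		Explanation: `When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operating in.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableAllRegionsGoodExamples,
			BadExamples:         terraformEnableAllRegionsBadExamples,
			Links:               terraformEnableAllRegionsLinks,
			RemediationMarkdown: terraformEnableAllRegionsRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableAllRegionsGoodExamples,
			BadExamples:         cloudFormationEnableAllRegionsBadExamples,
			Links:               cloudFormationEnableAllRegionsLinks,
			RemediationMarkdown: cloudFormationEnableAllRegionsRemediationMarkdown,
		},
		Severity: severity.Medium,
	},
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.Trails {
			// Only an explicit false is a finding; everything else is recorded
			// as a pass for this trail.
			if trail.IsMultiRegion.IsFalse() {
				results.Add(
					"Trail is not enabled across all regions.",
					trail.IsMultiRegion,
				)
				continue
			}
			results.AddPassed(&trail)
		}
		return results
	},
)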
// CheckEnableLogValidation reports any CloudTrail trail whose
// EnableLogFileValidation attribute resolves to false (AVD-AWS-0016).
//
// Log file validation is what lets a responder detect after the fact that
// delivered log files were modified or deleted; without it, an attacker who
// reaches the log bucket can quietly rewrite the record of their own actions
// (the rule's Impact/Explanation strings state this rationale).
//
// Scope note: the check is per existing trail and only fires on an explicit
// false. An account with no trail produces no result from this rule, and an
// unresolvable value is presumably not flagged by IsFalse — TODO confirm
// against the BoolValue implementation.
var CheckEnableLogValidation = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0016",
		Provider:    providers.AWSProvider,
		Service:     "cloudtrail",
		ShortCode:   "enable-log-validation",
		Summary:     "Cloudtrail log validation should be enabled to prevent tampering of log data",
		Impact:      "Illicit activity could be removed from the logs",
		Resolution:  "Turn on log validation for Cloudtrail",
		Explanation: `Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEnableLogValidationGoodExamples,
			BadExamples:         terraformEnableLogValidationBadExamples,
			Links:               terraformEnableLogValidationLinks,
			RemediationMarkdown: terraformEnableLogValidationRemediationMarkdown,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEnableLogValidationGoodExamples,
			BadExamples:         cloudFormationEnableLogValidationBadExamples,
			Links:               cloudFormationEnableLogValidationLinks,
			RemediationMarkdown: cloudFormationEnableLogValidationRemediationMarkdown,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.Trails {
			validation := trail.EnableLogFileValidation
			if !validation.IsFalse() {
				// Not an explicit false: record a pass for this trail.
				results.AddPassed(&trail)
				continue
			}
			results.Add(
				"Trail does not have log validation enabled.",
				validation,
			)
		}
		return results
	},
)
// EncryptionCustomerManagedKey reports any CloudTrail trail whose KMSKeyID
// attribute is empty (AVD-AWS-0015).
//
// What the check actually proves is narrower than the Summary suggests: it
// only tests that *some* key reference is set. A non-empty KMSKeyID is
// accepted as-is — the rule does not (and from this state alone cannot)
// verify that the referenced key is customer managed rather than AWS
// managed, that it exists, or that its key policy grants CloudTrail the
// permissions it needs. Treat a pass here as "a key is configured", not as
// "logs are encrypted under a key you control".
//
// Naming/metadata notes for maintainers: this variable lacks the Check
// prefix used by the sibling rules in this package, and both engine
// metadata entries leave RemediationMarkdown empty, unlike the other rules.
// Neither is changed here because the exported name is part of the package
// API.
var EncryptionCustomerManagedKey = rules.Register(
	scan.Rule{
		AVDID:       "AVD-AWS-0015",
		Provider:    providers.AWSProvider,
		Service:     "cloudtrail",
		ShortCode:   "encryption-customer-managed-key",
		Summary:     "CloudTrail should use Customer managed keys to encrypt the logs",
		Impact:      "Using AWS managed keys does not allow for fine grained control",
		Resolution:  "Use Customer managed key",
		Explanation: `Using Customer managed keys provides comprehensive control over cryptographic keys, enabling management of policies, permissions, and rotation, thus enhancing security and compliance measures for sensitive data and systems.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
			"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-mgmt",
		},
		Terraform: &scan.EngineMetadata{
			GoodExamples:        terraformEncryptionCustomerManagedKeyGoodExamples,
			BadExamples:         terraformEncryptionCustomerManagedKeyBadExamples,
			Links:               terraformEncryptionCustomerManagedKeyLinks,
			RemediationMarkdown: ``,
		},
		CloudFormation: &scan.EngineMetadata{
			GoodExamples:        cloudFormationEncryptionCustomerManagedKeyGoodExamples,
			BadExamples:         cloudFormationEncryptionCustomerManagedKeyBadExamples,
			Links:               cloudFormationEncryptionCustomerManagedKeyLinks,
			RemediationMarkdown: ``,
		},
		Severity: severity.High,
	},
	func(s *state.State) (results scan.Results) {
		for _, trail := range s.AWS.CloudTrail.Trails {
			keyID := trail.KMSKeyID
			if !keyID.IsEmpty() {
				// Any non-empty key reference counts as a pass for this trail.
				results.AddPassed(&trail)
				continue
			}
			results.Add(
				"CloudTrail does not use a customer managed key to encrypt the logs.",
				keyID,
			)
		}
		return results
	},
)
Source Files ¶
- enable_all_regions.cf.go
- enable_all_regions.go
- enable_all_regions.tf.go
- enable_log_validation.cf.go
- enable_log_validation.go
- enable_log_validation.tf.go
- encryption_customer_key.cf.go
- encryption_customer_key.go
- encryption_customer_key.tf.go
- ensure_cloudwatch_integration.cf.go
- ensure_cloudwatch_integration.go
- ensure_cloudwatch_integration.tf.go
- no_public_log_access.cf.go
- no_public_log_access.go
- no_public_log_access.tf.go
- require_bucket_access_logging.cf.go
- require_bucket_access_logging.go
- require_bucket_access_logging.tf.go