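// CheckEnableAllRegions reports CloudTrail trails that are not configured as
// multi-region. It is registered under AVD-AWS-0014 and mapped to CIS AWS 1.2
// control 2.5. A single-region trail leaves API activity in every other region
// unrecorded, which is a detection and forensics gap for the whole account.
var CheckEnableAllRegions = rules.Register(
	scan2.Rule{
		AVDID:     "AVD-AWS-0014",
		Provider:  providers2.AWSProvider,
		Service:   "cloudtrail",
		ShortCode: "enable-all-regions",
		Frameworks: map[framework2.Framework][]string{
			framework2.Default:     nil,
			framework2.CIS_AWS_1_2: {"2.5"},
		},
		Summary:    "Cloudtrail should be enabled in all regions regardless of where your AWS resources are generally homed",
		Impact:     "Activity could be happening in your account in a different region",
		Resolution: "Enable Cloudtrail in all regions",
		// Typo fixed in the user-facing explanation ("operting" -> "operating").
		Explanation: `When creating Cloudtrail in the AWS Management Console the trail is configured by default to be multi-region, this isn't the case with the Terraform resource. Cloudtrail should cover the full AWS account to ensure you can track changes in regions you are not actively operating in.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html",
		},
		Terraform: &scan2.EngineMetadata{
			GoodExamples:        terraformEnableAllRegionsGoodExamples,
			BadExamples:         terraformEnableAllRegionsBadExamples,
			Links:               terraformEnableAllRegionsLinks,
			RemediationMarkdown: terraformEnableAllRegionsRemediationMarkdown,
		},
		CloudFormation: &scan2.EngineMetadata{
			GoodExamples:        cloudFormationEnableAllRegionsGoodExamples,
			BadExamples:         cloudFormationEnableAllRegionsBadExamples,
			Links:               cloudFormationEnableAllRegionsLinks,
			RemediationMarkdown: cloudFormationEnableAllRegionsRemediationMarkdown,
		},
		Severity: severity2.Medium,
	},
	// Check function: walks every trail in the adapted state and adds one
	// failing result per trail whose IsMultiRegion attribute is false; every
	// other trail is recorded as a pass. NOTE(review): trails whose
	// IsMultiRegion value is unresolvable are not flagged by IsFalse() as far
	// as this block shows — confirm that is the intended behaviour.
	func(s *state2.State) (results scan2.Results) {
		for _, trail := range s.AWS.CloudTrail.Trails {
			// Per-iteration copy so the pointer handed to AddPassed is unique
			// even on toolchains older than Go 1.22, where the range variable
			// is shared across iterations.
			trail := trail
			if trail.IsMultiRegion.IsFalse() {
				results.Add(
					"Trail is not enabled across all regions.",
					trail.IsMultiRegion,
				)
				continue
			}
			results.AddPassed(&trail)
		}
		return results
	},
)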
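// CheckEnableAtRestEncryption reports CloudTrail trails that have no KMS key
// configured, i.e. whose log files are not encrypted with a customer-managed
// key. It is registered under AVD-AWS-0015 with High severity because trail
// logs are one of the first artefacts consulted during incident response.
var CheckEnableAtRestEncryption = rules.Register(
	scan2.Rule{
		AVDID:      "AVD-AWS-0015",
		Provider:   providers2.AWSProvider,
		Service:    "cloudtrail",
		ShortCode:  "enable-at-rest-encryption",
		Summary:    "Cloudtrail should be encrypted at rest to secure access to sensitive trail data",
		Impact:     "Data can be freely read if compromised",
		Resolution: "Enable encryption at rest",
		// Duplicated word fixed in the user-facing explanation ("the the account").
		Explanation: `Cloudtrail logs should be encrypted at rest to secure the sensitive data. Cloudtrail logs record all activity that occurs in the account through API calls and would be one of the first places to look when reacting to a breach.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html",
		},
		Terraform: &scan2.EngineMetadata{
			GoodExamples:        terraformEnableAtRestEncryptionGoodExamples,
			BadExamples:         terraformEnableAtRestEncryptionBadExamples,
			Links:               terraformEnableAtRestEncryptionLinks,
			RemediationMarkdown: terraformEnableAtRestEncryptionRemediationMarkdown,
		},
		CloudFormation: &scan2.EngineMetadata{
			GoodExamples:        cloudFormationEnableAtRestEncryptionGoodExamples,
			BadExamples:         cloudFormationEnableAtRestEncryptionBadExamples,
			Links:               cloudFormationEnableAtRestEncryptionLinks,
			RemediationMarkdown: cloudFormationEnableAtRestEncryptionRemediationMarkdown,
		},
		Severity: severity2.High,
	},
	// Check function: one failing result per trail whose KMSKeyID is empty;
	// every other trail is recorded as a pass. The check only inspects
	// presence of a key id, not the key's policy or rotation settings.
	func(s *state2.State) (results scan2.Results) {
		for _, trail := range s.AWS.CloudTrail.Trails {
			// Per-iteration copy so the pointer handed to AddPassed is unique
			// even on toolchains older than Go 1.22, where the range variable
			// is shared across iterations.
			trail := trail
			if trail.KMSKeyID.IsEmpty() {
				results.Add(
					"Trail is not encrypted.",
					trail.KMSKeyID,
				)
				continue
			}
			results.AddPassed(&trail)
		}
		return results
	},
)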
// CheckEnableLogValidation reports CloudTrail trails whose log file validation
// is switched off. Registered as AVD-AWS-0016 with High severity: without
// validation digests, an attacker with write access to the log bucket can
// alter or delete evidence of their own activity undetected.
var CheckEnableLogValidation = rules.Register(
	scan2.Rule{
		AVDID:      "AVD-AWS-0016",
		Provider:   providers2.AWSProvider,
		Service:    "cloudtrail",
		ShortCode:  "enable-log-validation",
		Summary:    "Cloudtrail log validation should be enabled to prevent tampering of log data",
		Impact:     "Illicit activity could be removed from the logs",
		Resolution: "Turn on log validation for Cloudtrail",
		Explanation: `Log validation should be activated on Cloudtrail logs to prevent the tampering of the underlying data in the S3 bucket. It is feasible that a rogue actor compromising an AWS account might want to modify the log data to remove trace of their actions.`,
		Links: []string{
			"https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-file-validation-intro.html",
		},
		Terraform: &scan2.EngineMetadata{
			GoodExamples:        terraformEnableLogValidationGoodExamples,
			BadExamples:         terraformEnableLogValidationBadExamples,
			Links:               terraformEnableLogValidationLinks,
			RemediationMarkdown: terraformEnableLogValidationRemediationMarkdown,
		},
		CloudFormation: &scan2.EngineMetadata{
			GoodExamples:        cloudFormationEnableLogValidationGoodExamples,
			BadExamples:         cloudFormationEnableLogValidationBadExamples,
			Links:               cloudFormationEnableLogValidationLinks,
			RemediationMarkdown: cloudFormationEnableLogValidationRemediationMarkdown,
		},
		Severity: severity2.High,
	},
	// Check function: every trail is either passed or, when its
	// EnableLogFileValidation attribute is false, given one failing result
	// that points at that attribute. NOTE(review): &trail is the address of
	// the range variable; on toolchains older than Go 1.22 that address is
	// shared across iterations — confirm AddPassed does not retain it.
	func(st *state2.State) (results scan2.Results) {
		for _, trail := range st.AWS.CloudTrail.Trails {
			if !trail.EnableLogFileValidation.IsFalse() {
				results.AddPassed(&trail)
				continue
			}
			results.Add(
				"Trail does not have log validation enabled.",
				trail.EnableLogFileValidation,
			)
		}
		return results
	},
)
Source Files ¶
- enable_all_regions.cf.go
- enable_all_regions.go
- enable_all_regions.tf.go
- enable_at_rest_encryption.cf.go
- enable_at_rest_encryption.go
- enable_at_rest_encryption.tf.go
- enable_log_validation.cf.go
- enable_log_validation.go
- enable_log_validation.tf.go
- require_bucket_access_logging.cf.go
- require_bucket_access_logging.go
- require_bucket_access_logging.tf.go