feat: Added queries for AWS CIS for Snowflake - Premium (#411)

* feat: Added queries for free AWS Compliance - Snowflake * feat: Added queries for AWS CIS for Snowflake - Premium --------- Co-authored-by: Erez Rokah <[email protected]>
cloudquery · Dec 12, 2023 · 0bbf153 · 0bbf153
1 parent 6376eba
commit 0bbf153
Show file tree

Hide file tree

Showing 24 changed files with 441 additions and 0 deletions.
diff --git a/transformations/aws/macros/cloudtrail/bucket_access_logging.sql b/transformations/aws/macros/cloudtrail/bucket_access_logging.sql
@@ -32,4 +32,19 @@ select
     end as status
 from {{ full_table_name("aws_cloudtrail_trails") }} t
 inner join {{ full_table_name("aws_s3_buckets") }} b on t.s3_bucket_name = b.name
+{% endmacro %}
+
+{% macro snowflake__bucket_access_logging(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket' as title,
+    t.account_id,
+    t.arn as resource_id,
+    case
+        when b.logging_target_bucket is null or b.logging_target_prefix is null then 'fail'
+        else 'pass'
+    end as status
+from aws_cloudtrail_trails t
+inner join aws_s3_buckets b on t.s3_bucket_name = b.name
 {% endmacro %}
diff --git a/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql b/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql
@@ -44,4 +44,26 @@ inner join
         aws_cloudtrail_trails.arn = aws_cloudtrail_trail_event_selectors.trail_arn
         and aws_cloudtrail_trails.region = aws_cloudtrail_trail_event_selectors.region
         and aws_cloudtrail_trails.account_id = aws_cloudtrail_trail_event_selectors.account_id
+{% endmacro %}
+
+{% macro snowflake__cloudtrail_enabled_all_regions(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure CloudTrail is enabled in all regions' as title,
+    aws_cloudtrail_trails.account_id,
+    arn as resource_id,
+    case
+        when is_multi_region_trail = FALSE or (
+                    is_multi_region_trail = TRUE and (
+                        read_write_type != 'All' or include_management_events = FALSE
+                )) then 'fail'
+        else 'pass'
+    end as status
+from aws_cloudtrail_trails
+inner join
+    aws_cloudtrail_trail_event_selectors on
+        aws_cloudtrail_trails.arn = aws_cloudtrail_trail_event_selectors.trail_arn
+        and aws_cloudtrail_trails.region = aws_cloudtrail_trail_event_selectors.region
+        and aws_cloudtrail_trails.account_id = aws_cloudtrail_trail_event_selectors.account_id
 {% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_aws_config_changes.sql b/transformations/aws/macros/cloudwatch/alarm_aws_config_changes.sql
@@ -37,3 +37,20 @@ select
     end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_aws_config_changes(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)' as title,
+    account_id,
+    cloud_watch_logs_log_group_arn as resource_id,
+    case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventSource = kms.amazonaws.com)%'
+          AND pattern LIKE '%($.eventName = DisableKey)%'
+          AND pattern LIKE '%($.eventName = ScheduleKeyDeletion)%' then 'pass'
+      else 'fail'
+    end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_cloudtrail_config_changes.sql b/transformations/aws/macros/cloudwatch/alarm_cloudtrail_config_changes.sql
@@ -41,3 +41,22 @@ select
     end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_cloudtrail_config_changes(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)' as title,
+    account_id,
+    cloud_watch_logs_log_group_arn as resource_id,
+    case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventName = CreateTrail)%'
+          AND pattern LIKE '%($.eventName = UpdateTrail)%'
+          AND pattern LIKE '%($.eventName = DeleteTrail)%'
+          AND pattern LIKE '%($.eventName = StartLogging)%'
+          AND pattern LIKE '%($.eventName = StopLogging)%' then 'pass'
+      else 'fail'
+    end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_console_auth_failure.sql b/transformations/aws/macros/cloudwatch/alarm_console_auth_failure.sql
@@ -34,4 +34,20 @@ select
       else 'fail'
     end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
+
+{% macro snowflake__alarm_console_auth_failure(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)' as title,
+    account_id,
+    cloud_watch_logs_log_group_arn as resource_id,
+    case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventName = ConsoleLogin)%'
+          AND pattern LIKE '%($.errorMessage = "Failed authentication")%' then 'pass'
+      else 'fail'
+    end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_delete_customer_cmk.sql b/transformations/aws/macros/cloudwatch/alarm_delete_customer_cmk.sql
@@ -37,3 +37,20 @@ select
     end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_delete_customer_cmk(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)' as title,
+    account_id,
+    cloud_watch_logs_log_group_arn as resource_id,
+    case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventSource = kms.amazonaws.com)%'
+          AND pattern LIKE '%($.eventName=DisableKey)%'
+          AND pattern LIKE '%($.eventName=ScheduleKeyDeletion)%' then 'pass'
+      else 'fail'
+    end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_iam_policy_change.sql b/transformations/aws/macros/cloudwatch/alarm_iam_policy_change.sql
@@ -60,4 +60,33 @@ select
       else 'fail'
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
+
+{% macro snowflake__alarm_iam_policy_change(framework, check_id) %}
+select
+    '{{framework}}' as framework,
+    '{{check_id}}' as check_id,
+    'Ensure a log metric filter and alarm exist for IAM policy changes (Score)' as title,
+    account_id,
+    cloud_watch_logs_log_group_arn as resource_id,
+  case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventName = DeleteGroupPolicy)%'
+          AND pattern LIKE '%($.eventName = DeleteUserPolicy)%'
+          AND pattern LIKE '%($.eventName = PutGroupPolicy)%'
+          AND pattern LIKE '%($.eventName = PutRolePolicy)%'
+          AND pattern LIKE '%($.eventName = PutUserPolicy)%'
+          AND pattern LIKE '%($.eventName = CreatePolicy)%'
+          AND pattern LIKE '%($.eventName = DeletePolicy)%'
+          AND pattern LIKE '%($.eventName=CreatePolicyVersion)%'
+          AND pattern LIKE '%($.eventName=DeletePolicyVersion)%'
+          AND pattern LIKE '%($.eventName=AttachRolePolicy)%'
+          AND pattern LIKE '%($.eventName=DetachRolePolicy)%'
+          AND pattern LIKE '%($.eventName=AttachUserPolicy)%'
+          AND pattern LIKE '%($.eventName = DetachUserPolicy)%'
+          AND pattern LIKE '%($.eventName = AttachGroupPolicy)%'
+          AND pattern LIKE '%($.eventName = DetachGroupPolicy)%' then 'pass'
+      else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_nacl_changes.sql b/transformations/aws/macros/cloudwatch/alarm_nacl_changes.sql
@@ -43,3 +43,23 @@ select
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_nacl_changes(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventName = CreateNetworkAcl)%'
+          AND pattern LIKE '%($.eventName = CreateNetworkAclEntry)%'
+          AND pattern LIKE '%($.eventName = DeleteNetworkAcl)%'
+          AND pattern LIKE '%($.eventName = DeleteNetworkAclEntry)%'
+          AND pattern LIKE '%($.eventName = ReplaceNetworkAclAssociation)%'
+          AND pattern LIKE '%($.eventName = ReplaceNetworkAclEntry)%' then 'pass'
+      else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_network_gateways.sql b/transformations/aws/macros/cloudwatch/alarm_network_gateways.sql
@@ -43,3 +43,23 @@ select
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_network_gateways(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for changes to network gateways (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case
+      when pattern NOT LIKE '%NOT%'
+          AND pattern LIKE '%($.eventName = CreateCustomerGateway)%'
+          AND pattern LIKE '%($.eventName = DeleteCustomerGateway)%'
+          AND pattern LIKE '%($.eventName = AttachInternetGateway)%'
+          AND pattern LIKE '%($.eventName = CreateInternetGateway)%'
+          AND pattern LIKE '%($.eventName = DeleteInternetGateway)%'
+          AND pattern LIKE '%($.eventName = DetachInternetGateway)%' then 'pass'
+      else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_root_account.sql b/transformations/aws/macros/cloudwatch/alarm_root_account.sql
@@ -36,4 +36,21 @@ select
     else 'fail'
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
+
+{% macro snowflake__alarm_root_account(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for usage of "root" account (Score)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case
+    when pattern NOT LIKE '%NOT%'
+        AND pattern LIKE '%$.userIdentity.type = "Root"%'
+        AND pattern LIKE '%$.userIdentity.invokedBy NOT EXISTS%'
+        AND pattern LIKE '%$.eventType != "AwsServiceEvent"%' then 'pass'
+    else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_route_table_changes.sql b/transformations/aws/macros/cloudwatch/alarm_route_table_changes.sql
@@ -43,3 +43,23 @@ select
     end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_route_table_changes(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for route table changes (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn,
+    case when  pattern NOT LIKE '%NOT%'
+         AND pattern LIKE '%($.eventName = CreateRoute)%'
+         AND pattern LIKE '%($.eventName = CreateRouteTable)%'
+         AND pattern LIKE '%($.eventName = ReplaceRoute)%'
+         AND pattern LIKE '%($.eventName = ReplaceRouteTableAssociation)%'
+         AND pattern LIKE '%($.eventName = DeleteRouteTable)%'
+         AND pattern LIKE '%($.eventName = DeleteRoute)%'
+         AND pattern LIKE '%(($.eventName = DisassociateRouteTable)%' then 'pass'
+        else 'fail'
+    end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_s3_bucket_policy_change.sql b/transformations/aws/macros/cloudwatch/alarm_s3_bucket_policy_change.sql
@@ -51,3 +51,27 @@ select
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_s3_bucket_policy_change(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case 
+    when pattern NOT LIKE '%NOT%'
+        AND pattern LIKE '%($.eventSource = s3.amazonaws.com)%'
+        AND pattern LIKE '%($.eventName = PutBucketAcl)%'
+        AND pattern LIKE '%($.eventName = PutBucketPolicy)%'
+        AND pattern LIKE '%($.eventName = PutBucketCors)%'
+        AND pattern LIKE '%($.eventName = PutBucketLifecycle)%'
+        AND pattern LIKE '%($.eventName = PutBucketReplication)%'
+        AND pattern LIKE '%($.eventName = DeleteBucketPolicy)%'
+        AND pattern LIKE '%($.eventName = DeleteBucketCors)%'
+        AND pattern LIKE '%($.eventName = DeleteBucketLifecycle)%'
+        AND pattern LIKE '%($.eventName = DeleteBucketReplication)%' then 'pass'
+    else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_security_group_changes.sql b/transformations/aws/macros/cloudwatch/alarm_security_group_changes.sql
@@ -41,3 +41,22 @@ select
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_security_group_changes(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for security group changes (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case when pattern NOT LIKE '%NOT%'
+           AND pattern LIKE '%($.eventName = AuthorizeSecurityGroupIngress)%'
+           AND pattern LIKE '%($.eventName = AuthorizeSecurityGroupEgress)%'
+           AND pattern LIKE '%($.eventName = RevokeSecurityGroupIngress)%'
+           AND pattern LIKE '%($.eventName = RevokeSecurityGroupEgress)%'
+           AND pattern LIKE '%($.eventName = CreateSecurityGroup)%'
+           AND pattern LIKE '%($.eventName = DeleteSecurityGroup)%' then 'pass'
+      else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_unauthorized_api.sql b/transformations/aws/macros/cloudwatch/alarm_unauthorized_api.sql
@@ -33,3 +33,18 @@ select
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_unauthorized_api(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case when pattern NOT LIKE '%NOT%'
+           AND pattern LIKE '%($.errorCode = "*UnauthorizedOperation")%'
+           AND pattern LIKE '%($.errorCode = "AccessDenied*")%' then 'pass'
+      else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_vpc_changes.sql b/transformations/aws/macros/cloudwatch/alarm_vpc_changes.sql
@@ -53,3 +53,28 @@ select
   end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_vpc_changes(framework, check_id) %}
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure a log metric filter and alarm exist for VPC changes (Scored)' as title,
+  account_id,
+  cloud_watch_logs_log_group_arn as resource_id,
+  case when pattern NOT LIKE '%NOT%'
+           AND pattern LIKE '%($.eventName = CreateVpc)%'
+           AND pattern LIKE '%($.eventName = DeleteVpc)%'
+           AND pattern LIKE '%($.eventName = ModifyVpcAttribute)%'
+           AND pattern LIKE '%($.eventName = AcceptVpcPeeringConnection)%'
+           AND pattern LIKE '%($.eventName = CreateVpcPeeringConnection)%'
+           AND pattern LIKE '%($.eventName = DeleteVpcPeeringConnection)%'
+           AND pattern LIKE '%($.eventName = RejectVpcPeeringConnection)%'
+           AND pattern LIKE '%($.eventName = AttachClassicLinkVpc)%'
+           AND pattern LIKE '%($.eventName = DetachClassicLinkVpc)%'
+           AND pattern LIKE '%($.eventName = DisableVpcClassicLink)%'
+           AND pattern LIKE '%($.eventName = EnableVpcClassicLink)%'
+      then 'pass'
+      else 'fail'
+  end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_22.sql b/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_22.sql
@@ -39,4 +39,23 @@ select
       else 'pass'
   end
 from {{ ref('aws_compliance__security_group_ingress_rules') }}
+{% endmacro %}
+
+{% macro snowflake__no_broad_public_ingress_on_port_22(framework, check_id) %}
+-- uses view which uses aws_security_group_ingress_rules.sql query
+select
+  '{{framework}}' as framework,
+  '{{check_id}}' as check_id,
+  'Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)' as title,
+  account_id,
+  arn,
+  case when
+      (ip = '0.0.0.0/0' or ip = '::/0')
+      and (
+          (from_port is null and to_port is null) -- all ports
+          or 22 between from_port and to_port)
+      then 'fail'
+      else 'pass'
+  end
+from {{ ref('aws_compliance__security_group_ingress_rules') }}
 {% endmacro %}