From 0bbf153aaefc16f7ace4e295b5ccc400aa51df25 Mon Sep 17 00:00:00 2001
From: ronsh12 <101520407+ronsh12@users.noreply.github.com>
Date: Tue, 12 Dec 2023 18:46:35 +0200
Subject: [PATCH] feat: Added queries for AWS CIS for Snowflake - Premium (#411)
* feat: Added queries for free AWS Compliance - Snowflake
* feat: Added queries for AWS CIS for Snowflake - Premium
---------
Co-authored-by: Erez Rokah
---
 .../cloudtrail/bucket_access_logging.sql | 15 ++++++++++
 .../cloudtrail/enabled_in_all_regions.sql | 22 ++++++++++++++
 .../cloudwatch/alarm_aws_config_changes.sql | 17 +++++++++++
 .../alarm_cloudtrail_config_changes.sql | 19 ++++++++++++
 .../cloudwatch/alarm_console_auth_failure.sql | 16 ++++++++++
 .../cloudwatch/alarm_delete_customer_cmk.sql | 17 +++++++++++
 .../cloudwatch/alarm_iam_policy_change.sql | 29 +++++++++++++++++++
 .../macros/cloudwatch/alarm_nacl_changes.sql | 20 +++++++++++++
 .../cloudwatch/alarm_network_gateways.sql | 20 +++++++++++++
 .../macros/cloudwatch/alarm_root_account.sql | 17 +++++++++++
 .../cloudwatch/alarm_route_table_changes.sql | 20 +++++++++++++
 .../alarm_s3_bucket_policy_change.sql | 24 +++++++++++++++
 .../alarm_security_group_changes.sql | 19 ++++++++++++
 .../cloudwatch/alarm_unauthorized_api.sql | 15 ++++++++++
 .../macros/cloudwatch/alarm_vpc_changes.sql | 25 ++++++++++++++++
 .../no_broad_public_ingress_on_port_22.sql | 19 ++++++++++++
 .../no_broad_public_ingress_on_port_3389.sql | 18 ++++++++++++
 .../aws/macros/iam/mfa_enabled_for_root.sql | 14 +++++++++
 .../password_policy_expire_old_passwords.sql | 16 ++++++++++
 .../macros/iam/password_policy_min_length.sql | 16 ++++++++++
 .../macros/iam/password_policy_min_number.sql | 16 ++++++++++
 .../iam/password_policy_min_one_symbol.sql | 16 ++++++++++
 .../iam/password_policy_prevent_reuse.sql | 16 ++++++++++
 .../kms/rotation_enabled_for_customer_key.sql | 15 ++++++++++
 24 files changed, 441 insertions(+)
diff --git a/transformations/aws/macros/cloudtrail/bucket_access_logging.sql b/transformations/aws/macros/cloudtrail/bucket_access_logging.sql
index a7469ceeb..75ca04ddb 100644
--- a/transformations/aws/macros/cloudtrail/bucket_access_logging.sql
+++ b/transformations/aws/macros/cloudtrail/bucket_access_logging.sql
@@ -32,4 +32,19 @@ select
 end as status
 from {{ full_table_name("aws_cloudtrail_trails") }} t
 inner join {{ full_table_name("aws_s3_buckets") }} b on t.s3_bucket_name = b.name
+{% endmacro %}
+
+{% macro snowflake__bucket_access_logging(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket' as title,
+ t.account_id,
+ t.arn as resource_id,
+ case
+ when b.logging_target_bucket is null or b.logging_target_prefix is null then 'fail'
+ else 'pass'
+ end as status
+from aws_cloudtrail_trails t
+inner join aws_s3_buckets b on t.s3_bucket_name = b.name
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql b/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql
index e43c21741..09c8dbc96 100644
--- a/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql
+++ b/transformations/aws/macros/cloudtrail/enabled_in_all_regions.sql
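Review bot: The `inner join aws_s3_buckets b on t.s3_bucket_name = b.name` in snowflake__bucket_access_logging silently drops every trail whose bucket has no row in aws_s3_buckets (for instance a bucket owned by another account), so such trails never produce a fail row and the finding is invisible. If an unverifiable bucket should count as a failure, use `left join aws_s3_buckets b on t.s3_bucket_name = b.name` and add `b.name is null` to the fail predicate. Requiring `b.logging_target_prefix` to be non-null also fails buckets whose access logging is enabled without a prefix, since a target prefix is optional in S3 server access logging; if that stricter reading is intended, a one-line comment saying so would help. The non-Snowflake macro above uses the same join and is outside the hunk.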
@@ -44,4 +44,26 @@ inner join
 aws_cloudtrail_trails.arn = aws_cloudtrail_trail_event_selectors.trail_arn
 and aws_cloudtrail_trails.region = aws_cloudtrail_trail_event_selectors.region
 and aws_cloudtrail_trails.account_id = aws_cloudtrail_trail_event_selectors.account_id
+{% endmacro %}
+
+{% macro snowflake__cloudtrail_enabled_all_regions(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure CloudTrail is enabled in all regions' as title,
+ aws_cloudtrail_trails.account_id,
+ arn as resource_id,
+ case
+ when is_multi_region_trail = FALSE or (
+ is_multi_region_trail = TRUE and (
+ read_write_type != 'All' or include_management_events = FALSE
+ )) then 'fail'
+ else 'pass'
+ end as status
+from aws_cloudtrail_trails
+inner join
+ aws_cloudtrail_trail_event_selectors on
+ aws_cloudtrail_trails.arn = aws_cloudtrail_trail_event_selectors.trail_arn
+ and aws_cloudtrail_trails.region = aws_cloudtrail_trail_event_selectors.region
+ and aws_cloudtrail_trails.account_id = aws_cloudtrail_trail_event_selectors.account_id
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_aws_config_changes.sql b/transformations/aws/macros/cloudwatch/alarm_aws_config_changes.sql
index bea7e254a..2476f35fe 100644
--- a/transformations/aws/macros/cloudwatch/alarm_aws_config_changes.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_aws_config_changes.sql
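Review bot: The fail predicate in snowflake__cloudtrail_enabled_all_regions is built from equality tests, so a NULL in `is_multi_region_trail`, `read_write_type` or `include_management_events` makes the whole `when` UNKNOWN and the row falls through to `else 'pass'` — a partially collected trail is reported compliant. Nulls should fail closed here: `when coalesce(is_multi_region_trail, false) = false or (` and `read_write_type is distinct from 'All' or coalesce(include_management_events, false) = false`. The `inner join` to aws_cloudtrail_trail_event_selectors likewise removes any trail without a selector row from the output rather than failing it; if that is acceptable a comment stating it would help the next reader.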
@@ -37,3 +37,20 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_aws_config_changes(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventSource = kms.amazonaws.com)%'
+ AND pattern LIKE '%($.eventName = DisableKey)%'
+ AND pattern LIKE '%($.eventName = ScheduleKeyDeletion)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_cloudtrail_config_changes.sql b/transformations/aws/macros/cloudwatch/alarm_cloudtrail_config_changes.sql
index a061bbf4d..d5605d29b 100644
--- a/transformations/aws/macros/cloudwatch/alarm_cloudtrail_config_changes.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_cloudtrail_config_changes.sql
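Review bot: snowflake__alarm_aws_config_changes tests the filter pattern for `kms.amazonaws.com`, `DisableKey` and `ScheduleKeyDeletion`, which are the customer-CMK-deletion predicates from the alarm_delete_customer_cmk macro, not AWS Config configuration changes; as written the check only passes when the log group carries a KMS filter, so a correct AWS Config filter is reported as 'fail' and a KMS filter as 'pass'. The predicates should cover the Config event source and the recorder/delivery-channel event names the CIS control asks for, as below, with spacing aligned to the non-Snowflake macro earlier in this file (outside the hunk).

```sql
-- … unchanged: select list (framework, check_id, title, account_id, resource_id) …
    case
        when pattern NOT LIKE '%NOT%'
            AND pattern LIKE '%($.eventSource = config.amazonaws.com)%'
            AND pattern LIKE '%($.eventName=StopConfigurationRecorder)%'
            AND pattern LIKE '%($.eventName=DeleteDeliveryChannel)%'
            AND pattern LIKE '%($.eventName=PutDeliveryChannel)%'
            AND pattern LIKE '%($.eventName=PutConfigurationRecorder)%' then 'pass'
        else 'fail'
    end as status
-- … unchanged: from clause and endmacro …
```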
@@ -41,3 +41,22 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_cloudtrail_config_changes(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = CreateTrail)%'
+ AND pattern LIKE '%($.eventName = UpdateTrail)%'
+ AND pattern LIKE '%($.eventName = DeleteTrail)%'
+ AND pattern LIKE '%($.eventName = StartLogging)%'
+ AND pattern LIKE '%($.eventName = StopLogging)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_console_auth_failure.sql b/transformations/aws/macros/cloudwatch/alarm_console_auth_failure.sql
index 337062b15..dd28dd12c 100644
--- a/transformations/aws/macros/cloudwatch/alarm_console_auth_failure.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_console_auth_failure.sql
@@ -34,4 +34,20 @@ select
 else 'fail'
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
+
+{% macro snowflake__alarm_console_auth_failure(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = ConsoleLogin)%'
+ AND pattern LIKE '%($.errorMessage = "Failed authentication")%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_delete_customer_cmk.sql b/transformations/aws/macros/cloudwatch/alarm_delete_customer_cmk.sql
index 305f8e239..88f0804fd 100644
--- a/transformations/aws/macros/cloudwatch/alarm_delete_customer_cmk.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_delete_customer_cmk.sql
@@ -37,3 +37,20 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_delete_customer_cmk(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventSource = kms.amazonaws.com)%'
+ AND pattern LIKE '%($.eventName=DisableKey)%'
+ AND pattern LIKE '%($.eventName=ScheduleKeyDeletion)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_iam_policy_change.sql b/transformations/aws/macros/cloudwatch/alarm_iam_policy_change.sql
index 05fa46c8b..702df0f52 100644
--- a/transformations/aws/macros/cloudwatch/alarm_iam_policy_change.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_iam_policy_change.sql
@@ -60,4 +60,33 @@ select
 else 'fail'
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
+
+{% macro snowflake__alarm_iam_policy_change(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for IAM policy changes (Score)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = DeleteGroupPolicy)%'
+ AND pattern LIKE '%($.eventName = DeleteUserPolicy)%'
+ AND pattern LIKE '%($.eventName = PutGroupPolicy)%'
+ AND pattern LIKE '%($.eventName = PutRolePolicy)%'
+ AND pattern LIKE '%($.eventName = PutUserPolicy)%'
+ AND pattern LIKE '%($.eventName = CreatePolicy)%'
+ AND pattern LIKE '%($.eventName = DeletePolicy)%'
+ AND pattern LIKE '%($.eventName=CreatePolicyVersion)%'
+ AND pattern LIKE '%($.eventName=DeletePolicyVersion)%'
+ AND pattern LIKE '%($.eventName=AttachRolePolicy)%'
+ AND pattern LIKE '%($.eventName=DetachRolePolicy)%'
+ AND pattern LIKE '%($.eventName=AttachUserPolicy)%'
+ AND pattern LIKE '%($.eventName = DetachUserPolicy)%'
+ AND pattern LIKE '%($.eventName = AttachGroupPolicy)%'
+ AND pattern LIKE '%($.eventName = DetachGroupPolicy)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_nacl_changes.sql b/transformations/aws/macros/cloudwatch/alarm_nacl_changes.sql
index 8b4d35b83..1477088ff 100644
--- a/transformations/aws/macros/cloudwatch/alarm_nacl_changes.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_nacl_changes.sql
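Review bot: snowflake__alarm_iam_policy_change requires `($.eventName = DeleteGroupPolicy)` with spaces around `=` and, a few lines later, `($.eventName=CreatePolicyVersion)` without them; a metric filter is written in one spacing convention, so no real pattern can satisfy both lists and the check reports 'fail' for every log group, including correctly configured ones. The list also omits DeleteRolePolicy, which the other Delete*/Put* pairs suggest was intended. Comparing against a whitespace-stripped pattern and writing every literal without spaces makes the match independent of the author's formatting; the same exact-whitespace sensitivity applies to the other alarm macros in this commit, where the literal spacing must match the filter byte for byte. The enclosing file's non-Snowflake macro starts outside the hunk.

```sql
-- … unchanged: select list (framework, check_id, title, account_id, resource_id) …
    case
        when pattern NOT LIKE '%NOT%'
            AND replace(pattern, ' ', '') LIKE '%($.eventName=DeleteGroupPolicy)%'
            AND replace(pattern, ' ', '') LIKE '%($.eventName=DeleteRolePolicy)%'
            AND replace(pattern, ' ', '') LIKE '%($.eventName=DeleteUserPolicy)%'
            -- … remaining eventName predicates, each written without spaces against replace(pattern, ' ', '') …
            AND replace(pattern, ' ', '') LIKE '%($.eventName=DetachGroupPolicy)%' then 'pass'
        else 'fail'
    end as status
-- … unchanged: from clause and endmacro …
```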
@@ -43,3 +43,23 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_nacl_changes(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = CreateNetworkAcl)%'
+ AND pattern LIKE '%($.eventName = CreateNetworkAclEntry)%'
+ AND pattern LIKE '%($.eventName = DeleteNetworkAcl)%'
+ AND pattern LIKE '%($.eventName = DeleteNetworkAclEntry)%'
+ AND pattern LIKE '%($.eventName = ReplaceNetworkAclAssociation)%'
+ AND pattern LIKE '%($.eventName = ReplaceNetworkAclEntry)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_network_gateways.sql b/transformations/aws/macros/cloudwatch/alarm_network_gateways.sql
index d4a528a22..96a7e3981 100644
--- a/transformations/aws/macros/cloudwatch/alarm_network_gateways.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_network_gateways.sql
@@ -43,3 +43,23 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_network_gateways(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for changes to network gateways (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = CreateCustomerGateway)%'
+ AND pattern LIKE '%($.eventName = DeleteCustomerGateway)%'
+ AND pattern LIKE '%($.eventName = AttachInternetGateway)%'
+ AND pattern LIKE '%($.eventName = CreateInternetGateway)%'
+ AND pattern LIKE '%($.eventName = DeleteInternetGateway)%'
+ AND pattern LIKE '%($.eventName = DetachInternetGateway)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_root_account.sql b/transformations/aws/macros/cloudwatch/alarm_root_account.sql
index 3cc84c5ea..8131d4485 100644
--- a/transformations/aws/macros/cloudwatch/alarm_root_account.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_root_account.sql
@@ -36,4 +36,21 @@ select
 else 'fail'
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
+
+{% macro snowflake__alarm_root_account(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for usage of "root" account (Score)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%$.userIdentity.type = "Root"%'
+ AND pattern LIKE '%$.userIdentity.invokedBy NOT EXISTS%'
+ AND pattern LIKE '%$.eventType != "AwsServiceEvent"%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_route_table_changes.sql b/transformations/aws/macros/cloudwatch/alarm_route_table_changes.sql
index d1a321599..88b3c7646 100644
--- a/transformations/aws/macros/cloudwatch/alarm_route_table_changes.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_route_table_changes.sql
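Review bot: In snowflake__alarm_root_account the first predicate `pattern NOT LIKE '%NOT%'` can never be true at the same time as the third, `pattern LIKE '%$.userIdentity.invokedBy NOT EXISTS%'`, because the required root-usage filter itself contains the token NOT; Snowflake's LIKE is case-sensitive, so every log group is reported as 'fail', including those with the correct filter. The negation guard that the other alarm macros share does not apply to this control and should be dropped: `when pattern LIKE '%$.userIdentity.type = "Root"%'` as the first line of the condition. The non-Snowflake macro earlier in this file is outside the hunk; it is worth checking it for the same contradiction. The title's `(Score)` is presumably meant to be `(Scored)` as in the sibling macros.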
@@ -43,3 +43,23 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_route_table_changes(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for route table changes (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn,
+ case when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = CreateRoute)%'
+ AND pattern LIKE '%($.eventName = CreateRouteTable)%'
+ AND pattern LIKE '%($.eventName = ReplaceRoute)%'
+ AND pattern LIKE '%($.eventName = ReplaceRouteTableAssociation)%'
+ AND pattern LIKE '%($.eventName = DeleteRouteTable)%'
+ AND pattern LIKE '%($.eventName = DeleteRoute)%'
+ AND pattern LIKE '%(($.eventName = DisassociateRouteTable)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_s3_bucket_policy_change.sql b/transformations/aws/macros/cloudwatch/alarm_s3_bucket_policy_change.sql
index 818a3d60c..27f7430c5 100644
--- a/transformations/aws/macros/cloudwatch/alarm_s3_bucket_policy_change.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_s3_bucket_policy_change.sql
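Review bot: The last predicate in snowflake__alarm_route_table_changes, `'%(($.eventName = DisassociateRouteTable)%'`, has a stray second `(`, so a well-formed route-table filter does not match and the check returns 'fail' for every log group; it should read `AND pattern LIKE '%($.eventName = DisassociateRouteTable)%' then 'pass'`. The select list also emits `cloud_watch_logs_log_group_arn,` without the alias every other alarm macro in this commit uses, so the output column set differs from its siblings; use `cloud_watch_logs_log_group_arn as resource_id,`.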
@@ -51,3 +51,27 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_s3_bucket_policy_change(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case
+ when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventSource = s3.amazonaws.com)%'
+ AND pattern LIKE '%($.eventName = PutBucketAcl)%'
+ AND pattern LIKE '%($.eventName = PutBucketPolicy)%'
+ AND pattern LIKE '%($.eventName = PutBucketCors)%'
+ AND pattern LIKE '%($.eventName = PutBucketLifecycle)%'
+ AND pattern LIKE '%($.eventName = PutBucketReplication)%'
+ AND pattern LIKE '%($.eventName = DeleteBucketPolicy)%'
+ AND pattern LIKE '%($.eventName = DeleteBucketCors)%'
+ AND pattern LIKE '%($.eventName = DeleteBucketLifecycle)%'
+ AND pattern LIKE '%($.eventName = DeleteBucketReplication)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_security_group_changes.sql b/transformations/aws/macros/cloudwatch/alarm_security_group_changes.sql
index 7c7396c45..1973350e4 100644
--- a/transformations/aws/macros/cloudwatch/alarm_security_group_changes.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_security_group_changes.sql
@@ -41,3 +41,22 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_security_group_changes(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for security group changes (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = AuthorizeSecurityGroupIngress)%'
+ AND pattern LIKE '%($.eventName = AuthorizeSecurityGroupEgress)%'
+ AND pattern LIKE '%($.eventName = RevokeSecurityGroupIngress)%'
+ AND pattern LIKE '%($.eventName = RevokeSecurityGroupEgress)%'
+ AND pattern LIKE '%($.eventName = CreateSecurityGroup)%'
+ AND pattern LIKE '%($.eventName = DeleteSecurityGroup)%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
diff --git a/transformations/aws/macros/cloudwatch/alarm_unauthorized_api.sql b/transformations/aws/macros/cloudwatch/alarm_unauthorized_api.sql
index 04a3b9d0c..510c440fb 100644
--- a/transformations/aws/macros/cloudwatch/alarm_unauthorized_api.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_unauthorized_api.sql
@@ -33,3 +33,18 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_unauthorized_api(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.errorCode = "*UnauthorizedOperation")%'
+ AND pattern LIKE '%($.errorCode = "AccessDenied*")%' then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/cloudwatch/alarm_vpc_changes.sql b/transformations/aws/macros/cloudwatch/alarm_vpc_changes.sql
index a56774499..bb1578865 100644
--- a/transformations/aws/macros/cloudwatch/alarm_vpc_changes.sql
+++ b/transformations/aws/macros/cloudwatch/alarm_vpc_changes.sql
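Review bot: The title emitted by snowflake__alarm_unauthorized_api, `'Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)'`, describes a different control than the predicates below it, which test for `UnauthorizedOperation` and `AccessDenied` error codes; a compliance report generated from this macro would label an unauthorized-API-call finding as an MFA finding. The title should name the check the macro actually performs: `'Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)' as title,`.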
@@ -53,3 +53,28 @@ select
 end as status
 from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
 {% endmacro %}
+
+{% macro snowflake__alarm_vpc_changes(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure a log metric filter and alarm exist for VPC changes (Scored)' as title,
+ account_id,
+ cloud_watch_logs_log_group_arn as resource_id,
+ case when pattern NOT LIKE '%NOT%'
+ AND pattern LIKE '%($.eventName = CreateVpc)%'
+ AND pattern LIKE '%($.eventName = DeleteVpc)%'
+ AND pattern LIKE '%($.eventName = ModifyVpcAttribute)%'
+ AND pattern LIKE '%($.eventName = AcceptVpcPeeringConnection)%'
+ AND pattern LIKE '%($.eventName = CreateVpcPeeringConnection)%'
+ AND pattern LIKE '%($.eventName = DeleteVpcPeeringConnection)%'
+ AND pattern LIKE '%($.eventName = RejectVpcPeeringConnection)%'
+ AND pattern LIKE '%($.eventName = AttachClassicLinkVpc)%'
+ AND pattern LIKE '%($.eventName = DetachClassicLinkVpc)%'
+ AND pattern LIKE '%($.eventName = DisableVpcClassicLink)%'
+ AND pattern LIKE '%($.eventName = EnableVpcClassicLink)%'
+ then 'pass'
+ else 'fail'
+ end as status
+from {{ ref('aws_compliance__log_metric_filter_and_alarm') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_22.sql b/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_22.sql
index 8cde79c80..01853a791 100644
--- a/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_22.sql
+++ b/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_22.sql
@@ -39,4 +39,23 @@ select
 else 'pass'
 end
 from {{ ref('aws_compliance__security_group_ingress_rules') }}
+{% endmacro %}
+
+{% macro snowflake__no_broad_public_ingress_on_port_22(framework, check_id) %}
+-- uses view which uses aws_security_group_ingress_rules.sql query
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)' as title,
+ account_id,
+ arn,
+ case when
+ (ip = '0.0.0.0/0' or ip = '::/0')
+ and (
+ (from_port is null and to_port is null) -- all ports
+ or 22 between from_port and to_port)
+ then 'fail'
+ else 'pass'
+ end
+from {{ ref('aws_compliance__security_group_ingress_rules') }}
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_3389.sql b/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_3389.sql
index 1e802fd2d..59b6070f8 100644
--- a/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_3389.sql
+++ b/transformations/aws/macros/ec2/no_broad_public_ingress_on_port_3389.sql
@@ -41,3 +41,21 @@ select
 end
 from {{ ref('aws_compliance__security_group_ingress_rules') }}
 {% endmacro %}
+
+{% macro snowflake__no_broad_public_ingress_on_port_3389(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)' as title,
+ account_id,
+ arn,
+ case when
+ (ip = '0.0.0.0/0' or ip = '::/0')
+ and (
+ (from_port is null and to_port is null) -- all ports
+ or 3389 between from_port and to_port
+ ) then 'fail'
+ else 'pass'
+ end
+from {{ ref('aws_compliance__security_group_ingress_rules') }}
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/iam/mfa_enabled_for_root.sql b/transformations/aws/macros/iam/mfa_enabled_for_root.sql
index 80dbcaf68..2c44313e7 100644
--- a/transformations/aws/macros/iam/mfa_enabled_for_root.sql
+++ b/transformations/aws/macros/iam/mfa_enabled_for_root.sql
@@ -31,3 +31,17 @@ select
 end as status
 from {{ full_table_name("aws_iam_credential_reports") }}
 {% endmacro %}
+
+{% macro snowflake__mfa_enabled_for_root(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure MFA is enabled for the "root" account' as title,
+ split_part(arn, ':', 5) as account_id,
+ arn as resource_id,
+ case
+ when user = '' and not mfa_active then 'fail' -- TODO check
+ when user = '' and mfa_active then 'pass'
+ end as status
+from aws_iam_credential_reports
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/iam/password_policy_expire_old_passwords.sql b/transformations/aws/macros/iam/password_policy_expire_old_passwords.sql
index 2bfd544a1..cfa2c79bd 100644
--- a/transformations/aws/macros/iam/password_policy_expire_old_passwords.sql
+++ b/transformations/aws/macros/iam/password_policy_expire_old_passwords.sql
@@ -35,3 +35,19 @@ select
 from {{ full_table_name("aws_iam_password_policies") }}
 
 {% endmacro %}
+
+{% macro snowflake__password_policy_expire_old_passwords(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure IAM password policy expires passwords within 90 days or less' as title,
+ account_id,
+ account_id,
+ case when
+ (max_password_age is null or max_password_age > 90) or policy_exists = false
+ then 'fail'
+ else 'pass'
+ end
+from
+ aws_iam_password_policies
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/iam/password_policy_min_length.sql b/transformations/aws/macros/iam/password_policy_min_length.sql
index 79267f247..12bf73151 100644
--- a/transformations/aws/macros/iam/password_policy_min_length.sql
+++ b/transformations/aws/macros/iam/password_policy_min_length.sql
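Review bot: The `case` in snowflake__mfa_enabled_for_root has no `else` and the query has no `where`, so every non-root row of aws_iam_credential_reports is emitted with a NULL status, and the `-- TODO check` left on the root predicate means the one condition an MFA-on-root control depends on is unverified as it ships. In the IAM credential report the root row's user field is `<root_account>` rather than an empty string, so `user = ''` likely matches no row and the account is never reported either way; confirm against the non-Snowflake macro earlier in this file (outside the hunk) and restrict the query to that row, e.g. `where user = '<root_account>'` with `case when mfa_active then 'pass' else 'fail' end as status`, so that a NULL or false mfa_active fails closed. The TODO should be resolved or replaced by a comment stating what was verified.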
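Review bot: snowflake__password_policy_expire_old_passwords selects `account_id` twice without an alias, so the result has two identically named columns and no `resource_id`; Snowflake rejects a duplicate column name when the query is materialized as a view or table, and the output shape differs from the alarm macros in this commit. The second occurrence should read `account_id as resource_id,`, and the closing `end` should be `end as status` so the status column is named like its siblings. The same duplicated `account_id` appears in snowflake__password_policy_min_length, snowflake__password_policy_min_number, snowflake__password_policy_min_one_symbol and snowflake__password_policy_prevent_reuse in the following hunks, and min_length and prevent_reuse also leave `end` unaliased.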
@@ -35,3 +35,19 @@ select
 from {{ full_table_name("aws_iam_password_policies") }}
 
 {% endmacro %}
+
+{% macro snowflake__password_policy_min_length(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure IAM password policy requires minimum length of 14 or greater' as title,
+ account_id,
+ account_id,
+ case when
+ (minimum_password_length < 14) or policy_exists = FALSE
+ then 'fail'
+ else 'pass'
+ end
+from
+ aws_iam_password_policies
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/iam/password_policy_min_number.sql b/transformations/aws/macros/iam/password_policy_min_number.sql
index bbe894c72..4d97c3790 100644
--- a/transformations/aws/macros/iam/password_policy_min_number.sql
+++ b/transformations/aws/macros/iam/password_policy_min_number.sql
@@ -34,4 +34,20 @@ select
 end as status
 from {{ full_table_name("aws_iam_password_policies") }}
 
+{% endmacro %}
+
+{% macro snowflake__password_policy_min_number(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure IAM password policy requires at least one number' as title,
+ account_id,
+ account_id,
+ case when
+ require_numbers = FALSE or policy_exists = FALSE
+ then 'fail'
+ else 'pass'
+ end as status
+from
+ aws_iam_password_policies
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/iam/password_policy_min_one_symbol.sql b/transformations/aws/macros/iam/password_policy_min_one_symbol.sql
index a87f17e42..7ff24351b 100644
--- a/transformations/aws/macros/iam/password_policy_min_one_symbol.sql
+++ b/transformations/aws/macros/iam/password_policy_min_one_symbol.sql
@@ -34,4 +34,20 @@ select
 end as status
 from {{ full_table_name("aws_iam_password_policies") }}
 
+{% endmacro %}
+
+{% macro snowflake__password_policy_min_one_symbol(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure IAM password policy requires at least one symbol' as title,
+ account_id,
+ account_id,
+ case when
+ require_symbols = false or policy_exists = false
+ then 'fail'
+ else 'pass'
+ end as status
+from
+ aws_iam_password_policies
 {% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/iam/password_policy_prevent_reuse.sql b/transformations/aws/macros/iam/password_policy_prevent_reuse.sql
index 5fe3eb9d4..0c5f23c56 100644
--- a/transformations/aws/macros/iam/password_policy_prevent_reuse.sql
+++ b/transformations/aws/macros/iam/password_policy_prevent_reuse.sql
@@ -35,3 +35,19 @@ select
 from {{ full_table_name("aws_iam_password_policies") }}
 
 {% endmacro %}
+
+{% macro snowflake__password_policy_prevent_reuse(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure IAM password policy prevents password reuse' as title,
+ account_id,
+ account_id,
+ case when
+ password_reuse_prevention is distinct from 24
+ then 'fail'
+ else 'pass'
+ end
+from
+ aws_iam_password_policies
+{% endmacro %}
\ No newline at end of file
diff --git a/transformations/aws/macros/kms/rotation_enabled_for_customer_key.sql b/transformations/aws/macros/kms/rotation_enabled_for_customer_key.sql
index 703af914a..f4e1ac06f 100644
--- a/transformations/aws/macros/kms/rotation_enabled_for_customer_key.sql
+++ b/transformations/aws/macros/kms/rotation_enabled_for_customer_key.sql
@@ -33,3 +33,18 @@ select
 end
 from {{ full_table_name("aws_kms_keys") }}
 {% endmacro %}
+
+{% macro snowflake__rotation_enabled_for_customer_key(framework, check_id) %}
+select
+ '{{framework}}' as framework,
+ '{{check_id}}' as check_id,
+ 'Ensure rotation for customer created custom master keys is enabled (Scored)' as title,
+ account_id,
+ arn,
+ case when
+ not rotation_enabled and key_manager = 'CUSTOMER'
+ then 'fail'
+ else 'pass'
+ end
+from aws_kms_keys
+{% endmacro %}
\ No newline at end of file
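Review bot: In snowflake__rotation_enabled_for_customer_key a NULL `rotation_enabled` makes `not rotation_enabled and key_manager = 'CUSTOMER'` UNKNOWN, so a customer key whose rotation status was not collected lands in `else 'pass'`; if an unknown status should not count as compliant, write `coalesce(rotation_enabled, false) = false and key_manager = 'CUSTOMER'`. The select list also emits `arn,` and `end` without aliases, so the output has no `resource_id` or `status` column unlike the alarm macros in this commit; `arn as resource_id,` and `end as status` keep the shape uniform (the two ec2 ingress macros earlier in this commit have the same unaliased `arn` and `end`).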