fix: Added queries for AWS Foundational Security for Postgres - Free (#…

…433)
cloudquery · Dec 13, 2023 · 1899bb4 · 1899bb4
1 parent 94c8a5e
commit 1899bb4
Show file tree

Hide file tree

Showing 7 changed files with 149 additions and 1 deletion.
diff --git a/transformations/aws/compliance-free/models/aws_compliance__foundational_security_free.sql b/transformations/aws/compliance-free/models/aws_compliance__foundational_security_free.sql
@@ -1,4 +1,4 @@
-{{ config(enabled=block_bigquery() and block_postgres()) }}
+{{ config(enabled=block_bigquery()) }}
 
 with
     aggregated as (

diff --git a/transformations/aws/macros/apigateway/api_gw_access_logging_should_be_configured.sql b/transformations/aws/macros/apigateway/api_gw_access_logging_should_be_configured.sql
@@ -1,4 +1,25 @@
 {% macro api_gw_access_logging_should_be_configured(framework, check_id) %}
+  {{ return(adapter.dispatch('api_gw_access_logging_should_be_configured')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_access_logging_should_be_configured(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_access_logging_should_be_configured(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'Access logging should be configured for API Gateway V2 Stages' as title,
+    account_id, 
+    arn AS resource_id,
+    CASE
+        WHEN coalesce(cast(access_log_settings as TEXT), '') = '' THEN 'fail'
+        ELSE 'pass'
+    END AS status
+FROM 
+    aws_apigatewayv2_api_stages
+{% endmacro %}
+
+{% macro snowflake__api_gw_access_logging_should_be_configured(framework, check_id) %}
 select
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/apigateway/api_gw_associated_wth_waf.sql b/transformations/aws/macros/apigateway/api_gw_associated_wth_waf.sql
@@ -1,4 +1,25 @@
 {% macro api_gw_associated_wth_waf(framework, check_id) %}
+  {{ return(adapter.dispatch('api_gw_associated_wth_waf')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_associated_wth_waf(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_associated_wth_waf(framework, check_id) %}
+SELECT 
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway should be associated with a WAF We0ACL' as title,
+    account_id, 
+    arn as resource_id,
+    CASE
+        WHEN web_acl_arn is not null THEN 'pass'
+        ELSE 'fail'
+    END as status
+FROM 
+    aws_apigateway_rest_api_stages
+{% endmacro %}
+
+{% macro snowflake__api_gw_associated_wth_waf(framework, check_id) %}
 SELECT 
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/apigateway/api_gw_cache_data_encrypted.sql b/transformations/aws/macros/apigateway/api_gw_cache_data_encrypted.sql
@@ -1,4 +1,50 @@
 {% macro api_gw_cache_data_encrypted(framework, check_id) %}
+  {{ return(adapter.dispatch('api_gw_cache_data_encrypted')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_cache_data_encrypted(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_cache_data_encrypted(framework, check_id) %}
+with bad_methods as (
+	SELECT DISTINCT
+		s.arn
+	FROM
+		aws_apigateway_rest_api_stages s,
+		jsonb_each(COALESCE(s.method_settings, '{}'::jsonb)) as ms
+	WHERE
+		ms IS not NULL
+		AND
+		ms.value->>'CachingEnabled' = 'true'
+		AND
+		ms.value->>'CacheDataEncrypted' <> 'true'
+),
+cache_enabled AS (
+SELECT DISTINCT
+    s.arn,
+    s.account_id
+FROM
+    aws_apigateway_rest_api_stages s,
+    LATERAL jsonb_each(COALESCE(s.method_settings, '{}'::jsonb)) as ms
+WHERE
+    ms.value->>'CachingEnabled' = 'true'
+)
+SELECT
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway REST API cache data should be encrypted at rest' as title,
+    ce.account_id,
+    ce.arn as resource_id,
+    CASE
+        WHEN b.arn is not null THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM 
+    cache_enabled ce
+    LEFT JOIN bad_methods as b
+        ON ce.arn = b.arn
+{% endmacro %}
+
+{% macro snowflake__api_gw_cache_data_encrypted(framework, check_id) %}
 with bad_methods as (
 select DISTINCT
     arn

diff --git a/transformations/aws/macros/apigateway/api_gw_routes_should_specify_authorization_type.sql b/transformations/aws/macros/apigateway/api_gw_routes_should_specify_authorization_type.sql
@@ -1,4 +1,25 @@
 {% macro api_gw_routes_should_specify_authorization_type(framework, check_id) %}
+  {{ return(adapter.dispatch('api_gw_routes_should_specify_authorization_type')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_routes_should_specify_authorization_type(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_routes_should_specify_authorization_type(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway routes should specify an authorization type' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN authorization_type IS NULL OR authorization_type = '' OR authorization_type = 'NONE' THEN 'fail'
+        ELSE 'pass'
+    END AS status
+FROM 
+    aws_apigatewayv2_api_routes
+{% endmacro %}
+
+{% macro snowflake__api_gw_routes_should_specify_authorization_type(framework, check_id) %}
 select
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/efs/access_point_enforce_user_identity.sql b/transformations/aws/macros/efs/access_point_enforce_user_identity.sql
@@ -38,4 +38,22 @@ select
     END as status
 FROM 
     {{ full_table_name("aws_efs_access_points") }}
+{% endmacro %}
+
+{% macro postgres__access_point_enforce_user_identity(framework, check_id) %}
+select 
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'EFS access points should enforce a user identity' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+      WHEN posix_user IS NULL 
+        OR posix_user->>'uid' IS NULL
+        OR posix_user->>'gid' IS NULL
+      THEN 'fail'
+      ELSE 'pass'
+    END as status
+FROM 
+    aws_efs_access_points
 {% endmacro %}
diff --git a/transformations/aws/macros/efs/access_point_path_should_not_be_root.sql b/transformations/aws/macros/efs/access_point_path_should_not_be_root.sql
@@ -1,4 +1,25 @@
 {% macro access_point_path_should_not_be_root(framework, check_id) %}
+  {{ return(adapter.dispatch('access_point_path_should_not_be_root')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__access_point_path_should_not_be_root(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__access_point_path_should_not_be_root(framework, check_id) %}
+select 
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'EFS access points should enforce a root directory' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN root_directory->>'Path' = '/' THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM 
+    aws_efs_access_points
+{% endmacro %}
+
+{% macro snowflake__access_point_path_should_not_be_root(framework, check_id) %}
 select 
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,