diff --git a/transformations/aws/compliance-free/models/aws_compliance__foundational_security_free.sql b/transformations/aws/compliance-free/models/aws_compliance__foundational_security_free.sql index e63305dba..1e3f3dca1 100644 --- a/transformations/aws/compliance-free/models/aws_compliance__foundational_security_free.sql +++ b/transformations/aws/compliance-free/models/aws_compliance__foundational_security_free.sql @@ -1,4 +1,4 @@ -{{ config(enabled=block_bigquery() and block_postgres()) }} +{{ config(enabled=block_bigquery()) }} with aggregated as ( diff --git a/transformations/aws/macros/apigateway/api_gw_access_logging_should_be_configured.sql b/transformations/aws/macros/apigateway/api_gw_access_logging_should_be_configured.sql index 7dc86da31..551742e01 100644 --- a/transformations/aws/macros/apigateway/api_gw_access_logging_should_be_configured.sql +++ b/transformations/aws/macros/apigateway/api_gw_access_logging_should_be_configured.sql @@ -1,4 +1,25 @@ {% macro api_gw_access_logging_should_be_configured(framework, check_id) %} + {{ return(adapter.dispatch('api_gw_access_logging_should_be_configured')(framework, check_id)) }} +{% endmacro %} + +{% macro default__api_gw_access_logging_should_be_configured(framework, check_id) %}{% endmacro %} + +{% macro postgres__api_gw_access_logging_should_be_configured(framework, check_id) %} +select + '{{framework}}' As framework, + '{{check_id}}' As check_id, + 'Access logging should be configured for API Gateway V2 Stages' as title, + account_id, + arn AS resource_id, + CASE + WHEN coalesce(cast(access_log_settings as TEXT), '') = '' THEN 'fail' + ELSE 'pass' + END AS status +FROM + aws_apigatewayv2_api_stages +{% endmacro %} + +{% macro snowflake__api_gw_access_logging_should_be_configured(framework, check_id) %} select '{{framework}}' As framework, '{{check_id}}' As check_id, 
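Review bot: The fail condition in the new postgres macro, `coalesce(cast(access_log_settings as TEXT), '') = ''`, only catches a SQL NULL; if `access_log_settings` is a json/jsonb column, a JSON `null` or an empty object `{}` casts to the text `'null'`/`'{}'` and the stage is reported as `pass` with no logging destination configured. Testing the field the control actually needs is both tighter and NULL-safe, since `->>` on a NULL column yields NULL: `WHEN access_log_settings->>'DestinationArn' IS NULL THEN 'fail'` (key casing assumed to follow the SDK-style keys used elsewhere in this change, e.g. `'CachingEnabled'`). I can't see the column type from here, so confirm it is jsonb before switching; if it is plain text the current form is adequate. The snowflake variant that follows the hunk's last context line runs past the end of the hunk.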
diff --git a/transformations/aws/macros/apigateway/api_gw_associated_wth_waf.sql b/transformations/aws/macros/apigateway/api_gw_associated_wth_waf.sql
index e56233ea4..6e8b25b19 100644
--- a/transformations/aws/macros/apigateway/api_gw_associated_wth_waf.sql
+++ b/transformations/aws/macros/apigateway/api_gw_associated_wth_waf.sql
@@ -1,4 +1,25 @@
 {% macro api_gw_associated_wth_waf(framework, check_id) %}
+    {{ return(adapter.dispatch('api_gw_associated_wth_waf')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_associated_wth_waf(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_associated_wth_waf(framework, check_id) %}
+SELECT
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway should be associated with a WAF We0ACL' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN web_acl_arn is not null THEN 'pass'
+        ELSE 'fail'
+    END as status
+FROM
+    aws_apigateway_rest_api_stages
+{% endmacro %}
+
+{% macro snowflake__api_gw_associated_wth_waf(framework, check_id) %}
 SELECT
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,
diff --git a/transformations/aws/macros/apigateway/api_gw_cache_data_encrypted.sql b/transformations/aws/macros/apigateway/api_gw_cache_data_encrypted.sql
index 9f4be3b7c..374494316 100644
--- a/transformations/aws/macros/apigateway/api_gw_cache_data_encrypted.sql
+++ b/transformations/aws/macros/apigateway/api_gw_cache_data_encrypted.sql
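Review bot: The title literal in the postgres macro carries a typo, `'API Gateway should be associated with a WAF We0ACL'`; this string is what the compliance model surfaces to users, so it should read `'API Gateway should be associated with a WAF Web ACL' as title,`. Separately, `web_acl_arn is not null` reports `pass` for a stage whose column holds an empty string; if the loader can store `''` rather than NULL for an unassociated stage, `WHEN coalesce(web_acl_arn, '') <> '' THEN 'pass'` is the safer form, and it is a no-op otherwise. The snowflake variant continues past the end of the hunk, so I can't confirm whether it shares the typo.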
@@ -1,4 +1,50 @@
 {% macro api_gw_cache_data_encrypted(framework, check_id) %}
+    {{ return(adapter.dispatch('api_gw_cache_data_encrypted')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_cache_data_encrypted(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_cache_data_encrypted(framework, check_id) %}
+with bad_methods as (
+    SELECT DISTINCT
+        s.arn
+    FROM
+        aws_apigateway_rest_api_stages s,
+        jsonb_each(COALESCE(s.method_settings, '{}'::jsonb)) as ms
+    WHERE
+        ms IS not NULL
+        AND
+        ms.value->>'CachingEnabled' = 'true'
+        AND
+        ms.value->>'CacheDataEncrypted' <> 'true'
+),
+cache_enabled AS (
+SELECT DISTINCT
+    s.arn,
+    s.account_id
+FROM
+    aws_apigateway_rest_api_stages s,
+    LATERAL jsonb_each(COALESCE(s.method_settings, '{}'::jsonb)) as ms
+WHERE
+    ms.value->>'CachingEnabled' = 'true'
+)
+SELECT
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway REST API cache data should be encrypted at rest' as title,
+    ce.account_id,
+    ce.arn as resource_id,
+    CASE
+        WHEN b.arn is not null THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM
+    cache_enabled ce
+    LEFT JOIN bad_methods as b
+    ON ce.arn = b.arn
+{% endmacro %}
+
+{% macro snowflake__api_gw_cache_data_encrypted(framework, check_id) %}
 with bad_methods as (
 select DISTINCT
 arn
diff --git a/transformations/aws/macros/apigateway/api_gw_routes_should_specify_authorization_type.sql b/transformations/aws/macros/apigateway/api_gw_routes_should_specify_authorization_type.sql
index 6f6267ace..2da757caf 100644
--- a/transformations/aws/macros/apigateway/api_gw_routes_should_specify_authorization_type.sql
+++ b/transformations/aws/macros/apigateway/api_gw_routes_should_specify_authorization_type.sql
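Review bot: In `bad_methods`, `ms.value->>'CacheDataEncrypted' <> 'true'` evaluates to NULL when the key is absent from a method setting, so a method with `CachingEnabled = true` and no `CacheDataEncrypted` entry is never flagged and its stage reports `pass` — an encryption check failing open. `coalesce(ms.value->>'CacheDataEncrypted', 'false') <> 'true'` (or `ms.value->>'CacheDataEncrypted' IS DISTINCT FROM 'true'`) makes a missing value count as unencrypted while leaving every populated row unchanged. The `ms IS not NULL` predicate in the same CTE is a no-op on a `jsonb_each` row and is absent from `cache_enabled`, which also spells the same join with `LATERAL`; dropping the predicate and using `LATERAL` in both CTEs would make the two read alike. Whether the API ever omits `CacheDataEncrypted` for a caching-enabled method I can't confirm from here, but the guard is cheap.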
@@ -1,4 +1,25 @@
 {% macro api_gw_routes_should_specify_authorization_type(framework, check_id) %}
+    {{ return(adapter.dispatch('api_gw_routes_should_specify_authorization_type')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_routes_should_specify_authorization_type(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_routes_should_specify_authorization_type(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway routes should specify an authorization type' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN authorization_type IS NULL OR authorization_type = '' OR authorization_type = 'NONE' THEN 'fail'
+        ELSE 'pass'
+    END AS status
+FROM
+    aws_apigatewayv2_api_routes
+{% endmacro %}
+
+{% macro snowflake__api_gw_routes_should_specify_authorization_type(framework, check_id) %}
 select
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,
diff --git a/transformations/aws/macros/efs/access_point_enforce_user_identity.sql b/transformations/aws/macros/efs/access_point_enforce_user_identity.sql
index ada9313ec..4cf2816e2 100644
--- a/transformations/aws/macros/efs/access_point_enforce_user_identity.sql
+++ b/transformations/aws/macros/efs/access_point_enforce_user_identity.sql
@@ -38,4 +38,22 @@ select
     END as status
 FROM
     {{ full_table_name("aws_efs_access_points") }}
+{% endmacro %}
+
+{% macro postgres__access_point_enforce_user_identity(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'EFS access points should enforce a user identity' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN posix_user IS NULL
+        OR posix_user->>'uid' IS NULL
+        OR posix_user->>'gid' IS NULL
+        THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM
+    aws_efs_access_points
 {% endmacro %}
\ No newline at end of file
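Review bot: `default__api_gw_routes_should_specify_authorization_type` is an empty macro, so on any adapter other than postgres or snowflake the dispatch renders nothing and this check silently drops out of the compliance model instead of failing the build. Raising from the default branch, `{% macro default__api_gw_routes_should_specify_authorization_type(framework, check_id) %}{{ exceptions.raise_compiler_error("api_gw_routes_should_specify_authorization_type is not implemented for " ~ target.type) }}{% endmacro %}`, turns a missing implementation into a visible compile error. Every other macro in this change uses the same empty `default__` pattern; I'm raising it once here. If silent omission on unsupported adapters is intended, a one-line comment in the default macro saying so would stop the next reader from asking the same question.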
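Review bot: The postgres macro reads `posix_user->>'uid'` and `posix_user->>'gid'`, while the sibling EFS macro in this same change reads `root_directory->>'Path'` and the API Gateway macros read `'CachingEnabled'`/`'CacheDataEncrypted'` — the stored JSON elsewhere keeps the SDK's PascalCase field names. If `posix_user` is stored the same way its keys are `Uid`/`Gid`; `->>` is case-sensitive, so every access point would be reported `fail` regardless of configuration. Verify the key names against a stored row and, if they are PascalCase, change the two lines to `OR posix_user->>'Uid' IS NULL` and `OR posix_user->>'Gid' IS NULL`. The macro whose tail forms the hunk's leading context begins outside the hunk, so I can't compare which key names it uses.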
diff --git a/transformations/aws/macros/efs/access_point_path_should_not_be_root.sql b/transformations/aws/macros/efs/access_point_path_should_not_be_root.sql
index 689008bd6..0088cbcfb 100644
--- a/transformations/aws/macros/efs/access_point_path_should_not_be_root.sql
+++ b/transformations/aws/macros/efs/access_point_path_should_not_be_root.sql
@@ -1,4 +1,25 @@
 {% macro access_point_path_should_not_be_root(framework, check_id) %}
+    {{ return(adapter.dispatch('access_point_path_should_not_be_root')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__access_point_path_should_not_be_root(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__access_point_path_should_not_be_root(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'EFS access points should enforce a root directory' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN root_directory->>'Path' = '/' THEN 'fail'
+        ELSE 'pass'
+    END as status
+FROM
+    aws_efs_access_points
+{% endmacro %}
+
+{% macro snowflake__access_point_path_should_not_be_root(framework, check_id) %}
 select
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,
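Review bot: `WHEN root_directory->>'Path' = '/' THEN 'fail'` evaluates to NULL, and therefore falls through to `pass`, when `root_directory` is NULL or has no `Path` key, so an access point with no root directory recorded is reported compliant even though EFS treats a missing root directory as `/`. `WHEN coalesce(root_directory->>'Path', '/') = '/' THEN 'fail'` keeps the same result for every populated row and fails closed on the missing case. Whether the loader can leave this column NULL I can't tell from here; the guard is cheap either way. The snowflake variant continues past the end of the hunk.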