feat: Added queries for AWS Foundational Security for Postgres - Prem…

…ium (#451) * feat: Added queries for AWS Foundational Security for Postgres - Premium * Change postgres version from 11 to 15 * Upated query neptune_cluster_snapshot_public_prohibited * Changed queries
cloudquery · Jan 3, 2024 · a2f23f0 · a2f23f0
1 parent ef8de33
commit a2f23f0
Show file tree

Hide file tree

Showing 120 changed files with 2,882 additions and 16 deletions.
diff --git a/transformations/aws/compliance-premium/models/aws_compliance__foundational_security.sql b/transformations/aws/compliance-premium/models/aws_compliance__foundational_security.sql
@@ -1,4 +1,4 @@
-{{ config(enabled=block_bigquery() and block_postgres()) }}
+{{ config(enabled=block_bigquery()) }}
 
 with
     aggregated as (
@@ -390,7 +390,7 @@ with
         union
         ({{ security_account_information_provided('foundational_security','account.1') }})
         union
-         ({{ security_groups_not_associated('foundational_security','ec2.22') }})
+        ({{ security_groups_not_associated('foundational_security','ec2.22') }})
         union 
         ({{ security_groups_with_access_to_unauthorized_ports('foundational_security','ec2.18') }})
         union

diff --git a/transformations/aws/macros/account/security_account_information_provided.sql b/transformations/aws/macros/account/security_account_information_provided.sql
@@ -28,6 +28,7 @@ select
   '{{check_id}}' as check_id,
   'Security contact information should be provided for an AWS account' as title,
   aws_iam_accounts.account_id,
+  aws_iam_accounts.account_id as resource_id,
   case when
     alternate_contact_type is null
     then 'fail'

diff --git a/transformations/aws/macros/acm/rsa_certificate_key_length_should_be_more_than_2048_bits.sql b/transformations/aws/macros/acm/rsa_certificate_key_length_should_be_more_than_2048_bits.sql
@@ -1,4 +1,26 @@
 {% macro rsa_certificate_key_length_should_be_more_than_2048_bits(framework, check_id) %}
+  {{ return(adapter.dispatch('rsa_certificate_key_length_should_be_more_than_2048_bits')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__rsa_certificate_key_length_should_be_more_than_2048_bits(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__rsa_certificate_key_length_should_be_more_than_2048_bits(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'rsa certificate key length is less than 2048 bits' as title,
+  account_id,
+  arn AS resource_id,
+  CASE
+  WHEN key_algorithm IN ('RSA-1024', 'RSA 1024', 'RSA_1024')
+  THEN 'fail' 
+  ELSE 'pass'
+  END AS status
+FROM aws_acm_certificates
+WHERE left(key_algorithm, 3) = 'RSA'
+{% endmacro %}
+
+{% macro snowflake__rsa_certificate_key_length_should_be_more_than_2048_bits(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/apigateway/api_gw_stage_should_have_xray_tracing_enabled.sql b/transformations/aws/macros/apigateway/api_gw_stage_should_have_xray_tracing_enabled.sql
@@ -1,4 +1,25 @@
 {% macro api_gw_stage_should_have_xray_tracing_enabled(framework, check_id) %}
+  {{ return(adapter.dispatch('api_gw_stage_should_have_xray_tracing_enabled')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_stage_should_have_xray_tracing_enabled(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_stage_should_have_xray_tracing_enabled(framework, check_id) %}
+select 
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway REST API stages should have AWS X-Ray tracing enabled' as title,
+    account_id, 
+    arn as resource_id,
+    CASE
+        WHEN tracing_enabled = true THEN 'pass'
+        ELSE 'fail'
+    END as status
+FROM 
+    aws_apigateway_rest_api_stages
+{% endmacro %}
+
+{% macro snowflake__api_gw_stage_should_have_xray_tracing_enabled(framework, check_id) %}
 select 
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/apigateway/api_gw_stage_should_use_ssl.sql b/transformations/aws/macros/apigateway/api_gw_stage_should_use_ssl.sql
@@ -1,4 +1,25 @@
 {% macro api_gw_stage_should_use_ssl(framework, check_id) %}
+  {{ return(adapter.dispatch('api_gw_stage_should_use_ssl')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__api_gw_stage_should_use_ssl(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__api_gw_stage_should_use_ssl(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'API Gateway REST API stages should be configured to use SSL certificates for backend authentication' as title,
+    account_id,
+    arn as resource_id,
+    CASE
+        WHEN client_certificate_id is not null THEN 'pass'
+        ELSE 'fail'
+    END as status
+
+from aws_apigateway_rest_api_stages
+{% endmacro %}
+
+{% macro snowflake__api_gw_stage_should_use_ssl(framework, check_id) %}
 select
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/appsync/appsync_should_have_logging_turned_on.sql b/transformations/aws/macros/appsync/appsync_should_have_logging_turned_on.sql
@@ -1,4 +1,26 @@
 {% macro appsync_should_have_logging_turned_on(framework, check_id) %}
+  {{ return(adapter.dispatch('appsync_should_have_logging_turned_on')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__appsync_should_have_logging_turned_on(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__appsync_should_have_logging_turned_on(framework, check_id) %}
+select
+    '{{framework}}' As framework,
+    '{{check_id}}' As check_id,
+    'AWS AppSync should have request-level and field-level logging turned on' as title, 
+    account_id, 
+    arn as resource_id,
+    CASE
+        WHEN (log_config ->> 'cloudWatchLogsRoleArn' IS NULL OR log_config ->> 'cloudWatchLogsRoleArn' = '')
+            OR 
+            log_config ->> 'fieldLogLevel' = 'NONE' THEN 'fail'
+        ELSE 'pass'
+    END AS status
+FROM aws_appsync_graphql_apis
+{% endmacro %}
+
+{% macro snowflake__appsync_should_have_logging_turned_on(framework, check_id) %}
 select
     '{{framework}}' As framework,
     '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/athena/athena_workgroup_encrypted_at_rest.sql b/transformations/aws/macros/athena/athena_workgroup_encrypted_at_rest.sql
@@ -1,4 +1,23 @@
 {% macro athena_workgroup_encrypted_at_rest(framework, check_id) %}
+  {{ return(adapter.dispatch('athena_workgroup_encrypted_at_rest')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__athena_workgroup_encrypted_at_rest(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__athena_workgroup_encrypted_at_rest(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Athena workgroups should be encrypted at rest' AS "title",
+  account_id,
+  arn as resource_id,
+  case  
+        WHEN CONFIGURATION -> 'ResultConfiguration' ->> 'EncryptionConfiguration' IS NULL THEN 'fail'
+        else 'pass' end as status
+from aws_athena_work_groups
+{% endmacro %}
+
+{% macro snowflake__athena_workgroup_encrypted_at_rest(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_group_elb_healthcheck_required.sql b/transformations/aws/macros/autoscaling/autoscaling_group_elb_healthcheck_required.sql
@@ -1,4 +1,27 @@
 {% macro autoscaling_group_elb_healthcheck_required(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_group_elb_healthcheck_required')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_group_elb_healthcheck_required(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_group_elb_healthcheck_required(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Auto Scaling groups associated with a Classic Load Balancer should use load balancer health checks' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when array_length(load_balancer_names, 1) = 0 and array_length(target_group_arns, 1) = 0 then 'fail'
+  when health_check_type not like '%ELB%' then 'fail'
+  else 'pass'
+  END
+    AS status
+FROM
+  aws_autoscaling_groups
+{% endmacro %}
+
+{% macro snowflake__autoscaling_group_elb_healthcheck_required(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_launch_config_hop_limit.sql b/transformations/aws/macros/autoscaling/autoscaling_launch_config_hop_limit.sql
@@ -1,4 +1,26 @@
 {% macro autoscaling_launch_config_hop_limit(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_launch_config_hop_limit')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_launch_config_hop_limit(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_launch_config_hop_limit(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when (METADATA_OPTIONS ->> 'HttpPutResponseHopLimit')::integer > 1 then 'fail'
+    else 'pass'
+  END
+    AS status
+FROM
+  aws_autoscaling_launch_configurations
+{% endmacro %}
+
+{% macro snowflake__autoscaling_launch_config_hop_limit(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_launch_config_public_ip_disabled.sql b/transformations/aws/macros/autoscaling/autoscaling_launch_config_public_ip_disabled.sql
@@ -1,4 +1,26 @@
 {% macro autoscaling_launch_config_public_ip_disabled(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_launch_config_public_ip_disabled')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_launch_config_public_ip_disabled(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_launch_config_public_ip_disabled(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when associate_public_ip_address = true then 'fail'
+    else 'pass'
+  END
+    AS status
+FROM
+  aws_autoscaling_launch_configurations
+{% endmacro %}
+
+{% macro snowflake__autoscaling_launch_config_public_ip_disabled(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_launch_template.sql b/transformations/aws/macros/autoscaling/autoscaling_launch_template.sql
@@ -1,4 +1,26 @@
 {% macro autoscaling_launch_template(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_launch_template')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_launch_template(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_launch_template(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when (LAUNCH_TEMPLATE)::Text is null then 'fail'
+    else 'pass'
+  END
+    AS status
+FROM
+  aws_autoscaling_groups
+{% endmacro %}
+
+{% macro snowflake__autoscaling_launch_template(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_launchconfig_requires_imdsv2.sql b/transformations/aws/macros/autoscaling/autoscaling_launchconfig_requires_imdsv2.sql
@@ -1,4 +1,26 @@
 {% macro autoscaling_launchconfig_requires_imdsv2(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_launchconfig_requires_imdsv2')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_launchconfig_requires_imdsv2(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_launchconfig_requires_imdsv2(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when METADATA_OPTIONS ->> 'HttpTokens' = 'required' then 'pass'
+    else 'fail'
+  END
+    AS status
+FROM
+  aws_autoscaling_launch_configurations
+{% endmacro %}
+
+{% macro snowflake__autoscaling_launchconfig_requires_imdsv2(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_multiple_az.sql b/transformations/aws/macros/autoscaling/autoscaling_multiple_az.sql
@@ -1,4 +1,26 @@
 {% macro autoscaling_multiple_az(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_multiple_az')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_multiple_az(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_multiple_az(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Amazon EC2 Auto Scaling group should cover multiple Availability Zones' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when array_length(availability_zones, 1) > 1 then 'pass'
+  else 'fail'
+  END
+    AS status
+FROM
+  aws_autoscaling_groups
+{% endmacro %}
+
+{% macro snowflake__autoscaling_multiple_az(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/autoscaling/autoscaling_multiple_instance_types.sql b/transformations/aws/macros/autoscaling/autoscaling_multiple_instance_types.sql
@@ -1,4 +1,33 @@
 {% macro autoscaling_multiple_instance_types(framework, check_id) %}
+  {{ return(adapter.dispatch('autoscaling_multiple_instance_types')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__autoscaling_multiple_instance_types(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__autoscaling_multiple_instance_types(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'Auto Scaling groups should use multiple instance types in multiple Availability Zones' AS "title",
+  aag.account_id,
+  ditc.arn AS resource_id,
+  ditc.status
+FROM aws_autoscaling_groups as aag
+JOIN (
+  SELECT
+    arn,
+    CASE
+      WHEN COUNT(DISTINCT instance ->> 'InstanceType') > 1 THEN 'pass'
+      ELSE 'fail'
+    END AS status
+  FROM
+    aws_autoscaling_groups AS aag,
+    JSONB_ARRAY_ELEMENTS(aag.INSTANCES) as instance
+  GROUP BY arn
+) AS ditc ON aag.arn = ditc.arn
+{% endmacro %}
+
+{% macro snowflake__autoscaling_multiple_instance_types(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,

diff --git a/transformations/aws/macros/cloudformation/cloudformation_stack_notification_check.sql b/transformations/aws/macros/cloudformation/cloudformation_stack_notification_check.sql
@@ -1,4 +1,26 @@
 {% macro cloudformation_stack_notification_check(framework, check_id) %}
+  {{ return(adapter.dispatch('cloudformation_stack_notification_check')(framework, check_id)) }}
+{% endmacro %}
+
+{% macro default__cloudformation_stack_notification_check(framework, check_id) %}{% endmacro %}
+
+{% macro postgres__cloudformation_stack_notification_check(framework, check_id) %}
+select
+  '{{framework}}' As framework,
+  '{{check_id}}' As check_id,
+  'CloudFormation stacks should be integrated with Simple Notification Service (SNS)' AS "title",
+  account_id,
+  arn AS resource_id,
+  case
+  when array_length(notification_arns, 1) > 0 then 'pass'
+  else 'fail'
+  END
+    AS status
+FROM
+  aws_cloudformation_stacks
+{% endmacro %}
+
+{% macro snowflake__cloudformation_stack_notification_check(framework, check_id) %}
 select
   '{{framework}}' As framework,
   '{{check_id}}' As check_id,