fix: Added queries for AWS Foundational Security for Postgres - Free #433

Merged
merged 3 commits into from
Dec 13, 2023
Merged
@@ -1,4 +1,4 @@
{{ config(enabled=block_bigquery() and block_postgres()) }}
{{ config(enabled=block_bigquery()) }}

with
aggregated as (
@@ -1,4 +1,25 @@
{% macro api_gw_access_logging_should_be_configured(framework, check_id) %}
{{ return(adapter.dispatch('api_gw_access_logging_should_be_configured')(framework, check_id)) }}
{% endmacro %}

{% macro default__api_gw_access_logging_should_be_configured(framework, check_id) %}{% endmacro %}

{% macro postgres__api_gw_access_logging_should_be_configured(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'Access logging should be configured for API Gateway V2 Stages' as title,
account_id,
arn AS resource_id,
CASE
WHEN coalesce(cast(access_log_settings as TEXT), '') = '' THEN 'fail'
ELSE 'pass'
END AS status
FROM
aws_apigatewayv2_api_stages
{% endmacro %}

{% macro snowflake__api_gw_access_logging_should_be_configured(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
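Review bot: The postgres macro reads from the bare relation `aws_apigatewayv2_api_stages`, and the same pattern is used in the postgres macros of the api_gw_associated_wth_waf, api_gw_cache_data_encrypted, api_gw_routes_should_specify_authorization_type, access_point_enforce_user_identity and access_point_path_should_not_be_root hunks, whereas the existing snowflake macro in the EFS access-point file resolves its relation through `{{ full_table_name("aws_efs_access_points") }}`. A hard-coded name depends on the search_path of whichever session runs the check and will silently bind to a same-named table in another schema if one exists; if `full_table_name` is adapter-aware, `FROM {{ full_table_name("aws_apigatewayv2_api_stages") }}` would keep the Postgres path consistent with the other adapters. The status expression also treats only an empty string as "not configured": if `access_log_settings` is a JSON column, `cast(... as TEXT)` of an empty object yields `'{}'` and the stage is reported as pass, so this is worth confirming against the column type. The snowflake macro that starts at the bottom of the hunk continues outside it.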
@@ -1,4 +1,25 @@
{% macro api_gw_associated_wth_waf(framework, check_id) %}
{{ return(adapter.dispatch('api_gw_associated_wth_waf')(framework, check_id)) }}
{% endmacro %}

{% macro default__api_gw_associated_wth_waf(framework, check_id) %}{% endmacro %}

{% macro postgres__api_gw_associated_wth_waf(framework, check_id) %}
SELECT
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'API Gateway should be associated with a WAF We0ACL' as title,
account_id,
arn as resource_id,
CASE
WHEN web_acl_arn is not null THEN 'pass'
ELSE 'fail'
END as status
FROM
aws_apigateway_rest_api_stages
{% endmacro %}

{% macro snowflake__api_gw_associated_wth_waf(framework, check_id) %}
SELECT
'{{framework}}' As framework,
'{{check_id}}' As check_id,
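Review bot: The title literal in the postgres macro reads `'API Gateway should be associated with a WAF We0ACL'`; "We0ACL" looks like a typo for "Web ACL", and since this string is what ends up in the report it should be `'API Gateway should be associated with a WAF Web ACL' as title,`. The snowflake macro below carries its own copy of the title, so check that both adapters spell it identically and produce the same check output. The snowflake macro continues past the end of the hunk.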
@@ -1,4 +1,50 @@
{% macro api_gw_cache_data_encrypted(framework, check_id) %}
{{ return(adapter.dispatch('api_gw_cache_data_encrypted')(framework, check_id)) }}
{% endmacro %}

{% macro default__api_gw_cache_data_encrypted(framework, check_id) %}{% endmacro %}

{% macro postgres__api_gw_cache_data_encrypted(framework, check_id) %}
with bad_methods as (
SELECT DISTINCT
s.arn
FROM
aws_apigateway_rest_api_stages s,
jsonb_each(COALESCE(s.method_settings, '{}'::jsonb)) as ms
WHERE
ms IS not NULL
AND
ms.value->>'CachingEnabled' = 'true'
AND
ms.value->>'CacheDataEncrypted' <> 'true'
),
cache_enabled AS (
SELECT DISTINCT
s.arn,
s.account_id
FROM
aws_apigateway_rest_api_stages s,
LATERAL jsonb_each(COALESCE(s.method_settings, '{}'::jsonb)) as ms
WHERE
ms.value->>'CachingEnabled' = 'true'
)
SELECT
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'API Gateway REST API cache data should be encrypted at rest' as title,
ce.account_id,
ce.arn as resource_id,
CASE
WHEN b.arn is not null THEN 'fail'
ELSE 'pass'
END as status
FROM
cache_enabled ce
LEFT JOIN bad_methods as b
ON ce.arn = b.arn
{% endmacro %}

{% macro snowflake__api_gw_cache_data_encrypted(framework, check_id) %}
with bad_methods as (
select DISTINCT
arn
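Review bot: In `bad_methods`, `ms.value->>'CacheDataEncrypted' <> 'true'` evaluates to NULL when a method setting has no `CacheDataEncrypted` key, so a method with caching enabled but encryption never configured is not collected and the stage is reported as pass; API Gateway's cache-data-encryption setting is off unless enabled, so an absent key should count as unencrypted and the predicate should read `AND coalesce(ms.value->>'CacheDataEncrypted', 'false') <> 'true'`. The `ms IS not NULL` filter above it adds nothing for a row produced by `jsonb_each` and can be dropped. The two CTEs also write the same join in two forms, an implicit set-returning function in `bad_methods` and an explicit `LATERAL` in `cache_enabled`; one form for both would read better. The snowflake macro at the bottom continues past the end of the hunk.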
@@ -1,4 +1,25 @@
{% macro api_gw_routes_should_specify_authorization_type(framework, check_id) %}
{{ return(adapter.dispatch('api_gw_routes_should_specify_authorization_type')(framework, check_id)) }}
{% endmacro %}

{% macro default__api_gw_routes_should_specify_authorization_type(framework, check_id) %}{% endmacro %}

{% macro postgres__api_gw_routes_should_specify_authorization_type(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'API Gateway routes should specify an authorization type' as title,
account_id,
arn as resource_id,
CASE
WHEN authorization_type IS NULL OR authorization_type = '' OR authorization_type = 'NONE' THEN 'fail'
ELSE 'pass'
END AS status
FROM
aws_apigatewayv2_api_routes
{% endmacro %}

{% macro snowflake__api_gw_routes_should_specify_authorization_type(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
Expand Up @@ -38,4 +38,22 @@ select
END as status
FROM
{{ full_table_name("aws_efs_access_points") }}
{% endmacro %}

{% macro postgres__access_point_enforce_user_identity(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'EFS access points should enforce a user identity' as title,
account_id,
arn as resource_id,
CASE
WHEN posix_user IS NULL
OR posix_user->>'uid' IS NULL
OR posix_user->>'gid' IS NULL
THEN 'fail'
ELSE 'pass'
END as status
FROM
aws_efs_access_points
{% endmacro %}
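Review bot: The new postgres macro looks up `posix_user->>'uid'` and `posix_user->>'gid'` in lowercase, while every other JSON key read in this PR uses the SDK's capitalization (`root_directory->>'Path'`, `ms.value->>'CachingEnabled'`); JSON key lookup in Postgres is case-sensitive, so if the stored keys are `Uid` and `Gid` both expressions are always NULL and every access point is reported as fail. If that is the stored form the lines should be `OR posix_user->>'Uid' IS NULL` and `OR posix_user->>'Gid' IS NULL`; worth verifying against a real row of `aws_efs_access_points` before merging. The macro whose `END as status` closes at the top of the hunk begins outside it.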
@@ -1,4 +1,25 @@
{% macro access_point_path_should_not_be_root(framework, check_id) %}
{{ return(adapter.dispatch('access_point_path_should_not_be_root')(framework, check_id)) }}
{% endmacro %}

{% macro default__access_point_path_should_not_be_root(framework, check_id) %}{% endmacro %}

{% macro postgres__access_point_path_should_not_be_root(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
'EFS access points should enforce a root directory' as title,
account_id,
arn as resource_id,
CASE
WHEN root_directory->>'Path' = '/' THEN 'fail'
ELSE 'pass'
END as status
FROM
aws_efs_access_points
{% endmacro %}

{% macro snowflake__access_point_path_should_not_be_root(framework, check_id) %}
select
'{{framework}}' As framework,
'{{check_id}}' As check_id,
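Review bot: `WHEN root_directory->>'Path' = '/' THEN 'fail'` yields NULL, and therefore pass, when `root_directory` is NULL or has no `Path` key, yet an access point with no root directory path configured is served from `/`, which is exactly what this check is meant to catch. Treating the missing value as the root path closes the gap: `WHEN coalesce(root_directory->>'Path', '/') = '/' THEN 'fail'`. The snowflake macro at the bottom continues past the end of the hunk.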