From 64680549f51579c6a9458d634006ebdd126b7c85 Mon Sep 17 00:00:00 2001
From: Akash Babu
Date: Tue, 25 Apr 2023 08:03:05 +0000
Subject: [PATCH] added changes for roleIdentifyingString generation and updated a policy
---
 installer/resources/pacbot_app/files/DB_Policy.sql | 4 +++-
 .../java/com/tmobile/pacman/common/PacmanSdkConstants.java | 3 +++
 .../main/java/com/tmobile/pacman/executor/PolicyExecutor.java | 2 ++
 3 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/installer/resources/pacbot_app/files/DB_Policy.sql b/installer/resources/pacbot_app/files/DB_Policy.sql
index 29b53e839e..2caa514dfa 100644
--- a/installer/resources/pacbot_app/files/DB_Policy.sql
+++ b/installer/resources/pacbot_app/files/DB_Policy.sql
@@ -307,7 +307,7 @@ INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisp INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3AccessLogsRule_version-1_S3AccessLogsRule_s3','aws_s3_accesslogs','S3AccessLogsRule','Enable Private S3 Buckets with Access Logs','Protected S3 buckets should be server access logs enabled','Protected S3 buckets should be server access logs enabled',NULL,'s3','aws','S3AccessLogsRule','{\"params\":[{\"key\":\"policyKey\",\"value\":\"check-for-s3-access-logs\",\"encrypt\":false},{\"key\":\"esS3PubAccessIssueUrl\",\"value\":\"/aws_s3/issue_s3/_search\",\"encrypt\":false},{\"key\":\"s3PublicAccessRuleId\",\"value\":\"S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3\",\"encrypt\":false},{\"key\":\"splitterChar\",\"value\":\",\",\"isValueNew\":true,\"encrypt\":false},{\"key\":\"accessLogsEnabledRegions\",\"value\":\"\",\"isValueNew\":true,\"encrypt\":false,\"isEdit\":true,\"isMandatory\":true,\"description\":\"Access log enabled regions for s3\",\"defaultVal\":\"\",\"displayName\":\"Access log enabled regions\"},{\"key\":\"destinationBucketForAutofix\",\"value\":\"tmo-s3-accesslog-ACCOUNT_ID-REGION-dev\",\"isValueNew\":true,\"encrypt\":false,\"isEdit\":true,\"isMandatory\":true,\"description\":\"Destination bucket name for auto fix\",\"defaultVal\":\"tmo-s3-accesslog-ACCOUNT_ID-REGION-dev\",\"displayName\":\"Destination bucket for auto 
fix\"},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"governance\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"S3AccessLogsRule_version-1_S3AccessLogsRule_s3\",\"autofix\":false,\"alexaKeyword\":\"S3AccessLogsRule\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"aws_s3_accesslogs\",\"policyType\":\"ManagePolicy\"}','0 0 ? * MON *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/aws_s3_accesslogs','ENABLED','ASGC','2019-08-05','2019-08-05','high','operations'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3BucketAllowHTTPRequest_version-1_S3BucketAllowHTTPRequest_s3','aws_s3_bucket_should_not_allow_http_requests','S3 bucket policy to deny HTTP requests','Deny HTTP Requests to S3 Bucket','Set S3 Bucket Policy to deny HTTP requests','Create a bucket policy that explicitly denies access when SecureTransport:false','https://github.com/PaladinCloud/CE/wiki/AWS-Policy#deny-http-requests-to-s3-bucket','s3','aws','S3BucketAllowHTTPRequest','{\"params\":[{\"key\":\"policyKey\",\"value\":\"check-for-s3-bucket-policy-denies-http\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"security\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"S3BucketAllowHTTPRequest_version-1_S3BucketAllowHTTPRequest_s3\",\"autofix\":false,\"alexaKeyword\":\"S3BucketAllowHTTPRequest\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"aws_s3_bucket_should_not_allow_http_requests\",\"policyType\":\"ManagePolicy\"}','0 0 1/1 * ? 
*','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/aws_s3_bucket_should_not_allow_http_requests','ENABLED','','2022-09-21','2022-09-21','high','security'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3BucketEncryption_version-1_S3BucketWithoutEncryption_s3','aws_s3_bucket_should_be_encrypted','All S3 buckets should employ encryption-at-rest','Encrypt S3 Buckets at Rest','Encrypt all the s3 buckets at rest to protect the sensitive contents','Enable encryption for S3 buckets','https://github.com/PaladinCloud/CE/wiki/AWS-Policy#encrypt-s3-buckets-at-rest','s3','aws','S3BucketWithoutEncryption','{\"params\":[{\"key\":\"policyKey\",\"value\":\"check-for-s3-bucket-encryption\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"security\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"S3BucketEncryption_version-1_S3BucketWithoutEncryption_s3\",\"autofix\":false,\"alexaKeyword\":\"S3BucketWithoutEncryption\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"aws_s3_bucket_should_be_encrypted\",\"policyType\":\"ManagePolicy\"}','0 0 1/1 * ? 
*','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/aws_s3_bucket_should_be_encrypted','ENABLED','','2022-09-16','2022-09-16','high','security'); -INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3','aws_s3_should_not_be_publicly_accessible','S3BucketShouldnotpubliclyaccessble','Deny Public Access to Non-Allow Listed S3 Buckets','Unprotected S3 buckets are one of the major causes for data theft and intrusions. Except for the S3 buckets used for hosting static website, none of the S3 buckets should be globally accessible for unauthenticated users or for Any AWS Authenticate Users.','S3 buckets should be protected by using the bucket ACL and bucket policies,If you want to share data via S3 buckets to other users,you could create pre-signed URLs which will be valid only for short duration.For all automation related work use the bucket policy and grant access to the required roles.',"https://github.com/PaladinCloud/CE/wiki/AWS-Policy#deny-public-access-to-non-allow-listed-s3-buckets-1",'s3','aws','s3GlobalAccess','{\"params\":[{\"defaultVal\":\"\",\"encrypt\":true,\"isEdit\":true,\"displayName\":\"API key value\",\"description\":\"API key value\",\"value\":\"\",\"key\":\"apiKeyValue\",\"isMandatory\":true},{\"defaultVal\":\"\",\"encrypt\":true,\"isEdit\":true,\"displayName\":\"API key name\",\"description\":\"API key 
Name\",\"value\":\"\",\"key\":\"apiKeyName\",\"isMandatory\":true},{\"key\":\"policyCategory\",\"value\":\"security\",\"encrypt\":false},{\"key\":\"severity\",\"value\":\"critical\",\"encrypt\":false},{\"key\":\"esServiceURL\",\"value\":\"/aws_checks/checks_resources/_search\",\"encrypt\":false},{\"key\":\"apiGWURL\",\"value\":\"\",\"encrypt\":false},{\"key\":\"policyKey\",\"value\":\"check-for-s3-global-access\",\"isValueNew\":true,\"encrypt\":false},{\"isValueNew\":true,\"defaultVal\":\"Pfx0RwqBli\",\"encrypt\":false,\"isEdit\":true,\"displayName\":\"Check Id\",\"description\":\"Check Id Keyword,\"value\":\"Pfx0RwqBli\",\"key\":\"checkId\",\"isMandatory\":true},{\"key\":\"roleIdentifyingString\",\"value\":\"role/paladincloud_ro\",\"isValueNew\":true,\"encrypt\":false},{\"key\":\"fixKey\",\"value\":\"s3-global-access-fix\",\"isValueNew\":true,\"encrypt\":false}],\"environmentVariables\":[],\"policyId\":\"S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3\",\"autofix\":false,\"alexaKeyword\":\"s3GlobalAccess\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"aws_s3_should_not_be_publicly_accessible\",\"policyType\":\"ManagePolicy\"}','0 0/2 * * ? 
*','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/aws_s3_should_not_be_publicly_accessible','ENABLED','ASGC','2018-10-09','2018-12-03','critical','security'); +INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3','aws_s3_should_not_be_publicly_accessible','S3BucketShouldnotpubliclyaccessble','Deny Public Access to Non-Allow Listed S3 Buckets','Unprotected S3 buckets are one of the major causes for data theft and intrusions. Except for the S3 buckets used for hosting static website, none of the S3 buckets should be globally accessible for unauthenticated users or for Any AWS Authenticate Users.','S3 buckets should be protected by using the bucket ACL and bucket policies,If you want to share data via S3 buckets to other users,you could create pre-signed URLs which will be valid only for short duration.For all automation related work use the bucket policy and grant access to the required roles.',"https://github.com/PaladinCloud/CE/wiki/AWS-Policy#deny-public-access-to-non-allow-listed-s3-buckets-1",'s3','aws','s3GlobalAccess','{\"params\":[{\"key\":\"policyCategory\",\"value\":\"security\",\"encrypt\":false},{\"key\":\"severity\",\"value\":\"critical\",\"encrypt\":false},{\"key\":\"esServiceURL\",\"value\":\"/aws_checks/checks_resources/_search\",\"encrypt\":false},{\"key\":\"apiGWURL\",\"value\":\"\",\"encrypt\":false},{\"key\":\"policyKey\",\"value\":\"check-for-s3-global-access\",\"isValueNew\":true,\"encrypt\":false},{\"isValueNew\":true,\"defaultVal\":\"Pfx0RwqBli\",\"encrypt\":false,\"isEdit\":true,\"displayName\":\"Check Id\",\"description\":\"Check Id 
Keyword,\"value\":\"Pfx0RwqBli\",\"key\":\"checkId\",\"isMandatory\":true},{\"key\":\"roleIdentifyingString\",\"value\":\"role/paladincloud_ro\",\"isValueNew\":true,\"encrypt\":false},{\"key\":\"fixKey\",\"value\":\"s3-global-access-fix\",\"isValueNew\":true,\"encrypt\":false}],\"environmentVariables\":[],\"policyId\":\"S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3\",\"autofix\":false,\"alexaKeyword\":\"s3GlobalAccess\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"aws_s3_should_not_be_publicly_accessible\",\"policyType\":\"ManagePolicy\"}','0 0/2 * * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/aws_s3_should_not_be_publicly_accessible','ENABLED','ASGC','2018-10-09','2018-12-03','critical','security'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3HostsWebsiteRule_version-1_S3HostsWebsiteRule_s3','s3_should_not_have_host_website_or_redirect_req','S3HostsWebsiteRule','Deny Hosting Website or Redirecting Requests for S3 Bucket','This rule checks for s3 bucket containing web-site configuration.If its true then its an 
issue.','',"https://github.com/PaladinCloud/CE/wiki/AWS-Policy#deny-public-access-to-non-allow-listed-s3-buckets-1",'s3','aws','S3HostsWebsiteRule','{\"params\":[{\"key\":\"policyKey\",\"value\":\"check-for-s3-hosting-website\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"security\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"S3HostsWebsiteRule_version-1_S3HostsWebsiteRule_s3\",\"autofix\":false,\"alexaKeyword\":\"S3HostsWebsiteRule\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"s3_should_not_have_host_website_or_redirect_req\",\"policyType\":\"ManagePolicy\"}','0 0/2 * * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/s3_should_not_have_host_website_or_redirect_req','ENABLED','ASGC','2019-06-10','2019-06-10','high','security'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3MFADeleteEnabled_version-1_MFADeleteEnabled_s3','s3_mfa_delete_enabled','MFA delete should be enabled on S3 bucket','Enable MFA Delete for S3 Bucket','Enable MFA Delete on S3 buckets','Enable MFA Delete on S3 
Bucket','https://github.com/PaladinCloud/CE/wiki/AWS-Policy#enable-mfa-delete-on-s3-bucket','s3','aws','S3MFADeleteEnabled','{\"params\":[{\"key\":\"policyKey\",\"value\":\"check-for-s3-MFA-delete-enabled\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"role/paladincloud_ro\",\"key\":\"roleIdentifyingString\"},{\"encrypt\":false,\"value\":\"low\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"security\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"S3MFADeleteEnabled_version-1_MFADeleteEnabled_s3\",\"autofix\":false,\"alexaKeyword\":\"S3MFADeleteEnabled\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"s3_mfa_delete_enabled\",\"policyType\":\"ManagePolicy\"}','0 0 1/1 * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/s3_mfa_delete_enabled','ENABLED','','2022-05-12','2022-05-12','low','security'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, status, userId, createdDate, modifiedDate, severity, category) VALUES ('S3ObjectLevelReadLogging_version-1_ObjectLevelReadLogging_s3','aws_s3_object_level_read_logging','S3 object level read operations should be logged','Enable S3 bucket object-level logging for read events','Enabling object-level logging will help you meet data compliance requirements within your organization, perform comprehensive security analysis, monitor specific patterns of user behavior in your AWS account','Configure Object-level logging for S3 bucket read 
events','https://github.com/PaladinCloud/CE/wiki/AWS-Policy#enable-s3-bucket-object-level-read-operation-logging','s3','aws','S3ObjectLevelReadLogging','{\"params\":[{\"key\":\"policyKey\",\"value\":\"check-s3-object-level-read-logging-rule\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"medium\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"operations\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"S3ObjectLevelReadLogging_version-1_ObjectLevelReadLogging_s3\",\"autofix\":false,\"alexaKeyword\":\"S3ObjectLevelReadLogging\",\"policyRestUrl\":\"\",\"targetType\":\"s3\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"aws_s3_object_level_read_logging\",\"policyType\":\"ManagePolicy\"}','0 0 1/1 * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/aws_s3_object_level_read_logging','ENABLED','','2022-11-02','2022-11-02','medium','operations'); 
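Review bot: The rewritten INSERT for S3GlobalAccess (the `+` line) still carries the malformed `checkId` description: `\"description\":\"Check Id Keyword,\"value\":\"Pfx0RwqBli\"` is missing the closing `\"` after `Keyword`, so the row's policyParams is not valid JSON as inserted. Since the line was rewritten anyway, correct it to `\"description\":\"Check Id Keyword\",\"value\":\"Pfx0RwqBli\"`. The UPDATE for the same policyId further down this file does carry the well-formed string, so on a fresh install the broken value only survives until that UPDATE runs, but a script that stops between the two statements is left with unparseable params. Also note that because this is INSERT IGNORE, removing `apiKeyValue`/`apiKeyName` here does nothing for existing installs; that cleanup relies entirely on the later UPDATE.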
@@ -1238,3 +1238,5 @@ UPDATE cf_PolicyTable set policyParams = '{"assetGroup":"aws","policyId":"S3Acce UPDATE cf_PolicyTable set policyParams = '{"params":[{"key":"policyKey","value":"iam-serviceaccount-privileges-rule","encrypt":false},{"key":"splitterChar","value":",","encrypt":false},{"key":"roleIdentifyingString","value":"role/paladincloud_ro","encrypt":false},{"key":"unApprovedIamActions","value":"ec2:TerminateInstances,ec2:RunInstances,s3:DeleteBucket,s3:PutBucketPolicy,ec2:ModifyInstanceAttribute,s3:DeleteObject,ec2:*,*,s3:*,s3:Put*,cloudtrail:*,cloudtrail:DeleteTrail,config:*,config:DeleteConfigRule","isValueNew":true,"encrypt":false,"isEdit":true,"isMandatory":true,"description":"IAM roles should not have these permissions","defaultVal":"ec2:TerminateInstances,ec2:RunInstances,s3:DeleteBucket,s3:PutBucketPolicy,ec2:ModifyInstanceAttribute,s3:DeleteObject,ec2:*,*,s3:*,s3:Put*,cloudtrail:*,cloudtrail:DeleteTrail,config:*,config:DeleteConfigRule","displayName":"Unapproved IAM actions"},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"ServiceAccountPrivilegesRule_version-1_UnapprovedServiceAccountAccess_iamuser","autofix":false,"alexaKeyword":"UnapprovedServiceAccountAccess","policyRestUrl":"","targetType":"iamuser","pac_ds":"aws","assetGroup":"aws","policyUUID":"aws_iamuser_service-acc-shouldnothave_unauth_privileges","policyType":"ManagePolicy"}' where policyId = 'ServiceAccountPrivilegesRule_version-1_UnapprovedServiceAccountAccess_iamuser'; UPDATE cf_PolicyTable set policyParams = '{"params":[{"key":"policyKey","value":"iam-role-with-unapproved-access","encrypt":false},{"key":"roleIdentifyingString","value":"role/paladincloud_ro","encrypt":false},{"key":"unApprovedIamActions","value":"lambda:CreateFunction,lambda:Create*,*,lambda:*","encrypt":false,"isEdit":true,"isMandatory":true,"description":"IAM roles should not have these 
permissions","defaultVal":"lambda:CreateFunction,lambda:Create*,*,lambda:*","displayName":"Unapproved IAM actions"},{"key":"splitterChar","value":",","encrypt":false},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"UnapprovedIamRoleWithLambdaAccess_version-1_UnapprovedIamRoleLambdaAccess_iamrole","autofix":false,"alexaKeyword":"UnapprovedIamRoleWithLambdaAccess","policyRestUrl":"","targetType":"iamrole","pac_ds":"aws","assetGroup":"aws","policyUUID":"aws_iamrole_shouldnothave_lambda_privilege","policyType":"ManagePolicy"}' where policyId = 'UnapprovedIamRoleWithLambdaAccess_version-1_UnapprovedIamRoleLambdaAccess_iamrole'; UPDATE cf_PolicyTable set policyParams = '{"params":[{"key":"roleIdentifyingString","value":"role/paladincloud_ro","encrypt":false},{"key":"unApprovedIamActions","value":"ec2:CreateDefaultSubnet,ec2:CreateDefaultVpc,ec2:CreateInternetGateway,ec2:CreateSubnet,ec2:CreateVpc,ec2:CreateVpcEndpoint,ec2:CreateVpcEndpointConnectionNotification,ec2:CreateVpcEndpointServiceConfiguration,ec2:CreateVpcPeeringConnection,ec2:CreateVpnConnection,ec2:CreateVpnConnectionRoute,ec2:CreateVpnGateway,ec2:ModifySubnetAttribute,ec2:ModifyVpcAttribute,ec2:ModifyVpcEndpoint,ec2:ModifyVpcEndpointConnectionNotification,ec2:ModifyVpcEndpointServiceConfiguration,ec2:ModifyVpcEndpointServicePermissions,ec2:ModifyVpcPeeringConnectionOptions,ec2:ModifyVpcTenancy,ec2:MoveAddressToVpc,ec2:AttachInternetGateway,ec2:CreateEgressOnlyInternetGateway,ec2:AttachVpnGateway.ec2:*,*","encrypt":false,"isEdit":true,"isMandatory":true,"description":"IAM roles should not have these 
permissions","defaultVal":"ec2:CreateDefaultSubnet,ec2:CreateDefaultVpc,ec2:CreateInternetGateway,ec2:CreateSubnet,ec2:CreateVpc,ec2:CreateVpcEndpoint,ec2:CreateVpcEndpointConnectionNotification,ec2:CreateVpcEndpointServiceConfiguration,ec2:CreateVpcPeeringConnection,ec2:CreateVpnConnection,ec2:CreateVpnConnectionRoute,ec2:CreateVpnGateway,ec2:ModifySubnetAttribute,ec2:ModifyVpcAttribute,ec2:ModifyVpcEndpoint,ec2:ModifyVpcEndpointConnectionNotification,ec2:ModifyVpcEndpointServiceConfiguration,ec2:ModifyVpcEndpointServicePermissions,ec2:ModifyVpcPeeringConnectionOptions,ec2:ModifyVpcTenancy,ec2:MoveAddressToVpc,ec2:AttachInternetGateway,ec2:CreateEgressOnlyInternetGateway,ec2:AttachVpnGateway.ec2:*,*","displayName":"Unapproved IAM actions"},{"key":"splitterChar","value":",","encrypt":false},{"key":"policyKey","value":"iam-user-with-unapproved-access","isValueNew":true,"encrypt":false},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"}],"environmentVariables":[],"policyId":"core-networking-iam-user-with-unapproved-access_version-1_core-networking-iam-user-with-unapproved-access_iamuser","autofix":false,"alexaKeyword":"core-networking-iam-user-with-unapproved-access","policyRestUrl":"","targetType":"iamuser","pac_ds":"aws","assetGroup":"aws","policyUUID":"aws_iamuser_shouldnothave_corenetwork_privileges","policyType":"ManagePolicy"}' where policyId = 'core-networking-iam-user-with-unapproved-access_version-1_core-networking-iam-user-with-unapproved-access_iamuser'; + +UPDATE cf_PolicyTable set policyParams = 
'{"assetGroup":"aws","policyId":"S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3","policyRestUrl":"","environmentVariables":[],"policyUUID":"aws_s3_should_not_be_publicly_accessible","policyType":"ManagePolicy","pac_ds":"aws","targetType":"s3","params":[{"encrypt":false,"value":"security","key":"policyCategory"},{"encrypt":false,"value":"critical","key":"severity"},{"encrypt":false,"value":"/aws_checks/checks_resources/_search","key":"esServiceURL"},{"encrypt":false,"value":"","key":"apiGWURL"},{"isValueNew":true,"encrypt":false,"value":"check-for-s3-global-access","key":"policyKey"},{"isValueNew":true,"defaultVal":"Pfx0RwqBli","encrypt":false,"isEdit":true,"displayName":"Check Id","description":"Check Id Keyword","value":"Pfx0RwqBli","key":"checkId","isMandatory":true},{"isValueNew":true,"encrypt":false,"value":"role/paladincloud_ro","key":"roleIdentifyingString"},{"isValueNew":true,"encrypt":false,"value":"s3-global-access-fix","key":"fixKey"}],"autofix":false,"alexaKeyword":"s3GlobalAccess"}' where policyId = 'S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3';
diff --git a/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/common/PacmanSdkConstants.java b/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/common/PacmanSdkConstants.java
index e54cd18c71..8564abfced 100644
--- a/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/common/PacmanSdkConstants.java
+++ b/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/common/PacmanSdkConstants.java
@@ -651,4 +651,7 @@ public interface PacmanSdkConstants extends com.tmobile.pacman.commons.PacmanSdk
 String NOTIFICATION_TIME_FORMAT = "yyyy-MM-dd hh:mm:ss";
 String CLOUD_TYPE = "cloudType";
 String TAG_DETAILS = "tagDetails";
+ String APPLICATION_PREFIX = "application.prefix";
+ String ROLE_PREFIX = "role/";
+ String ROLE_SUFFIX = "_ro";
 }
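Review bot: The new UPDATE at the end of the hunk rewrites the whole policyParams JSON for S3GlobalAccess every time this script runs, which resets `checkId` (flagged `isEdit:true` / `isMandatory:true`, i.e. it reads as operator-editable) back to `Pfx0RwqBli` and discards any other operator edits to that row. Narrowing the WHERE so the rewrite only touches rows that still carry the removed API-key params keeps the migration idempotent: `where policyId = 'S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3' AND policyParams LIKE '%"apiKeyName"%';`. Separately, the JSON still pins `roleIdentifyingString` to `role/paladincloud_ro` even though the executor change in this same commit appears to derive that value from `application.prefix`; which one wins presumably depends on the order the executor fills its param map, so a `-- roleIdentifyingString here is overridden at runtime by PolicyExecutor` comment (or dropping the key from the JSON) would make the authoritative source explicit.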
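Review bot: The three new constants encode a role-naming convention (`role/` + application prefix + `_ro`) that has to match the IAM role the installer actually provisions, but nothing in the hunk records that coupling, and the SQL in this same commit still spells the role out literally as `role/paladincloud_ro`. A Javadoc on `ROLE_PREFIX`/`ROLE_SUFFIX` such as `/** Assembled at runtime as ROLE_PREFIX + <application.prefix> + ROLE_SUFFIX to form roleIdentifyingString; must match the read-only role created by the installer. */` would make the dependency visible to whoever renames the role. `APPLICATION_PREFIX` is a property key rather than a literal value like its neighbours, so a one-line `// property key, resolved via CommonUtils.getPropValue` next to it would also help.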
diff --git a/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/executor/PolicyExecutor.java b/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/executor/PolicyExecutor.java
index cab176ddec..904510ba1a 100755
--- a/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/executor/PolicyExecutor.java
+++ b/jobs/pacman-rule-engine-2.0/src/main/java/com/tmobile/pacman/executor/PolicyExecutor.java
@@ -155,6 +155,8 @@ private void run(String[] args, String executionId)
 policyParam.put(PacmanSdkConstants.EXECUTION_ID, executionId);
 policyParam.put(PacmanSdkConstants.TAGGING_MANDATORY_TAGS,mandatoryTags);
+ policyParam.put(PacmanSdkConstants.Role_IDENTIFYING_STRING, PacmanSdkConstants.ROLE_PREFIX +
+ CommonUtils.getPropValue(PacmanSdkConstants.APPLICATION_PREFIX) + PacmanSdkConstants.ROLE_SUFFIX);
 if (Strings.isNullOrEmpty(policyParam.get(PacmanSdkConstants.DATA_SOURCE_KEY))) {
 logger.error( "data source is missing, will not be able to figure out the target index to post the policy evaluvation, please check rule configuration");