bug: V2 policy desc changes #847

Merged
merged 1 commit into from
Feb 17, 2023
35 changes: 35 additions & 0 deletions installer/resources/pacbot_app/files/DB_Policy.sql
Expand Up @@ -888,3 +888,38 @@ DELETE FROM cf_PolicyTable WHERE policyId IN('UntaggedOrUnusedEbsRule_version-1_


delete from cf_PolicyCategoryWeightage where policyCategory in ('costOptimization', 'governance');


UPDATE cf_PolicyTable SET policyDesc = 'To enhance security and management of API activity in your AWS cloud account, ensure that your Amazon CloudTrail trails record regional and global events.' where policyId = 'AWS_CloudTrail_Global_Services_version-1_Enable_CloudTrail_Global_Services_cloudtrail';
UPDATE cf_PolicyTable SET policyDesc = 'It is crucial to enable encryption at rest to ensure the security and privacy of your sensitive data stored on Amazon Elasticsearch (ES) domains and their storage systems. This way, unauthorized access to the data is prevented. Utilizing this feature does not require any application changes, as Amazon Elasticsearch automatically handles encryption and decryption processes.' where policyId = 'AWS_ElasticSearch_Domain_At_Rest_Encryption_version-1_ElasticSearchDomainAtRestEncryption';
UPDATE cf_PolicyTable SET policyDesc = 'To meet security and compliance standards, it is important to ensure that all your Amazon Elastic Block Store (EBS) volumes are encrypted. You can confidently store sensitive, confidential, and critical data on your EBS volumes by enabling encryption.' where policyId = 'Attached-EBS-volumes-are-encrypted_version-1_Attached_EBS_volumes_should_be_encrypted';
UPDATE cf_PolicyTable SET policyDesc = 'Configuring your Amazon Classic Load Balancer listeners to use HTTPS or SSL encryption provides security for sensitive information transmitted between clients and the load balancer, authentication, meets regulatory requirements, and improves the user experience by avoiding browser warnings.' where policyId = 'AwsClassicELBListenerSecurity_version-1_AwsListenerSecurity_classicelb';
UPDATE cf_PolicyTable SET policyDesc = 'The default security groups on Amazon EC2 should restrict all inbound public traffic so that users (administrators, resource managers, etc.) are forced to create their own security groups using the Principle of Least Privilege (POLP).' where policyId = 'AwsPublicAccessDefaultSecurityGroup_version-1_AwsPublicAccessDefaultSecurityGroup_sg';
UPDATE cf_PolicyTable SET policyDesc = 'Use customer-managed Customer Master Keys (CMKs) instead of AWS-managed keys for Amazon EBS volumes for complete control of encryption and decryption. Once CMK-based encryption is enabled, it secures Amazon EBS volumes, volume snapshots, and disk I/O.' where policyId = 'Aws_Attached_EBS_volumes_are_custom_kms_key_encrypted_version-1_Attached_EBS_volumes_should_be_custom_kms_key_encrypted';
UPDATE cf_PolicyTable SET policyDesc = 'To ensure that your secrets stored in Amazon Elastic Kubernetes Service (EKS) meet security and compliance requirements, you can use AWS Key Management Service (KMS) keys to provide envelope encryption. Implementing envelope encryption of Kubernetes secrets is a security best practice for applications that handle sensitive and confidential data. To set this up, you must create your AWS KMS Customer Master Key (CMK) and link it to your Amazon EKS cluster. When you store secrets using the Kubernetes secrets API, they will first be encrypted using a data encryption key generated by Kubernetes and then further encrypted with the connected KMS CMK. This additional layer of encryption helps to protect your secrets and meet security and compliance requirements.' where policyId = 'Aws_EKS_secrets_should_be_encrypted_version-1_aws_enable_secret_encryption_eks';
UPDATE cf_PolicyTable SET policyDesc = 'To protect your private data and minimize security risks, it is important to ensure that your Amazon Database Migration Service (DMS) is not publicly accessible from the Internet. As long as both source and target databases are in the same network connected to the instance''s VPC through a VPN, VPC peering connection, or AWS Direct Connect dedicated connection, a DMS replication instance should have a private IP address the Publicly Accessible feature disabled. This helps to ensure that your DMS is not exposed to external threats and keeps your data secure.' where policyId = 'Aws_dms_should_not_be_publicly_accessible_version-1_aws_public_access_dms';
UPDATE cf_PolicyTable SET policyDesc = 'It is crucial to secure your Azure virtual machines associated with these NSGs by ensuring that Microsoft Azure network security groups (NSGs) do not permit unrestricted access on TCP ports 20 and 21, which are used for data transfer and communication by the File Transfer Protocol (FTP) client-server applications. Attackers might use brute-force methods to gain access to your Azure virtual machines through these ports, underscoring the importance of securing them.' where policyId = 'Azure_Enable_Network_Security_for_FTP';
UPDATE cf_PolicyTable SET policyDesc = 'The Microsoft Message Queuing (MSMQ) and other Microsoft Windows/Windows Server software use the Remote Procedure Call (RPC) TCP port 135 for client-server communications. Allowing unrestricted access to this port can lead to hacking, ransomware, and denial-of-service (DoS) attacks. To reduce the attack surface, it is essential to follow the principle of least privilege and ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access on TCP port 135. ' where policyId = 'Azure_Enable_Network_Security_for_RPC';
UPDATE cf_PolicyTable SET policyDesc = 'Secure remote login is achieved through TCP port 22, which connects an SSH client application with an SSH server. In order to minimize the possibility of a security breach and adhere to the principle of least privilege, it is essential to review the inbound rules of your Microsoft Azure network security groups (NSGs) for TCP port 22. It is recommended to restrict access to only the necessary IP addresses, instead of permitting unrestricted access (i.e., 0.0.0.0/0).' where policyId = 'Azure_Enable_Network_Security_for_SSH';
UPDATE cf_PolicyTable SET policyDesc = 'To reduce the attack surface and implement the principle of least privilege, ensure that Microsoft Azure network security groups (NSGs) do not allow unrestricted access(i.e., 0.0.0.0/0) to UDP ports. The User Datagram Protocol (UDP) is a communication protocol used on the internet for transmitting time-sensitive data, such as video streaming or Domain Name System (DNS) lookups. One of the main benefits of using UDP is that it allows for fast data transfer. However, it is also possible for packets to be lost during transmission, which can create vulnerabilities and potentially allow for malicious activities like Distributed Denial of Service (DDoS) attacks.' where policyId = 'Azure_Enable_Network_Security_for_UDP';
UPDATE cf_PolicyTable SET policyDesc = 'Unrestricted access (e.g., 0.0.0.0/0) on RDP port 3389 should not be allowed as it can open your system to malicious actors and increase the attack surface.To increase security, it is recommended to update your Azure Network Security Group (NSG) configuration to restrict Remote Desktop Protocol (RDP) access to specific IP addresses or IP ranges. ' where policyId = 'Azure_Security_Groups_with_RDP_port_3389_should_not_be_publicly_accessible';
UPDATE cf_PolicyTable SET policyDesc = 'To protect against malicious actors and reduce the attack surface, it is important to restrict firewall rules that permit unrestricted access (e.g., 0.0.0.0/0) on PostgreSQL port 5432. Restrict Azure Network Security Groups (NSGs) inbound access via TCP ports 5432 to trusted IP addresses only. ' where policyId = 'Check_for_Unrestricted_PostgreSQL_Database_Access';
UPDATE cf_PolicyTable SET policyDesc = 'Alpha clusters are temporary clusters that run stable Kubernetes releases with all Kubernetes APIs and features enabled. However, they are not recommended for production workloads as they are not covered by a Service level agreement (SLA), do not receive security updates, automatic upgrades, or repairs, expire in 30 days, and GKE does not automatically save data stored on alpha clusters.' where policyId = 'Disable_Alpha_Cluster';
UPDATE cf_PolicyTable SET policyDesc = 'It is recommended to disable Basic Authentication as it uses static passwords without any encryption. This security threat can lead to attacks like brute force and credential stuffing. OpenID Connect and other authentication methods can still be used to authenticate on the cluster.' where policyId = 'Disable_Basic_Authentication';
UPDATE cf_PolicyTable SET policyDesc = 'SSH (Secure Shell) port 22 should be restricted for inbound traffic from external IP addresses since unrestricted access could result in banner grabbing or brute force attacks. These risks can be minimized by configuring specific IP addresses for incoming connections.' where policyId = 'EC2WithPublicAccessSSHPort22_version-2_EC2WithPublicAccessForConfiguredPort22_ec2';
UPDATE cf_PolicyTable SET policyDesc = 'For optimal data security, AWS EBS volume snapshots should be kept private to avoid the risk of unauthorized data access. Sharing snapshots with external accounts can pose a potential risk, as they can create volumes from it and gain access to sensitive information. It is therefore recommended to restrict public visibility or share them only with specific accounts.' where policyId = 'EbsSnapShot_version-1_EbsSnapShot_snapshot';
UPDATE cf_PolicyTable SET policyDesc = 'Allowing all external IP addresses to SQL Browser port 1434 is a security vulnerability and should be avoided. To protect against Denial of Service, Buffer Overflow, and SQL Injection attacks, public access to the SQL server should be blocked, and only inbound traffic from specific IP addresses should be allowed for port 1434.' where policyId = 'Ec2WithPubAccPort1434_version-1_Ec2WithPubAccPort1434_ec2';
UPDATE cf_PolicyTable SET policyDesc = 'Allowing all external IP addresses to MySQL Browser port 3306 is a security vulnerability and should be avoided. To protect against Denial of Service, Buffer Overflow, and SQL Injection attacks, public access to the SQL server should be blocked, and only inbound traffic from specific IP addresses should be allowed for port 3306.' where policyId = 'Ec2WithPublicAccessMySqlPort3306_version-1_Ec2WithPubAccMySqlPort3306_ec2';
UPDATE cf_PolicyTable SET policyDesc = 'TCP port 139 and UDP ports 137 and 138 are used for NetBIOS name resolution (i.e., mapping a NetBIOS name to an IP address) by the services such as File and Printer Sharing service running on Microsoft Windows Server OS. Allowing unrestricted NetBIOS access can increase opportunities for malicious activity such as man-in-the-middle attacks (MITM), Denial of Service (DoS) attacks, or BadTunnel exploits. Review the inbound rules of your EC2 security groups that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 139 and UDP ports 137 and 138. If such rules are found, restrict them to only trusted IP addresses or IP ranges that require it to implement the principle of least privilege and reduce the attack surface. This will ensure that only authorized traffic is allowed access. ' where policyId = 'Ec2WithPublicAccessNetBIOSPort138_version-1_Ec2WithPubAccNetBIOS138_ec2';
UPDATE cf_PolicyTable SET policyDesc = 'AWS Elasticsearch should not be accessible to the public via the internet to prevent unauthorized user access, data loss, and the potential exposure of sensitive data.' where policyId = 'ElasticSearchPublicAccess_version-1_ElasticSearchPublicAccessRule_elasticsearch';
UPDATE cf_PolicyTable SET policyDesc = 'The security of a publicly accessible load balancer can be compromised by brute-force login attempts, potentially leading to data leaks or loss. To reduce security risks, it is important to prevent unauthorized access attempts. To restrict internet access to the application ELB, you can disable the ''Publicly Accessible/'' flag for the database and update the security group associated with the instance in the VPC' where policyId = 'ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb';
UPDATE cf_PolicyTable SET policyDesc = 'Enable private cluster when creating Kubernetes clusters. A private cluster prevents workloads from being accessible to the public internet by providing the nodes with reserved IP addresses.' where policyId = 'Ensure_clusters_created_with_pvt_endpoints';
UPDATE cf_PolicyTable SET policyDesc = 'To protect against malicious public data exposure, ensure that public access is not enabled for your S3 buckets. By default, S3 buckets and objects are created without public access, but an IAM principal with sufficient S3 permissions can grant public access at either the bucket or object level. ' where policyId = 'S3GlobalAccess_version-1_S3BucketShouldnotpubliclyaccessble_s3';
UPDATE cf_PolicyTable SET policyDesc = 'To ensure security against unauthorized connections, it is important to set up the Microsoft Azure SQL server firewall to only allow inbound access from authorized networks. This can be done by specifying the range of IP addresses from these networks and creating firewall rules with specific IP addresses. This will reduce the risk of attacks on your SQL servers.' where policyId = 'UnrestrictedSqlDatabaseAccessRule_version-1';
UPDATE cf_PolicyTable SET policyDesc = 'To protect against malicious actors and reduce the attack surface, it is important to ensure that Microsoft Azure network security groups (NSGs) do not permit unrestricted access (e.g., 0.0.0.0/0) on TCP port 3306.' where policyId = 'Unrestricted_MySQL_Database_Access';
UPDATE cf_PolicyTable SET policyDesc = 'To implement the principle of least privilege and enhance the security of your Microsoft Azure network, it is important to restrict inbound/ingress access on TCP port 1521 to trusted entities (i.e., specific IP addresses). By limiting access to trusted entities, you can reduce the attack surface and protect your network against potential threats.' where policyId = 'Unrestricted_Oracle_Database_Access';
UPDATE cf_PolicyTable SET policyDesc = 'A TCP/UDP port that is not included in the common service ports category is considered uncommon. A VPC network firewall rule that allows unrestricted access (0.0.0.0/0) to uncommon ports can increase the risk of hacking, data capture, and all kinds of attacks (brute-force attacks, man-in-the-middle attacks, and DDoS attacks). Configure your VPC network firewall rules to allow only trusted, authorized IP addresses or IP ranges to access uncommon TCP/UDP ports.' where policyId = 'VPC_UnCommon_ports_should_not_be_publicly_accessible';
UPDATE cf_PolicyTable SET policyDesc = 'To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the PostgreSQL Server Port 5432 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0)' where policyId = 'VPC_firewall_POSTGRES_port_should_not_be_publicly_accessible';
UPDATE cf_PolicyTable SET policyDesc = 'To secure your Google Cloud Virtual Private Cloud (VPC) and reduce the attack surface, it is important to set firewall rules that restrict access to the Remote Desktop Protocol (RDP) on TCP port 3389 to trusted IP addresses or ranges only. Ensure only authorized traffic is allowed by blocking unrestricted access to this port (i.e., 0.0.0.0/0).' where policyId = 'VPC_firewall_RDP_port_3389_should_not_be_publicly_accessible';
UPDATE cf_PolicyTable SET policyDesc = 'To implement the principle of least privilege and reduce the attack surface, review the inbound rules of your Google Cloud Virtual Private Cloud (VPC) firewall for any rules that allow unrestricted access (i.e., 0.0.0.0/0) on TCP port 22. If such rules are found, restrict them to only trusted IP addresses or IP ranges to ensure that only authorized traffic is allowed access.' where policyId = 'VPC_firewall_SSH_port_22_should_not_be_publicly_accessible';
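Review bot: Several of the new policyDesc strings carry copy-paste errors that will be shown verbatim to users, and a couple of them give the wrong remediation. The `ElbWithPublicAccess_version-1_ApplicationElbWithPublicAccess_appelb` row tells the reader to "disable the ''Publicly Accessible/'' flag for the database", which is a database-instance setting, not something an Application ELB has, and the stray `/` and missing final period suggest the sentence was pasted from another policy; the remediation should instead describe using an internal load balancer scheme and restricting its security group. The `Ec2WithPublicAccessMySqlPort3306_version-1_Ec2WithPubAccMySqlPort3306_ec2` row says "MySQL Browser port 3306", which looks copied from the SQL Browser 1434 entry above it; 3306 is the MySQL server port. The DMS row is missing a conjunction: "should have a private IP address the Publicly Accessible feature disabled" should read "a private IP address and the Publicly Accessible feature disabled". Smaller issues in the same hunk: missing spaces in "unrestricted access(i.e., 0.0.0.0/0)" and "attack surface.To increase", a missing terminating period in the `VPC_firewall_POSTGRES_port_should_not_be_publicly_accessible` description, and trailing spaces inside the quoted strings for the RPC, RDP, PostgreSQL, NetBIOS and S3 rows (e.g. `... on TCP port 135. '`), which end up stored in the column and are easy to miss in a diff. Since these are bare UPDATE statements run by the installer, it would also help to wrap them so a typo in one policyId does not leave the table half-updated.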