aquasecurity · simar7 · Aug 26, 2024 · Aug 21, 2024 · Aug 22, 2024 · Aug 22, 2024
@@ -1,8 +1,9 @@
 
 Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
 
+
 ### Impact
-The ability to scan images is not being used and vulnerabilities will not be highlighted
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
 ECR images should be set to IMMUTABLE to prevent code injection through image mutation.
-
 This can be done by setting <code>image_tag_mutability</code> to <code>IMMUTABLE</code>
 
+
 ### Impact
-Image tags could be overwritten with compromised images
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Allowing public access to the ECR repository risks leaking sensitive of abusable information
 
+
 ### Impact
-Risk of potential data leakage of sensitive artifacts
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 If your organization is subject to corporate or regulatory policies that require encryption of data and metadata at rest, we recommend creating a file system that is encrypted at rest, and mounting your file system using encryption of data in transit.
 
+
 ### Impact
-Data can be read from the EFS if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane.
 
+
 ### Impact
-Logging provides valuable information about access and usage
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 EKS cluster resources should have the encryption_config block set with protection of the secrets resource.
 
+
 ### Impact
-EKS secrets could be read if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 EKS clusters are available publicly by default, this should be explicitly disabled in the vpc_config of the EKS cluster resource.
 
+
 ### Impact
-EKS can be access from the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 EKS Clusters have public access cidrs set to 0.0.0.0/0 by default which is wide open to the internet. This should be explicitly set to a more specific private CIDR range
 
+
 ### Impact
-EKS can be accessed from the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -33,7 +33,8 @@ var CheckEnableImageScans = rules.Register(
 			Links:               cloudFormationEnableImageScansLinks,
 			RemediationMarkdown: cloudFormationEnableImageScansRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, repo := range s.AWS.ECR.Repositories {

@@ -0,0 +1,41 @@
+# METADATA
+# title: ECR repository has image scans disabled.
+# description: |
+#   Repository image scans should be enabled to ensure vulnerable software can be discovered and remediated as soon as possible.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
+# custom:
+#   id: AVD-AWS-0030
+#   avd_id: AVD-AWS-0030
+#   provider: aws
+#   service: ecr
+#   severity: HIGH
+#   short_code: enable-image-scans
+#   recommended_action: Enable ECR image scanning
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: ecr
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#image_scanning_configuration
+#     good_examples: checks/cloud/aws/ecr/enable_image_scans.tf.go
+#     bad_examples: checks/cloud/aws/ecr/enable_image_scans.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/ecr/enable_image_scans.cf.go
+#     bad_examples: checks/cloud/aws/ecr/enable_image_scans.cf.go
+package builtin.aws.ecr.aws0030
+
+import rego.v1
+
+deny contains res if {
+	some repo in input.aws.ecr.repositories
+	repo.imagescanning.scanonpush.value == false
+
+	res := result.new("Image scanning is not enabled", repo.imagescanning.scanonpush)
+}
@@ -0,0 +1,18 @@
+package builtin.aws.ecr.aws0030_test
+
+import rego.v1
+
+import data.builtin.aws.ecr.aws0030 as check
+import data.lib.test
+
+test_allow_image_scanning_enabled if {
+	inp := {"aws": {"ecr": {"repositories": [{"imagescanning": {"scanonpush": {"value": true}}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_image_scanning_disabled if {
+	inp := {"aws": {"ecr": {"repositories": [{"imagescanning": {"scanonpush": {"value": false}}}]}}}
+
+	test.assert_equal_message("Image scanning is not enabled", check.deny) with input as inp
+}
@@ -35,7 +35,8 @@ This can be done by setting <code>image_tag_mutability</code> to <code>IMMUTABLE
 			Links:               cloudFormationEnforceImmutableRepositoryLinks,
 			RemediationMarkdown: cloudFormationEnforceImmutableRepositoryRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, repo := range s.AWS.ECR.Repositories {

@@ -0,0 +1,42 @@
+# METADATA
+# title: ECR images tags shouldn't be mutable.
+# description: |
+#   ECR images should be set to IMMUTABLE to prevent code injection through image mutation.
+#   This can be done by setting <code>image_tag_mutability</code> to <code>IMMUTABLE</code>
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://sysdig.com/blog/toctou-tag-mutability/
+# custom:
+#   id: AVD-AWS-0031
+#   avd_id: AVD-AWS-0031
+#   provider: aws
+#   service: ecr
+#   severity: HIGH
+#   short_code: enforce-immutable-repository
+#   recommended_action: Only use immutable images in ECR
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: ecr
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository
+#     good_examples: checks/cloud/aws/ecr/enforce_immutable_repository.tf.go
+#     bad_examples: checks/cloud/aws/ecr/enforce_immutable_repository.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/ecr/enforce_immutable_repository.cf.go
+#     bad_examples: checks/cloud/aws/ecr/enforce_immutable_repository.cf.go
+package builtin.aws.ecr.aws0031
+
+import rego.v1
+
+deny contains res if {
+	some repo in input.aws.ecr.repositories
+	repo.imagetagsimmutable.value == false
+
+	res := result.new("Repository tags are mutable.", repo.imagetagsimmutable)
+}
@@ -0,0 +1,18 @@
+package builtin.aws.ecr.aws0031_test
+
+import rego.v1
+
+import data.builtin.aws.ecr.aws0031 as check
+import data.lib.test
+
+test_allow_immutable_repository if {
+	inp := {"aws": {"ecr": {"repositories": [{"imagetagsimmutable": {"value": true}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_immutable_repository if {
+	inp := {"aws": {"ecr": {"repositories": [{"imagetagsimmutable": {"value": false}}]}}}
+
+	test.assert_equal_message("Repository tags are mutable.", check.deny) with input as inp
+}
@@ -39,7 +39,8 @@ var CheckNoPublicAccess = rules.Register(
 			Links:               cloudFormationNoPublicAccessLinks,
 			RemediationMarkdown: cloudFormationNoPublicAccessRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, repo := range s.AWS.ECR.Repositories {