aquasecurity · simar7 · Aug 26, 2024 · Aug 26, 2024 · Aug 26, 2024
@@ -1,8 +1,9 @@
 
 Cloudwatch Container Insights provide more metrics and logs for container based applications and micro services.
 
+
 ### Impact
-Not all metrics and logs may be gathered for containers when Container Insights isn't enabled
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 ECS task definitions that have volumes using EFS configuration should explicitly enable in transit encryption to prevent the risk of data loss due to interception.
 
+
 ### Impact
-Intercepted traffic to and from EFS may lead to data loss
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 You should not make secrets available to a user in plaintext in any scenario. Secrets can instead be pulled from a secure secret storage system by the service requiring them.
 
+
 ### Impact
-Sensitive data could be exposed in the AWS Management Console
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation
 
+
 ### Impact
-Without audit logging it is difficult to trace activity in the MQ broker
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation
 
+
 ### Impact
-Without logging it is difficult to trace issues
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Public access of the MQ broker should be disabled and only allow routes to applications that require access.
 
+
 ### Impact
-Publicly accessible MQ Broker may be vulnerable to compromise
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Encryption should be forced for Kafka clusters, including for communication between nodes. This ensure sensitive data is kept private.
 
+
 ### Impact
-Intercepted data can be read in transit
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Managed streaming for Kafka can log to Cloud Watch, Kinesis Firehose and S3, at least one of these locations should be logged to
 
+
 ### Impact
-Without logging it is difficult to trace issues
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Encryption should be forced for Kafka clusters, including at rest. This ensures sensitive data is kept private.
 
+
 ### Impact
-Intercepted data can be read at rest
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Neptune does not have auditing by default. To ensure that you are able to accurately audit the usage of your Neptune instance you should enable export logs.
 
+
 ### Impact
-Limited visibility of audit trail for changes to Neptune
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Encryption of Neptune storage ensures that if their is compromise of the disks, the data is still protected.
 
+
 ### Impact
-Unencrypted sensitive data is vulnerable to compromise.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 Encryption using AWS keys provides protection for your Neptune underlying storage. To increase control of the encryption and manage factors like rotation use customer managed keys.
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,8 +1,9 @@
 
 RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.
 
+
 ### Impact
-Potential loss of data and short opportunity for recovery
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
 Amazon RDS uses the AWS managed key for your new DB instance. For complete control over KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, and rotating their cryptographic material, use a customer managed keys.
-
 The encryption key specified in `performance_insights_kms_key_id` references a KMS ARN
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
-Encryption should be enabled for an RDS Aurora cluster. 
-
+Encryption should be enabled for an RDS Aurora cluster.
 When enabling encryption by setting the kms_key_id, the storage_encrypted must also be set to true.
 
+
 ### Impact
-Data can be read from the RDS cluster if it is compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
-Encryption should be enabled for an RDS Database instances. 
-
+Encryption should be enabled for an RDS Database instances.
 When enabling encryption by setting the kms_key_id.
 
+
 ### Impact
-Data can be read from RDS instances if compromised
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -1,10 +1,10 @@
 
 Enabling Performance insights allows for greater depth in monitoring data.
-
 For example, information about active sessions could help diagose a compromise or assist in the investigation
 
+
 ### Impact
-Without adequate monitoring, performance related issues may go unreported and potentially lead to compromise.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

@@ -33,7 +33,8 @@ var CheckEnableContainerInsight = rules.Register(
 			Links:               cloudFormationEnableContainerInsightLinks,
 			RemediationMarkdown: cloudFormationEnableContainerInsightRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, cluster := range s.AWS.ECS.Clusters {

@@ -0,0 +1,43 @@
+# METADATA
+# title: ECS clusters should have container insights enabled
+# description: |
+#   Cloudwatch Container Insights provide more metrics and logs for container based applications and micro services.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ContainerInsights.html
+# custom:
+#   id: AVD-AWS-0034
+#   avd_id: AVD-AWS-0034
+#   provider: aws
+#   service: ecs
+#   severity: LOW
+#   short_code: enable-container-insight
+#   recommended_action: Enable Container Insights
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: ecs
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_cluster#setting
+#     good_examples: checks/cloud/aws/ecs/enable_container_insight.tf.go
+#     bad_examples: checks/cloud/aws/ecs/enable_container_insight.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/ecs/enable_container_insight.cf.go
+#     bad_examples: checks/cloud/aws/ecs/enable_container_insight.cf.go
+package builtin.aws.ecs.aws0034
+
+import rego.v1
+
+deny contains res if {
+	some cluster in input.aws.ecs.clusters
+	cluster.settings.containerinsightsenabled.value == false
+	res := result.new(
+		"Cluster does not have container insights enabled.",
+		cluster.settings.containerinsightsenabled,
+	)
+}
@@ -0,0 +1,18 @@
+package builtin.aws.ecs.aws0034_test
+
+import rego.v1
+
+import data.builtin.aws.ecs.aws0034 as check
+import data.lib.test
+
+test_allow_cluster_with_container_insights if {
+	inp := {"aws": {"ecs": {"clusters": [{"settings": {"containerinsightsenabled": {"value": true}}}]}}}
+
+	test.assert_empty(check.deny) with input as inp
+}
+
+test_deny_cluster_without_container_insights if {
+	inp := {"aws": {"ecs": {"clusters": [{"settings": {"containerinsightsenabled": {"value": false}}}]}}}
+
+	test.assert_equal_message("Cluster does not have container insights enabled.", check.deny) with input as inp
+}
@@ -34,7 +34,8 @@ var CheckEnableInTransitEncryption = rules.Register(
 			Links:               cloudFormationEnableInTransitEncryptionLinks,
 			RemediationMarkdown: cloudFormationEnableInTransitEncryptionRemediationMarkdown,
 		},
-		Severity: severity.High,
+		Severity:   severity.High,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, definition := range s.AWS.ECS.TaskDefinitions {

@@ -0,0 +1,45 @@
+# METADATA
+# title: ECS Task Definitions with EFS volumes should use in-transit encryption
+# description: |
+#   ECS task definitions that have volumes using EFS configuration should explicitly enable in transit encryption to prevent the risk of data loss due to interception.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://docs.aws.amazon.com/AmazonECS/latest/userguide/efs-volumes.html
+#   - https://docs.aws.amazon.com/efs/latest/ug/encryption-in-transit.html
+# custom:
+#   id: AVD-AWS-0035
+#   avd_id: AVD-AWS-0035
+#   provider: aws
+#   service: ecs
+#   severity: HIGH
+#   short_code: enable-in-transit-encryption
+#   recommended_action: Enable in transit encryption when using efs
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: ecs
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecs_task_definition#transit_encryption
+#     good_examples: checks/cloud/aws/ecs/enable_in_transit_encryption.tf.go
+#     bad_examples: checks/cloud/aws/ecs/enable_in_transit_encryption.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/ecs/enable_in_transit_encryption.cf.go
+#     bad_examples: checks/cloud/aws/ecs/enable_in_transit_encryption.cf.go
+package builtin.aws.ecs.aws0035
+
+import rego.v1
+
+deny contains res if {
+	some task_definition in input.aws.ecs.taskdefinitions
+	some volume in task_definition.volumes
+	volume.efsvolumeconfiguration.transitencryptionenabled.value == false
+	res := result.new(
+		"Task definition includes a volume which does not have in-transit-encryption enabled.",
+		volume.efsvolumeconfiguration.transitencryptionenabled,
+	)
+}