Merge branch 'main' into fix/root-modules

avd_docs/aws/accessanalyzer/AVD-AWS-0175/docs.md

@@ -0,0 +1,21 @@
+
+
+AWS IAM Access Analyzer helps you identify the resources in your organization and
+accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.
+This lets you identify unintended access to your resources and data. Access Analyzer
+identifies resources that are shared with external principals by using logic-based reasoning
+to analyze the resource-based policies in your AWS environment. IAM Access Analyzer
+continuously monitors all policies for S3 bucket, IAM roles, KMS(Key Management Service)
+keys, AWS Lambda functions, and Amazon SQS(Simple Queue Service) queues.
+
+
+### Impact
+Reduced visibility of externally shared resources.
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
+
+

avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md

@@ -0,0 +1,21 @@
+
+Enable logging for API Gateway stages
+
+```yaml---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Good Example of ApiGateway
+Resources:
+ GoodApi:
+ Type: AWS::ApiGatewayV2::Api
+ GoodApiStage:
+ Type: AWS::ApiGatewayV2::Stage
+ Properties:
+ AccessLogSettings:
+ DestinationArn: gateway-logging
+ Format: json
+ ApiId: !Ref GoodApi
+ StageName: GoodApiStage
+
+```
+
+

avd_docs/aws/apigateway/AVD-AWS-0001/Terraform.md

@@ -0,0 +1,30 @@
+
+Enable logging for API Gateway stages
+
+```hcl
+ resource "aws_apigatewayv2_stage" "good_example" {
+ api_id = aws_apigatewayv2_api.example.id
+ name = "example-stage"
+ 
+ access_log_settings {
+ destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+ format = "json"
+ }
+ }
+ 
+ resource "aws_api_gateway_stage" "good_example" {
+ deployment_id = aws_api_gateway_deployment.example.id
+ rest_api_id = aws_api_gateway_rest_api.example.id
+ stage_name = "example"
+ 
+ access_log_settings {
+ destination_arn = "arn:aws:logs:region:0123456789:log-group:access_logging"
+ format = "json"
+ }
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apigatewayv2_stage#access_log_settings
+

avd_docs/aws/apigateway/AVD-AWS-0001/docs.md

@@ -0,0 +1,13 @@
+
+API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.
+
+### Impact
+Logging provides vital information about access and usage
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/apigateway/latest/developerguide/set-up-logging.html
+
+

avd_docs/aws/apigateway/AVD-AWS-0002/Terraform.md

@@ -0,0 +1,30 @@
+
+Enable cache encryption
+
+```hcl
+ resource "aws_api_gateway_rest_api" "example" {
+ 
+ }
+
+ resource "aws_api_gateway_stage" "example" {
+
+ }
+
+ resource "aws_api_gateway_method_settings" "good_example" {
+ rest_api_id = aws_api_gateway_rest_api.example.id
+ stage_name = aws_api_gateway_stage.example.stage_name
+ method_path = "path1/GET"
+ 
+ settings {
+ metrics_enabled = true
+ logging_level = "INFO"
+ caching_enabled = true
+ cache_data_encrypted = true
+ }
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_data_encrypted
+

avd_docs/aws/apigateway/AVD-AWS-0002/docs.md

@@ -0,0 +1,10 @@
+
+Method cache encryption ensures that any sensitive data in the cache is not vulnerable to compromise in the event of interception
+
+### Impact
+Data stored in the cache that is unencrypted may be vulnerable to compromise
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

avd_docs/aws/apigateway/AVD-AWS-0003/Terraform.md

@@ -0,0 +1,20 @@
+
+Enable tracing
+
+```hcl
+ resource "aws_api_gateway_rest_api" "test" {
+ 
+ }
+
+ resource "aws_api_gateway_stage" "good_example" {
+ stage_name = "prod"
+ rest_api_id = aws_api_gateway_rest_api.test.id
+ deployment_id = aws_api_gateway_deployment.test.id
+ xray_tracing_enabled = true
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_stage#xray_tracing_enabled
+

avd_docs/aws/apigateway/AVD-AWS-0003/docs.md

@@ -0,0 +1,10 @@
+
+X-Ray tracing enables end-to-end debugging and analysis of all API Gateway HTTP requests.
+
+### Impact
+Without full tracing enabled it is difficult to trace the flow of logs
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

avd_docs/aws/apigateway/AVD-AWS-0004/Terraform.md

@@ -0,0 +1,59 @@
+
+Use and authorization method or require API Key
+
+```hcl
+ resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+ 
+ }
+
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+ rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
+ resource "aws_api_gateway_method" "good_example" {
+ rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+ resource_id = aws_api_gateway_resource.MyDemoResource.id
+ http_method = "GET"
+ authorization = "AWS_IAM"
+ }
+ 
+```
+```hcl
+ resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+ 
+ }
+
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+ rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
+ resource "aws_api_gateway_method" "good_example" {
+ rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+ resource_id = aws_api_gateway_resource.MyDemoResource.id
+ http_method = "GET"
+ authorization = "NONE"
+ api_key_required = true
+ }
+ 
+```
+```hcl
+ resource "aws_api_gateway_rest_api" "MyDemoAPI" {
+ 
+ }
+
+ resource "aws_api_gateway_resource" "MyDemoResource" {
+ rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+ }
+
+ resource "aws_api_gateway_method" "good_example" {
+ rest_api_id = aws_api_gateway_rest_api.MyDemoAPI.id
+ resource_id = aws_api_gateway_resource.MyDemoResource.id
+ http_method = "OPTION"
+ authorization = "NONE"
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method#authorization
+

avd_docs/aws/apigateway/AVD-AWS-0004/docs.md

@@ -0,0 +1,10 @@
+
+API Gateway methods should generally be protected by authorization or api key. OPTION verb calls can be used without authorization
+
+### Impact
+API gateway methods can be accessed without authorization.
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+

avd_docs/aws/apigateway/AVD-AWS-0005/Terraform.md

@@ -0,0 +1,13 @@
+
+Use the most modern TLS/SSL policies available
+
+```hcl
+ resource "aws_api_gateway_domain_name" "good_example" {
+ security_policy = "TLS_1_2"
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_domain_name#security_policy
+

avd_docs/aws/apigateway/AVD-AWS-0005/docs.md

@@ -0,0 +1,13 @@
+
+You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
+
+### Impact
+Outdated SSL policies increase exposure to known vulnerabilities
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.html
+
+

avd_docs/aws/apigateway/AVD-AWS-0190/Terraform.md

@@ -0,0 +1,29 @@
+
+Enable cache
+
+```hcl
+ resource "aws_api_gateway_rest_api" "example" {
+ 
+ }
+
+ resource "aws_api_gateway_stage" "example" {
+
+ }
+
+ resource "aws_api_gateway_method_settings" "good_example" {
+ rest_api_id = aws_api_gateway_rest_api.example.id
+ stage_name = aws_api_gateway_stage.example.stage_name
+ method_path = "path1/GET"
+ 
+ settings {
+ metrics_enabled = true
+ logging_level = "INFO"
+ caching_enabled = true
+ }
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_settings#cache_enabled
+

avd_docs/aws/apigateway/AVD-AWS-0190/docs.md

@@ -0,0 +1,13 @@
+
+A REST API in API Gateway is a collection of resources and methods that are integrated with backend HTTP endpoints, Lambda functions, or other AWS services. You can enable API caching in Amazon API Gateway to cache your endpoint responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.
+
+### Impact
+Reduce the number of calls made to your API endpoint and also improve the latency of requests to your API with response caching.
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html
+
+

avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md

@@ -0,0 +1,17 @@
+
+Enable encryption at rest for Athena databases and workgroup configurations
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ Name: goodExample
+ WorkGroupConfiguration:
+ ResultConfiguration:
+ EncryptionConfiguration:
+ EncryptionOption: SSE_KMS
+ Type: AWS::Athena::WorkGroup
+
+```
+
+

avd_docs/aws/athena/AVD-AWS-0006/Terraform.md

@@ -0,0 +1,39 @@
+
+Enable encryption at rest for Athena databases and workgroup configurations
+
+```hcl
+ resource "aws_athena_database" "good_example" {
+ name = "database_name"
+ bucket = aws_s3_bucket.hoge.bucket
+ 
+ encryption_configuration {
+ encryption_option = "SSE_KMS"
+ kms_key_arn = aws_kms_key.example.arn
+ }
+ }
+ 
+ resource "aws_athena_workgroup" "good_example" {
+ name = "example"
+ 
+ configuration {
+ enforce_workgroup_configuration = true
+ publish_cloudwatch_metrics_enabled = true
+ 
+ result_configuration {
+ output_location = "s3://${aws_s3_bucket.example.bucket}/output/"
+ 
+ encryption_configuration {
+ encryption_option = "SSE_KMS"
+ kms_key_arn = aws_kms_key.example.arn
+ }
+ }
+ }
+ }
+ 
+```
+
+#### Remediation Links
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup#encryption_configuration
+
+ - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database#encryption_configuration
+

avd_docs/aws/athena/AVD-AWS-0006/docs.md

@@ -0,0 +1,13 @@
+
+Athena databases and workspace result sets should be encrypted at rests. These databases and query sets are generally derived from data in S3 buckets and should have the same level of at rest protection.
+
+### Impact
+Data can be read if the Athena Database is compromised
+
+<!-- DO NOT CHANGE -->
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/athena/latest/ug/encryption.html
+
+

avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md

@@ -0,0 +1,18 @@
+
+Enforce the configuration to prevent client overrides
+
+```yaml---
+Resources:
+ GoodExample:
+ Properties:
+ Name: goodExample
+ WorkGroupConfiguration:
+ EnforceWorkGroupConfiguration: true
+ ResultConfiguration:
+ EncryptionConfiguration:
+ EncryptionOption: SSE_KMS
+ Type: AWS::Athena::WorkGroup
+
+```
+
+