From afb7ec5d9d41d0c9e14765ba85ae6d02bc0ecc1e Mon Sep 17 00:00:00 2001
From: harkirat22
Date: Sat, 30 Jan 2021 14:50:04 +1100
Subject: [PATCH] new set of policies for EC2 instance
---
 .../aws/aws_instance/AC-AW-IA-IN-H-0442.json | 12 ++++++
 .../aws/aws_instance/AC-AW-IS-IN-H-0443.json | 12 ++++++
 .../aws/aws_instance/AC-AWS-NS-IN-M-1172.json | 4 +-
 .../instanceExposedToInternet.rego | 35 +++++++++++++++++
 .../overlyPermissiveInstance.rego | 39 +++++++++++++++++++
 5 files changed, 100 insertions(+), 2 deletions(-)
 create mode 100644 pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
 create mode 100644 pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
 create mode 100644 pkg/policies/opa/rego/aws/aws_instance/instanceExposedToInternet.rego
 create mode 100644 pkg/policies/opa/rego/aws/aws_instance/overlyPermissiveInstance.rego
diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
new file mode 100644
index 000000000..868cd822b
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IA-IN-H-0442.json
@@ -0,0 +1,12 @@
+{
+ "name": "overlyPermissiveInstance",
+ "file": "overlyPermissiveInstance.rego",
+ "template_args": {
+ "prefix": ""
+ },
+ "severity": "HIGH",
+ "description": "Ensure that instance launched follows the least privilege principle as this can be related to delivery-exploitation-Installation phases of kill chain",
+ "reference_id": "AC-AW-IA-LC-H-0442",
+ "category": "Identity and Access Management",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
new file mode 100644
index 000000000..02c05b388
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AW-IS-IN-H-0443.json
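Review bot: `"reference_id": "AC-AW-IA-LC-H-0442"` does not match the file name `AC-AW-IA-IN-H-0442.json` or the `aws_instance` directory this policy lives in; the `LC` segment reads as copied from a launch-configuration policy, and because reference_id is the identifier scan output carries, instance findings would be reported under a launch-config ID. It should be `"reference_id": "AC-AW-IA-IN-H-0442"`. The description names kill-chain phases but not the condition being evaluated; a sentence such as `Instance profile role has an attached policy that allows Action "*" or "service:*" on Resource "*"` would make the finding actionable for whoever has to fix it. The file is also committed without a trailing newline.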
@@ -0,0 +1,12 @@
+{
+ "name": "instanceExposedToInternet",
+ "file": "instanceExposedToInternet.rego",
+ "template_args": {
+ "prefix": ""
+ },
+ "severity": "HIGH",
+ "description": "Security group attached to launch configuration is wide open to internet and this can be related to reconnaissance phase",
+ "reference_id": "AC-AW-IS-LC-H-0443",
+ "category": "Infrastructure Security",
+ "version": 1
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json b/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json
index cafa390a5..0a0b86936 100644
--- a/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json
+++ b/pkg/policies/opa/rego/aws/aws_instance/AC-AWS-NS-IN-M-1172.json
@@ -3,8 +3,8 @@
 "file": "ec2UsingIMDSv1.rego",
 "template_args": null,
 "severity": "MEDIUM",
- "description": "EC2 instances should disable IMDS or require IMDSv2",
+ "description": "EC2 instances should disable IMDS or require IMDSv2 as this can be related to the weaponization phase of kill chain",
 "reference_id": "AC-AWS-NS-IN-M-1172",
 "category": "Network Security",
 "version": 1
-}
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_instance/instanceExposedToInternet.rego b/pkg/policies/opa/rego/aws/aws_instance/instanceExposedToInternet.rego
new file mode 100644
index 000000000..80ec8bbb7
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_instance/instanceExposedToInternet.rego
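Review bot: The description says `Security group attached to launch configuration`, but this policy sits under `aws_instance` and its rego iterates `input.aws_instance`, so the text describes a different resource than the one it reports on; `"reference_id": "AC-AW-IS-LC-H-0443"` likewise carries an `LC` segment while the file is named `AC-AW-IS-IN-H-0443.json`. Suggested lines: `"description": "Security group attached to the EC2 instance allows ingress from 0.0.0.0/0 and the instance's subnet has a route through a gateway"` and `"reference_id": "AC-AW-IS-IN-H-0443"`. The file is also committed without a trailing newline.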
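Review bot: The added phrase maps IMDSv1 to the `weaponization phase`, but weaponization is the attacker-side payload-preparation step; a token-less IMDS is abused after the attacker already has a request primitive on the host (typically SSRF) to read instance-role credentials, which is exploitation / credential theft, not weaponization. A more accurate and more useful text would be `"description": "EC2 instances should disable IMDS or require IMDSv2; IMDSv1 lets an SSRF or local foothold read instance-role credentials (exploitation / actions-on-objectives)"`. This hunk also strips the file's trailing newline, which is unrelated to the change.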
@@ -0,0 +1,35 @@
+package accurics
+
+instanceExposedToInternet[ins.id] {
+ ins = input.aws_instance[_]
+ sec_groups := [ sg | sg := split(ins.config.vpc_security_group_ids[_], ".")[1] ]
+ sec_group := sec_groups[_]
+ checkSecurityGroupWideOpen(sec_group)
+
+ sub = ins.config.subnet_id
+ route_table_association = input.aws_route_table_association[_]
+ route_table_association.config.subnet_id == sub
+ route_table := split(route_table_association.config.route_table_id, ".")[1]
+ checkRouteInternet(ins, route_table)
+}
+
+checkSecurityGroupWideOpen(sgName) {
+ security_group := input.aws_security_group[_]
+ sgName == security_group.name
+
+ some i
+ ingress = security_group.config.ingress[i]
+
+ # Checks if the cidr block is not a private IP
+ ingress.cidr_blocks[_] == "0.0.0.0/0"
+
+ ports_open = (ingress.to_port - ingress.from_port)
+ ports_open > 0
+}
+
+checkRouteInternet(instance, arg) {
+ rt = input.aws_route_table[_]
+ rt.name == arg
+ routes = rt.config.route[_]
+ routes.gateway_id != ""
+}
\ No newline at end of file
diff --git a/pkg/policies/opa/rego/aws/aws_instance/overlyPermissiveInstance.rego b/pkg/policies/opa/rego/aws/aws_instance/overlyPermissiveInstance.rego
new file mode 100644
index 000000000..db3c53148
--- /dev/null
+++ b/pkg/policies/opa/rego/aws/aws_instance/overlyPermissiveInstance.rego
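Review bot: `ports_open > 0` at the end of checkSecurityGroupWideOpen skips the most common dangerous rule — a single port such as 22/22 or 3389/3389 opened to 0.0.0.0/0, where `to_port - from_port` is 0 — and also the all-traffic rule `from_port = 0, to_port = 0, protocol = "-1"`. The CIDR match on the line above is already the exposure test, so either delete the two `ports_open` lines or change the comparison to `ports_open >= 0`. The comment `# Checks if the cidr block is not a private IP` overstates the check: only the literal `0.0.0.0/0` is matched, so `::/0` in `ipv6_cidr_blocks` and near-global ranges like `0.0.0.0/1` pass silently; `# flags only an ingress rule with the literal 0.0.0.0/0 CIDR; ::/0 and near-global ranges are not covered` would be accurate. checkRouteInternet treats any non-empty `gateway_id` (an igw- or a vgw- reference alike) as an internet route and only looks at inline `route` blocks, so a table built from separate aws_route resources is never flagged; confirm that scope is intended. Nothing consults `associate_public_ip_address` or the subnet's `map_public_ip_on_launch`, so an instance with only a private address in a public subnet is reported too — acceptable as a conservative check, but worth stating in the description.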
@@ -0,0 +1,39 @@
+
+package accurics
+
+overlyPermissiveInstance[res.id] {
+ res = input.aws_instance[_]
+ ins_profile_name := split(res.config.iam_instance_profile, ".")[1]
+ iam_instance_profile := input.aws_iam_instance_profile[_]
+ ins_profile_name == iam_instance_profile.name
+
+ role_name := split(iam_instance_profile.config.role, ".")[1]
+ role_policy_attachment := input.aws_iam_role_policy_attachment[_]
+ role_name == split(role_policy_attachment.config.role, ".")[1]
+ policy_name := split(role_policy_attachment.config.policy_arn, ".")[1]
+
+ iam_policy := input.aws_iam_policy[_]
+ policy_name == iam_policy.name
+ policy := json_unmarshal(iam_policy.config.policy)
+ statement = policy.Statement[_]
+ ac := statement.Action[_]
+ action := split(ac, ":")[0]
+ policyCheck(statement, "*", "Allow", "*")
+}
+
+json_unmarshal(s) = result {
+ s != null
+ result := json.unmarshal(s)
+}
+
+policyCheck(s, a, e ,r) {
+ split(s.Action[_], ":")[1] == a
+ s.Effect == e
+ s.Resource == r
+}
+
+policyCheck(s, a, e ,r) {
+ s.Action[_] == a
+ s.Effect == e
+ s.Resource == r
+}
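Review bot: `ac := statement.Action[_]` and `action := split(ac, ":")[0]` in overlyPermissiveInstance are never used, and because `[_]` over a string is undefined they make the whole rule fail for the string form `"Action": "*"` — the most common admin-policy shape this check exists to catch; `s.Resource == r` in both policyCheck variants likewise misses `"Resource": ["*"]`. Dropping the two dead lines and normalising Action and Resource to lists before comparing fixes both, as sketched below. Separately, `split(role_policy_attachment.config.policy_arn, ".")[1]` is undefined for a literal AWS-managed ARN such as `arn:aws:iam::aws:policy/AdministratorAccess` (no `.` in it), so the simplest overly permissive profile is silently not reported, and inline `aws_iam_role_policy` resources are not examined at all; if that scope is deliberate, a header comment like `# Only customer-managed aws_iam_policy attached via aws_iam_role_policy_attachment is evaluated; AWS-managed ARNs and inline role policies are out of scope` should say so.
```rego
overlyPermissiveInstance[res.id] {
    # … unchanged: instance profile -> role -> policy attachment -> aws_iam_policy lookup …
    policy := json_unmarshal(iam_policy.config.policy)
    statement = policy.Statement[_]
    policyCheck(statement, "*", "Allow", "*")
}

# … unchanged: json_unmarshal …

# IAM accepts a bare string or a list for Action and Resource; compare on the list form.
as_list(x) = x { is_array(x) }
as_list(x) = [x] { is_string(x) }

# "*" itself, or a service-wide "service:*".
action_matches(action, a) { action == a }
action_matches(action, a) { split(action, ":")[1] == a }

policyCheck(s, a, e, r) {
    action_matches(as_list(s.Action)[_], a)
    s.Effect == e
    as_list(s.Resource)[_] == r
}
```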