Merge pull request #152 from anusha94/tf-config-chart-update

Update AWS S3 and ECS tf config charts

charts/best-practices-ecs-tf-config/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: best-practices-ecs-tf-config
 description: Best practices ECS terraform config policy set
 type: application
-version: 0.1.0
-appVersion: 0.1.0
+version: 0.1.1
+appVersion: 0.1.1
 keywords:
   - kubernetes
   - nirmata

charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml

@@ -18,15 +18,11 @@ spec:
     - name: check-awsvpc-network-mode
       match:
         all:
-        - ($analyzer):
-            resource:
-              type: terraform-config
-        - (resource.aws_ecs_task_definition && length(resource.aws_ecs_task_definition) > `0`): true
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_ecs_task_definition != null): true
       assert:
         all:
         - message: ECS services and tasks are required to use awsvpc network mode.
           check:
-            resource:
-              ~.(aws_ecs_task_definition):
-                ~.(@):
-                  network_mode: awsvpc
+            ~.(resource.aws_ecs_task_definition.values(@)[]):
+                network_mode: awsvpc

charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml

@@ -11,19 +11,16 @@ metadata:
       insights enabled.
 spec:
   rules:
-    - name: container-insights
+    - name: validate-ecs-container-insights-enabled
       match:
         all:
-        - ($analyzer):
-            resource:
-              type: terraform-config
-        - (resource.aws_ecs_cluster && length(resource.aws_ecs_cluster) > `0`): true
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_ecs_cluster != null): true
       assert:
         all:
         - message: ECS container insights are not enabled
           check:
-            resource:
-              ~.(aws_ecs_cluster):
-                ~.(@):
-                  (setting[?name == 'containerInsights']):
-                    - value: enabled
+            ~.(resource.aws_ecs_cluster.values(@)[]):
+                ~.(setting || `[{}]`):
+                    value: enabled
+

charts/best-practices-ecs-tf-config/pols/validate-ecs-task-definition-pid-mode-check.yaml

@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-pid-mode-check
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS task definition PID mode check
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that ECS task definitions do not share the host's process namespace
+spec:
+  rules:
+    - name: validate-ecs-task-definition-pid-mode-check
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_ecs_task_definition != null): true
+      assert:
+        all:
+        - message: ECS task definitions shares the host's process namespace
+          check:
+            ~.(resource.aws_ecs_task_definition.values(@)[]):
+                (pid_mode || 'task'): task

charts/best-practices-ecs-tf-config/pols/validate-ecs-task-public-ip.yaml

@@ -0,0 +1,28 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-public-ip
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Public IP
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      ECS tasks with public IP address enabled, are easily reachable from the internet. 
+      This policy validates whether public IP address is enabled on the ECS task
+spec:
+  rules:
+    - name: validate-ecs-task-public-ip
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_ecs_service != null): true
+      assert:
+        any:
+        - message: Public IP address should not be enabled
+          check:
+            ~.(resource.aws_ecs_service.values(@)[]):
+                ~.(network_configuration[?assign_public_ip] || `[]`):
+                    assign_public_ip: false
+

charts/best-practices-ecs-tf-config/pols/validate-efs-volume-encryption.yaml

@@ -0,0 +1,28 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-public-ip
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Public IP
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      ECS tasks with public IP address enabled, are easily reachable from the internet. 
+      This policy validates whether public IP address is enabled on the ECS task
+spec:
+  rules:
+    - name: validate-ecs-task-public-ip
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_ecs_service != null): true
+      assert:
+        any:
+        - message: Public IP address should not be enabled
+          check:
+            ~.(resource.aws_ecs_service.values(@)[]):
+                ~.(network_configuration[?assign_public_ip] || `[]`):
+                    assign_public_ip: false
+

charts/best-practices-s3-tf-config/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: best-practices-s3-tf-config
 description: Best practices S3 terraform-config
 type: application
-version: 0.1.0
-appVersion: 0.1.0
+version: 0.1.1
+appVersion: 0.1.1
 keywords:
   - kubernetes
   - nirmata

charts/best-practices-s3-tf-config/pols/abort-incomplete-uploads.yaml

@@ -0,0 +1,28 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-public-ip
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Public IP
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      ECS tasks with public IP address enabled, are easily reachable from the internet. 
+      This policy validates whether public IP address is enabled on the ECS task
+spec:
+  rules:
+    - name: validate-ecs-task-public-ip
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_ecs_service != null): true
+      assert:
+        any:
+        - message: Public IP address should not be enabled
+          check:
+            ~.(resource.aws_ecs_service.values(@)[]):
+                ~.(network_configuration[?assign_public_ip] || `[]`):
+                    assign_public_ip: false
+

charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml

@@ -18,13 +18,13 @@ spec:
     - name: disable-s3-access-control-list
       match:
         all:
-        - ($analyzer):
-            resource:
-              type: terraform-config
-        - (planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls' || type=='aws_s3_bucket'] | length(@) > `0`): true
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_s3_bucket_ownership_controls != null): true
       assert:
         all:
         - message: Access Control List(ACL) should be disabled for an S3 Bucket
           check:
-            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls'].values.rule[]):
-                  object_ownership: BucketOwnerEnforced 
+            ~.(resource.aws_s3_bucket_ownership_controls.values(@)[]):
+              ~.(rule):
+                  object_ownership: BucketOwnerEnforced 
+

charts/best-practices-s3-tf-config/pols/enable-aws-cloudtrail.yaml

@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: enable-aws-cloudtrail
+  annotations:
+    policies.kyverno.io/title: enable-aws-cloudtrail
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      CloudTrail stores Amazon S3 data event logs in an S3 bucket of your choosing.
+      Consider using a bucket in a separate AWS account to better organize events from 
+      multiple buckets that you might own into a central place for easier querying and
+      analysis. AWS Organizations helps you create an AWS account that is linked to 
+      the account that owns the bucket that you're monitoring.
+spec:
+  rules:
+    - name: check-aws-cloudtrail-logging
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_cloudtrail != null): true
+      assert:
+        all:
+        - message: Set the enable_logging argument in aws_cloudtrail resource to true
+          check:
+            ~.(resource.aws_cloudtrail.values(@)[]):
+              (!contains(keys(@), 'enable_logging') || enable_logging == `true`): true

charts/best-practices-s3-tf-config/pols/enable-kms-encryption.yaml

@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: s3-enable-kms-encryption
+  annotations:
+    policies.kyverno.io/title: s3-enable-kms-encryption 
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      All Amazon S3 buckets have encryption configured by default,
+      and all new objects that are uploaded to an S3 bucket are automatically 
+      encrypted at rest. Server-side encryption with Amazon S3 managed keys (SSE-S3) 
+      is the default encryption configuration for every bucket in Amazon S3. To use a
+      different type of encryption, you can either specify the type of server-side encryption
+      to use in your S3 PUT requests, or you can set the default encryption configuration in 
+      the destination bucket.
+spec:
+  rules:
+    - name: check-encryption-setting
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_s3_bucket_server_side_encryption_configuration != null): true
+      assert:
+        all:
+        - message: S3 server side encryption is not set to KMS
+          check:
+            ~.(resource.aws_s3_bucket_server_side_encryption_configuration.values(@)[]):
+                ~.(rule):
+                    ~.(apply_server_side_encryption_by_default || `[{}]`):
+                        (sse_algorithm == 'aws:kms'): true
+

charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml

@@ -15,16 +15,13 @@ spec:
     - name: check-s3-lifecycle-configuration
       match:
         all:
-        - ($analyzer):
-            resource:
-              type: terraform-config
-        - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+        - ($analyzer.resource.type): terraform-config
+        - (resource.aws_s3_bucket_lifecycle_configuration != null): true
       assert:
         all:
-        - message: Use the `aws_s3_bucket_lifecycle_configuration` resource to enable lifecycle configuration.
-          check:
-            (planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration'] | length(@) > `0`): true
         - message: S3 Bucket Lifecycle Configuration 'status' needs to be set to 'Enabled'
           check:
-            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']):
-              (values.rule[?status=='Enabled'] | length(@) > `0`): true
+            ~.(resource.aws_s3_bucket_lifecycle_configuration.values(@)[]):
+                ~.(rule):
+                    status: Enabled
+

terraform/config/s3-best-practices/enable-aws-cloudtrail/enable-aws-cloudtrail.yaml

@@ -25,4 +25,3 @@ spec:
           check:
             ~.(resource.aws_cloudtrail.values(@)[]):
               (!contains(keys(@), 'enable_logging') || enable_logging == `true`): true
-