Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(cis): add subsections if needed #6559

Merged
merged 2 commits into from
Jan 16, 2025
Merged

fix(cis): add subsections if needed #6559

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9da0e54
fix(cis): add subsections if needed
pedrooot Jan 16, 2025
a7440d7
feat(compliance): add remaining changes for cis azure
pedrooot Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 14 additions & 7 deletions prowler/compliance/aws/cis_1.4_aws.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -455,7 +455,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Automated",
"Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
Expand All @@ -476,7 +477,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Automated",
"Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
Expand All @@ -497,7 +499,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
Expand All @@ -518,7 +521,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Manual",
"Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
Expand All @@ -540,7 +544,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
Expand All @@ -561,7 +566,8 @@
],
"Attributes": [
{
"Section": "2.2. Elastic Compute Cloud (EC2)",
"Section": "2. Storage",
"SubSection": "2.2. Elastic Compute Cloud (EC2)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
Expand All @@ -582,7 +588,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
Expand Down
30 changes: 20 additions & 10 deletions prowler/compliance/aws/cis_1.5_aws.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -455,7 +455,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Automated",
"Description": "Amazon S3 provides a variety of no, or low, cost encryption options to protect data at rest.",
Expand All @@ -476,7 +477,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Automated",
"Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
Expand All @@ -497,7 +499,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
Expand All @@ -518,7 +521,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Manual",
"Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
Expand All @@ -540,7 +544,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
Expand All @@ -561,7 +566,8 @@
],
"Attributes": [
{
"Section": "2.2. Elastic Compute Cloud (EC2)",
"Section": "2. Storage",
"SubSection": "2.2. Elastic Compute Cloud (EC2)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
Expand All @@ -582,7 +588,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
Expand All @@ -603,7 +610,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
Expand All @@ -624,7 +632,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
Expand All @@ -645,7 +654,8 @@
],
"Attributes": [
{
"Section": "2.4 Elastic File System (EFS)",
"Section": "2. Storage",
"SubSection": "2.4 Elastic File System (EFS)",
"Profile": "Level 1",
"AssessmentStatus": "Manual",
"Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
Expand Down
27 changes: 18 additions & 9 deletions prowler/compliance/aws/cis_2.0_aws.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -474,7 +474,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Automated",
"Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
Expand All @@ -495,7 +496,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
Expand All @@ -516,7 +518,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Manual",
"Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
Expand All @@ -538,7 +541,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
Expand All @@ -559,7 +563,8 @@
],
"Attributes": [
{
"Section": "2.2. Elastic Compute Cloud (EC2)",
"Section": "2. Storage",
"SubSection": "2.2. Elastic Compute Cloud (EC2)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
Expand All @@ -580,7 +585,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
Expand All @@ -601,7 +607,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
Expand All @@ -622,7 +629,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to any publicly accessible RDS database instance, you must disable the database Publicly Accessible flag and update the VPC security group associated with the instance.",
Expand All @@ -643,7 +651,8 @@
],
"Attributes": [
{
"Section": "2.4 Elastic File System (EFS)",
"Section": "2. Storage",
"SubSection": "2.4 Elastic File System (EFS)",
"Profile": "Level 1",
"AssessmentStatus": "Manual",
"Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
Expand Down
27 changes: 18 additions & 9 deletions prowler/compliance/aws/cis_3.0_aws.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -474,7 +474,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Automated",
"Description": "At the Amazon S3 bucket level, you can configure permissions through a bucket policy making the objects accessible only through HTTPS.",
Expand All @@ -495,7 +496,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication.",
Expand All @@ -516,7 +518,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 2",
"AssessmentStatus": "Manual",
"Description": "Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an inventory of Amazon S3 buckets.",
Expand All @@ -538,7 +541,8 @@
],
"Attributes": [
{
"Section": "2.1. Simple Storage Service (S3)",
"Section": "2. Storage",
"SubSection": "2.1. Simple Storage Service (S3)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon S3 provides `Block public access (bucket settings)` and `Block public access (account settings)` to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, `Block public access (bucket settings)` prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, `Block public access (account settings)` prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.",
Expand All @@ -559,7 +563,8 @@
],
"Attributes": [
{
"Section": "2.2. Elastic Compute Cloud (EC2)",
"Section": "2. Storage",
"SubSection": "2.2. Elastic Compute Cloud (EC2)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported.",
Expand All @@ -580,7 +585,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS DB instances. After your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance.",
Expand All @@ -601,7 +607,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Ensure that RDS database instances have the Auto Minor Version Upgrade flag enabled in order to receive automatically minor engine upgrades during the specified maintenance window. So, RDS instances can get the new features, bug fixes, and security patches for their database engines.",
Expand All @@ -622,7 +629,8 @@
],
"Attributes": [
{
"Section": "2.3. Relational Database Service (RDS)",
"Section": "2. Storage",
"SubSection": "2.3. Relational Database Service (RDS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "Ensure and verify that RDS database instances provisioned in your AWS account do restrict unauthorized access in order to minimize security risks. To restrict access to anypublicly accessible RDS database instance, you must disable the database PubliclyAccessible flag and update the VPC security group associated with the instance",
Expand All @@ -643,7 +651,8 @@
],
"Attributes": [
{
"Section": "2.4 Elastic File System (EFS)",
"Section": "2. Storage",
"SubSection": "2.4 Elastic File System (EFS)",
"Profile": "Level 1",
"AssessmentStatus": "Automated",
"Description": "EFS data should be encrypted at rest using AWS KMS (Key Management Service).",
Expand Down
Loading
Loading