-
Notifications
You must be signed in to change notification settings - Fork 30
/
inspec.yml
219 lines (186 loc) · 5.48 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
---
name: "aws-foundations-cis-baseline"
title: "aws-foundations-cis-baseline"
maintainer: "MITRE SAF Team"
copyright: "MITRE, 2023"
copyright_email: "saf@groups.mitre.org"
license: "Apache-2.0"
summary: "InSpec Validation Profile for the CIS AWS Foundations Benchmark v2.0"
version: 2.0.5
inspec_version: ">= 4.0"
supports:
- platform: aws
depends:
- name: inspec-aws
# path: ../inspec-aws
git: https://github.com/mitre/inspec-aws.git
branch: al_resource_updates
inputs:
- name: disable_slow_controls
description: "Don't Run Long Running Controls (dev/testing only)"
type: Boolean
value: false
- name: default_aws_region
description: "Primary aws region your resources are deployed."
type: String
value: "us-east-1"
sensitive: true
- name: ignore_other_regions
description: "Ignore all regions except your 'default_aws_region'"
type: Boolean
value: false
- name: exempt_regions
description: "The AWS Regions exempted from inspection"
type: Array
value:
- us-east-2
- us-west-2
- eu-central-1
- eu-west-1
- eu-west-2
- eu-west-3
- eu-north-1
- ap-south-1
- ap-southeast-2
- ap-southeast-1
- sa-east-1
- ca-central-1
- ap-northeast-1
- ap-northeast-2
- ap-northeast-3
- name: exempt_ports
description: "List of ports that you wish to exclude from validation (allow connections from these ports)"
type: Array
value: []
- name: exempt_protocols
description: "List of protocols that you wish to exclude from validation (allow connections over these protocols)"
type: Array
value: []
- name: exempt_kms_keys
description: "List of KMS keys exempted from inspection"
type: Array
value: []
- name: exempt_routes
description: "List of route tables exempted from inspection"
type: Array
value: []
- name: pwd_length
description: "Required password length"
type: Numeric
value: 14
- name: aws_cred_age
description: "The maximum allowed IAM account age"
type: Numeric
value: 90
- name: exempt_vpcs
description: "List of vpcs exempted from inspection"
type: Array
value: []
- name: exempt_buckets
description: "List of buckets exempted from inspection"
type: Array
value:
- "factor-test"
- name: single_bucket
description: "Name of the single bucket you want to be inspected"
type: String
value: ""
- name: exempt_ec2s
description: "List of ec2 exempted from inspection"
type: Array
value: []
- name: exempt_efs
description: "List of efs exempted from inspection"
type: Array
value: []
- name: single_efs
description: "Name of the single EFS you want to be inspected"
type: String
value: ""
- name: exempt_rds
description: "List of RDS DB identifiers exempted from inspection"
type: Array
value: []
- name: single_rds
description: "Name of the single RDS instance you want to be inspected"
type: String
value: ""
- name: skip_stopped_ec2s
description: "Ignore non-running ec2s durning verification"
type: Boolean
value: false
- name: exempt_security_groups
description: "List of security groups exempted from inspection"
type: Array
value: []
- name: exempt_sg_patterns
description: "An array of ruby regex patterns to exempt from evaluation"
type: Array
value: []
- name: service_account_mfa_exceptions
description: "List of service accounts from the MFA requirement"
type: Array
value: []
- name: single_trail
description: "Name of the single CloudTrail you want to be inspected"
type: String
value: ""
- name: exempt_acl_ids
description: "IDs of network ACLs to exempt from evaluation"
type: Array
value: []
- name: remote_management_port_ranges
description: "Port ranges used in the environment for remote access management (can be given as a single integer or as a Ruby range with double-period syntax, ex 1..1024)"
type: Array
value:
- 22
- 3389
- name: remote_management_protocols
description: "Protocols used in the environment for remote access management (note AWS parses '-1' as 'all')"
type: Array
value:
- 6
- 17
- -1
- name: config_delivery_channels
description: "Config service settings"
type: Hash
value:
us-east-1:
s3_bucket_name: ""
sns_topic_arn: ""
us-east-2:
s3_bucket_name: ""
sns_topic_arn: ""
us-west-1:
s3_bucket_name: ""
sns_topic_arn: ""
us-west-2:
s3_bucket_name: ""
sns_topic_arn: ""
- name: primary_contact
description: "Primary Account contact information"
type: Hash
sensitive: true
value:
email_address: "me@you.com"
phone_number: "555-557-6309"
- name: security_contact
description: "Account security contact information"
type: Hash
sensitive: true
value:
phone_number: "555-857-6309"
email_address: "me@you.com"
- name: last_root_login_date
description: "(19700101) Last date that root account should have logged in."
type: numeric
value: 20231209
- name: third_party_data_management_tool
description: "Name of the data management tool other than Amazon Macie"
type: String
value: ""
- name: third_party_api_monitoring_tool
description: "Name of the API call monitoring tool other than AWS CloudTrail/AWS CloudWatch"
type: String
value: ""