Merge pull request #838 from turbot/release/v1.1.0
Release/v1.1.0
cbruno10 authored Oct 25, 2024
2 parents f4ac76a + 2a653a9 commit 522f715
Showing 137 changed files with 4,029 additions and 177 deletions.
27 changes: 27 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,26 @@
## v1.1.0 [2024-10-25]

_What's new?_

- Added CIS v4.0.0 benchmark (`steampipe check benchmark.cis_v400`). ([#836](https://github.com/turbot/steampipe-mod-aws-compliance/pull/836))
- Added `ebs_encryption_by_default_enabled` and `vpc_security_group_restrict_ingress_cifs_port_all` controls to the `All Controls` benchmark. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))

_Enhancements_

- Added the `ebs_encryption_by_default_enabled` control to the `rbi_cyber_security_annex_i_1_3` benchmark. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
- Set `python3.8` as deprecated Lambda runtime in `lambda_function_use_latest_runtime` control. ([#833](https://github.com/turbot/steampipe-mod-aws-compliance/pull/833)) (Thanks to [@sbldevnet](https://github.com/sbldevnet) for the contribution!)
- Updated `iam_access_analyzer_enabled_without_findings` and `ssm_document_prohibit_public_access` controls to use latest columns and tables from the AWS plugin. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))

_Bug fixes_

- VPC security group rule controls that check for restricted port access now correctly detect rules with ports in a port range instead of only exact port matches. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
- Fixed the 2.2.1 control in CIS v1.5.0, v2.0.0, v3.0.0 benchmarks to check if EBS encryption by default is enabled instead of individual volume encryption settings. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))
- Fixed the `fedramp_moderate_rev_4_sc_28` benchmark to check if EBS encryption by default is enabled instead of individual volume encryption settings. ([#835](https://github.com/turbot/steampipe-mod-aws-compliance/pull/835))

_Deprecated_

- Deprecated the `ec2_ebs_default_encryption_enabled` control and query. Please use the `ebs_encryption_by_default` control and query instead.

## v1.0.1 [2024-10-24]

_Bug fixes_
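Review bot: the deprecation entry in this hunk names the replacement as `ebs_encryption_by_default`, but every other line in this release (the All Controls addition, the RBI enhancement, and the `all_controls/ebs.pp` change further down in this commit) uses `ebs_encryption_by_default_enabled`; make the changelog match the actual control and query name. Smaller points in the same hunk: the deprecation entry is the only one without a PR link; the "What's new?" line invokes `steampipe check benchmark.cis_v400` even though the v1.0.0 note below says the mod now requires Powerpipe (the README in this same commit uses `powerpipe benchmark run aws_compliance.benchmark.cis_v400`); and the 2.2.1 bug-fix entry lists only CIS v1.5.0, v2.0.0 and v3.0.0, while the commit applies the same query swap to CIS v1.3.0, v1.4.0 and CIS Compute Services v1.0.0 as well.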
@@ -8,6 +31,10 @@ _Bug fixes_

This mod now requires [Powerpipe](https://powerpipe.io). [Steampipe](https://steampipe.io) users should check the [migration guide](https://powerpipe.io/blog/migrating-from-steampipe).

_Bug fixes_

- Cleanup various typos in CIS docs. ([#828](https://github.com/turbot/steampipe-mod-aws-compliance/pull/828)) (Thanks to [@vil02](https://github.com/vil02) for the contribution!)

## v0.98 [2024-08-30]

_What's new?_
8 changes: 4 additions & 4 deletions README.md
@@ -1,6 +1,6 @@
# AWS Compliance Mod for Powerpipe

540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v3.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v4.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!

Run checks in a dashboard:
![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_dashboard.png)
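Review bot: the headline now advertises the v4.0.0 CIS benchmark, but the dashboard screenshot two lines below still links `docs/aws_cis_v300_dashboard.png`; either add a v4.0.0 screenshot or say in the caption that the image shows the v3.0.0 dashboard. The "540+ checks" figure is also left untouched although this release adds a whole benchmark and two controls; confirm the count still holds.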
@@ -71,7 +71,7 @@ powerpipe benchmark list
Run a benchmark:

```sh
powerpipe benchmark run aws_compliance.benchmark.cis_v300
powerpipe benchmark run aws_compliance.benchmark.cis_v400
```

Different output formats are also available, for more information please see
@@ -91,15 +91,15 @@ vi powerpipe.ppvars
Alternatively you can pass variables on the command line:

```sh
powerpipe benchmark run aws_compliance.benchmark.cis_v300 --var 'tag_dimensions=["Environment", "Owner"]'
powerpipe benchmark run aws_compliance.benchmark.cis_v400 --var 'tag_dimensions=["Environment", "Owner"]'
```

Or through environment variables:

```sh
export PP_VAR_common_dimensions='["account_id", "connection_name", "region"]'
export PP_VAR_tag_dimensions='["Environment", "Owner"]'
powerpipe benchmark run aws_compliance.benchmark.cis_v300
powerpipe benchmark run aws_compliance.benchmark.cis_v400
```

## Open Source & Contributing
1 change: 1 addition & 0 deletions all_controls/ebs.pp
@@ -10,6 +10,7 @@
children = [
control.ebs_attached_volume_delete_on_termination_enabled,
control.ebs_attached_volume_encryption_enabled,
control.ebs_encryption_by_default_enabled,
control.ebs_snapshot_encryption_enabled,
control.ebs_snapshot_not_publicly_restorable,
control.ebs_volume_encryption_at_rest_enabled,
1 change: 1 addition & 0 deletions all_controls/vpc.pp
@@ -32,6 +32,7 @@
control.vpc_security_group_remote_administration_ipv4,
control.vpc_security_group_remote_administration_ipv6,
control.vpc_security_group_remote_administration,
control.vpc_security_group_restrict_ingress_cifs_port_all,
control.vpc_security_group_restrict_ingress_common_ports_all,
control.vpc_security_group_restrict_ingress_kafka_port,
control.vpc_security_group_restrict_ingress_kibana_port,
4 changes: 2 additions & 2 deletions cis_compute_service_v100/section_2.pp
@@ -146,7 +146,7 @@
control "cis_compute_service_v100_2_2_1" {
title = "2.2.1 Ensure EBS volume encryption is enabled"
description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
query = query.ebs_volume_encryption_at_rest_enabled
query = query.ebs_encryption_by_default_enabled
documentation = file("./cis_compute_service_v100/docs/cis_compute_service_v100_2_2_1.md")

tags = merge(local.cis_compute_service_v100_2_2_common_tags, {
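Review bot: swapping `query.ebs_volume_encryption_at_rest_enabled` for `query.ebs_encryption_by_default_enabled` changes what this control evaluates, from each volume's own encryption flag to the account's default-encryption setting, so it most likely also changes the result granularity (one row per region rather than one per volume). The title and description are CIS text and can stay, but the linked `docs/cis_compute_service_v100_2_2_1.md` is not touched in this hunk; check that its Remediation/Audit text describes the default-encryption setting, and call the behavioural change out in the CHANGELOG, which currently mentions only CIS v1.5.0, v2.0.0 and v3.0.0 for this fix. The same applies to the parallel swaps in `cis_v130` through `cis_v300` below.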
@@ -365,4 +365,4 @@
cis_type = "automated"
service = "AWS/EC2"
})
}
}
2 changes: 1 addition & 1 deletion cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp
@@ -36,7 +36,7 @@
description = "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements."
children = [
control.ebs_attached_volume_encryption_enabled,
control.ec2_ebs_default_encryption_enabled,
control.ebs_encryption_by_default_enabled,
control.rds_db_instance_encryption_at_rest_enabled
]

2 changes: 1 addition & 1 deletion cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp
@@ -37,7 +37,7 @@
control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
control.cloudtrail_trail_validation_enabled,
control.ebs_attached_volume_encryption_enabled,
control.ec2_ebs_default_encryption_enabled,
control.ebs_encryption_by_default_enabled,
control.ec2_instance_iam_profile_attached,
control.iam_account_password_policy_strong_min_reuse_24,
control.iam_group_user_role_no_inline_policies,
2 changes: 1 addition & 1 deletion cis_v130/section_2.pp
@@ -85,7 +85,7 @@
title = "2.2.1 Ensure EBS volume encryption is enabled"
description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
documentation = file("./cis_v130/docs/cis_v130_2_2_1.md")
query = query.ebs_volume_encryption_at_rest_enabled
query = query.ebs_encryption_by_default_enabled

tags = merge(local.cis_v130_2_2_common_tags, {
cis_item_id = "2.2.1"
2 changes: 1 addition & 1 deletion cis_v140/section_2.pp
@@ -134,7 +134,7 @@
title = "2.2.1 Ensure EBS volume encryption is enabled"
description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
documentation = file("./cis_v140/docs/cis_v140_2_2_1.md")
query = query.ebs_volume_encryption_at_rest_enabled
query = query.ebs_encryption_by_default_enabled

tags = merge(local.cis_v140_2_2_common_tags, {
cis_item_id = "2.2.1"
2 changes: 1 addition & 1 deletion cis_v150/section_2.pp
@@ -138,7 +138,7 @@
title = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
documentation = file("./cis_v150/docs/cis_v150_2_2_1.md")
query = query.ebs_volume_encryption_at_rest_enabled
query = query.ebs_encryption_by_default_enabled

tags = merge(local.cis_v150_2_2_common_tags, {
cis_item_id = "2.2.1"
2 changes: 1 addition & 1 deletion cis_v200/section_2.pp
@@ -123,7 +123,7 @@
title = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
documentation = file("./cis_v200/docs/cis_v200_2_2_1.md")
query = query.ebs_volume_encryption_at_rest_enabled
query = query.ebs_encryption_by_default_enabled

tags = merge(local.cis_v200_2_2_common_tags, {
cis_item_id = "2.2.1"
2 changes: 1 addition & 1 deletion cis_v300/section_2.pp
@@ -123,7 +123,7 @@
title = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
description = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
documentation = file("./cis_v300/docs/cis_v300_2_2_1.md")
query = query.ebs_volume_encryption_at_rest_enabled
query = query.ebs_encryption_by_default_enabled

tags = merge(local.cis_v300_2_2_common_tags, {
cis_item_id = "2.2.1"
23 changes: 23 additions & 0 deletions cis_v400/cis.pp
@@ -0,0 +1,23 @@
locals {
cis_v400_common_tags = merge(local.aws_compliance_common_tags, {
cis = "true"
cis_version = "v4.0.0"
})
}

benchmark "cis_v400" {
title = "CIS v4.0.0"
description = "The CIS Amazon Web Services Foundations Benchmark provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings."
documentation = file("./cis_v400/docs/cis_overview.md")
children = [
benchmark.cis_v400_1,
benchmark.cis_v400_2,
benchmark.cis_v400_3,
benchmark.cis_v400_4,
benchmark.cis_v400_5
]

tags = merge(local.cis_v400_common_tags, {
type = "Benchmark"
})
}
82 changes: 82 additions & 0 deletions cis_v400/docs/cis_overview.md
@@ -0,0 +1,82 @@
To obtain the latest version of the official guide, please visit http://benchmarks.cisecurity.org.

## Overview

All CIS BenchmarksTM focus on technical configuration settings used to maintain and/or increase the security of the addressed technology, and they should be used in conjunction with other essential cyber hygiene tasks like:

- Monitoring the base operating system and applications for vulnerabilities and quickly updating with the latest security patches.
- End-point protection (Antivirus software, Endpoint Detection and Response (EDR), etc.).
- Logging and monitoring user and system activity.

In the end, the CIS BenchmarksTM are designed to be a key component of a comprehensive cybersecurity program.

### Important Usage Information

All CIS BenchmarksTM are available free for non-commercial use from the [CIS Website](https://www.cisecurity.org/cis-benchmarks). They can be used to manually assess and remediate systems and applications. In lieu of manual assessment and remediation, there are several tools available to assist with assessment:
- [CIS Configuration Assessment Tool (CIS-CAT® Pro Assessor)](https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro)
- [CIS BenchmarksTM Certified 3rd Party Tooling](https://www.cisecurity.org/cis-securesuite/members/vendors)

These tools make the hardening process much more scalable for large numbers of systems and applications.

### NOTE:
Some tooling focuses only on the CIS BenchmarksTM Recommendations that can be fully automated (skipping ones marked Manual). It is important that ALL Recommendations (Automated and Manual) be addressed, since all are important for properly securing systems and are typically in scope for audits.

In addition, CIS has developed CIS [Build Kits](https://www.cisecurity.org/cis-securesuite/cis-securesuite-build-kit-content) for some common technologies to assist in applying CIS BenchmarksTM Recommendations.

When remediating systems (changing configuration settings on deployed systems as per the CIS BenchmarksTM Recommendations), please approach this with caution and test thoroughly.


The following is a reasonable remediation approach to follow:

1. NEVER deploy a CIS Build Kit, or any internally developed remediation method, to production systems without proper testing.
2. Proper testing consists of the following:
- Understand the configuration (including installed applications) of the targeted systems.
- Read the Impact section of the given Recommendation to help determine if there might be an issue with the targeted systems.
- Test the configuration changes on representative lab system(s). This way if there is some issue it can be resolved prior to deploying to any production systems.
- When confident, initially deploy to a small sub-set of users and monitor closely for issues. This way if there is some issue it can be resolved prior to deploying more broadly.
- When confident, iteratively deploy to additional groups and monitor closely for issues until deployment is complete. This way if there is some issue it can be resolved prior to continuing deployment.

### NOTE:
CIS and the CIS BenchmarksTM development communities in CIS WorkBench do their best to test and have high confidence in the Recommendations, but they cannot test potential conflicts with all possible system deployments. Known potential issues identified during CIS BenchmarksTM development are documented in the Impact section of each Recommendation.

By using CIS and/or CIS BenchmarksTM Certified tools, and being careful with remediation deployment, it is possible to harden large numbers of deployed systems in a cost effective, efficient, and safe manner.

### NOTE:
As previously stated, the PDF versions of the CIS BenchmarksTM are available for free, non-commercial use on the [CIS Website](https://www.cisecurity.org/cis-benchmarks). All other formats of the CIS BenchmarksTM (MS Word, Excel, and [Build Kits](https://www.cisecurity.org/cis-securesuite/cis-securesuite-build-kit-content)) are available for CIS [SecureSuite®](https://www.cisecurity.org/cis-securesuite) members.

CIS-CAT® Pro is also available to CIS [SecureSuite®](https://www.cisecurity.org/cis-securesuite) members.

### Target Technology Details

This document provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings. Some of the specific Amazon Web Services in scope for this document include:

- AWS Identity and Access Management (IAM)
- IAM Access Analyzer
- AWS Config
- AWS CloudTrail
- AWS CloudWatch
- AWS Simple Notification Service (SNS)
- AWS Simple Storage Service (S3)
- Elastic Compute Cloud (EC2)
- Relational Database Service (RDS)
- AWS VPC

## Profiles Definitions

The following configuration profiles are defined by this Benchmark:

### Level 1

Items in this profile intend to:
- be practical and prudent;
- provide security focused best practice hardening of a technology; and
- limit impact to the utility of the technology beyond acceptable means.

### Level 2

This profile extends the "Level 1" profile. Items in this profile exhibit one or more
of the following characteristics:
- are intended for environments or use cases where security is more critical than manageability and usability
- acts as defense in depth measure
- may impact the utility or performance of the technology
- may include additional licensing, cost, or addition of third party software
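Review bot: the trademark symbol has been flattened to a literal "TM" throughout this file ("CIS BenchmarksTM"); use "™" or drop the mark, as the other CIS overview docs in this mod do. A few wording fixes in the same hunk: "Profiles Definitions" should read "Profile Definitions"; under Level 2, "acts as defense in depth measure" should read "act as a defense-in-depth measure" to agree with the other bullets; the sentence "This profile extends the "Level 1" profile. Items in this profile exhibit one or more" is broken across two lines mid-sentence; and the first link uses `http://` while every other link is `https://`. The three "### NOTE:" headings also render as separate sections; a bold "Note:" lead-in or a blockquote would read better.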
3 changes: 3 additions & 0 deletions cis_v400/docs/cis_v400_1.md
@@ -0,0 +1,3 @@
## Overview

This section contains recommendations for configuring identity and access management related options.
19 changes: 19 additions & 0 deletions cis_v400/docs/cis_v400_1_1.md
@@ -0,0 +1,19 @@
## Description

Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.

An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.

If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers' and AWS' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.

## Remediation

This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing).
1. Sign in to the AWS Management Console and open the `Billing and Cost Management` console at https://console.aws.amazon.com/billing/home#/.
2. On the navigation bar, choose your account name, and then choose `Account`.
3. On the `Account Settings` page, next to `Account Settings`, choose `Edit`.
4. Next to the field that you need to update, choose `Edit`.
5. After you have entered your changes, choose `Save changes`.
6. After you have made your changes, choose `Done`.
7. To edit your contact information, under `Contact Information`, choose `Edit`.
8. For the fields that you want to change, type your updated information, and then choose `Update`.
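Review bot: the permission reference `aws-portal:*Billing` in the Remediation intro should be in backticks like the console labels around it, and the intro sentence runs straight into the ordered list with no blank line, which some Markdown renderers need before a list starts. The step order also reads oddly: steps 3 to 6 edit and save "Account Settings", and step 7 then goes back to edit "Contact Information"; if that is lifted verbatim from the CIS text, a short lead-in saying that steps 3 to 6 cover account settings and steps 7 to 8 the contact details would help the reader.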