Merge pull request #841 from turbot/release/v1.1.1

Release/v1.1.1
turbot · Oct 30, 2024 · c781267 · c781267
2 parents 522f715 + 108ac92
commit c781267
Show file tree

Hide file tree

Showing 10 changed files with 29 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,11 @@
+## v1.1.1 [2024-10-30]
+
+_Bug fixes_
+
+- Fixed the `elb_application_lb_waf_enabled` query to correctly flag ELB application load balancers as alarm when the associated WAF is disabled. ([#840](https://github.com/turbot/steampipe-mod-aws-compliance/pull/840))
+- Fixed the `cloudfront_distribution_custom_origins_encryption_in_transit_enabled` query to remove duplicate AWS CloudFront distributions from the result. ([#829](https://github.com/turbot/steampipe-mod-aws-compliance/pull/829)) (Thanks to [@sbldevnet](https://github.com/sbldevnet) for the contribution!)
+- Fixed the `where` clause of the `cloudfront_distribution_use_secure_cipher` query to correctly check if the CloudFront distributions have insecure cipher protocols. ([#827](https://github.com/turbot/steampipe-mod-aws-compliance/pull/827)) (Thanks to [@sbldevnet](https://github.com/sbldevnet) for the contribution!)
+
 ## v1.1.0 [2024-10-25]
 
 _What's new?_

diff --git a/README.md b/README.md
@@ -3,10 +3,10 @@
 540+ checks covering industry defined security best practices across all AWS regions. Includes full support for multiple best practice benchmarks including **the latest (v4.0.0) CIS benchmark**, CIS AWS Compute Services, PCI DSS, AWS Foundational Security, CISA Cyber Essentials, FedRAMP, FFIEC, GxP 21 CFR Part 11, GxP EU Annex 11, HIPAA Final Omnibus Security Rule 2013, HIPAA Security Rule 2003, NIST 800-53, NIST CSF, NIST 800-172, Reserve Bank of India, Audit Manager Control Tower, Australian Cyber Security Center (ACSC) Essential Eight, and more!
 
 Run checks in a dashboard:
-![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_dashboard.png)
+![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v400_dashboard.png)
 
 Or in a terminal:
-![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_console.png)
+![image](https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v400_console.png)
 
 ## Documentation
 

diff --git a/conformance_pack/cloudfront.pp b/conformance_pack/cloudfront.pp
@@ -229,16 +229,17 @@
         aws_cloudfront_distribution,
         jsonb_array_elements(origins) as o
       where
-        o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["TLSv1.2%", "TLSv1.1%"]'
+        o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["TLSv1"]'
+        or o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]'
     )
     select
-      b.arn as resource,
+      distinct b.arn as resource,
       case
-        when o.arn is not null then 'ok'
+        when o.arn is null then 'ok'
         else 'alarm'
       end as status,
       case
-        when o.arn is not null then title || ' use secure cipher.'
+        when o.arn is null then title || ' uses secure cipher.'
         else title || ' does not use secure cipher.'
       end as reason
       ${local.tag_dimensions_sql}
@@ -354,7 +355,7 @@
         or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer'
     )
     select
-      b.arn as resource,
+      distinct b.arn as resource,
       case
         when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm'
         when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm'
@@ -592,4 +593,4 @@
     from
       aws_cloudfront_distribution;
   EOQ
-}
+}
diff --git a/conformance_pack/elb.pp b/conformance_pack/elb.pp
@@ -444,19 +444,20 @@
 query "elb_application_lb_waf_enabled" {
   sql = <<-EOQ
     select
-      arn as resource,
+      alb.arn as resource,
       case
-        when load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' then 'ok'
+        when waf.web_acl_id is not null or wafv2.id is not null then 'ok'
         else 'alarm'
       end as status,
-      case
-        when load_balancer_attributes @> '[{"Key":"waf.fail_open.enabled","Value":"true"}]' then title || ' WAF enabled.'
-        else title || ' WAF disabled.'
+        case
+        when waf.web_acl_id is not null or wafv2.id is not null then alb.title || ' WAF enabled.'
+        else alb.title || ' WAF disabled.'
       end as reason
-      ${local.tag_dimensions_sql}
-      ${local.common_dimensions_sql}
-    from
-      aws_ec2_application_load_balancer;
+      ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "alb.")}
+      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "alb.")}
+    from aws_ec2_application_load_balancer as alb
+    left join aws_wafregional_web_acl as waf on waf.resources @> jsonb_build_array(alb.arn)
+    left join aws_wafv2_web_acl as wafv2 on wafv2.associated_resources @> jsonb_build_array(alb.arn)
   EOQ
 }
 

diff --git a/docs/aws_cis_v300_console.png b/docs/aws_cis_v300_console.png
diff --git a/docs/aws_cis_v300_dashboard.png b/docs/aws_cis_v300_dashboard.png
diff --git a/docs/aws_cis_v400_console.png b/docs/aws_cis_v400_console.png
diff --git a/docs/aws_cis_v400_dashboard.png b/docs/aws_cis_v400_dashboard.png
diff --git a/docs/aws_compliance_dashboard.png b/docs/aws_compliance_dashboard.png
diff --git a/docs/index.md b/docs/index.md
@@ -3,8 +3,8 @@
 Run individual configuration, compliance and security controls or full compliance benchmarks for `Audit Manager Control Tower`, `AWS Foundational Security Best Practices`, `CIS`, `CIS AWS Compute Services`, `CISA Cyber Essentials`, `FedRAMP`, `FFIEC`, `GDPR`, `GxP 21 CFR Part 11`, `GxP EU Annex 11`, `HIPAA Final Omnibus Security Rule 2013`, `HIPAA Security Rule 2003`, `NIST 800-53`, `NIST CSF`, `NIST 800-172`, `PCI DSS`, `RBI Cyber Security Framework`, `SOC 2`, `Australian Cyber Security Center (ACSC) Essential Eight` and more across all your AWS accounts.
 
 <img src="https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_compliance_dashboard.png" width="50%" type="thumbnail"/>
-<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_dashboard.png" width="50%" type="thumbnail"/>
-<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v300_console.png" width="50%" type="thumbnail"/>
+<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v400_dashboard.png" width="50%" type="thumbnail"/>
+<img src="https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_cis_v400_console.png" width="50%" type="thumbnail"/>
 <img src="https://raw.githubusercontent.com/turbot/steampipe-mod-aws-compliance/main/docs/aws_fsbp_dashboard.png" width="50%" type="thumbnail"/>
 
 ## Documentation