turbot · madhushreeray30 · Nov 30, 2023 · Nov 23, 2023 · Nov 23, 2023 · Nov 29, 2023
diff --git a/controls/docdb.sp b/controls/docdb.sp
@@ -10,6 +10,7 @@ benchmark "docdb" {
 
   children = [
     control.docdb_cluster_audit_logs_enabled,
+    control.docdb_cluster_backup_retention_period_7,
     control.docdb_cluster_encrypted_with_kms,
     control.docdb_cluster_log_exports_enabled,
     control.docdb_cluster_paramater_group_logging_enabled,
@@ -69,3 +70,11 @@ control "docdb_cluster_parameter_group_tls_enabled" {
 
   tags = local.docdb_compliance_common_tags
 }
+
+control "docdb_cluster_backup_retention_period_7" {
+  title       = "DocDB cluster backup retention period should be at least 7 days"
+  description = "This control checks whether DocDB cluster backup retention is set to 7 or greater than 7."
+  query       = query.docdb_cluster_backup_retention_period_7
+
+  tags = local.docdb_compliance_common_tags
+}
diff --git a/controls/lambda.sp b/controls/lambda.sp
@@ -17,7 +17,8 @@ benchmark "lambda" {
     control.lambda_function_url_auth_type_configured,
     control.lambda_function_use_latest_runtime,
     control.lambda_function_variables_no_sensitive_data,
-    control.lambda_function_xray_tracing_enabled
+    control.lambda_function_xray_tracing_enabled,
+    control.lambda_permission_restricted_service_permission
   ]
 
   tags = merge(local.lambda_compliance_common_tags, {
@@ -112,3 +113,11 @@ control "lambda_function_environment_encryption_enabled" {
 
   tags = local.lambda_compliance_common_tags
 }
+
+control "lambda_permission_restricted_service_permission" {
+  title       = "Lambda permissions should restrict service permission by source account or source arn"
+  description = "Ensure that Lambda permissions restricts service permission by source account or source arn."
+  query       = query.lambda_permission_restricted_service_permission
+
+  tags = local.lambda_compliance_common_tags
+}
diff --git a/controls/neptune.sp b/controls/neptune.sp
@@ -9,8 +9,11 @@ benchmark "neptune" {
   description = "This benchmark provides a set of controls that detect Terraform AWS Neptune resources deviating from security best practices."
 
   children = [
+    control.neptune_cluster_backup_retention_period_7,
+    control.neptune_cluster_copy_tags_to_snapshot_enabled,
     control.neptune_cluster_encrypted_with_kms_cmk,
     control.neptune_cluster_encryption_at_rest_enabled,
+    control.neptune_cluster_iam_authentication_enabled,
     control.neptune_cluster_instance_publicly_accessible,
     control.neptune_cluster_logging_enabled,
     control.neptune_snapshot_encrypted_with_kms_cmk,
@@ -69,3 +72,27 @@ control "neptune_snapshot_encrypted_with_kms_cmk" {
 
   tags = local.neptune_compliance_common_tags
 }
+
+control "neptune_cluster_backup_retention_period_7" {
+  title       = "Neptune cluster backup retention period should be at least 7 days"
+  description = "This control checks whether Neptune cluster backup retention is set to 7 or greater than 7."
+  query       = query.neptune_cluster_backup_retention_period_7
+
+  tags = local.neptune_compliance_common_tags
+}
+
+control "neptune_cluster_copy_tags_to_snapshot_enabled" {
+  title       = "Neptune clusters should be configured to copy tags to snapshots"
+  description = "This control checks whether Neptune clusters are configured to copy all tags to snapshots when the snapshots are created."
+  query       = query.neptune_cluster_copy_tags_to_snapshot_enabled
+
+  tags = local.neptune_compliance_common_tags
+}
+
+control "neptune_cluster_iam_authentication_enabled" {
+  title       = "Neptune clusters should have IAM authentication enabled"
+  description = "Checks if an Neptune cluster has AWS Identity and Access Management (IAM) authentication enabled."
+  query       = query.neptune_cluster_iam_authentication_enabled
+
+  tags = local.neptune_compliance_common_tags
+}
diff --git a/query/docdb.sp b/query/docdb.sp
@@ -151,3 +151,25 @@ query "docdb_cluster_parameter_group_tls_enabled" {
       type = 'aws_docdb_cluster_parameter_group';
   EOQ
 }
+
+query "docdb_cluster_backup_retention_period_7" {
+  sql = <<-EOQ
+    select
+      address as resource,
+      case
+        when (attributes_std -> 'backup_retention_period') is null then 'alarm'
+        when ((attributes_std ->> 'backup_retention_period'))::int >= 7 then 'ok'
+        else 'alarm'
+      end as status,
+      split_part(address, '.', 2) || case
+        when (attributes_std -> 'backup_retention_period') is null then ' backup retention not set'
+        else ' backup retention set to ' || (attributes_std ->> 'backup_retention_period')
+      end || '.' as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource
+    where
+      type = 'aws_docdb_cluster';
+  EOQ
+}
diff --git a/query/lambda.sp b/query/lambda.sp
@@ -212,3 +212,32 @@ query "lambda_function_environment_encryption_enabled" {
       type = 'aws_lambda_function';
   EOQ
 }
+
+query "lambda_permission_restricted_service_permission" {
+  sql = <<-EOQ
+    select
+      address as resource,
+      split_part((attributes_std ->> 'principal'), '.', 2),
+      case
+        when not (split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3)= 'com') then 'info'
+        when split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws'
+          and split_part((attributes_std ->> 'principal'), '.', 3)= 'com'
+          and ((attributes_std -> 'source_arn') is not null
+            or (attributes_std -> 'source_account') is not null ) then 'ok'
+        else 'alarm'
+      end as status,
+      split_part(address, '.', 2) || case
+        when not (split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3) = 'com') then ' principal not set as service'
+        when split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws'
+          and split_part((attributes_std ->> 'principal'), '.', 3)= 'com'
+          and ((attributes_std -> 'source_arn') is not null
+            or (attributes_std -> 'source_account') is not null ) then ' permissions to AWS services restricted by SourceArn or SourceAccount'
+        else  ' permissions to AWS services not restricted by SourceArn or SourceAccount'
+      end || '.' as reason
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource
+    where
+      type = 'aws_lambda_permission';
+  EOQ
+}
diff --git a/query/neptune.sp b/query/neptune.sp
@@ -122,4 +122,72 @@ query "neptune_snapshot_encrypted_with_kms_cmk" {
     where
       type = 'aws_neptune_cluster_snapshot';
   EOQ
+}
+
+query "neptune_cluster_backup_retention_period_7" {
+  sql = <<-EOQ
+    select
+      address as resource,
+      case
+        when (attributes_std -> 'backup_retention_period') is null then 'alarm'
+        when ((attributes_std ->> 'backup_retention_period'))::int >= 7 then 'ok'
+        else 'alarm'
+      end as status,
+      split_part(address, '.', 2) || case
+        when (attributes_std -> 'backup_retention_period') is null then ' backup retention not set'
+        else ' backup retention set to ' || (attributes_std ->> 'backup_retention_period')
+      end || '.' as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource
+    where
+      type = 'aws_neptune_cluster';
+  EOQ
+}
+
+query "neptune_cluster_copy_tags_to_snapshot_enabled" {
+  sql = <<-EOQ
+    select
+      address as resource,
+      case
+        when (attributes_std -> 'copy_tags_to_snapshot') is null then 'alarm'
+        when (attributes_std -> 'copy_tags_to_snapshot')::bool then 'ok'
+        else 'alarm'
+      end status,
+      split_part(address, '.', 2) || case
+        when (attributes_std -> 'copy_tags_to_snapshot') is null then ' ''copy_tags_to_snapshot'' not set'
+        when (attributes_std -> 'copy_tags_to_snapshot')::bool then ' ''copy_tags_to_snapshot'' enabled'
+        else ' ''copy_tags_to_snapshot'' disabled'
+      end || '.' as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource
+    where
+      type = 'aws_neptune_cluster';
+  EOQ
+}
+
+query "neptune_cluster_iam_authentication_enabled" {
+  sql = <<-EOQ
+    select
+      address as resource,
+      case
+        when (attributes_std -> 'iam_database_authentication_enabled') is null then 'alarm'
+        when (attributes_std -> 'iam_database_authentication_enabled')::bool then 'ok'
+        else 'alarm'
+      end status,
+      split_part(address, '.', 2) || case
+        when (attributes_std -> 'iam_database_authentication_enabled') is null then ' IAM database authentication disabled'
+        when (attributes_std -> 'iam_database_authentication_enabled')::bool then ' IAM database authentication enabled'
+        else ' ''iam_database_authentication_enabled'' disabled'
+      end || '.' as reason
+      ${local.tag_dimensions_sql}
+      ${local.common_dimensions_sql}
+    from
+      terraform_resource
+    where
+      type = 'aws_neptune_cluster';
+  EOQ
 }