├── checkov AWS rules.xlsx
├── checkov-rules
│   ├── ses
│   │   └── security-reqs.json
│   ├── bedrock
│   │   └── security-reqs.json
│   ├── apigatewayv2
│   │   └── security-reqs.json
│   ├── appflow
│   │   └── security-reqs.json
│   ├── cloudsearch
│   │   └── security-reqs.json
│   ├── guardduty
│   │   └── security-reqs.json
│   ├── workspaces
│   │   └── security-reqs.json
│   ├── sns
│   │   └── security-reqs.json
│   ├── acm
│   │   └── security-reqs.json
│   ├── glue
│   │   └── security-reqs.json
│   ├── mskcluster
│   │   └── security-reqs.json
│   ├── memorydb
│   │   └── security-reqs.json
│   ├── athena
│   │   └── security-reqs.json
│   ├── backup
│   │   └── security-reqs.json
│   ├── fsx
│   │   └── security-reqs.json
│   ├── secretsmanager
│   │   └── security-reqs.json
│   ├── autoscaling
│   │   └── security-reqs.json
│   ├── ecr
│   │   └── security-reqs.json
│   ├── kms
│   │   └── security-reqs.json
│   ├── efs
│   │   └── security-reqs.json
│   ├── mwaa
│   │   └── security-reqs.json
│   ├── vpc
│   │   └── security-reqs.json
│   ├── dlm
│   │   └── security-reqs.json
│   ├── sqs
│   │   └── security-reqs.json
│   ├── cloudwatch
│   │   └── security-reqs.json
│   ├── route53
│   │   └── security-reqs.json
│   ├── networkfirewall
│   │   └── security-reqs.json
│   ├── appsync
│   │   └── security-reqs.json
│   ├── ebs
│   │   └── security-reqs.json
│   ├── ssm
│   │   └── security-reqs.json
│   ├── mq
│   │   └── security-reqs.json
│   ├── eks
│   │   └── security-reqs.json
│   ├── dms
│   │   └── security-reqs.json
│   ├── dynamodb
│   │   └── security-reqs.json
│   ├── securitygroup
│   │   └── security-reqs.json
│   ├── ec2
│   │   └── security-reqs.json
│   ├── documentdb
│   │   └── security-reqs.json
│   ├── cloudtrail
│   │   └── security-reqs.json
│   ├── emr
│   │   └── security-reqs.json
│   ├── neptune
│   │   └── security-reqs.json
│   ├── ecs
│   │   └── security-reqs.json
│   ├── elasticache
│   │   └── security-reqs.json
│   ├── lambda
│   │   └── security-reqs.json
│   ├── redshift
│   │   └── security-reqs.json
│   ├── elasticsearch
│   │   └── security-reqs.json
│   └── sagemaker
│       └── security-reqs.json
├── prowler-rules
│   ├── dlm
│   │   └── security-reqs.json
│   ├── mq
│   │   └── security-reqs.json
│   ├── fms
│   │   └── security-reqs.json
│   ├── kinesis
│   │   └── security-reqs.json
│   ├── ses
│   │   └── security-reqs.json
│   ├── datasync
│   │   └── security-reqs.json
│   ├── sqs
│   │   └── security-reqs.json
│   ├── apigatewayv2
│   │   └── security-reqs.json
│   ├── emr
│   │   └── security-reqs.json
│   ├── fsx
│   │   └── security-reqs.json
│   ├── sns
│   │   └── security-reqs.json
│   ├── ssm
│   │   └── security-reqs.json
│   ├── workspaces
│   │   └── security-reqs.json
│   ├── secretsmanager
│   │   └── security-reqs.json
│   ├── kms
│   │   └── security-reqs.json
│   ├── acm
│   │   └── security-reqs.json
│   ├── route53
│   │   └── security-reqs.json
│   ├── dms
│   │   └── security-reqs.json
│   ├── elasticbeanstalk
│   │   └── security-reqs.json
│   ├── athena
│   │   └── security-reqs.json
│   ├── appstream
│   │   └── security-reqs.json
│   ├── documentdb
│   │   └── security-reqs.json
│   ├── eventbridge
│   │   └── security-reqs.json
│   ├── backup
│   │   └── security-reqs.json
│   ├── bedrock
│   │   └── security-reqs.json
│   ├── organizations
│   │   └── security-reqs.json
│   ├── ecr
│   │   └── security-reqs.json
│   ├── efs
│   │   └── security-reqs.json
│   ├── eks
│   │   └── security-reqs.json
│   ├── elasticache
│   │   └── security-reqs.json
│   ├── guardduty
│   │   └── security-reqs.json
│   └── apigatewayv1
│       └── security-reqs.json
├── aws-terraform
│   ├── organizations
│   │   └── variables.tf
│   ├── bedrock
│   │   └── variables.tf
│   ├── ebs
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── guardduty
│   │   └── variables.tf
│   ├── iam
│   │   └── variables.tf
│   ├── cloudsearch
│   │   └── variables.tf
│   ├── cloudwatch
│   │   └── variables.tf
│   ├── acm
│   │   ├── variables.tf
│   │   ├── main.tf
│   │   └── notes.md
│   ├── networkfirewall
│   │   └── variables.tf
│   ├── dms
│   │   └── variables.tf
│   ├── cloudtrail
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── fms
│   │   ├── variables.tf
│   │   └── main.tf
│   ├── datasync
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── athena
│   │   └── variables.tf
│   ├── ses
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── ecr
│   │   └── variables.tf
│   ├── appsync
│   │   └── variables.tf
│   ├── kms
│   │   ├── variables.tf
│   │   ├── main.tf
│   │   └── notes.md
│   ├── securitygroup
│   │   ├── variables.tf
│   │   └── main.tf
│   ├── secretsmanager
│   │   ├── variables.tf
│   │   └── main.tf
│   ├── sns
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── autoscaling
│   │   └── variables.tf
│   ├── s3
│   │   └── variables.tf
│   ├── eventbridge
│   │   └── variables.tf
│   ├── kinesis
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── mskcluster
│   │   └── variables.tf
│   ├── backup
│   │   └── variables.tf
│   ├── cloudfront
│   │   └── variables.tf
│   ├── appflow
│   │   └── variables.tf
│   ├── mwaa
│   │   └── variables.tf
│   ├── lambda
│   │   └── variables.tf
│   ├── memorydb
│   │   └── variables.tf
│   ├── kafka
│   │   └── variables.tf
│   ├── redshift
│   │   └── variables.tf
│   ├── mq
│   │   └── variables.tf
│   ├── route53
│   │   ├── variables.tf
│   │   └── notes.md
│   ├── elasticache
│   │   └── variables.tf
│   ├── appstream
│   │   └── variables.tf
│   ├── elasticbeanstalk
│   │   └── variables.tf
│   ├── ec2
│   │   └── variables.tf
│   ├── neptune
│   │   └── variables.tf
│   ├── dlm
│   │   └── variables.tf
│   ├── sqs
│   │   └── variables.tf
│   ├── fsx
│   │   └── variables.tf
│   ├── efs
│   │   └── variables.tf
│   └── vpc
│       └── variables.tf
├── checkov-requirements.py
└── prowler-requirements.py

--------------------------------------------------------------------------------
/checkov AWS rules.xlsx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/naman16/AWS-Security-Guardrails-TF/HEAD/checkov AWS rules.xlsx

--------------------------------------------------------------------------------
/checkov-rules/ses/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Ses-001",
    "name": "Ensure SES Configuration Set enforces TLS usage",
    "cloudProvider": "AWS",
    "service name": "ses"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/bedrock/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Bedrock-001",
    "name": "Ensure Bedrock Agent is encrypted with a CMK",
    "cloudProvider": "AWS",
    "service name": "bedrock"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/apigatewayv2/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Apigatewayv2-001",
    "name": "Ensure API GatewayV2 routes specify an authorization type",
    "cloudProvider": "AWS",
    "service name": "apigatewayv2"
  }
]
--------------------------------------------------------------------------------
/prowler-rules/dlm/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Dlm-001",
    "name": "Ensure EBS Snapshot lifecycle policies are defined.",
    "description": "Ensure EBS Snapshot lifecycle policies are defined.",
    "cloudProvider": "AWS",
    "service name": "dlm"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/mq/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Mq-001",
    "name": "MQ Broker Auto Minor Version Upgrades should be enabled.",
    "description": "Ensure that automatic minor version upgrades are enabled on Amazon MQ brokers.",
    "cloudProvider": "AWS",
    "service name": "mq"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/fms/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Fms-001",
    "name": "Ensure that all FMS policies inside an admin account are compliant",
    "description": "This check ensures all FMS policies inside an admin account are compliant",
    "cloudProvider": "AWS",
    "service name": "fms"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/kinesis/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Kinesis-001",
    "name": "Kinesis streams should be encrypted at rest.",
    "description": "Ensure Kinesis streams use server-side encryption with AWS KMS keys for data protection.",
    "cloudProvider": "AWS",
    "service name": "kinesis"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/ses/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Ses-001",
    "name": "Ensure that SES identities are not publicly accessible",
    "description": "This control checks whether SES identities are not publicly accessible via resource policies.",
    "cloudProvider": "AWS",
    "service name": "ses"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/datasync/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Datasync-001",
    "name": "DataSync tasks should have logging enabled",
    "description": "This control checks if AWS DataSync tasks have logging enabled. The control fails if the task doesn't have the CloudWatchLogGroupArn property defined.",
    "cloudProvider": "AWS",
    "service name": "datasync"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/appflow/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Appflow-001",
    "name": "Ensure AppFlow connector profile uses CMK",
    "cloudProvider": "AWS",
    "service name": "appflow"
  },
  {
    "ID": "Appflow-002",
    "name": "Ensure AppFlow flow uses CMK",
    "cloudProvider": "AWS",
    "service name": "appflow"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/cloudsearch/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Cloudsearch-001",
    "name": "Ensure that CloudSearch is using https",
    "cloudProvider": "AWS",
    "service name": "cloudsearch"
  },
  {
    "ID": "Cloudsearch-002",
    "name": "Ensure that CloudSearch is using latest TLS",
    "cloudProvider": "AWS",
    "service name": "cloudsearch"
  }
]
--------------------------------------------------------------------------------
/checkov-rules/guardduty/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Guardduty-001",
    "name": "Ensure GuardDuty is enabled to specific org/region",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-002",
    "name": "Ensure that GuardDuty detector is enabled",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/workspaces/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Workspaces-001",
    "name": "Ensure that Workspace root volumes are encrypted",
    "cloudProvider": "AWS",
    "service name": "workspaces"
  },
  {
    "ID": "Workspaces-002",
    "name": "Ensure that Workspace user volumes are encrypted",
    "cloudProvider": "AWS",
    "service name": "workspaces"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/sns/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Sns-001",
    "name": "Ensure all data stored in the SNS topic is encrypted",
    "cloudProvider": "AWS",
    "service name": "sns"
  },
  {
    "ID": "Sns-002",
    "name": "Ensure SNS topic policy is not public by only allowing specific services or principals to access it",
    "cloudProvider": "AWS",
    "service name": "sns"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/sqs/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Sqs-001",
    "name": "Check if SQS queues have policy set as Public",
    "description": "Check if SQS queues have policy set as Public",
    "cloudProvider": "AWS",
    "service name": "sqs"
  },
  {
    "ID": "Sqs-002",
    "name": "Check if SQS queues have Server Side Encryption enabled",
    "description": "Check if SQS queues have Server Side Encryption enabled",
    "cloudProvider": "AWS",
    "service name": "sqs"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/organizations/variables.tf:
--------------------------------------------------------------------------------
variable "organization_id" {
  description = "The ID of the AWS Organization"
  type        = string
}

variable "allowed_regions" {
  description = "List of allowed AWS regions"
  type        = list(string)
  default     = ["us-east-1", "us-west-2"]
}

variable "config_aggregator_role_arn" {
  description = "The ARN of the IAM role for Config Aggregator"
  type        = string
}

variable "backup_role_arn" {
  description = "The ARN of the IAM role for AWS Backup"
  type        = string
}

--------------------------------------------------------------------------------
/aws-terraform/bedrock/variables.tf:
--------------------------------------------------------------------------------
variable "kms_key_id" {
  description = "The ARN of the KMS key to use for encryption"
  type        = string
}

variable "agent_role_arn" {
  description = "The ARN of the IAM role for the Bedrock agent"
  type        = string
}

variable "allowed_account_ids" {
  description = "List of AWS account IDs allowed to access the Bedrock agent"
  type        = list(string)
}

variable "log_retention_days" {
  description = "Number of days to retain Bedrock logs"
  type        = number
  default     = 90
}

--------------------------------------------------------------------------------
/prowler-rules/apigatewayv2/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Apigateway-001",
    "name": "Ensure API Gateway V2 has Access Logging enabled.",
    "description": "Ensure API Gateway V2 has Access Logging enabled.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-002",
    "name": "Checks if API Gateway V2 has configured authorizers.",
    "description": "Checks if API Gateway V2 has configured authorizers.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/acm/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Acm-001",
    "name": "Ensure AWS ACM Certificate domain name does not include wildcards",
    "cloudProvider": "AWS",
    "service name": "acm"
  },
  {
    "ID": "Acm-002",
    "name": "Ensure Create before destroy for ACM certificates",
    "cloudProvider": "AWS",
    "service name": "acm"
  },
  {
    "ID": "Acm-003",
    "name": "Verify logging preference for ACM certificates",
    "cloudProvider": "AWS",
    "service name": "acm"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/glue/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Glue-001",
    "name": "Ensure Glue component has a security configuration associated",
    "cloudProvider": "AWS",
    "service name": "glue"
  },
  {
    "ID": "Glue-002",
    "name": "Ensure Glue Data Catalog Encryption is enabled",
    "cloudProvider": "AWS",
    "service name": "glue"
  },
  {
    "ID": "Glue-003",
    "name": "Ensure Glue Security Configuration Encryption is enabled",
    "cloudProvider": "AWS",
    "service name": "glue"
  }
]
--------------------------------------------------------------------------------
/checkov-rules/mskcluster/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Mskcluster-001",
    "name": "Ensure MSK Cluster encryption in rest and transit is enabled",
    "cloudProvider": "AWS",
    "service name": "mskcluster"
  },
  {
    "ID": "Mskcluster-002",
    "name": "Ensure MSK Cluster logging is enabled",
    "cloudProvider": "AWS",
    "service name": "mskcluster"
  },
  {
    "ID": "Mskcluster-003",
    "name": "Ensure MSK nodes are private",
    "cloudProvider": "AWS",
    "service name": "mskcluster"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/memorydb/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Memorydb-001",
    "name": "Ensure MemoryDB data is encrypted in transit",
    "cloudProvider": "AWS",
    "service name": "memorydb"
  },
  {
    "ID": "Memorydb-002",
    "name": "Ensure MemoryDB is encrypted at rest using KMS CMKs",
    "cloudProvider": "AWS",
    "service name": "memorydb"
  },
  {
    "ID": "Memorydb-003",
    "name": "Ensure MemoryDB snapshot is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "memorydb"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/athena/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Athena-001",
    "name": "Ensure Athena Database is encrypted at rest (default is unencrypted)",
    "cloudProvider": "AWS",
    "service name": "athena"
  },
  {
    "ID": "Athena-002",
    "name": "Ensure Athena Workgroup should enforce configuration to prevent client disabling encryption",
    "cloudProvider": "AWS",
    "service name": "athena"
  },
  {
    "ID": "Athena-003",
    "name": "Ensure that Athena Workgroup is encrypted",
    "cloudProvider": "AWS",
    "service name": "athena"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/backup/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Backup-001",
    "name": "Ensure that EBS are added in the backup plans of AWS Backup",
    "cloudProvider": "AWS",
    "service name": "backup"
  },
  {
    "ID": "Backup-002",
    "name": "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup",
    "cloudProvider": "AWS",
    "service name": "backup"
  },
  {
    "ID": "Backup-003",
    "name": "Ensure Backup Vault is encrypted at rest using KMS CMK",
    "cloudProvider": "AWS",
    "service name": "backup"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/fsx/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Fsx-001",
    "name": "Ensure lustre file systems is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "fsx"
  },
  {
    "ID": "Fsx-002",
    "name": "Ensure fx ontap file system is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "fsx"
  },
  {
    "ID": "Fsx-003",
    "name": "Ensure FSX Windows filesystem is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "fsx"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/ebs/variables.tf:
--------------------------------------------------------------------------------
variable "kms_key_arn" {
  description = "ARN of the KMS key to use for EBS encryption"
  type        = string
}

variable "backup_vault_name" {
  description = "Name of the AWS Backup vault to use for EBS backups"
  type        = string
}

variable "backup_role_arn" {
  description = "ARN of the IAM role to be used by AWS Backup"
  type        = string
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for CloudWatch alarms"
  type        = string
}

variable "dlm_role_arn" {
  description = "ARN of the IAM role to be used by DLM for snapshot management"
  type        = string
}

--------------------------------------------------------------------------------
/checkov-rules/secretsmanager/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Secretsmanager-001",
    "name": "Ensure Secrets Manager secrets should have automatic rotation enabled",
    "cloudProvider": "AWS",
    "service name": "secretsmanager"
  },
  {
    "ID": "Secretsmanager-002",
    "name": "Ensure that Secrets Manager secret is encrypted using KMS CMK",
    "cloudProvider": "AWS",
    "service name": "secretsmanager"
  },
  {
    "ID": "Secretsmanager-003",
    "name": "Ensure Secrets Manager secrets should be rotated within 90 days",
    "cloudProvider": "AWS",
    "service name": "secretsmanager"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/autoscaling/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Autoscaling-001",
    "name": "Autoscaling groups should supply tags to launch configurations",
    "cloudProvider": "AWS",
    "service name": "autoscaling"
  },
  {
    "ID": "Autoscaling-002",
    "name": "Ensure EC2 Auto Scaling groups use EC2 launch templates",
    "cloudProvider": "AWS",
    "service name": "autoscaling"
  },
  {
    "ID": "Autoscaling-003",
    "name": "Ensure that auto Scaling groups that are associated with a load balancer are using Elastic Load Balancing health checks.",
    "cloudProvider": "AWS",
    "service name": "autoscaling"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/emr/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Emr-001",
    "name": "EMR Account Public Access Block enabled.",
    "description": "EMR Account Public Access Block enabled.",
    "cloudProvider": "AWS",
    "service name": "emr"
  },
  {
    "ID": "Emr-002",
    "name": "EMR Cluster without Public IP.",
    "description": "EMR Cluster without Public IP.",
    "cloudProvider": "AWS",
    "service name": "emr"
  },
  {
    "ID": "Emr-003",
    "name": "Publicly accessible EMR Cluster.",
    "description": "Publicly accessible EMR Cluster.",
    "cloudProvider": "AWS",
    "service name": "emr"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/fsx/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Fsx-001",
    "name": "Check if FSx file systems are configured to copy tags to backups.",
    "description": "Check if an Amazon FSx file system is configured to copy tags to backups. The control fails if this configuration isn't enabled.",
    "cloudProvider": "AWS",
    "service name": "fsx"
  },
  {
    "ID": "Fsx-002",
    "name": "Check if FSx file systems are configured to copy tags to volumes.",
    "description": "Check if an Amazon FSx file system is configured to copy tags to volumes. The control fails if this configuration isn't enabled.",
    "cloudProvider": "AWS",
    "service name": "fsx"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/ecr/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Ecr-001",
    "name": "Ensure ECR image scanning on push is enabled",
    "cloudProvider": "AWS",
    "service name": "ecr"
  },
  {
    "ID": "Ecr-002",
    "name": "Ensure ECR Image Tags are immutable",
    "cloudProvider": "AWS",
    "service name": "ecr"
  },
  {
    "ID": "Ecr-003",
    "name": "Ensure that ECR repositories are encrypted using KMS",
    "cloudProvider": "AWS",
    "service name": "ecr"
  },
  {
    "ID": "Ecr-004",
    "name": "Ensure ECR policy is not set to public",
    "cloudProvider": "AWS",
    "service name": "ecr"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/kms/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Kms-001",
    "name": "Ensure KMS key is enabled",
    "cloudProvider": "AWS",
    "service name": "kms"
  },
  {
    "ID": "Kms-002",
    "name": "Ensure KMS key policy does not contain wildcard (*) principal",
    "cloudProvider": "AWS",
    "service name": "kms"
  },
  {
    "ID": "Kms-003",
    "name": "Ensure KMS key Policy is defined",
    "cloudProvider": "AWS",
    "service name": "kms"
  },
  {
    "ID": "Kms-004",
    "name": "Ensure rotation for customer created CMKs is enabled",
    "cloudProvider": "AWS",
    "service name": "kms"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/efs/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Efs-001",
    "name": "EFS access points should enforce a root directory",
    "cloudProvider": "AWS",
    "service name": "efs"
  },
  {
    "ID": "Efs-002",
    "name": "EFS access points should enforce a user identity",
    "cloudProvider": "AWS",
    "service name": "efs"
  },
  {
    "ID": "Efs-003",
    "name": "Ensure EFS is securely encrypted",
    "cloudProvider": "AWS",
    "service name": "efs"
  },
  {
    "ID": "Efs-004",
    "name": "Ensure resource is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "efs"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/mwaa/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Mwaa-001",
    "name": "Ensure MWAA environment has scheduler logs enabled",
    "cloudProvider": "AWS",
    "service name": "mwaa"
  },
  {
    "ID": "Mwaa-002",
    "name": "Ensure MWAA environment has webserver logs enabled",
    "cloudProvider": "AWS",
    "service name": "mwaa"
  },
  {
    "ID": "Mwaa-003",
    "name": "Ensure MWAA environment has worker logs enabled",
    "cloudProvider": "AWS",
    "service name": "mwaa"
  },
  {
    "ID": "Mwaa-004",
    "name": "Ensure MWAA environment is not publicly accessible",
    "cloudProvider": "AWS",
    "service name": "mwaa"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/vpc/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Vpc-001",
    "name": "Ensure no default VPC is planned to be provisioned",
    "cloudProvider": "AWS",
    "service name": "vpc"
  },
  {
    "ID": "Vpc-002",
    "name": "Ensure VPC subnets do not assign public IP by default",
    "cloudProvider": "AWS",
    "service name": "vpc"
  },
  {
    "ID": "Vpc-003",
    "name": "Ensure VPC flow logging is enabled in all VPCs",
    "cloudProvider": "AWS",
    "service name": "vpc"
  },
  {
    "ID": "Vpc-004",
    "name": "Ensure that VPC Endpoint Service is configured for Manual Acceptance",
    "cloudProvider": "AWS",
    "service name": "vpc"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/dlm/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Dlm-001",
    "name": "Ensure DLM cross region events are encrypted",
    "cloudProvider": "AWS",
    "service name": "dlm"
  },
  {
    "ID": "Dlm-002",
    "name": "Ensure DLM cross region events are encrypted with Customer Managed Key",
    "cloudProvider": "AWS",
    "service name": "dlm"
  },
  {
    "ID": "Dlm-003",
    "name": "Ensure DLM cross region schedules are encrypted",
    "cloudProvider": "AWS",
    "service name": "dlm"
  },
  {
    "ID": "Dlm-004",
    "name": "Ensure DLM cross region schedules are encrypted using a Customer Managed Key",
    "cloudProvider": "AWS",
    "service name": "dlm"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/sns/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Sns-001",
    "name": "Ensure there are no SNS subscriptions using HTTP endpoints",
    "description": "Ensure there are no SNS subscriptions using HTTP endpoints",
    "cloudProvider": "AWS",
    "service name": "sns"
  },
  {
    "ID": "Sns-002",
    "name": "Ensure there are no SNS Topics unencrypted",
    "description": "Ensure there are no SNS Topics unencrypted",
    "cloudProvider": "AWS",
    "service name": "sns"
  },
  {
    "ID": "Sns-003",
    "name": "Check if SNS topics have policy set as Public",
    "description": "Check if SNS topics have policy set as Public",
    "cloudProvider": "AWS",
    "service name": "sns"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/sqs/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Sqs-001",
    "name": "Ensure all data stored in the SQS queue is encrypted",
    "cloudProvider": "AWS",
    "service name": "sqs"
  },
  {
    "ID": "Sqs-002",
    "name": "Ensure AWS SQS uses CMK not AWS default keys for encryption",
    "cloudProvider": "AWS",
    "service name": "sqs"
  },
  {
    "ID": "Sqs-003",
    "name": "Ensure SQS queue policy is not public by only allowing specific services or principals to access it",
    "cloudProvider": "AWS",
    "service name": "sqs"
  },
  {
    "ID": "Sqs-004",
    "name": "Ensure SQS policy does not allow ALL (*) actions.",
    "cloudProvider": "AWS",
    "service name": "sqs"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/cloudwatch/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Cloudwatch-001",
    "name": "Ensure CloudWatch log groups retains logs for at least 1 year",
    "cloudProvider": "AWS",
    "service name": "cloudwatch"
  },
  {
    "ID": "Cloudwatch-002",
    "name": "Ensure that CloudWatch Log Group is encrypted by KMS",
    "cloudProvider": "AWS",
    "service name": "cloudwatch"
  },
  {
    "ID": "Cloudwatch-003",
    "name": "Ensure that CloudWatch Log Group specifies retention days",
    "cloudProvider": "AWS",
    "service name": "cloudwatch"
  },
  {
    "ID": "Cloudwatch-004",
    "name": "Ensure that CloudWatch alarm actions are enabled",
    "cloudProvider": "AWS",
    "service name": "cloudwatch"
  }
]
--------------------------------------------------------------------------------
/prowler-rules/ssm/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Ssm-001",
    "name": "Check if there are SSM Documents set as public.",
    "description": "Check if there are SSM Documents set as public.",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-002",
    "name": "Find secrets in SSM Documents.",
    "description": "Find secrets in SSM Documents.",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-003",
    "name": "Check if EC2 instances managed by Systems Manager are compliant with patching requirements.",
    "description": "Check if EC2 instances managed by Systems Manager are compliant with patching requirements.",
    "cloudProvider": "AWS",
    "service name": "ssm"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/workspaces/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Workspaces-001",
    "name": "Ensure that the Workspaces VPC are deployed following the best practices using 1 public subnet and 2 private subnets with a NAT Gateway attached",
    "description": "Ensure that the Workspaces VPC are deployed following the best practices using 1 public subnet and 2 private subnets with a NAT Gateway attached",
    "cloudProvider": "AWS",
    "service name": "workspaces"
  },
  {
    "ID": "Workspaces-002",
    "name": "Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements",
    "description": "Ensure that your Amazon WorkSpaces storage volumes are encrypted in order to meet security and compliance requirements",
    "cloudProvider": "AWS",
    "service name": "workspaces"
  }
]
--------------------------------------------------------------------------------
/checkov-rules/route53/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Route53-001",
    "name": "Route53 A Record has Attached Resource",
    "cloudProvider": "AWS",
    "service name": "route53"
  },
  {
    "ID": "Route53-002",
    "name": "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones",
    "cloudProvider": "AWS",
    "service name": "route53"
  },
  {
    "ID": "Route53-003",
    "name": "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones",
    "cloudProvider": "AWS",
    "service name": "route53"
  },
  {
    "ID": "Route53-004",
    "name": "Ensure Route 53 domains have transfer lock protection",
    "cloudProvider": "AWS",
    "service name": "route53"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/guardduty/variables.tf:
--------------------------------------------------------------------------------
variable "finding_publishing_frequency" {
  description = "Specifies the frequency of notifications sent for subsequent finding occurrences."
  type        = string
  default     = "FIFTEEN_MINUTES"
}

variable "admin_account_id" {
  description = "AWS account ID for centralized GuardDuty management"
  type        = string
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for GuardDuty notifications"
  type        = string
}

variable "findings_s3_bucket_arn" {
  description = "ARN of the S3 bucket for exporting GuardDuty findings"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encrypting GuardDuty findings"
  type        = string
}

variable "threat_intel_set_location" {
  description = "S3 URI of the custom threat intel set"
  type        = string
}

--------------------------------------------------------------------------------
/checkov-rules/networkfirewall/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Networkfirewall-001",
    "name": "Ensure Network Firewall has a logging configuration defined",
    "cloudProvider": "AWS",
    "service name": "networkfirewall"
  },
  {
    "ID": "Networkfirewall-002",
    "name": "Ensure that Network Firewall encryption is via a CMK",
    "cloudProvider": "AWS",
    "service name": "networkfirewall"
  },
  {
    "ID": "Networkfirewall-003",
    "name": "Ensure that Network Firewalls have deletion protection enabled",
    "cloudProvider": "AWS",
    "service name": "networkfirewall"
  },
  {
    "ID": "Networkfirewall-004",
    "name": "Ensure Network Firewall Policy defines an encryption configuration that uses a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "networkfirewall"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/secretsmanager/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Secretsmanager-001",
    "name": "Check if Secrets Manager secret rotation is enabled.",
    "description": "Check if Secrets Manager secret rotation is enabled.",
    "cloudProvider": "AWS",
    "service name": "secretsmanager"
  },
  {
    "ID": "Secretsmanager-002",
    "name": "Ensure Secrets Manager secrets are not publicly accessible.",
    "description": "This control checks whether Secrets Manager secrets are not publicly accessible via resource policies.",
    "cloudProvider": "AWS",
    "service name": "secretsmanager"
  },
  {
    "ID": "Secretsmanager-003",
    "name": "Ensure Secrets Manager secrets are not unused",
    "description": "Checks whether Secrets Manager secrets are unused.",
    "cloudProvider": "AWS",
    "service name": "secretsmanager"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/appsync/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Appsync-001",
    "name": "Ensure AppSync API Cache is encrypted at rest",
    "cloudProvider": "AWS",
    "service name": "appsync"
  },
  {
    "ID": "Appsync-002",
    "name": "Ensure AppSync API Cache is encrypted in transit",
    "cloudProvider": "AWS",
    "service name": "appsync"
  },
  {
    "ID": "Appsync-003",
    "name": "Ensure AppSync has Field-Level logs enabled",
    "cloudProvider": "AWS",
    "service name": "appsync"
  },
  {
    "ID": "Appsync-004",
    "name": "Ensure AppSync has Logging enabled",
    "cloudProvider": "AWS",
    "service name": "appsync"
  },
  {
    "ID": "Appsync-005",
    "name": "Ensure AppSync is protected by WAF",
    "cloudProvider": "AWS",
    "service name": "appsync"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/iam/variables.tf:
--------------------------------------------------------------------------------
variable "iam_users" {
  type        = list(string)
  description = "List of IAM users to create"
  default     = []
}

variable "allowed_ip_ranges" {
  type        = list(string)
  description = "List of allowed IP ranges for IAM policy condition"
  default     = []
}

variable "trusted_account_id" {
  type        = string
  description = "AWS account ID trusted for cross-account access"
}

variable "external_id" {
  type        = string
  description = "External ID for cross-account role assumption"
}

variable "cloudwatch_log_group_name" {
  type        = string
  description = "CloudWatch Log Group name for IAM credential report monitoring"
}

variable "sns_topic_arn" {
  type        = string
  description = "SNS Topic ARN for IAM credential report alarm"
}

variable "saml_metadata_file" {
  type        = string
  description = "Path to SAML metadata file for federated access"
}

--------------------------------------------------------------------------------
/checkov-rules/ebs/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Ebs-001",
    "name": "Ensure EBS default encryption is enabled",
    "cloudProvider": "AWS",
    "service name": "ebs"
  },
  {
    "ID": "Ebs-002",
    "name": "Ensure EBS Snapshot Copy is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "ebs"
  },
  {
    "ID": "Ebs-003",
    "name": "Ensure all data stored in EBS is securely encrypted",
    "cloudProvider": "AWS",
    "service name": "ebs"
  },
  {
    "ID": "Ebs-004",
    "name": "Ensure EBS Volume is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "ebs"
  },
  {
    "ID": "Ebs-005",
    "name": "Ensure that only encrypted EBS volumes are attached to EC2 instances",
    "cloudProvider": "AWS",
    "service name": "ebs"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/kms/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Kms-001",
    "name": "Check if there are CMK KMS keys not used.",
    "description": "Check if there are CMK KMS keys not used.",
    "cloudProvider": "AWS",
    "service name": "kms"
  },
  {
    "ID": "Kms-002",
    "name": "Check exposed KMS keys",
    "description": "Check exposed KMS keys",
    "cloudProvider": "AWS",
    "service name": "kms"
  },
  {
    "ID": "Kms-003",
    "name": "Ensure rotation for customer created KMS CMKs is enabled.",
    "description": "Ensure rotation for customer created KMS CMKs is enabled.",
    "cloudProvider": "AWS",
    "service name": "kms"
  },
  {
    "ID": "Kms-004",
    "name": "AWS KMS keys should not be deleted unintentionally",
    "description": "Ensure there are no customer keys scheduled for deletion.",
    "cloudProvider": "AWS",
    "service name": "kms"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/cloudsearch/variables.tf:
--------------------------------------------------------------------------------
variable "domain_name" {
  description = "The name of the CloudSearch domain"
  type        = string
}

variable "kms_key_id" {
  description = "The ARN of the KMS key to use for encryption at rest"
  type        = string
}

variable "subnet_ids" {
  description = "List of subnet IDs for the CloudSearch domain VPC configuration"
  type        = list(string)
}

variable "security_group_ids" {
  description = "List of security group IDs for the CloudSearch domain VPC configuration"
  type        = list(string)
}

variable "allowed_aws_accounts" {
  description = "List of AWS account IDs allowed to access the CloudSearch domain"
  type        = list(string)
}

variable "search_latency_threshold" {
  description = "The threshold for the search latency alarm (in seconds)"
  type        = number
  default     = 1
}

variable "sns_topic_arn" {
  description = "The ARN of the SNS topic for CloudWatch alarms"
  type        = string
}

--------------------------------------------------------------------------------
/aws-terraform/cloudwatch/variables.tf:
--------------------------------------------------------------------------------
variable "log_group_name" {
  description = "Name of the CloudWatch Log Group"
  type        = string
}

variable "retention_in_days" {
  description = "Number of days to retain log events in the log group"
  type        = number
  default     = 365
}

variable "kms_key_arn" {
  description = "ARN of the KMS key to use for encrypting log data"
  type        = string
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

variable "alarm_configurations" {
  description = "List of CloudWatch Alarm configurations"
  type = list(object({
    name                = string
    comparison_operator = string
    evaluation_periods  = number
    metric_name         = string
    namespace           = string
    period              = number
    statistic           = string
    threshold           = number
    description         = string
    alarm_actions       = list(string)
  }))
  default = []
}

--------------------------------------------------------------------------------
/prowler-rules/acm/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Acm-001",
    "name": "Check if ACM Certificates use a secure key algorithm",
    "description": "Check if ACM Certificates use a secure key algorithm (RSA 2048 bits or more, or ECDSA 256 bits or more). For example, certificates that use RSA-1024 can be compromised: a 1024-bit RSA key offers only about 80 bits of security (on the order of 2^80 operations to break), making it vulnerable to a factorization attack.",
    "cloudProvider": "AWS",
    "service name": "acm"
  },
  {
    "ID": "Acm-002",
    "name": "Check if ACM Certificates are about to expire within a specified number of days",
    "description": "Check if ACM Certificates are about to expire within a specified number of days",
    "cloudProvider": "AWS",
    "service name": "acm"
  },
  {
    "ID": "Acm-003",
    "name": "Check if ACM certificates have Certificate Transparency logging enabled",
    "description": "Check if ACM certificates have Certificate Transparency logging enabled",
    "cloudProvider": "AWS",
    "service name": "acm"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/ssm/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Ssm-001",
    "name": "Ensure Session Manager data is encrypted in transit",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-002",
    "name": "Ensure Session Manager logs are enabled and encrypted",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-003",
    "name": "Ensure SSM documents are not Public",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-004",
    "name": "AWS SSM Parameter should be Encrypted",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-005",
    "name": "Ensure SSM parameters are using KMS CMK",
    "cloudProvider": "AWS",
    "service name": "ssm"
  },
  {
    "ID": "Ssm-006",
    "name": "Ensure Terraform is not sending SSM secrets to untrusted domains over HTTP",
    "cloudProvider": "AWS",
    "service name": "ssm"
  }
]
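The Checkov rule Route53-001 above ("Route53 A Record has Attached Resource") catches dangling A records at plan time, when the record is declared next to the EC2 instance or Elastic IP it points at; the Prowler rule Route53-004 that follows ("Check if Route53 Records contain dangling IPs") is the runtime version of the same concern: an A record that still points at a public IP the account has released can be taken over by whoever is allocated that address next. The following is an added example, not Prowler's or Checkov's implementation: it takes record sets in the shape of Route 53's ListResourceRecordSets output and an inventory of public IPs the account owns, and reports every A record value that is neither owned nor RFC 1918 private. The inventory, the record sets and the `example.com` names are constructed for the example; in practice the inventory comes from EC2 `describe-addresses`, `describe-instances` and `describe-nat-gateways`.

```python
"""Added example: find A records whose public IPs the account no longer owns (dangling DNS)."""
import ipaddress

# RFC 1918 space cannot be re-allocated to another AWS customer, so it is skipped, not reported.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in _RFC1918)


def find_dangling_a_records(record_sets: list[dict], owned_public_ips: set[str]) -> list[tuple[str, str]]:
    """Return sorted (record name, IP) pairs for A records pointing at public IPv4s not in the inventory.

    Alias records are skipped (they target AWS resources by name, not by IP), as are non-A records,
    RFC 1918 addresses and values that do not parse as IPv4.
    """
    findings: list[tuple[str, str]] = []
    for rrset in record_sets:
        if rrset.get("Type") != "A" or "AliasTarget" in rrset:
            continue
        for rr in rrset.get("ResourceRecords", []):
            try:
                ip = ipaddress.IPv4Address(rr["Value"])
            except (KeyError, ValueError):
                continue  # malformed or missing value; nothing to reason about
            if _is_rfc1918(ip) or str(ip) in owned_public_ips:
                continue
            findings.append((rrset["Name"], str(ip)))
    return sorted(findings)


# Constructed inventory: public IPv4s the account currently holds (EIPs, instance and NAT public IPs).
OWNED_PUBLIC_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.5"}

# Constructed record sets in ListResourceRecordSets shape (documentation ranges stand in for real IPs).
RECORD_SETS = [
    {"Name": "app.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.10"}]},                        # owned: fine
    {"Name": "api.example.com.", "Type": "A", "TTL": 60,
     "ResourceRecords": [{"Value": "203.0.113.11"}, {"Value": "203.0.113.42"}]},  # second value released
    {"Name": "old-demo.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "203.0.113.99"}]},                        # instance long gone
    {"Name": "intranet.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "10.0.4.12"}]},                           # private: skipped
    {"Name": "www.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "Z2FDTNDATAQYW2", "DNSName": "d111111abcdef8.cloudfront.net.",
                     "EvaluateTargetHealth": False}},                        # alias: skipped
    {"Name": "mail.example.com.", "Type": "MX", "TTL": 300,
     "ResourceRecords": [{"Value": "10 mail.example.com."}]},                # not an A record
]

if __name__ == "__main__":
    for name, ip in find_dangling_a_records(RECORD_SETS, OWNED_PUBLIC_IPS):
        print(f"DANGLING {name} -> {ip}")
```

A multi-value record is reported per value, since one released address in a round-robin set is enough for an attacker to serve a share of the traffic. To cut false positives from on-premises or third-party addresses, intersect the reported IPs with the CIDR blocks in AWS's published https://ip-ranges.amazonaws.com/ip-ranges.json before raising an alert.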
--------------------------------------------------------------------------------
/prowler-rules/route53/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Route53-001",
    "name": "Check if Route53 public hosted zones are logging queries to CloudWatch Logs.",
    "description": "Check if Route53 public hosted zones are logging queries to CloudWatch Logs.",
    "cloudProvider": "AWS",
    "service name": "route53"
  },
  {
    "ID": "Route53-002",
    "name": "Enable Transfer Lock for a Route53 Domain.",
    "description": "Enable Transfer Lock for a Route53 Domain.",
    "cloudProvider": "AWS",
    "service name": "route53"
  },
  {
    "ID": "Route53-003",
    "name": "Enable Privacy Protection for a Route53 Domain.",
    "description": "Enable Privacy Protection for a Route53 Domain.",
    "cloudProvider": "AWS",
    "service name": "route53"
  },
  {
    "ID": "Route53-004",
    "name": "Check if Route53 Records contain dangling IPs.",
    "description": "Check if Route53 Records contain dangling IPs.",
    "cloudProvider": "AWS",
    "service name": "route53"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/mq/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Mqbroker-001",
    "name": "Ensure MQ Broker Audit logging is enabled",
    "cloudProvider": "AWS",
    "service name": "mqbroker"
  },
  {
    "ID": "Mqbroker-002",
    "name": "Ensure MQ Broker is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "mqbroker"
  },
  {
    "ID": "Mqbroker-003",
    "name": "Ensure MQ Broker is not publicly exposed",
    "cloudProvider": "AWS",
    "service name": "mqbroker"
  },
  {
    "ID": "Mqbroker-004",
    "name": "Ensure MQ Broker logging is enabled",
    "cloudProvider": "AWS",
    "service name": "mqbroker"
  },
  {
    "ID": "Mqbroker-005",
    "name": "Ensure MQ Broker minor version updates are enabled",
    "cloudProvider": "AWS",
    "service name": "mqbroker"
  },
  {
    "ID": "Mqbroker-006",
    "name": "Ensure MQ Broker version is current",
    "cloudProvider": "AWS",
    "service name": "mqbroker"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/eks/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Eks-001",
    "name": "Ensure Amazon EKS control plane logging is enabled for all log types",
    "cloudProvider": "AWS",
    "service name": "eks"
  },
  {
    "ID": "Eks-002",
    "name": "Ensure Amazon EKS public endpoint is disabled",
    "cloudProvider": "AWS",
    "service name": "eks"
  },
  {
    "ID": "Eks-003",
    "name": "Ensure Amazon EKS public endpoint is not accessible from 0.0.0.0/0",
    "cloudProvider": "AWS",
    "service name": "eks"
  },
  {
    "ID": "Eks-004",
    "name": "Ensure EKS Cluster has Secrets Encryption Enabled",
    "cloudProvider": "AWS",
    "service name": "eks"
  },
  {
    "ID": "Eks-005",
    "name": "Ensure EKS clusters run on a supported Kubernetes version",
    "cloudProvider": "AWS",
    "service name": "eks"
  },
  {
    "ID": "Eks-006",
    "name": "Ensure AWS EKS node group does not have implicit SSH access from 0.0.0.0/0",
    "cloudProvider": "AWS",
    "service name": "eks"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/dms/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Dms-001",
    "name": "Ensure DMS instances have Multi-AZ enabled.",
    "description": "Ensure DMS instances have Multi-AZ enabled.",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-002",
    "name": "Ensure DMS instances are not publicly accessible.",
    "description": "Ensure DMS instances are not publicly accessible.",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-003",
    "name": "Ensure DMS instances have auto minor version upgrade enabled.",
    "description": "Ensure DMS instances have auto minor version upgrade enabled.",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-004",
    "name": "Ensure SSL mode is enabled in DMS endpoint",
    "description": "This check ensures that SSL mode is enabled for all AWS Database Migration Service (DMS) endpoints. Enabling SSL provides encryption in transit for data transferred through these endpoints.",
    "cloudProvider": "AWS",
    "service name": "dms"
  }
]

--------------------------------------------------------------------------------
/checkov-rules/dms/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Dms-001",
    "name": "Ensure AWS Database Migration Service endpoints have SSL configured",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-002",
    "name": "Ensure DMS endpoint uses Customer Managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-003",
    "name": "DMS replication instance should not be publicly accessible",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-004",
    "name": "Ensure DMS replication instance gets all minor upgrades automatically",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-005",
    "name": "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "dms"
  },
  {
    "ID": "Dms-006",
    "name": "Ensure DMS S3 uses Customer Managed Key (CMK)",
    "cloudProvider": "AWS",
    "service name": "dms"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/acm/variables.tf:
--------------------------------------------------------------------------------
variable "domain_name" {
  description = "The domain name for the ACM certificate"
  type        = string
}

variable "subject_alternative_names" {
  description = "A list of domains that should be SANs in the issued certificate"
  type        = list(string)
  default     = []
}

variable "key_algorithm" {
  description = "Specifies the algorithm of the public and private key pair that the certificate uses"
  type        = string
  default     = "RSA_2048"
  validation {
    condition     = contains(["RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1"], var.key_algorithm)
    error_message = "Invalid key algorithm. Must be one of RSA_2048, RSA_4096, EC_prime256v1, or EC_secp384r1."
  }
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

variable "create_private_ca" {
  description = "Whether to create a private Certificate Authority"
  type        = bool
  default     = false
}

variable "private_ca_common_name" {
  description = "Common name for the private CA"
  type        = string
  default     = "example.com"
}

--------------------------------------------------------------------------------
/aws-terraform/networkfirewall/variables.tf:
--------------------------------------------------------------------------------
variable "firewall_name" {
  description = "Name of the AWS Network Firewall"
  type        = string
}

variable "policy_name" {
  description = "Name of the AWS Network Firewall Policy"
  type        = string
}

variable "vpc_id" {
  description = "ID of the VPC where the Network Firewall will be deployed"
  type        = string
}

variable "subnet_mappings" {
  description = "List of subnet IDs for Network Firewall deployment"
  type        = list(string)
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption"
  type        = string
}

variable "cloudwatch_log_group_arn" {
  description = "ARN of the CloudWatch Log Group for Network Firewall logging"
  type        = string
}

variable "s3_bucket_name" {
  description = "Name of the S3 bucket for Network Firewall logging"
  type        = string
}

variable "malicious_ip_ranges" {
  description = "List of IP ranges to be blocked"
  type        = list(string)
  default     = []
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for CloudWatch alarms"
  type        = string
}

--------------------------------------------------------------------------------
/aws-terraform/dms/variables.tf:
--------------------------------------------------------------------------------
variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption"
  type        = string
}

variable "replication_instance_class" {
  description = "The compute and memory capacity of the replication instance"
  type        = string
  default     = "dms.t3.micro"
}

variable "security_group_ids" {
  description = "List of security group IDs to associate with the replication instance"
  type        = list(string)
}

variable "replication_subnet_group_id" {
  description = "ID of the replication subnet group"
  type        = string
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

variable "secrets_manager_role_arn" {
  description = "ARN of the IAM role that allows DMS to access Secrets Manager"
  type        = string
}

variable "secrets_manager_arn" {
  description = "ARN of the secret in Secrets Manager containing the endpoint credentials"
  type        = string
}

variable "cdc_start_time" {
  description = "The start time for the CDC (Change Data Capture) operation"
  type        = string
  default     = null
}

--------------------------------------------------------------------------------
/checkov-rules/dynamodb/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Dynamodb-001",
    "name": "Ensure DAX cluster endpoint is using TLS",
    "cloudProvider": "AWS",
    "service name": "dynamodb"
  },
  {
    "ID": "Dynamodb-002",
    "name": "Ensure DAX is encrypted at rest (default is unencrypted)",
    "cloudProvider": "AWS",
    "service name": "dynamodb"
  },
  {
    "ID": "Dynamodb-003",
    "name": "Ensure DynamoDB point in time recovery (backup) is enabled for global tables",
    "cloudProvider": "AWS",
    "service name": "dynamodb"
  },
  {
    "ID": "Dynamodb-004",
    "name": "Ensure DynamoDB point in time recovery (backup) is enabled",
    "cloudProvider": "AWS",
    "service name": "dynamodb"
  },
  {
    "ID": "Dynamodb-005",
    "name": "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK",
    "cloudProvider": "AWS",
    "service name": "dynamodb"
  },
  {
    "ID": "Dynamodb-006",
    "name": "Ensure DynamoDB table replica KMS encryption uses CMK",
    "cloudProvider": "AWS",
    "service name": "dynamodb"
  }
]

--------------------------------------------------------------------------------
/prowler-rules/elasticbeanstalk/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Elasticbeanstalk-001",
    "name": "Elastic Beanstalk managed platform updates should be enabled",
    "description": "This control checks whether managed platform updates are enabled for an Elastic Beanstalk environment. The control fails if no managed platform updates are enabled.",
    "cloudProvider": "AWS",
    "service name": "elasticbeanstalk"
  },
  {
    "ID": "Elasticbeanstalk-002",
    "name": "Elastic Beanstalk environments should have enhanced health reporting enabled",
    "description": "This control checks whether enhanced health reporting is enabled for your AWS Elastic Beanstalk environments.",
    "cloudProvider": "AWS",
    "service name": "elasticbeanstalk"
  },
  {
    "ID": "Elasticbeanstalk-003",
    "name": "Elastic Beanstalk environment should stream logs to CloudWatch",
    "description": "This control checks whether an Elastic Beanstalk environment is configured to send logs to CloudWatch Logs. The control fails if an Elastic Beanstalk environment isn't configured to send logs to CloudWatch Logs.",
    "cloudProvider": "AWS",
    "service name": "elasticbeanstalk"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/cloudtrail/variables.tf:
--------------------------------------------------------------------------------
variable "trail_name" {
  description = "Name of the CloudTrail trail"
  type        = string
}

variable "s3_bucket_name" {
  description = "Name of the S3 bucket for CloudTrail logs"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encrypting CloudTrail logs"
  type        = string
}

variable "cloudwatch_log_group_arn" {
  description = "ARN of the CloudWatch log group for CloudTrail logs"
  type        = string
}

variable "cloudwatch_log_role_arn" {
  description = "ARN of the IAM role for CloudTrail to CloudWatch logs integration"
  type        = string
}

variable "sns_topic_name" {
  description = "Name of the SNS topic for CloudTrail notifications"
  type        = string
}

variable "event_data_store_name" {
  description = "Name of the CloudTrail Event Data Store"
  type        = string
}

variable "retention_period" {
  description = "Retention period for CloudTrail Event Data Store in days"
  type        = number
  default     = 2555 # 7 years
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

--------------------------------------------------------------------------------
/aws-terraform/fms/variables.tf:
--------------------------------------------------------------------------------
variable "policy_name" {
  description = "The name of the AWS Firewall Manager policy"
  type        = string
}

variable "exclude_resource_tags" {
  description = "Whether to exclude resources with specified tags from the policy"
  type        = bool
  default     = false
}

variable "remediation_enabled" {
  description = "Whether automatic remediation is enabled"
  type        = bool
  default     = true
}

variable "resource_type" {
  description = "The type of resource protected by or in scope of the policy"
  type        = string
}

variable "security_service_policy_type" {
  description = "The type of security service policy"
  type        = string
}

variable "managed_service_data" {
  description = "Details about the service that are specific to the service type"
  type = object({
    type = string
    data = map(string)
  })
  default = null
}

variable "include_account_ids" {
  description = "List of AWS account IDs to include in the policy"
  type        = list(string)
  default     = []
}

variable "sns_topic_arn" {
  description = "The ARN of the SNS topic for notifications"
  type        = string
  default     = null
}

--------------------------------------------------------------------------------
/prowler-rules/athena/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Athena-001",
    "name": "Ensure that logging is enabled for Amazon Athena workgroups to capture query activity.",
    "description": "Enabling logging for a workgroup provides valuable insights into query activity, including user actions, query execution details, and potential security events.",
    "cloudProvider": "AWS",
    "service name": "athena"
  },
  {
    "ID": "Athena-002",
    "name": "Ensure that workgroup configuration is enforced so it cannot be overridden by client-side settings.",
    "description": "Ensure that workgroup configuration is enforced so it cannot be overridden by client-side settings.",
    "cloudProvider": "AWS",
    "service name": "athena"
  },
  {
    "ID": "Athena-003",
    "name": "Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption.",
    "description": "Ensure that encryption at rest is enabled for Amazon Athena query results stored in Amazon S3 in order to secure data and meet compliance requirements for data-at-rest encryption.",
    "cloudProvider": "AWS",
    "service name": "athena"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/datasync/variables.tf:
--------------------------------------------------------------------------------
variable "source_location_arn" {
  description = "ARN of the source location for the DataSync task"
  type        = string
}

variable "destination_location_arn" {
  description = "ARN of the destination location for the DataSync task"
  type        = string
}

variable "task_name" {
  description = "Name of the DataSync task"
  type        = string
}

variable "cloudwatch_log_group_arn" {
  description = "ARN of the CloudWatch log group for DataSync task logging"
  type        = string
}

variable "bytes_per_second" {
  description = "Limits the bandwidth used by the data transfer (bytes per second)"
  type        = number
  default     = -1 # No limit by default
}

variable "include_pattern" {
  description = "Pattern to include specific files/folders in the data transfer"
  type        = string
  default     = "**" # Include everything by default
}

variable "source_vpc_endpoint_arns" {
  description = "List of VPC endpoint ARNs for the source location"
  type        = list(string)
  default     = []
}

variable "destination_vpc_endpoint_arns" {
  description = "List of VPC endpoint ARNs for the destination location"
  type        = list(string)
  default     = []
}
--------------------------------------------------------------------------------
/aws-terraform/athena/variables.tf:
--------------------------------------------------------------------------------
variable "workgroup_name" {
  description = "Name of the Athena workgroup"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encrypting Athena query results and databases"
  type        = string
}

variable "query_output_location" {
  description = "S3 location for storing Athena query results"
  type        = string
}

variable "query_result_reuse_ttl" {
  description = "Time to live (in seconds) for cached query results"
  type        = number
  default     = 3600 # 1 hour
}

variable "query_timeout" {
  description = "Query timeout in seconds"
  type        = number
  default     = 1800 # 30 minutes
}

variable "log_retention_days" {
  description = "Number of days to retain Athena logs"
  type        = number
  default     = 90
}

variable "log_group_kms_key_arn" {
  description = "ARN of the KMS key for encrypting the CloudWatch log group"
  type        = string
}

variable "database_name" {
  description = "Name of the Athena database"
  type        = string
}

variable "catalog_id" {
  description = "ID of the Data Catalog in which the database resides"
  type        = string
  default     = null
}

--------------------------------------------------------------------------------
/prowler-rules/appstream/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Appstream-001",
    "name": "Ensure user maximum session duration is no longer than 10 hours.",
    "description": "Ensure user maximum session duration is no longer than 10 hours.",
    "cloudProvider": "AWS",
    "service name": "appstream"
  },
  {
    "ID": "Appstream-002",
    "name": "Ensure default Internet Access for your Amazon AppStream fleet streaming instances remains disabled (unchecked).",
    "description": "Ensure default Internet Access for your Amazon AppStream fleet streaming instances remains disabled (unchecked).",
    "cloudProvider": "AWS",
    "service name": "appstream"
  },
  {
    "ID": "Appstream-003",
    "name": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
    "description": "Ensure session idle disconnect timeout is set to 10 minutes or less.",
    "cloudProvider": "AWS",
    "service name": "appstream"
  },
  {
    "ID": "Appstream-004",
    "name": "Ensure session disconnect timeout is set to 5 minutes or less.",
    "description": "Ensure session disconnect timeout is set to 5 minutes or less.",
    "cloudProvider": "AWS",
    "service name": "appstream"
  }
]

--------------------------------------------------------------------------------
/aws-terraform/ses/variables.tf:
--------------------------------------------------------------------------------
variable "enable_ses_identity_policy" {
  description = "Enable SES identity policy"
  type        = bool
  default     = true
}

variable "ses_identity_arn" {
  description = "ARN of the SES identity"
  type        = string
}

variable "allowed_principals" {
  description = "List of AWS principals allowed to use the SES identity"
  type        = list(string)
  default     = []
}

variable "configuration_set_name" {
  description = "Name of the SES configuration set"
  type        = string
  default     = "secure-ses-config-set"
}

variable "domain_name" {
  description = "Domain name for the SES identity"
  type        = string
}

variable "enable_sending_authorization" {
  description = "Enable SES sending authorization policy"
  type        = bool
  default     = true
}

variable "authorized_senders" {
  description = "List of AWS principals authorized to send emails"
  type        = list(string)
  default     = []
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for SES feedback notifications"
  type        = string
}

variable "s3_bucket_name" {
  description = "Name of the S3 bucket for content filtering"
  type        = string
}

--------------------------------------------------------------------------------
/aws-terraform/ecr/variables.tf:
--------------------------------------------------------------------------------
variable "repository_name" {
  description = "Name of the ECR repository"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for ECR encryption"
  type        = string
}

variable "allowed_pull_principals" {
  description = "List of AWS principals allowed to pull images"
  type        = list(string)
  default     = []
}

variable "allowed_push_principals" {
  description = "List of AWS principals allowed to push images"
  type        = list(string)
  default     = []
}

variable "replication_region" {
  description = "AWS region for ECR replication"
  type        = string
  default     = ""
}

variable "replication_registry_id" {
  description = "Registry ID for ECR replication"
  type        = string
  default     = ""
}

variable "tags" {
  description = "Tags to apply to the ECR repository"
  type        = map(string)
  default     = {}
}

variable "pull_through_cache_prefix" {
  description = "Repository prefix for pull through cache"
  type        = string
  default     = ""
}

variable "upstream_registry_url" {
  description = "URL of the upstream registry for pull through cache"
  type        = string
  default     = ""
}

--------------------------------------------------------------------------------
/checkov-rules/securitygroup/security-reqs.json:
-------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Securitygroup-001", 4 | "name": "Ensure the default security group of every VPC restricts all traffic", 5 | "cloudProvider": "AWS", 6 | "service name": "securitygroup" 7 | }, 8 | { 9 | "ID": "Securitygroup-002", 10 | "name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port -1", 11 | "cloudProvider": "AWS", 12 | "service name": "securitygroup" 13 | }, 14 | { 15 | "ID": "Securitygroup-003", 16 | "name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22", 17 | "cloudProvider": "AWS", 18 | "service name": "securitygroup" 19 | }, 20 | { 21 | "ID": "Securitygroup-004", 22 | "name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389", 23 | "cloudProvider": "AWS", 24 | "service name": "securitygroup" 25 | }, 26 | { 27 | "ID": "Securitygroup-005", 28 | "name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80", 29 | "cloudProvider": "AWS", 30 | "service name": "securitygroup" 31 | }, 32 | { 33 | "ID": "Securitygroup-006", 34 | "name": "Ensure that Security Groups are attached to another resource", 35 | "cloudProvider": "AWS", 36 | "service name": "securitygroup" 37 | } 38 | ] -------------------------------------------------------------------------------- /checkov-rules/ec2/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Ec2-001", 4 | "name": "EC2 instance should not have public IP.", 5 | "cloudProvider": "AWS", 6 | "service name": "ec2" 7 | }, 8 | { 9 | "ID": "Ec2-002", 10 | "name": "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted", 11 | "cloudProvider": "AWS", 12 | "service name": "ec2" 13 | }, 14 | { 15 | "ID": "Ec2-003", 16 | "name": "Ensure an IAM role is attached to EC2 instance", 17 | "cloudProvider": "AWS", 18 | "service name": "ec2" 19 | }, 20 | { 21 | "ID": 
"Ec2-004", 22 | "name": "Ensure Instance Metadata Service Version 1 is not enabled", 23 | "cloudProvider": "AWS", 24 | "service name": "ec2" 25 | }, 26 | { 27 | "ID": "Ec2-005", 28 | "name": "Ensure no hard-coded secrets exist in EC2 user data", 29 | "cloudProvider": "AWS", 30 | "service name": "ec2" 31 | }, 32 | { 33 | "ID": "Ec2-006", 34 | "name": "Ensure that detailed monitoring is enabled for EC2 instances", 35 | "cloudProvider": "AWS", 36 | "service name": "ec2" 37 | }, 38 | { 39 | "ID": "Ec2-007", 40 | "name": "Ensure that EC2 is EBS optimized", 41 | "cloudProvider": "AWS", 42 | "service name": "ec2" 43 | } 44 | ] -------------------------------------------------------------------------------- /checkov-rules/documentdb/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Docdb-001", 4 | "name": "Ensure DocumentDB has an adequate backup retention period", 5 | "cloudProvider": "AWS", 6 | "service name": "docdb" 7 | }, 8 | { 9 | "ID": "Docdb-002", 10 | "name": "Ensure DocumentDB is encrypted at rest (default is unencrypted)", 11 | "cloudProvider": "AWS", 12 | "service name": "docdb" 13 | }, 14 | { 15 | "ID": "Docdb-003", 16 | "name": "Ensure DocumentDB is encrypted by KMS using a customer managed Key (CMK)", 17 | "cloudProvider": "AWS", 18 | "service name": "docdb" 19 | }, 20 | { 21 | "ID": "Docdb-004", 22 | "name": "Ensure DocumentDB Logging is enabled", 23 | "cloudProvider": "AWS", 24 | "service name": "docdb" 25 | }, 26 | { 27 | "ID": "Docdb-005", 28 | "name": "Ensure DocumentDB has audit logs enabled", 29 | "cloudProvider": "AWS", 30 | "service name": "docdb" 31 | }, 32 | { 33 | "ID": "Docdb-006", 34 | "name": "Ensure DocumentDB TLS is not disabled", 35 | "cloudProvider": "AWS", 36 | "service name": "docdb" 37 | }, 38 | { 39 | "ID": "Docdb-007", 40 | "name": "Ensure DocumentDB Global Cluster is encrypted at rest (default is unencrypted)", 41 | "cloudProvider": "AWS", 42 | "service name": 
"docdb" 43 | } 44 | ] -------------------------------------------------------------------------------- /checkov-rules/cloudtrail/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Cloudtrail-001", 4 | "name": "Ensure CloudTrail defines an SNS Topic", 5 | "cloudProvider": "AWS", 6 | "service name": "cloudtrail" 7 | }, 8 | { 9 | "ID": "Cloudtrail-002", 10 | "name": "Ensure CloudTrail is enabled in all Regions", 11 | "cloudProvider": "AWS", 12 | "service name": "cloudtrail" 13 | }, 14 | { 15 | "ID": "Cloudtrail-003", 16 | "name": "Ensure CloudTrail log file validation is enabled", 17 | "cloudProvider": "AWS", 18 | "service name": "cloudtrail" 19 | }, 20 | { 21 | "ID": "Cloudtrail-004", 22 | "name": "Ensure CloudTrail logging is enabled", 23 | "cloudProvider": "AWS", 24 | "service name": "cloudtrail" 25 | }, 26 | { 27 | "ID": "Cloudtrail-005", 28 | "name": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs", 29 | "cloudProvider": "AWS", 30 | "service name": "cloudtrail" 31 | }, 32 | { 33 | "ID": "Cloudtrail-006", 34 | "name": "Ensure CloudTrail trails are integrated with CloudWatch Logs", 35 | "cloudProvider": "AWS", 36 | "service name": "cloudtrail" 37 | }, 38 | { 39 | "ID": "Cloudtrail-007", 40 | "name": "Ensure CloudTrail Event Data Store uses CMK", 41 | "cloudProvider": "AWS", 42 | "service name": "cloudtrail" 43 | } 44 | ] -------------------------------------------------------------------------------- /aws-terraform/appsync/variables.tf: -------------------------------------------------------------------------------- 1 | variable "api_name" { 2 | description = "Name of the AppSync API" 3 | type = string 4 | } 5 | 6 | variable "authentication_type" { 7 | description = "Authentication type for the AppSync API" 8 | type = string 9 | default = "AWS_IAM" 10 | } 11 | 12 | variable "schema_file_path" { 13 | description = "Path to the GraphQL schema file" 14 | type = string 15 | } 16 | 17 
| variable "api_caching_behavior" { 18 | description = "Caching behavior of the AppSync API" 19 | type = string 20 | default = "PER_RESOLVER_CACHING" 21 | } 22 | 23 | variable "cache_type" { 24 | description = "Cache type for AppSync API" 25 | type = string 26 | default = "SMALL" 27 | } 28 | 29 | variable "cache_size" { 30 | description = "Cache size for AppSync API" 31 | type = number 32 | default = 1 33 | } 34 | 35 | variable "cache_ttl" { 36 | description = "Cache TTL for AppSync API (in seconds)" 37 | type = number 38 | default = 3600 39 | } 40 | 41 | variable "cloudwatch_logs_role_arn" { 42 | description = "ARN of the IAM role for CloudWatch logs" 43 | type = string 44 | } 45 | 46 | variable "max_requests_per_second" { 47 | description = "Maximum requests per second for API throttling" 48 | type = number 49 | default = 1000 50 | } 51 | 52 | variable "max_burst" { 53 | description = "Maximum burst for API throttling" 54 | type = number 55 | default = 2000 56 | } -------------------------------------------------------------------------------- /checkov-rules/emr/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Emr-001", 4 | "name": "Ensure AWS EMR cluster is configured with security configuration", 5 | "cloudProvider": "AWS", 6 | "service name": "emr" 7 | }, 8 | { 9 | "ID": "Emr-002", 10 | "name": "Ensure that Amazon EMR clusters\u2019 security groups are not open to the world", 11 | "cloudProvider": "AWS", 12 | "service name": "emr" 13 | }, 14 | { 15 | "ID": "Emr-003", 16 | "name": "Ensure that EMR clusters with Kerberos have Kerberos Realm set", 17 | "cloudProvider": "AWS", 18 | "service name": "emr" 19 | }, 20 | { 21 | "ID": "Emr-004", 22 | "name": "Ensure EMR Cluster security configuration encryption is using SSE-KMS", 23 | "cloudProvider": "AWS", 24 | "service name": "emr" 25 | }, 26 | { 27 | "ID": "Emr-005", 28 | "name": "Ensure EMR Cluster security configuration encrypts EBS disks", 
29 | "cloudProvider": "AWS", 30 | "service name": "emr" 31 | }, 32 | { 33 | "ID": "Emr-006", 34 | "name": "Ensure EMR Cluster security configuration encrypts InTransit", 35 | "cloudProvider": "AWS", 36 | "service name": "emr" 37 | }, 38 | { 39 | "ID": "Emr-007", 40 | "name": "Ensure EMR Cluster security configuration encrypts local disks", 41 | "cloudProvider": "AWS", 42 | "service name": "emr" 43 | } 44 | ] -------------------------------------------------------------------------------- /aws-terraform/kms/variables.tf: -------------------------------------------------------------------------------- 1 | variable "key_description" { 2 | description = "The description of the KMS key" 3 | type = string 4 | default = "KMS key for secure encryption" 5 | } 6 | 7 | variable "deletion_window_in_days" { 8 | description = "Duration in days after which the key is deleted after destruction of the resource" 9 | type = number 10 | default = 30 11 | } 12 | 13 | variable "multi_region" { 14 | description = "Indicates whether the KMS key is a multi-Region key" 15 | type = bool 16 | default = false 17 | } 18 | 19 | variable "key_policy" { 20 | description = "A valid policy JSON document for the KMS key" 21 | type = string 22 | default = null 23 | } 24 | 25 | variable "tags" { 26 | description = "A map of tags to add to all resources" 27 | type = map(string) 28 | default = {} 29 | } 30 | 31 | variable "key_alias" { 32 | description = "The alias name for the KMS key" 33 | type = string 34 | } 35 | 36 | variable "use_imported_key" { 37 | description = "Whether to use an imported key material" 38 | type = bool 39 | default = false 40 | } 41 | 42 | variable "imported_key_material" { 43 | description = "The key material to import. 
This is a base64-encoded string" 44 | type = string 45 | default = null 46 | } 47 | 48 | variable "imported_key_valid_to" { 49 | description = "The time at which the imported key material expires" 50 | type = string 51 | default = null 52 | } -------------------------------------------------------------------------------- /prowler-rules/documentdb/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Documentdb-001", 4 | "name": "Check if DocumentDB cluster storage is encrypted.", 5 | "description": "Check if DocumentDB cluster storage is encrypted.", 6 | "cloudProvider": "AWS", 7 | "service name": "documentdb" 8 | }, 9 | { 10 | "ID": "Documentdb-002", 11 | "name": "Check if DocumentDB Clusters have backup enabled.", 12 | "description": "Check if DocumentDB Clusters have backup enabled.", 13 | "cloudProvider": "AWS", 14 | "service name": "DocumentDB" 15 | }, 16 | { 17 | "ID": "Documentdb-003", 18 | "name": "Check if DocumentDB manual cluster snapshot is public.", 19 | "description": "Check if DocumentDB manual cluster snapshot is public.", 20 | "cloudProvider": "AWS", 21 | "service name": "documentdb" 22 | }, 23 | { 24 | "ID": "Documentdb-004", 25 | "name": "Check if DocumentDB clusters are using the log export feature.", 26 | "description": "Check if DocumentDB clusters are using the log export feature.", 27 | "cloudProvider": "AWS", 28 | "service name": "documentdb" 29 | }, 30 | { 31 | "ID": "Documentdb-005", 32 | "name": "Check if DocumentDB Clusters has deletion protection enabled.", 33 | "description": "Check if DocumentDB Clusters has deletion protection enabled.", 34 | "cloudProvider": "AWS", 35 | "service name": "documentdb" 36 | } 37 | ] -------------------------------------------------------------------------------- /aws-terraform/securitygroup/variables.tf: -------------------------------------------------------------------------------- 1 | variable "vpc_id" { 2 | description = "The ID 
of the VPC where the security group will be created" 3 | type = string 4 | } 5 | 6 | variable "security_group_name" { 7 | description = "The name of the security group" 8 | type = string 9 | } 10 | 11 | variable "security_group_description" { 12 | description = "The description of the security group" 13 | type = string 14 | } 15 | 16 | variable "ingress_rules" { 17 | description = "List of ingress rules to create" 18 | type = list(object({ 19 | description = string 20 | from_port = number 21 | to_port = number 22 | protocol = string 23 | cidr_blocks = list(string) 24 | security_groups = list(string) 25 | })) 26 | default = [] 27 | } 28 | 29 | variable "egress_rules" { 30 | description = "List of egress rules to create" 31 | type = list(object({ 32 | description = string 33 | from_port = number 34 | to_port = number 35 | protocol = string 36 | cidr_blocks = list(string) 37 | security_groups = list(string) 38 | })) 39 | default = [{ 40 | description = "Allow all outbound traffic" 41 | from_port = 0 42 | to_port = 0 43 | protocol = "-1" 44 | cidr_blocks = ["0.0.0.0/0"] 45 | security_groups = [] 46 | }] 47 | } 48 | 49 | variable "tags" { 50 | description = "A map of tags to add to all resources" 51 | type = map(string) 52 | default = {} 53 | } -------------------------------------------------------------------------------- /aws-terraform/secretsmanager/variables.tf: -------------------------------------------------------------------------------- 1 | variable "secret_name" { 2 | description = "Name of the Secrets Manager secret" 3 | type = string 4 | } 5 | 6 | variable "secret_description" { 7 | description = "Description of the Secrets Manager secret" 8 | type = string 9 | default = "Managed by Terraform" 10 | } 11 | 12 | variable "kms_key_id" { 13 | description = "ARN or ID of the AWS KMS customer master key (CMK) to be used to encrypt the secret values in the versions stored in this secret" 14 | type = string 15 | } 16 | 17 | variable "recovery_window_in_days" { 18 | 
description = "Number of days that AWS Secrets Manager waits before it can delete the secret" 19 | type = number 20 | default = 30 21 | } 22 | 23 | variable "tags" { 24 | description = "A map of tags to assign to the secret" 25 | type = map(string) 26 | default = {} 27 | } 28 | 29 | variable "secret_policy" { 30 | description = "Valid JSON document representing a resource policy" 31 | type = string 32 | } 33 | 34 | variable "rotation_lambda_arn" { 35 | description = "ARN of the Lambda function that can rotate the secret" 36 | type = string 37 | } 38 | 39 | variable "rotation_days" { 40 | description = "Number of days between automatic scheduled rotations of the secret" 41 | type = number 42 | default = 30 43 | } 44 | 45 | variable "db_credentials" { 46 | description = "Map of database credentials to be stored in the secret" 47 | type = map(string) 48 | default = {} 49 | } -------------------------------------------------------------------------------- /prowler-rules/eventbridge/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Eventbridge-001", 4 | "name": "Ensure that your AWS EventBridge event bus is not exposed to everyone", 5 | "description": "Ensure that your AWS EventBridge event bus is not exposed to everyone.", 6 | "cloudProvider": "AWS", 7 | "service name": "eventbridge" 8 | }, 9 | { 10 | "ID": "Eventbridge-002", 11 | "name": "Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events.", 12 | "description": "Ensure that AWS EventBridge event buses do not allow unknown cross-account access for delivery of events.", 13 | "cloudProvider": "AWS", 14 | "service name": "eventbridge" 15 | }, 16 | { 17 | "ID": "Eventbridge-003", 18 | "name": "Check if EventBridge global endpoints have event replication enabled.", 19 | "description": "Check if event replication is enabled for an Amazon EventBridge global endpoint. 
The control fails if event replication isn't enabled.", 20 | "cloudProvider": "AWS", 21 | "service name": "eventbridge" 22 | }, 23 | { 24 | "ID": "Eventbridge-004", 25 | "name": "Ensure that AWS EventBridge schema registries do not allow unknown cross-account access for delivery of events.", 26 | "description": "Ensure that AWS EventBridge schema registries do not allow unknown cross-account access for delivery of events.", 27 | "cloudProvider": "AWS", 28 | "service name": "eventbridge" 29 | } 30 | ] -------------------------------------------------------------------------------- /aws-terraform/sns/variables.tf: -------------------------------------------------------------------------------- 1 | variable "topic_name" { 2 | description = "Name of the SNS topic" 3 | type = string 4 | } 5 | 6 | variable "kms_master_key_id" { 7 | description = "The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK" 8 | type = string 9 | } 10 | 11 | variable "tags" { 12 | description = "A map of tags to add to all resources" 13 | type = map(string) 14 | default = {} 15 | } 16 | 17 | variable "https_endpoints" { 18 | description = "List of HTTPS endpoints to subscribe to the SNS topic" 19 | type = list(string) 20 | default = [] 21 | } 22 | 23 | variable "account_id" { 24 | description = "The AWS account ID" 25 | type = string 26 | } 27 | 28 | variable "filtered_subscriptions" { 29 | description = "List of filtered subscriptions" 30 | type = list(object({ 31 | protocol = string 32 | endpoint = string 33 | filter_policy = map(list(string)) 34 | })) 35 | default = [] 36 | } 37 | 38 | variable "enable_dlq" { 39 | description = "Enable Dead Letter Queue for the SNS topic" 40 | type = bool 41 | default = false 42 | } 43 | 44 | variable "dlq_arn" { 45 | description = "ARN of the Dead Letter Queue" 46 | type = string 47 | default = "" 48 | } 49 | 50 | variable "attribute_subscriptions" { 51 | description = "List of subscriptions with message attribute filtering" 52 | 
type = list(object({ 53 | protocol = string 54 | endpoint = string 55 | filter_policy = map(list(string)) 56 | })) 57 | default = [] 58 | } -------------------------------------------------------------------------------- /prowler-rules/backup/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Backup-001", 4 | "name": "Check if AWS Backup recovery points are encrypted at rest.", 5 | "description": "This control checks if an AWS Backup recovery point is encrypted at rest. The control fails if the recovery point isn't encrypted at rest.", 6 | "cloudProvider": "AWS", 7 | "service name": "backup" 8 | }, 9 | { 10 | "ID": "Backup-002", 11 | "name": "Ensure that there is at least one AWS Backup report plan", 12 | "description": "This check ensures that there is at least one backup report plan in place.", 13 | "cloudProvider": "AWS", 14 | "service name": "backup" 15 | }, 16 | { 17 | "ID": "Backup-003", 18 | "name": "Ensure AWS Backup vaults exist", 19 | "description": "This check ensures that AWS Backup vaults exist to provide a secure and durable storage location for backup data.", 20 | "cloudProvider": "AWS", 21 | "service name": "backup" 22 | }, 23 | { 24 | "ID": "Backup-004", 25 | "name": "Ensure that AWS Backup vaults are encrypted with AWS KMS", 26 | "description": "This check ensures that AWS Backup vaults are encrypted with AWS KMS.", 27 | "cloudProvider": "AWS", 28 | "service name": "backup" 29 | }, 30 | { 31 | "ID": "Backup-005", 32 | "name": "Ensure that there is at least one AWS Backup plan", 33 | "description": "This check ensures that there is at least one backup plan in place.", 34 | "cloudProvider": "AWS", 35 | "service name": "backup" 36 | } 37 | ] -------------------------------------------------------------------------------- /aws-terraform/autoscaling/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name_prefix" { 2 | 
description = "Prefix for resource names" 3 | type = string 4 | } 5 | 6 | variable "ami_id" { 7 | description = "ID of the AMI to use for the instances" 8 | type = string 9 | } 10 | 11 | variable "instance_type" { 12 | description = "Instance type to use for the instances" 13 | type = string 14 | default = "t3.micro" 15 | } 16 | 17 | variable "subnet_ids" { 18 | description = "List of subnet IDs to launch resources in" 19 | type = list(string) 20 | } 21 | 22 | variable "target_group_arns" { 23 | description = "List of target group ARNs to associate with the ASG" 24 | type = list(string) 25 | default = [] 26 | } 27 | 28 | variable "min_size" { 29 | description = "Minimum size of the Auto Scaling Group" 30 | type = number 31 | default = 1 32 | } 33 | 34 | variable "max_size" { 35 | description = "Maximum size of the Auto Scaling Group" 36 | type = number 37 | default = 3 38 | } 39 | 40 | variable "desired_capacity" { 41 | description = "Desired capacity of the Auto Scaling Group" 42 | type = number 43 | default = 2 44 | } 45 | 46 | variable "on_demand_percentage" { 47 | description = "Percentage of On-Demand instances in the ASG" 48 | type = number 49 | default = 100 50 | } 51 | 52 | variable "ssm_instance_profile_name" { 53 | description = "Name of the IAM instance profile for Systems Manager" 54 | type = string 55 | } 56 | 57 | variable "tags" { 58 | description = "Tags to apply to resources" 59 | type = map(string) 60 | default = {} 61 | } -------------------------------------------------------------------------------- /aws-terraform/s3/variables.tf: -------------------------------------------------------------------------------- 1 | variable "bucket_name" { 2 | description = "Name of the S3 bucket" 3 | type = string 4 | } 5 | 6 | variable "enable_object_lock" { 7 | description = "Enable S3 object lock" 8 | type = bool 9 | default = true 10 | } 11 | 12 | variable "enable_mfa_delete" { 13 | description = "Enable MFA delete for versioned bucket" 14 | type = bool 15 
| default = true 16 | } 17 | 18 | variable "log_bucket" { 19 | description = "Name of the bucket to store access logs" 20 | type = string 21 | } 22 | 23 | variable "kms_key_arn" { 24 | description = "ARN of the KMS key for encryption" 25 | type = string 26 | } 27 | 28 | variable "enable_replication" { 29 | description = "Enable cross-region replication" 30 | type = bool 31 | default = false 32 | } 33 | 34 | variable "replication_role_arn" { 35 | description = "ARN of the IAM role for replication" 36 | type = string 37 | default = "" 38 | } 39 | 40 | variable "destination_bucket_arn" { 41 | description = "ARN of the destination bucket for replication" 42 | type = string 43 | default = "" 44 | } 45 | 46 | variable "sns_topic_arn" { 47 | description = "ARN of the SNS topic for event notifications" 48 | type = string 49 | } 50 | 51 | variable "vpc_id" { 52 | description = "ID of the VPC for access point" 53 | type = string 54 | } 55 | 56 | variable "inventory_bucket_arn" { 57 | description = "ARN of the bucket to store inventory reports" 58 | type = string 59 | } 60 | 61 | variable "lambda_function_arn" { 62 | description = "ARN of the Lambda function for Object Lambda Access Point" 63 | type = string 64 | } -------------------------------------------------------------------------------- /aws-terraform/eventbridge/variables.tf: -------------------------------------------------------------------------------- 1 | variable "event_bus_name" { 2 | description = "Name of the EventBridge event bus" 3 | type = string 4 | } 5 | 6 | variable "allowed_account_ids" { 7 | description = "List of AWS account IDs allowed to put events on the event bus" 8 | type = list(string) 9 | } 10 | 11 | variable "enable_replication" { 12 | description = "Enable event replication for global endpoints" 13 | type = bool 14 | default = false 15 | } 16 | 17 | variable "replication_source_account" { 18 | description = "AWS account ID of the replication source" 19 | type = string 20 | default = "" 21 | 
} 22 | 23 | variable "rule_name" { 24 | description = "Name of the EventBridge rule" 25 | type = string 26 | } 27 | 28 | variable "rule_description" { 29 | description = "Description of the EventBridge rule" 30 | type = string 31 | } 32 | 33 | variable "event_pattern" { 34 | description = "Event pattern for the rule" 35 | type = string 36 | } 37 | 38 | variable "target_arn" { 39 | description = "ARN of the target for the rule" 40 | type = string 41 | } 42 | 43 | variable "dead_letter_arn" { 44 | description = "ARN of the dead letter queue for failed event processing" 45 | type = string 46 | } 47 | 48 | variable "input_paths" { 49 | description = "Map of key-value pairs for input transformation" 50 | type = map(string) 51 | default = {} 52 | } 53 | 54 | variable "input_template" { 55 | description = "Input template for transformation" 56 | type = string 57 | default = "" 58 | } 59 | 60 | variable "tags" { 61 | description = "Tags to apply to EventBridge resources" 62 | type = map(string) 63 | default = {} 64 | } -------------------------------------------------------------------------------- /prowler-rules/bedrock/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Bedrock-001", 4 | "name": "Ensure that Amazon Bedrock model invocation logs are encrypted with KMS.", 5 | "description": "Ensure that Amazon Bedrock model invocation logs are encrypted using AWS KMS to protect sensitive data in the request and response logs for all model invocations.", 6 | "cloudProvider": "AWS", 7 | "service name": "bedrock" 8 | }, 9 | { 10 | "ID": "Bedrock-002", 11 | "name": "Configure Prompt Attack Filter with the highest strength for Amazon Bedrock Guardrails.", 12 | "description": "Ensure that prompt attack filter strength is set to HIGH for Amazon Bedrock guardrails to mitigate prompt injection and bypass techniques.", 13 | "cloudProvider": "AWS", 14 | "service name": "bedrock" 15 | }, 16 | { 17 | "ID": 
"Bedrock-003",
        "name": "Ensure that model invocation logging is enabled for Amazon Bedrock.",
        "description": "Ensure that model invocation logging is enabled for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.",
        "cloudProvider": "AWS",
        "service name": "bedrock"
    },
    {
        "ID": "Bedrock-004",
        "name": "Configure Sensitive Information Filters for Amazon Bedrock Guardrails.",
        "description": "Ensure that sensitive information filters are enabled for Amazon Bedrock guardrails to prevent the leakage of sensitive data such as personally identifiable information (PII), financial data, or confidential corporate information.",
        "cloudProvider": "AWS",
        "service name": "bedrock"
    }
]

--------------------------------------------------------------------------------
/aws-terraform/kinesis/variables.tf:
--------------------------------------------------------------------------------
variable "stream_name" {
  description = "The name of the Kinesis stream"
  type        = string
}

variable "shard_count" {
  description = "The number of shards for the Kinesis stream"
  type        = number
  default     = 1
}

variable "retention_period" {
  description = "The number of hours to retain data records in the stream"
  type        = number
  default     = 24
}

variable "kms_key_id" {
  description = "The ARN of the KMS key to use for encryption"
  type        = string
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

variable "enable_enhanced_fanout" {
  description = "Enable enhanced fan-out for Kinesis Data Streams consumers"
  type        = bool
  default     = false
}

variable "create_firehose_delivery_stream" {
  description = "Whether to create a Kinesis Firehose delivery stream"
  type        = bool
  default     = false
}

variable "firehose_role_arn" {
  description = "The ARN of the IAM role for Kinesis Firehose"
  type        = string
  default     = ""
}

variable "firehose_s3_bucket_arn" {
  description = "The ARN of the S3 bucket for Kinesis Firehose delivery"
  type        = string
  default     = ""
}

variable "error_rate_threshold" {
  description = "The threshold for the error rate alarm"
  type        = number
  default     = 0.01
}

variable "sns_topic_arn" {
  description = "The ARN of the SNS topic for alarm notifications"
  type        = string
}

--------------------------------------------------------------------------------
/prowler-rules/organizations/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Organizations-001",
        "name": "Ensure that AWS Organizations opt-out of AI services policy is enabled.",
        "description": "This control checks whether the AWS Organizations opt-out of AI services policy is enabled. The control fails if the policy is not enabled.",
        "cloudProvider": "AWS",
        "service name": "organizations"
    },
    {
        "ID": "Organizations-002",
        "name": "Check if AWS Regions are restricted with SCP policies",
        "description": "As best practice, AWS Regions should be restricted and only allow the ones that are needed.",
        "cloudProvider": "AWS",
        "service name": "organizations"
    },
    {
        "ID": "Organizations-003",
        "name": "Check if an AWS Organization has tags policies enabled and attached.",
        "description": "Check if an AWS Organization has tags policies enabled and attached.",
        "cloudProvider": "AWS",
        "service name": "organizations"
    },
    {
        "ID": "Organizations-004",
        "name": "Check if AWS Organizations delegated administrators are trusted",
        "description": "This check verify if there are AWS Organizations delegated administrators and if they are trusted (you can define your trusted delegated administrator in Prowler configuration)",
        "cloudProvider": "AWS",
        "service name": "organizations"
    },
    {
        "ID": "Organizations-005",
        "name": "Check if account is part of an AWS Organizations",
        "description": "Ensure that AWS Organizations service is currently in use.",
        "cloudProvider": "AWS",
        "service name": "organizations"
    }
]

--------------------------------------------------------------------------------
/prowler-rules/ecr/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Ecr-001",
        "name": "ECR repositories should have tag immutability configured",
        "description": "This control checks whether a ECR repository has tag immutability enabled. The control fails if a ECR repository has tag immutability disabled and passes if tag immutability is set to IMMUTABLE.",
        "cloudProvider": "AWS",
        "service name": "ecr"
    },
    {
        "ID": "Ecr-002",
        "name": "Check if ECR Registry has scan on push enabled",
        "description": "Check if ECR Registry has scan on push enabled",
        "cloudProvider": "AWS",
        "service name": "ecr"
    },
    {
        "ID": "Ecr-003",
        "name": "[DEPRECATED] Check if ECR image scan on push is enabled",
        "description": "[DEPRECATED] Check if ECR image scan on push is enabled",
        "cloudProvider": "AWS",
        "service name": "ecr"
    },
    {
        "ID": "Ecr-004",
        "name": "Check if ECR repositories have lifecycle policies enabled",
        "description": "Check if ECR repositories have lifecycle policies enabled",
        "cloudProvider": "AWS",
        "service name": "ecr"
    },
    {
        "ID": "Ecr-005",
        "name": "Ensure there are no ECR repositories set as Public",
        "description": "Ensure there are no ECR repositories set as Public",
        "cloudProvider": "AWS",
        "service name": "ecr"
    },
    {
        "ID": "Ecr-006",
        "name": "Check if ECR image scan found vulnerabilities in the newest image version",
        "description": "Check if ECR image scan found vulnerabilities in the newest image version",
        "cloudProvider": "AWS",
        "service name": "ecr"
    }
]

--------------------------------------------------------------------------------
/checkov-requirements.py:
--------------------------------------------------------------------------------
import json
import os

import pandas as pd

# Load Excel file containing AWS rules into a DataFrame
df = pd.read_excel('checkov AWS rules.xlsx')

# Group data by 'Service Name' column to process each service's requirements separately
for service, group in df.groupby('Service Name'):
    # Initialize a list to hold requirement dictionaries for the current service
    requirements = []

    # Reset ID counter for each service so IDs are unique within a service
    id_counter = 1

    # Iterate over each row in the grouped DataFrame
    for index, row in group.iterrows():
        # Create a dictionary for the current requirement with necessary fields
        requirement = {
            "ID": f"{service.capitalize()}-{str(id_counter).zfill(3)}",  # Format ID as 'Service-###'
            "name": row['Name'],       # Extract requirement name from the current row
            "cloudProvider": "AWS",    # Specify the cloud provider
            "service name": service    # Include the service name
        }

        # Append the requirement dictionary to the requirements list
        requirements.append(requirement)

        # Increment the ID counter for the next requirement
        id_counter += 1

    # Define the output file path for the current service's requirements
    output_file = os.path.join("checkov-rules", service, "security-reqs.json")

    # Create the output directory structure if it doesn't already exist
    os.makedirs(os.path.dirname(output_file), exist_ok=True)

    # Write the list of requirements to the specified JSON output file with pretty formatting
    with open(output_file, 'w') as f:
        json.dump(requirements, f, indent=4)

--------------------------------------------------------------------------------
/aws-terraform/mskcluster/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_name" {
  description = "Name of the MSK cluster"
  type        = string
}

variable "kafka_version" {
  description = "Kafka version for the MSK cluster"
  type        = string
  default     = "2.8.1"
}

variable "number_of_broker_nodes" {
  description = "Number of broker nodes in the cluster"
  type        = number
  default     = 3
}

variable "instance_type" {
  description = "Instance type for the MSK broker nodes"
  type        = string
  default     = "kafka.m5.large"
}

variable "client_subnets" {
  description = "List of subnet IDs for the MSK cluster"
  type        = list(string)
}

variable "security_group_ids" {
  description = "List of security group IDs for the MSK cluster"
  type        = list(string)
}

variable "ebs_volume_size" {
  description = "Size of EBS volume for each broker node (in GB)"
  type        = number
  default     = 1000
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption at rest"
  type        = string
}

variable "cloudwatch_log_group" {
  description = "Name of the CloudWatch log group for MSK logs"
  type        = string
}

variable "s3_logs_bucket" {
  description = "Name of the S3 bucket for MSK logs"
  type        = string
}

variable "acm_certificate_arn" {
  description = "ARN of the ACM certificate for TLS authentication"
  type        = string
}

variable "scram_secret_arns" {
  description = "List of ARNs for SCRAM secrets"
  type        = list(string)
  default     = []
}

variable "tags" {
  description = "Tags to apply to the MSK cluster"
  type        = map(string)
  default     = {}
}

--------------------------------------------------------------------------------
/aws-terraform/backup/variables.tf:
--------------------------------------------------------------------------------
variable "vault_name" {
  description = "Name of the AWS Backup vault"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key to use for encrypting backups"
  type        = string
}

variable "report_plan_name" {
  description = "Name of the AWS Backup report plan"
  type        = string
}

variable "report_bucket_name" {
  description = "Name of the S3 bucket to store backup reports"
  type        = string
}

variable "report_s3_key" {
  description = "S3 key prefix for backup reports"
  type        = string
  default     = "backup-reports/"
}

variable "backup_plan_name" {
  description = "Name of the AWS Backup plan"
  type        = string
}

variable "backup_schedule" {
  description = "Cron expression for backup schedule"
  type        = string
  default     = "cron(0 1 * * ? *)" # Daily at 1 AM UTC
}

variable "retention_period" {
  description = "Number of days to retain backups"
  type        = number
  default     = 30
}

variable "cross_region_vault_arn" {
  description = "ARN of the cross-region backup vault"
  type        = string
}

variable "backup_tags" {
  description = "Tags to apply to backup recovery points"
  type        = map(string)
  default     = {}
}

variable "ebs_volume_arns" {
  description = "List of EBS volume ARNs to include in the backup plan"
  type        = list(string)
  default     = []
}

variable "efs_filesystem_arns" {
  description = "List of EFS file system ARNs to include in the backup plan"
  type        = list(string)
  default     = []
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for backup notifications"
  type        = string
}

--------------------------------------------------------------------------------
/aws-terraform/cloudfront/variables.tf:
--------------------------------------------------------------------------------
variable "distribution_comment" {
  description = "Comment for the CloudFront distribution"
  type        = string
}

variable "default_root_object" {
  description = "Default root object for the CloudFront distribution"
  type        = string
  default     = "index.html"
}

variable "price_class" {
  description = "Price class for the CloudFront distribution"
  type        = string
  default     = "PriceClass_100"
}

variable "s3_origin_domain_name" {
  description = "Domain name of the S3 bucket origin"
  type        = string
}

variable "s3_origin_id" {
  description = "ID for the S3 origin"
  type        = string
}

variable "secondary_s3_origin_id" {
  description = "ID for the secondary S3 origin (for failover)"
  type        = string
}

variable "geo_restriction_type" {
  description = "Type of geo restriction (whitelist or blacklist)"
  type        = string
  default     = "none"
}

variable "geo_restriction_locations" {
  description = "List of country codes for geo restriction"
  type        = list(string)
  default     = []
}

variable "acm_certificate_arn" {
  description = "ARN of the ACM certificate for SSL/TLS"
  type        = string
}

variable "waf_web_acl_id" {
  description = "ID of the AWS WAF WebACL to associate with the distribution"
  type        = string
}

variable "log_bucket" {
  description = "S3 bucket for CloudFront access logs"
  type        = string
}

variable "tags" {
  description = "Tags to apply to the CloudFront distribution"
  type        = map(string)
  default     = {}
}

variable "field_level_encryption_public_key_id" {
  description = "ID of the public key for field-level encryption"
  type        = string
}

--------------------------------------------------------------------------------
/aws-terraform/appflow/variables.tf:
--------------------------------------------------------------------------------
variable "connector_profile_name" {
  description = "Name of the AppFlow connector profile"
  type        = string
}

variable "connector_type" {
  description = "Type of the AppFlow connector"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption"
  type        = string
}

variable "flow_name" {
  description = "Name of the AppFlow flow"
  type        = string
}

variable "source_connector_type" {
  description = "Type of the source connector"
  type        = string
}

variable "destination_connector_type" {
  description = "Type of the destination connector"
  type        = string
}

variable "source_fields" {
  description = "List of source fields for the flow task"
  type        = list(string)
}

variable "destination_field" {
  description = "Destination field for the flow task"
  type        = string
}

variable "trigger_type" {
  description = "Type of trigger for the flow"
  type        = string
}

variable "cloudwatch_log_stream_arn" {
  description = "ARN of the CloudWatch log stream for flow logging"
  type        = string
}

variable "fail_on_first_destination_error" {
  description = "Whether to fail on first destination error"
  type        = bool
  default     = true
}

variable "error_handling_bucket_prefix" {
  description = "Prefix for the S3 bucket used for error handling"
  type        = string
  default     = "appflow-errors/"
}

variable "error_handling_bucket_name" {
  description = "Name of the S3 bucket used for error handling"
  type        = string
}

variable "tags" {
  description = "Tags to apply to AppFlow resources"
  type        = map(string)
  default     = {}
}

--------------------------------------------------------------------------------
/aws-terraform/mwaa/variables.tf:
--------------------------------------------------------------------------------
variable "environment_name" {
  description = "Name of the MWAA environment"
  type        = string
}

variable "airflow_version" {
  description = "Version of Apache Airflow to use"
  type        = string
  default     = "2.5.1" # Use the latest stable version
}

variable "environment_class" {
  description = "Environment class for the MWAA environment"
  type        = string
  default     = "mw1.small"
}

variable "max_workers" {
  description = "Maximum number of workers for the MWAA environment"
  type        = number
  default     = 10
}

variable "min_workers" {
  description = "Minimum number of workers for the MWAA environment"
  type        = number
  default     = 1
}

variable "dag_s3_path" {
  description = "S3 path for DAGs"
  type        = string
}

variable "execution_role_arn" {
  description = "ARN of the IAM execution role for MWAA"
  type        = string
}

variable "source_bucket_arn" {
  description = "ARN of the S3 bucket containing DAGs and supporting files"
  type        = string
}

variable "security_group_ids" {
  description = "List of security group IDs for the MWAA environment"
  type        = list(string)
}

variable "subnet_ids" {
  description = "List of subnet IDs for the MWAA environment"
  type        = list(string)
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for MWAA environment encryption"
  type        = string
}

variable "tags" {
  description = "Tags to apply to the MWAA environment"
  type        = map(string)
  default     = {}
}

variable "dag_s3_bucket" {
  description = "Name of the S3 bucket containing DAGs"
  type        = string
}

variable "waf_web_acl_arn" {
  description = "ARN of the WAF Web ACL to associate with MWAA"
  type        = string
}

--------------------------------------------------------------------------------
/prowler-rules/efs/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Efs-001",
        "name": "EFS mount targets should not be publicly accessible",
        "description": "This control checks whether an Amazon EFS mount target is associated with a public subnet since it can be accessed from the internet.",
        "cloudProvider": "AWS",
        "service name": "efs"
    },
    {
        "ID": "Efs-002",
        "name": "Check if EFS have policies which allow access to any client within the VPC",
        "description": "Check if EFS have policies which allow access to any client within the VPC",
        "cloudProvider": "AWS",
        "service name": "efs"
    },
    {
        "ID": "Efs-003",
        "name": "Check if EFS protects sensitive data with encryption at rest",
        "description": "Check if EFS protects sensitive data with encryption at rest",
        "cloudProvider": "AWS",
        "service name": "efs"
    },
    {
        "ID": "Efs-004",
        "name": "EFS access points should enforce a user identity",
        "description": "This control checks whether Amazon EFS access points are configured to enforce a user identity. This control fails if a POSIX user identity is not defined while creating the EFS access point.",
        "cloudProvider": "AWS",
        "service name": "efs"
    },
    {
        "ID": "Efs-005",
        "name": "Check if EFS File systems have backup enabled",
        "description": "Check if EFS File systems have backup enabled",
        "cloudProvider": "AWS",
        "service name": "efs"
    },
    {
        "ID": "Efs-006",
        "name": "EFS access points should enforce a root directory",
        "description": "This control checks if Amazon EFS access points are configured to enforce a root directory. The control fails if the value of Path is set to / (the default root directory of the file system).",
        "cloudProvider": "AWS",
        "service name": "efs"
    }
]

--------------------------------------------------------------------------------
/checkov-rules/neptune/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Neptune-001",
        "name": "Ensure AWS Neptune cluster deletion protection is enabled",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-002",
        "name": "Ensure Neptune is encrypted by KMS using a customer managed Key (CMK)",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-003",
        "name": "Ensure Neptune logging is enabled",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-004",
        "name": "Ensure Neptune storage is securely encrypted",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-005",
        "name": "Ensure that Neptune DB cluster has automated backups enabled with adequate retention",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-006",
        "name": "Neptune DB clusters should be configured to copy tags to snapshots",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-007",
        "name": "Neptune DB clusters should have IAM database authentication enabled",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-008",
        "name": "Ensure Neptune Cluster instance is not publicly available",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-009",
        "name": "Ensure Neptune snapshot is encrypted by KMS using a customer managed Key (CMK)",
        "cloudProvider": "AWS",
        "service name": "neptune"
    },
    {
        "ID": "Neptune-010",
        "name": "Ensure Neptune snapshot is securely encrypted",
        "cloudProvider": "AWS",
        "service name": "neptune"
    }
]

--------------------------------------------------------------------------------
/checkov-rules/ecs/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Ecs-001",
        "name": "Ensure container insights are enabled on ECS cluster",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-002",
        "name": "Ensure ECS Cluster enables logging of ECS Exec",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-003",
        "name": "Ensure ECS Cluster logging is enabled and client to container communication uses CMK",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-004",
        "name": "Ensure ECS Fargate services run on the latest Fargate platform version",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-005",
        "name": "Ensure ECS services do not have public IP addresses assigned to them automatically",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-006",
        "name": "Ensure ECS containers are limited to read-only access to root filesystems",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-007",
        "name": "Ensure ECS containers should run as non-privileged",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-008",
        "name": "Ensure ECS task definitions should not share the host\u2019s process namespace",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-009",
        "name": "Ensure Encryption in transit is enabled for EFS volumes in ECS Task definitions",
        "cloudProvider": "AWS",
        "service name": "ecs"
    },
    {
        "ID": "Ecs-010",
        "name": "Ensure that the Execution Role ARN and the Task Role ARN are different in ECS Task definitions",
        "cloudProvider": "AWS",
        "service name": "ecs"
    }
]

--------------------------------------------------------------------------------
/aws-terraform/lambda/variables.tf:
--------------------------------------------------------------------------------
variable "function_name" {
  description = "The name of the Lambda function"
  type        = string
}

variable "lambda_filename" {
  description = "The path to the Lambda deployment package"
  type        = string
}

variable "lambda_handler" {
  description = "The function entrypoint in your code"
  type        = string
}

variable "lambda_runtime" {
  description = "The runtime for the Lambda function"
  type        = string
  default     = "nodejs14.x"
}

variable "environment_variables" {
  description = "Environment variables for the Lambda function"
  type        = map(string)
  default     = {}
}

variable "kms_key_arn" {
  description = "The ARN of the KMS key for encrypting environment variables"
  type        = string
}

variable "dead_letter_queue_arn" {
  description = "The ARN of the SQS queue or SNS topic for the dead letter queue"
  type        = string
}

variable "reserved_concurrent_executions" {
  description = "The amount of reserved concurrent executions for this Lambda function"
  type        = number
  default     = -1
}

variable "subnet_ids" {
  description = "The list of subnet IDs for VPC configuration"
  type        = list(string)
}

variable "security_group_ids" {
  description = "The list of security group IDs for VPC configuration"
  type        = list(string)
}

variable "signing_profile_version_arns" {
  description = "The list of ARNs of the signing profile versions for code signing"
  type        = list(string)
}

variable "invoking_service_principal" {
  description = "The service principal of the AWS service invoking the function"
  type        = string
}

variable "invoking_service_source_arn" {
  description = "The source ARN of the invoking service"
  type        = string
}

variable "secrets" {
  description = "Map of secrets to store in AWS Secrets Manager"
  type        = map(string)
  default     = {}
}

--------------------------------------------------------------------------------
/aws-terraform/memorydb/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_name" {
  description = "Name of the MemoryDB cluster"
  type        = string
}

variable "node_type" {
  description = "Node type for the MemoryDB cluster"
  type        = string
}

variable "num_shards" {
  description = "Number of shards in the MemoryDB cluster"
  type        = number
  default     = 1
}

variable "num_replicas_per_shard" {
  description = "Number of replica nodes in each shard"
  type        = number
  default     = 2
}

variable "subnet_group_name" {
  description = "Name of the subnet group to use for the MemoryDB cluster"
  type        = string
}

variable "security_group_ids" {
  description = "List of security group IDs to associate with the MemoryDB cluster"
  type        = list(string)
}

variable "kms_key_arn" {
  description = "ARN of the KMS key to use for encryption"
  type        = string
}

variable "engine_version" {
  description = "Version of the MemoryDB engine to use"
  type        = string
  default     = "6.2"
}

variable "snapshot_retention_limit" {
  description = "Number of days for which MemoryDB retains automatic snapshots"
  type        = number
  default     = 7
}

variable "snapshot_window" {
  description = "Daily time range during which automated backups are created"
  type        = string
  default     = "05:00-09:00"
}

variable "maintenance_window" {
  description = "Weekly time range during which system maintenance can occur"
  type        = string
  default     = "sun:23:00-mon:01:30"
}

variable "port" {
  description = "Port number on which the MemoryDB cluster accepts connections"
  type        = number
  default     = 6379
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for event notifications"
  type        = string
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

--------------------------------------------------------------------------------
/aws-terraform/securitygroup/main.tf:
--------------------------------------------------------------------------------
# AWS Security Group Terraform Module

# securitygroup:001: Restrict all traffic in default security group for every VPC
resource "aws_default_security_group" "default" {
  vpc_id = var.vpc_id

  # No ingress rules
  ingress = []

  # No egress rules
  egress = []

  tags = merge(var.tags, {
    Name = "Default Security Group"
  })
}

# securitygroup:002: Prevent unrestricted inbound access on all ports
# securitygroup:003: Prevent unrestricted inbound SSH access
# securitygroup:004: Prevent unrestricted inbound RDP access
# securitygroup:005: Prevent unrestricted inbound HTTP access
# securitygroup:007: Implement least privilege access in security group rules
# securitygroup:009: Limit number of rules per security group
# securitygroup:011: Implement security group egress rules
# securitygroup:012: Use security groups as sources in rules
resource "aws_security_group" "main" {
  name        = var.security_group_name
  description = var.security_group_description
  vpc_id      = var.vpc_id

  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      description     = ingress.value.description
      from_port       = ingress.value.from_port
      to_port         = ingress.value.to_port
      protocol        = ingress.value.protocol
      cidr_blocks     = ingress.value.cidr_blocks
      security_groups = ingress.value.security_groups
    }
  }

  dynamic "egress" {
    for_each = var.egress_rules
    content {
      description     = egress.value.description
      from_port       = egress.value.from_port
      to_port         = egress.value.to_port
      protocol        = egress.value.protocol
      cidr_blocks     = egress.value.cidr_blocks
      security_groups = egress.value.security_groups
    }
  }

  # securitygroup:008: Use security group names and descriptions effectively
  # securitygroup:015: Tag security groups for better management
  tags = merge(var.tags, {
    Name = var.security_group_name
  })
}

--------------------------------------------------------------------------------
/checkov-rules/elasticache/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Elasticache-001",
        "name": "Ensure ElastiCache clusters do not use the default subnet group",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-002",
        "name": "Ensure ElastiCache for Redis cache clusters have auto minor version upgrades enabled",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-003",
        "name": "Ensure that Amazon ElastiCache Redis clusters have automatic backup turned on",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-004",
        "name": "Ensure all data stored in the ElastiCache Replication Group is securely encrypted at rest",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-005",
        "name": "Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-006",
        "name": "Ensure all data stored in the ElastiCache Replication Group is securely encrypted at transit and has auth token",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-007",
        "name": "Ensure AWS ElastiCache Redis cluster with Multi-AZ Automatic Failover feature set to enabled",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-008",
        "name": "Ensure ElastiCache replication group is encrypted by KMS using a customer managed Key (CMK)",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    },
    {
        "ID": "Elasticache-009",
        "name": "Ensure no aws_elasticache_security_group resources exist",
        "cloudProvider": "AWS",
        "service name": "elasticache"
    }
]

--------------------------------------------------------------------------------
/prowler-rules/eks/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Eks-001",
        "name": "Ensure Network Policy is Enabled and Set as Appropriate",
        "description": "Ensure that Network Policy is enabled and set as appropriate in Amazon EKS clusters. Network Policy provides pod-level firewalling to restrict traffic between sources, enhancing network security within the cluster.",
        "cloudProvider": "AWS",
        "service name": "eks"
    },
    {
        "ID": "Eks-002",
        "name": "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)",
        "description": "Ensure Kubernetes Secrets are encrypted using Customer Master Keys (CMKs)",
        "cloudProvider": "AWS",
        "service name": "eks"
    },
    {
        "ID": "Eks-003",
        "name": "Ensure Kubernetes cluster runs on a supported Kubernetes version",
        "description": "Ensure Kubernetes cluster runs on a supported Kubernetes version",
        "cloudProvider": "AWS",
        "service name": "eks"
    },
    {
        "ID": "Eks-004",
        "name": "Ensure EKS Clusters are not publicly accessible",
        "description": "Ensure that your Amazon EKS cluster's Kubernetes API server endpoint is not publicly accessible from the Internet in order to avoid exposing private data and minimizing security risks.",
        "cloudProvider": "AWS",
        "service name": "eks"
    },
    {
        "ID": "Eks-005",
        "name": "Ensure Clusters are created with Private Nodes",
        "description": "Ensure that clusters are created with private nodes, disabling public IP addresses for cluster nodes. Private nodes have no public IP addresses, restricting access to internal networks and enhancing security.",
        "cloudProvider": "AWS",
        "service name": "eks"
    },
    {
        "ID": "Eks-006",
        "name": "Ensure EKS Control Plane Logging is enabled for all required log types",
        "description": "Ensure EKS Control Plane Logging is enabled for all required log types",
        "cloudProvider": "AWS",
        "service name": "eks"
    }
]

--------------------------------------------------------------------------------
/aws-terraform/kafka/variables.tf:
--------------------------------------------------------------------------------
variable "cluster_name" {
  description = "Name of the MSK cluster"
  type        = string
}

variable "kafka_version" {
  description = "The version of Kafka to use"
  type        = string
  default     = "2.8.1" # Use the latest stable version
}

variable "number_of_broker_nodes" {
  description = "The number of broker nodes in the cluster"
  type        = number
  default     = 3 # Recommended for multi-AZ deployment
}

variable "instance_type" {
  description = "The instance type to use for the Kafka brokers"
  type        = string
  default     = "kafka.m5.large"
}

variable "private_subnet_ids" {
  description = "List of private subnet IDs for MSK deployment"
  type        = list(string)
}

variable "security_group_id" {
  description = "ID of the security group for MSK cluster"
  type        = string
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for encryption at rest"
  type        = string
}

variable "cloudwatch_log_group_name" {
  description = "Name of the CloudWatch log group for MSK logs"
  type        = string
}

variable "s3_logs_bucket" {
  description = "Name of the S3 bucket for MSK logs"
  type        = string
}

variable "acm_certificate_arn" {
  description = "ARN of the ACM certificate for mutual TLS authentication"
  type        = string
}

variable "scram_secret_arn" {
  description = "ARN of the Secrets Manager secret for SASL/SCRAM authentication"
  type        = string
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for CloudWatch alarms"
  type        = string
}

variable "allowed_principal_arns" {
  description = "List of ARNs allowed to perform specific topic operations"
  type        = list(string)
}

variable "region" {
  description = "AWS region"
  type        = string
}

variable "account_id" {
  description = "AWS account ID"
  type        = string
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

--------------------------------------------------------------------------------
/aws-terraform/kms/main.tf:
--------------------------------------------------------------------------------
# AWS KMS Terraform Module

# KMS:001 Enable Key Rotation for Customer Managed Keys (CMK)
# KMS:002 Prevent Unintentional Deletion of KMS Keys
# KMS:007 Implement Multi-Region KMS Keys for Critical Data
resource "aws_kms_key" "main" {
  description             = var.key_description
  deletion_window_in_days = var.deletion_window_in_days
  enable_key_rotation     = true
  multi_region            = var.multi_region
  policy                  = var.key_policy

  tags = var.tags
}

# KMS:010 Implement KMS Key Aliases for Simplified Management
resource "aws_kms_alias" "main" {
  name          = "alias/${var.key_alias}"
  target_key_id = aws_kms_key.main.key_id
}

# KMS:009 Enable Automatic Key Deletion for Imported Key Material
resource "aws_kms_external_key" "imported" {
  count                   = var.use_imported_key ? 1 : 0
  description             = "${var.key_description} (Imported)"
  deletion_window_in_days = var.deletion_window_in_days
  enabled                 = true
  key_material_base64     = var.imported_key_material
  valid_to                = var.imported_key_valid_to

  tags = var.tags
}

# KMS:004 Implement Least Privilege Access for KMS Keys
resource "aws_iam_policy" "kms_read" {
  name        = "${var.key_alias}-kms-read-policy"
  description = "Read-only policy for KMS key ${var.key_alias}"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "kms:Describe*",
          "kms:Get*",
          "kms:List*"
        ]
        Resource = aws_kms_key.main.arn
      }
    ]
  })
}

resource "aws_iam_policy" "kms_write" {
  name        = "${var.key_alias}-kms-write-policy"
  description = "Write policy for KMS key ${var.key_alias}"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:ReEncrypt*",
          "kms:GenerateDataKey*"
        ]
        Resource = aws_kms_key.main.arn
      }
    ]
  })
}

--------------------------------------------------------------------------------
/checkov-rules/lambda/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Lambda-001",
        "name": "Check encryption settings for Lambda environmental variable",
        "cloudProvider": "AWS",
        "service name": "lambda"
    },
    {
        "ID": "Lambda-002",
        "name": "Ensure AWS Lambda function is configured to validate code-signing",
        "cloudProvider": "AWS",
        "service name": "lambda"
    },
    {
        "ID": "Lambda-003",
        "name": "Ensure Lambda Runtime is not deprecated",
        "cloudProvider": "AWS",
        "service name": "lambda"
    },
    {
        "ID": "Lambda-004",
        "name": "Ensure no hard-coded secrets exist in lambda
environment", 23 | "cloudProvider": "AWS", 24 | "service name": "lambda" 25 | }, 26 | { 27 | "ID": "Lambda-005", 28 | "name": "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)", 29 | "cloudProvider": "AWS", 30 | "service name": "lambda" 31 | }, 32 | { 33 | "ID": "Lambda-006", 34 | "name": "Ensure that AWS Lambda function is configured for function-level concurrent execution limit", 35 | "cloudProvider": "AWS", 36 | "service name": "lambda" 37 | }, 38 | { 39 | "ID": "Lambda-007", 40 | "name": "Ensure that AWS Lambda function is configured inside a VPC", 41 | "cloudProvider": "AWS", 42 | "service name": "lambda" 43 | }, 44 | { 45 | "ID": "Lambda-008", 46 | "name": "X-Ray tracing is enabled for Lambda", 47 | "cloudProvider": "AWS", 48 | "service name": "lambda" 49 | }, 50 | { 51 | "ID": "Lambda-009", 52 | "name": "Ensure that Lambda function URLs AuthType is not None", 53 | "cloudProvider": "AWS", 54 | "service name": "lambda" 55 | }, 56 | { 57 | "ID": "Lambda-010", 58 | "name": "Ensure that AWS Lambda function is not publicly accessible", 59 | "cloudProvider": "AWS", 60 | "service name": "lambda" 61 | }, 62 | { 63 | "ID": "Lambda-011", 64 | "name": "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount", 65 | "cloudProvider": "AWS", 66 | "service name": "lambda" 67 | } 68 | ] -------------------------------------------------------------------------------- /aws-terraform/redshift/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_identifier" { 2 | description = "The name of the Redshift cluster" 3 | type = string 4 | } 5 | 6 | variable "database_name" { 7 | description = "The name of the first database to be created when the cluster is created" 8 | type = string 9 | } 10 | 11 | variable "master_username" { 12 | description = "Username for the master DB user" 13 | type = string 14 | } 15 | 16 | variable "master_password" 
{ 17 | description = "Password for the master DB user" 18 | type = string 19 | sensitive = true 20 | } 21 | 22 | variable "node_type" { 23 | description = "The node type to be provisioned for the cluster" 24 | type = string 25 | } 26 | 27 | variable "cluster_type" { 28 | description = "The cluster type to use" 29 | type = string 30 | default = "multi-node" 31 | } 32 | 33 | variable "number_of_nodes" { 34 | description = "The number of compute nodes in the cluster" 35 | type = number 36 | default = 2 37 | } 38 | 39 | variable "kms_key_id" { 40 | description = "The ARN for the KMS encryption key" 41 | type = string 42 | } 43 | 44 | variable "snapshot_retention_period" { 45 | description = "The number of days to retain automated snapshots" 46 | type = number 47 | default = 7 48 | } 49 | 50 | variable "security_group_id" { 51 | description = "The ID of the VPC security group to associate with the cluster" 52 | type = string 53 | } 54 | 55 | variable "subnet_group_name" { 56 | description = "The name of a cluster subnet group to be associated with this cluster" 57 | type = string 58 | } 59 | 60 | variable "serverless_namespace_name" { 61 | description = "The name of the Redshift Serverless namespace" 62 | type = string 63 | } 64 | 65 | variable "serverless_admin_username" { 66 | description = "The admin username for Redshift Serverless" 67 | type = string 68 | } 69 | 70 | variable "serverless_admin_password" { 71 | description = "The admin password for Redshift Serverless" 72 | type = string 73 | sensitive = true 74 | } 75 | 76 | variable "serverless_db_name" { 77 | description = "The name of the first database to be created in Redshift Serverless" 78 | type = string 79 | } 80 | 81 | variable "sns_topic_arn" { 82 | description = "The ARN of the SNS topic for query logging" 83 | type = string 84 | } -------------------------------------------------------------------------------- /aws-terraform/mq/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "broker_name" { 2 | description = "Name of the MQ broker" 3 | type = string 4 | } 5 | 6 | variable "engine_type" { 7 | description = "Type of broker engine" 8 | type = string 9 | default = "ActiveMQ" 10 | } 11 | 12 | variable "engine_version" { 13 | description = "Version of the broker engine" 14 | type = string 15 | } 16 | 17 | variable "instance_type" { 18 | description = "Instance type of the broker" 19 | type = string 20 | } 21 | 22 | variable "security_group_ids" { 23 | description = "List of security group IDs" 24 | type = list(string) 25 | } 26 | 27 | variable "subnet_ids" { 28 | description = "List of subnet IDs" 29 | type = list(string) 30 | } 31 | 32 | variable "kms_key_id" { 33 | description = "ID of the KMS key for encryption" 34 | type = string 35 | } 36 | 37 | variable "maintenance_day_of_week" { 38 | description = "Day of week for maintenance window" 39 | type = string 40 | default = "SUNDAY" 41 | } 42 | 43 | variable "maintenance_time_of_day" { 44 | description = "Time of day for maintenance window" 45 | type = string 46 | default = "03:00" 47 | } 48 | 49 | variable "maintenance_time_zone" { 50 | description = "Time zone for maintenance window" 51 | type = string 52 | default = "UTC" 53 | } 54 | 55 | variable "admin_username" { 56 | description = "Username for the admin user" 57 | type = string 58 | } 59 | 60 | variable "admin_password" { 61 | description = "Password for the admin user" 62 | type = string 63 | sensitive = true 64 | } 65 | 66 | variable "keystore_path" { 67 | description = "Path to the keystore file" 68 | type = string 69 | } 70 | 71 | variable "keystore_password" { 72 | description = "Password for the keystore" 73 | type = string 74 | sensitive = true 75 | } 76 | 77 | variable "truststore_path" { 78 | description = "Path to the truststore file" 79 | type = string 80 | } 81 | 82 | variable "truststore_password" { 83 | description = "Password 
for the truststore" 84 | type = string 85 | sensitive = true 86 | } 87 | 88 | variable "cpu_utilization_threshold" { 89 | description = "Threshold for CPU utilization alarm" 90 | type = number 91 | default = 80 92 | } 93 | 94 | variable "sns_topic_arn" { 95 | description = "ARN of the SNS topic for CloudWatch alarms" 96 | type = string 97 | } -------------------------------------------------------------------------------- /aws-terraform/fms/main.tf: -------------------------------------------------------------------------------- 1 | # AWS Firewall Manager Security Policy Module 2 | 3 | # fms:001: Ensure AWS Firewall Manager security policies are compliant 4 | resource "aws_fms_policy" "main" { 5 | name = var.policy_name 6 | exclude_resource_tags = var.exclude_resource_tags 7 | remediation_enabled = var.remediation_enabled 8 | resource_type = var.resource_type 9 | 10 | security_service_policy_data { 11 | type = var.security_service_policy_type 12 | 13 | dynamic "managed_service_data" { 14 | for_each = var.managed_service_data != null ? [var.managed_service_data] : [] 15 | content { 16 | type = managed_service_data.value.type 17 | data = jsonencode(managed_service_data.value.data) 18 | } 19 | } 20 | } 21 | 22 | # fms:004: Implement AWS Firewall Manager policies for WAF 23 | # fms:005: Implement AWS Firewall Manager policies for Shield Advanced 24 | # fms:006: Implement AWS Firewall Manager policies for Security Groups 25 | # fms:008: Implement AWS Firewall Manager policies for Network Firewall 26 | # fms:010: Implement AWS Firewall Manager policies for DNS Firewall 27 | # These are implemented by setting the appropriate security_service_policy_type and managed_service_data 28 | 29 | # fms:003: Enable AWS Firewall Manager logging 30 | include_map { 31 | account = var.include_account_ids 32 | } 33 | 34 | # fms:009: Configure AWS Firewall Manager notifications 35 | dynamic "policy_option" { 36 | for_each = var.sns_topic_arn != null ? 
[1] : [] 37 | content { 38 | notification_channel = var.sns_topic_arn 39 | notification_type = "ALL" 40 | } 41 | } 42 | } 43 | 44 | # fms:002: Implement least privilege access for AWS Firewall Manager 45 | resource "aws_iam_role" "fms_admin" { 46 | name = "fms-admin-role" 47 | assume_role_policy = jsonencode({ 48 | Version = "2012-10-17" 49 | Statement = [ 50 | { 51 | Action = "sts:AssumeRole" 52 | Effect = "Allow" 53 | Principal = { 54 | Service = "fms.amazonaws.com" 55 | } 56 | } 57 | ] 58 | }) 59 | } 60 | 61 | resource "aws_iam_role_policy_attachment" "fms_admin" { 62 | role = aws_iam_role.fms_admin.name 63 | policy_arn = "arn:aws:iam::aws:policy/service-role/AWSFMAdminFullAccess" 64 | } 65 | 66 | # fms:007: Regularly review and update AWS Firewall Manager policies 67 | # This is a process recommendation and cannot be directly implemented in Terraform -------------------------------------------------------------------------------- /aws-terraform/route53/variables.tf: -------------------------------------------------------------------------------- 1 | variable "domain_name" { 2 | description = "The domain name for the Route 53 hosted zone" 3 | type = string 4 | } 5 | 6 | variable "enable_query_logging" { 7 | description = "Enable query logging for Route 53" 8 | type = bool 9 | default = true 10 | } 11 | 12 | variable "cloudwatch_log_group_arn" { 13 | description = "ARN of the CloudWatch Log Group for Route 53 query logging" 14 | type = string 15 | default = "" 16 | } 17 | 18 | variable "enable_dnssec" { 19 | description = "Enable DNSSEC for the hosted zone" 20 | type = bool 21 | default = true 22 | } 23 | 24 | variable "kms_key_arn" { 25 | description = "ARN of the KMS key for DNSSEC signing" 26 | type = string 27 | default = "" 28 | } 29 | 30 | variable "key_signing_key_name" { 31 | description = "Name of the key-signing key for DNSSEC" 32 | type = string 33 | default = "route53-dnssec-key" 34 | } 35 | 36 | variable "is_private_zone" { 37 | description = 
"Whether the hosted zone is private" 38 | type = bool 39 | default = false 40 | } 41 | 42 | variable "vpc_id" { 43 | description = "VPC ID for private hosted zone" 44 | type = string 45 | default = "" 46 | } 47 | 48 | variable "enable_health_check" { 49 | description = "Enable Route 53 health check" 50 | type = bool 51 | default = true 52 | } 53 | 54 | variable "health_check_fqdn" { 55 | description = "FQDN for the health check" 56 | type = string 57 | default = "" 58 | } 59 | 60 | variable "health_check_port" { 61 | description = "Port for the health check" 62 | type = number 63 | default = 80 64 | } 65 | 66 | variable "health_check_type" { 67 | description = "Type of health check" 68 | type = string 69 | default = "HTTP" 70 | } 71 | 72 | variable "health_check_resource_path" { 73 | description = "Resource path for the health check" 74 | type = string 75 | default = "/" 76 | } 77 | 78 | variable "health_check_failure_threshold" { 79 | description = "Failure threshold for the health check" 80 | type = number 81 | default = 3 82 | } 83 | 84 | variable "health_check_request_interval" { 85 | description = "Request interval for the health check" 86 | type = number 87 | default = 30 88 | } 89 | 90 | variable "tags" { 91 | description = "Tags to apply to resources" 92 | type = map(string) 93 | default = {} 94 | } -------------------------------------------------------------------------------- /aws-terraform/elasticache/variables.tf: -------------------------------------------------------------------------------- 1 | variable "replication_group_id" { 2 | description = "The ID of the ElastiCache replication group" 3 | type = string 4 | } 5 | 6 | variable "node_type" { 7 | description = "The compute and memory capacity of the nodes" 8 | type = string 9 | default = "cache.t3.micro" 10 | } 11 | 12 | variable "num_cache_clusters" { 13 | description = "The number of cache clusters (primary and replicas) this replication group will have" 14 | type = number 15 | default = 2 16 | 
} 17 | 18 | variable "parameter_group_name" { 19 | description = "The name of the parameter group to associate with this replication group" 20 | type = string 21 | } 22 | 23 | variable "engine_version" { 24 | description = "The version number of the cache engine" 25 | type = string 26 | default = "6.x" 27 | } 28 | 29 | variable "kms_key_id" { 30 | description = "The ARN of the key that you wish to use if encrypting at rest" 31 | type = string 32 | } 33 | 34 | variable "auth_token" { 35 | description = "The password used to access a password protected server" 36 | type = string 37 | sensitive = true 38 | } 39 | 40 | variable "snapshot_retention_limit" { 41 | description = "The number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them" 42 | type = number 43 | default = 7 44 | } 45 | 46 | variable "snapshot_window" { 47 | description = "The daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster" 48 | type = string 49 | default = "05:00-09:00" 50 | } 51 | 52 | variable "subnet_ids" { 53 | description = "List of VPC Subnet IDs for the cache subnet group" 54 | type = list(string) 55 | } 56 | 57 | variable "security_group_id" { 58 | description = "ID of the Security Group to associate with the ElastiCache cluster" 59 | type = string 60 | } 61 | 62 | variable "maintenance_window" { 63 | description = "Specifies the weekly time range for when maintenance on the cache cluster is performed" 64 | type = string 65 | default = "sun:05:00-sun:09:00" 66 | } 67 | 68 | variable "cpu_threshold" { 69 | description = "The CPU utilization threshold for the CloudWatch alarm" 70 | type = number 71 | default = 75 72 | } 73 | 74 | variable "sns_topic_arn" { 75 | description = "The ARN of the SNS topic to send CloudWatch alarms" 76 | type = string 77 | } -------------------------------------------------------------------------------- /aws-terraform/appstream/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "fleet_name" { 2 | description = "Name of the AppStream 2.0 fleet" 3 | type = string 4 | } 5 | 6 | variable "instance_type" { 7 | description = "The instance type to use for the fleet" 8 | type = string 9 | } 10 | 11 | variable "fleet_type" { 12 | description = "The fleet type (ALWAYS_ON or ON_DEMAND)" 13 | type = string 14 | default = "ON_DEMAND" 15 | } 16 | 17 | variable "max_user_duration_in_seconds" { 18 | description = "The maximum amount of time that a streaming session can remain active" 19 | type = number 20 | default = 36000 # 10 hours 21 | } 22 | 23 | variable "disconnect_timeout_in_seconds" { 24 | description = "The amount of time that a streaming session remains active after users disconnect" 25 | type = number 26 | default = 300 # 5 minutes 27 | } 28 | 29 | variable "idle_disconnect_timeout_in_seconds" { 30 | description = "The amount of time that users can be idle before they are disconnected" 31 | type = number 32 | default = 600 # 10 minutes 33 | } 34 | 35 | variable "kms_key_arn" { 36 | description = "The ARN of the KMS key to use for encryption" 37 | type = string 38 | } 39 | 40 | variable "subnet_ids" { 41 | description = "List of subnet IDs for the AppStream fleet" 42 | type = list(string) 43 | } 44 | 45 | variable "security_group_ids" { 46 | description = "List of security group IDs for the AppStream fleet" 47 | type = list(string) 48 | } 49 | 50 | variable "tags" { 51 | description = "A map of tags to add to all resources" 52 | type = map(string) 53 | default = {} 54 | } 55 | 56 | variable "stack_name" { 57 | description = "Name of the AppStream 2.0 stack" 58 | type = string 59 | } 60 | 61 | variable "stack_description" { 62 | description = "Description of the AppStream 2.0 stack" 63 | type = string 64 | default = "Managed by Terraform" 65 | } 66 | 67 | variable "stack_display_name" { 68 | description = "Display name of the AppStream 2.0 stack" 69 | 
type = string 70 | } 71 | 72 | variable "home_folder_s3_arn" { 73 | description = "The ARN of the S3 bucket to use for home folders" 74 | type = string 75 | } 76 | 77 | variable "usage_reports_s3_bucket_arn" { 78 | description = "The ARN of the S3 bucket to use for usage reports" 79 | type = string 80 | } 81 | 82 | variable "user_name" { 83 | description = "The username for the AppStream 2.0 user" 84 | type = string 85 | } -------------------------------------------------------------------------------- /aws-terraform/elasticbeanstalk/variables.tf: -------------------------------------------------------------------------------- 1 | variable "environment_name" { 2 | description = "Name of the Elastic Beanstalk environment" 3 | type = string 4 | } 5 | 6 | variable "application_name" { 7 | description = "Name of the Elastic Beanstalk application" 8 | type = string 9 | } 10 | 11 | variable "solution_stack_name" { 12 | description = "Solution stack name for the Elastic Beanstalk environment" 13 | type = string 14 | } 15 | 16 | variable "managed_actions_start_time" { 17 | description = "Start time for managed actions" 18 | type = string 19 | default = "Tue:10:00" 20 | } 21 | 22 | variable "vpc_id" { 23 | description = "ID of the VPC to use for the Elastic Beanstalk environment" 24 | type = string 25 | } 26 | 27 | variable "subnet_ids" { 28 | description = "List of subnet IDs to use for the Elastic Beanstalk environment" 29 | type = list(string) 30 | } 31 | 32 | variable "ssl_certificate_arn" { 33 | description = "ARN of the SSL certificate to use for HTTPS" 34 | type = string 35 | } 36 | 37 | variable "instance_profile_name" { 38 | description = "Name of the IAM instance profile to use for EC2 instances" 39 | type = string 40 | } 41 | 42 | variable "root_volume_size" { 43 | description = "Size of the root volume for EC2 instances" 44 | type = number 45 | default = 20 46 | } 47 | 48 | variable "security_group_id" { 49 | description = "ID of the security group to use for 
EC2 instances" 50 | type = string 51 | } 52 | 53 | variable "environment_variables" { 54 | description = "Map of environment variables for the Elastic Beanstalk environment" 55 | type = map(string) 56 | default = {} 57 | } 58 | 59 | variable "autoscaling_min_size" { 60 | description = "Minimum number of instances in the auto scaling group" 61 | type = number 62 | default = 1 63 | } 64 | 65 | variable "autoscaling_max_size" { 66 | description = "Maximum number of instances in the auto scaling group" 67 | type = number 68 | default = 4 69 | } 70 | 71 | variable "rds_engine_version" { 72 | description = "Version of the RDS engine to use" 73 | type = string 74 | } 75 | 76 | variable "waf_web_acl_arn" { 77 | description = "ARN of the WAF Web ACL to associate with the Elastic Beanstalk environment" 78 | type = string 79 | } 80 | 81 | variable "eb_bucket_name" { 82 | description = "Name of the S3 bucket for Elastic Beanstalk application versions" 83 | type = string 84 | } -------------------------------------------------------------------------------- /aws-terraform/ec2/variables.tf: -------------------------------------------------------------------------------- 1 | variable "ami_id" { 2 | description = "The AMI ID to use for the EC2 instance" 3 | type = string 4 | } 5 | 6 | variable "instance_type" { 7 | description = "The instance type to use for the EC2 instance" 8 | type = string 9 | default = "t3.micro" # Use the latest generation instance type as default 10 | } 11 | 12 | variable "subnet_id" { 13 | description = "The subnet ID to launch the instance in" 14 | type = string 15 | } 16 | 17 | variable "security_group_ids" { 18 | description = "A list of security group IDs to associate with the instance" 19 | type = list(string) 20 | } 21 | 22 | variable "iam_instance_profile" { 23 | description = "The IAM instance profile to associate with the instance" 24 | type = string 25 | } 26 | 27 | variable "kms_key_id" { 28 | description = "The KMS key ID to use for EBS volume 
encryption" 29 | type = string 30 | } 31 | 32 | variable "tags" { 33 | description = "A map of tags to add to the instance" 34 | type = map(string) 35 | default = {} 36 | } 37 | 38 | variable "user_data" { 39 | description = "The user data to provide when launching the instance" 40 | type = string 41 | default = "" 42 | } 43 | 44 | variable "enable_termination_protection" { 45 | description = "Enable termination protection for the instance" 46 | type = bool 47 | default = true 48 | } 49 | 50 | variable "use_dedicated_instance" { 51 | description = "Use a dedicated instance" 52 | type = bool 53 | default = false 54 | } 55 | 56 | variable "ingress_rules" { 57 | description = "List of ingress rules for the security group" 58 | type = list(object({ 59 | from_port = number 60 | to_port = number 61 | protocol = string 62 | cidr_blocks = list(string) 63 | })) 64 | default = [] 65 | } 66 | 67 | variable "security_group_id" { 68 | description = "The ID of the security group to add ingress rules to" 69 | type = string 70 | } 71 | 72 | variable "flow_log_role_arn" { 73 | description = "The ARN of the IAM role for VPC flow logs" 74 | type = string 75 | } 76 | 77 | variable "flow_log_destination" { 78 | description = "The ARN of the destination for VPC flow logs" 79 | type = string 80 | } 81 | 82 | variable "vpc_id" { 83 | description = "The ID of the VPC for flow logs" 84 | type = string 85 | } 86 | 87 | variable "ssm_service_role_arn" { 88 | description = "The ARN of the IAM role for SSM to perform maintenance tasks" 89 | type = string 90 | } -------------------------------------------------------------------------------- /checkov-rules/redshift/security-reqs.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "ID": "Redshift-001", 4 | "name": "Ensure all data stored in the Redshift cluster is securely encrypted at rest", 5 | "cloudProvider": "AWS", 6 | "service name": "redshift" 7 | }, 8 | { 9 | "ID": "Redshift-002", 10 | 
"name": "Ensure Amazon Redshift clusters should have automatic snapshots enabled", 11 | "cloudProvider": "AWS", 12 | "service name": "redshift" 13 | }, 14 | { 15 | "ID": "Redshift-003", 16 | "name": "Ensure Redshift Cluster logging is enabled", 17 | "cloudProvider": "AWS", 18 | "service name": "redshift" 19 | }, 20 | { 21 | "ID": "Redshift-004", 22 | "name": "Ensure Redshift clusters do not use the default database name", 23 | "cloudProvider": "AWS", 24 | "service name": "redshift" 25 | }, 26 | { 27 | "ID": "Redshift-005", 28 | "name": "Ensure Redshift clusters use enhanced VPC routing", 29 | "cloudProvider": "AWS", 30 | "service name": "redshift" 31 | }, 32 | { 33 | "ID": "Redshift-006", 34 | "name": "Ensure Redshift is not deployed outside of a VPC", 35 | "cloudProvider": "AWS", 36 | "service name": "redshift" 37 | }, 38 | { 39 | "ID": "Redshift-007", 40 | "name": "Ensure that Redshift cluster is encrypted by KMS", 41 | "cloudProvider": "AWS", 42 | "service name": "redshift" 43 | }, 44 | { 45 | "ID": "Redshift-008", 46 | "name": "Ensured that Redshift cluster allowing version upgrade by default", 47 | "cloudProvider": "AWS", 48 | "service name": "redshift" 49 | }, 50 | { 51 | "ID": "Redshift-009", 52 | "name": "Redshift cluster should not be publicly accessible", 53 | "cloudProvider": "AWS", 54 | "service name": "redshift" 55 | }, 56 | { 57 | "ID": "Redshift-010", 58 | "name": "Ensure Redshift uses SSL", 59 | "cloudProvider": "AWS", 60 | "service name": "redshift" 61 | }, 62 | { 63 | "ID": "Redshift-011", 64 | "name": "Ensure RedShift snapshot copy is encrypted by KMS using a customer managed Key (CMK)", 65 | "cloudProvider": "AWS", 66 | "service name": "redshift" 67 | }, 68 | { 69 | "ID": "Redshift-012", 70 | "name": "Ensure that Redshift Serverless namespace is encrypted by KMS using a customer managed key (CMK)", 71 | "cloudProvider": "AWS", 72 | "service name": "redshift" 73 | } 74 | ] 
-------------------------------------------------------------------------------- /aws-terraform/acm/main.tf: -------------------------------------------------------------------------------- 1 | # ACM:001: Use secure key algorithms for ACM certificates 2 | resource "aws_acm_certificate" "main" { 3 | domain_name = var.domain_name 4 | validation_method = "DNS" 5 | 6 | # ACM:003: Enable Certificate Transparency logging for ACM certificates 7 | certificate_transparency_logging_preference = "ENABLED" 8 | 9 | # ACM:004: Avoid wildcard domains in ACM certificates 10 | subject_alternative_names = var.subject_alternative_names 11 | 12 | key_algorithm = var.key_algorithm 13 | 14 | # ACM:005: Implement 'create before destroy' for ACM certificates 15 | lifecycle { 16 | create_before_destroy = true 17 | } 18 | 19 | tags = var.tags 20 | } 21 | 22 | # ACM:002: Set up automated renewal for ACM certificates 23 | # ACM automatically renews certificates. No additional configuration needed. 24 | 25 | # ACM:006: Use ACM Private Certificate Authority for internal services 26 | resource "aws_acmpca_certificate_authority" "private_ca" { 27 | count = var.create_private_ca ? 1 : 0 28 | 29 | certificate_authority_configuration { 30 | key_algorithm = "RSA_4096" 31 | signing_algorithm = "SHA512WITHRSA" 32 | 33 | subject { 34 | common_name = var.private_ca_common_name 35 | } 36 | } 37 | 38 | permanent_deletion_time_in_days = 7 39 | type = "ROOT" 40 | 41 | tags = var.tags 42 | } 43 | 44 | # ACM:009: Use ACM certificates with AWS services that integrate with ACM 45 | # This is handled by associating the ACM certificate with supported services in their respective resource configurations. 
46 | 47 | # ACM:010: Implement access controls for ACM certificate management 48 | data "aws_iam_policy_document" "acm_read_only" { 49 | statement { 50 | effect = "Allow" 51 | actions = [ 52 | "acm:DescribeCertificate", 53 | "acm:ListCertificates", 54 | "acm:GetCertificate", 55 | "acm:ListTagsForCertificate", 56 | ] 57 | resources = ["*"] 58 | } 59 | } 60 | 61 | data "aws_iam_policy_document" "acm_full_access" { 62 | statement { 63 | effect = "Allow" 64 | actions = [ 65 | "acm:*", 66 | ] 67 | resources = ["*"] 68 | } 69 | } 70 | 71 | resource "aws_iam_policy" "acm_read_only" { 72 | name = "ACMReadOnlyPolicy" 73 | path = "/" 74 | description = "ACM read-only access policy" 75 | policy = data.aws_iam_policy_document.acm_read_only.json 76 | } 77 | 78 | resource "aws_iam_policy" "acm_full_access" { 79 | name = "ACMFullAccessPolicy" 80 | path = "/" 81 | description = "ACM full access policy" 82 | policy = data.aws_iam_policy_document.acm_full_access.json 83 | } -------------------------------------------------------------------------------- /aws-terraform/neptune/variables.tf: -------------------------------------------------------------------------------- 1 | variable "cluster_identifier" { 2 | description = "The identifier for the Neptune cluster" 3 | type = string 4 | } 5 | 6 | variable "engine_version" { 7 | description = "The engine version for Neptune" 8 | type = string 9 | default = "1.2.1.0" 10 | } 11 | 12 | variable "backup_retention_period" { 13 | description = "The number of days to retain backups" 14 | type = number 15 | default = 35 16 | } 17 | 18 | variable "preferred_backup_window" { 19 | description = "The daily time range during which automated backups are created" 20 | type = string 21 | default = "02:00-03:00" 22 | } 23 | 24 | variable "vpc_security_group_ids" { 25 | description = "List of VPC security group IDs to associate with the cluster" 26 | type = list(string) 27 | } 28 | 29 | variable "db_subnet_group_name" { 30 | description = "Name of DB 
subnet group"
  type        = string
}

variable "kms_key_arn" {
  description = "The ARN of the KMS key for encryption"
  type        = string
}

variable "snapshot_identifier" {
  description = "The identifier for the DB snapshot or DB cluster snapshot to restore from"
  type        = string
  default     = null
}

variable "availability_zones" {
  description = "List of Availability Zones for the cluster"
  type        = list(string)
}

variable "min_capacity" {
  description = "The minimum capacity for the Neptune cluster"
  type        = number
  default     = 1
}

variable "max_capacity" {
  description = "The maximum capacity for the Neptune cluster"
  type        = number
  default     = 16
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

variable "allowed_cidr_blocks" {
  description = "List of CIDR blocks allowed to access Neptune"
  type        = list(string)
}

variable "neptune_security_group_id" {
  description = "ID of the security group for Neptune"
  type        = string
}

variable "cpu_utilization_threshold" {
  description = "The threshold for CPU utilization alarm"
  type        = number
  default     = 80
}

variable "failed_login_threshold" {
  description = "The threshold for failed login attempts alarm"
  type        = number
  default     = 5
}

variable "sns_topic_arn" {
  description = "The ARN of the SNS topic for CloudWatch alarms"
  type        = string
}
--------------------------------------------------------------------------------
/aws-terraform/dlm/variables.tf:
--------------------------------------------------------------------------------
variable "execution_role_arn" {
  description = "The ARN of the IAM role used to run the EBS snapshot policy"
  type        = string
}

variable "retention_count" {
  description = "The number of snapshots to retain"
  type        = number
  default     = 7
}

variable "target_tags" {
  description = "Tags to use for identifying volumes to snapshot"
  type        = map(string)
  default     = {}
}

variable "cross_region_copy_rules" {
  description = "List of cross-region copy rules"
  type = list(object({
    target_region   = string
    cmk_arn         = string
    retain_interval = number
  }))
  default = []
}

variable "tags" {
  description = "Tags to apply to the DLM lifecycle policy"
  type        = map(string)
  default     = {}
}

variable "enable_cross_account_sharing" {
  description = "Enable cross-account snapshot sharing"
  type        = bool
  default     = false
}

variable "cross_account_target_region" {
  description = "Target region for cross-account snapshot sharing"
  type        = string
  default     = ""
}

variable "cross_account_cmk_arn" {
  description = "CMK ARN for encrypting cross-account shared snapshots"
  type        = string
  default     = ""
}

variable "cross_account_target_accounts" {
  description = "List of AWS account IDs to share snapshots with"
  type        = list(string)
  default     = []
}

variable "cross_account_target_tags" {
  description = "Tags to use for identifying volumes for cross-account sharing"
  type        = map(string)
  default     = {}
}

variable "enable_fast_snapshot_restore" {
  description = "Enable Fast Snapshot Restore for critical volumes"
  type        = bool
  default     = false
}

variable "fast_restore_availability_zones" {
  description = "List of Availability Zones to enable Fast Snapshot Restore"
  type        = list(string)
  default     = []
}

variable "fast_restore_count" {
  description = "Number of snapshots to be enabled for Fast Snapshot Restore"
  type        = number
  default     = 1
}

variable "fast_restore_target_tags" {
  description = "Tags to use for identifying volumes for Fast Snapshot Restore"
  type        = map(string)
  default     = {}
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for DLM policy execution alerts"
  type        = string
}
--------------------------------------------------------------------------------
/prowler-rules/elasticache/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Elasticache-001",
    "name": "Ensure Elasticache Redis clusters have automatic failover enabled.",
    "description": "Ensure Elasticache Redis OSS cache clusters use automatic failover.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-002",
    "name": "Ensure Elasticache Cluster is not using a public subnet",
    "description": "Ensure Elasticache Cluster is not using a public subnet",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-003",
    "name": "Ensure Elasticache Redis cache cluster has automatic backups enabled.",
    "description": "Ensure Elasticache Redis cache cluster has automatic backups enabled.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-004",
    "name": "Ensure Elasticache Redis cache cluster has Multi-AZ enabled.",
    "description": "Ensure Elasticache Redis cache cluster has Multi-AZ enabled.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-005",
    "name": "Ensure Elasticache Redis cache clusters have in transit encryption enabled.",
    "description": "Ensure Elasticache Redis cache clusters have in transit encryption enabled.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-006",
    "name": "Ensure Elasticache Redis cache clusters have at rest encryption enabled.",
    "description": "Ensure Elasticache Redis cache clusters have at rest encryption enabled.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-007",
    "name": "Ensure Elasticache Redis replication groups of earlier versions have Redis OSS AUTH enabled.",
    "description": "Ensure Elasticache Redis replication groups of earlier versions use Redis OSS AUTH.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  },
  {
    "ID": "Elasticache-008",
    "name": "Ensure Elasticache Redis cache clusters have automatic minor upgrades enabled.",
    "description": "Ensure Elasticache Redis cache clusters have automatic minor upgrades enabled.",
    "cloudProvider": "AWS",
    "service name": "elasticache"
  }
]
--------------------------------------------------------------------------------
/aws-terraform/kms/notes.md:
--------------------------------------------------------------------------------
# AWS KMS Security Requirements Implementation Notes

1. KMS:001: Enable Key Rotation for Customer Managed Keys (CMK)
   - Implemented in Terraform code using `enable_key_rotation = true` in the `aws_kms_key` resource. Automatic rotation is only available for symmetric keys with AWS-generated key material; asymmetric keys and keys with imported material (KMS:009) have to be rotated manually by creating a new key and repointing the alias.

2. KMS:002: Prevent Unintentional Deletion of KMS Keys
   - Implemented in Terraform code by setting `deletion_window_in_days` in the `aws_kms_key` resource. Default is set to 30 days (the maximum), so a scheduled deletion can be cancelled for a full month; once the window expires, everything encrypted under the key is unrecoverable.

3. KMS:003: Ensure KMS Keys Are Actively Used
   - Not directly implementable in Terraform. Requires operational monitoring and auditing, e.g. of CloudTrail events per key ID.

4. KMS:004: Implement Least Privilege Access for KMS Keys
   - Partially implemented by creating separate read and write IAM policies. The actual key policy needs to be provided by the user. IAM policies only take effect if the key policy delegates to IAM (the statement that allows the account root principal); a key policy without that statement leaves the module's IAM policies inert.

5. KMS:005: Enable Logging for KMS Key Usage
   - Not configured by this module. Every KMS API call, including `Decrypt` and `GenerateDataKey`, is recorded as a CloudTrail management event, so an account-level trail (see the cloudtrail module) covers key usage without any KMS-specific configuration.

6. KMS:006: Use Separate KMS Keys for Different Applications or Data Classifications
   - Not directly implementable in Terraform. This is a design decision that should be reflected in how the module is used.

7. KMS:007: Implement Multi-Region KMS Keys for Critical Data
   - Implemented in Terraform code using `multi_region = true` in the `aws_kms_key` resource. This creates the primary key only; replicas in other regions are created with `aws_kms_replica_key`. Replicas share key material and key ID with the primary but each carries its own key policy, grants and aliases.

8. KMS:008: Regular Review and Rotation of KMS Key Policies
   - Not directly implementable in Terraform. Requires operational processes for regular review and updates.

9. KMS:009: Enable Automatic Key Deletion for Imported Key Material
   - Implemented in Terraform code using the `aws_kms_external_key` resource with the `valid_to` parameter. `valid_to` is an expiry on the imported key material, not on the key itself: when it passes, KMS deletes the material and the key becomes unusable until new material is imported, so ciphertext under it is unreadable in the meantime.

10. KMS:010: Implement KMS Key Aliases for Simplified Management
    - Implemented in Terraform code using the `aws_kms_alias` resource.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure defaults, such as enabling key rotation and setting a 30-day deletion window.
- The module allows for the creation of both standard and imported key material KMS keys.
- Consider implementing additional access controls and monitoring for the KMS keys.
- Implement least privilege access principles when defining IAM policies for key access.
- Regularly review and audit key policies and access logs to ensure compliance with security requirements.
- For multi-region keys, ensure that proper controls are in place in all regions where the key is replicated.
- When using imported key material, ensure secure processes for key generation and import.
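The KMS notes above leave the key policy for KMS:004 to the caller. The following is an added example of what that policy should look like; it is not code from this repository's kms module. It separates key administration from key use, keeps the root delegation statement so the module's IAM policies still apply, and pins cryptographic use to one AWS service via `kms:ViaService`. The variables `key_admin_role_arns`, `key_user_role_arns`, `allowed_via_service` and `alias_name` are assumptions introduced for the example.

```hcl
# Added example (not part of the repository's kms module): least-privilege
# key policy for KMS:004. All variables below are assumptions for the example.
variable "key_admin_role_arns" { type = list(string) }
variable "key_user_role_arns"  { type = list(string) }
variable "allowed_via_service" { type = string }   # e.g. "secretsmanager"
variable "alias_name"          { type = string }

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "cmk" {
  # Without this statement no IAM policy in the account (including the
  # module's read/write policies) can grant any access to the key.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # Key administrators manage the key but get none of the cryptographic
  # operations (no Encrypt/Decrypt/GenerateDataKey*), so an admin credential
  # alone cannot read protected data.
  statement {
    sid = "KeyAdministration"
    actions = [
      "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
      "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
      "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
      "kms:CancelKeyDeletion",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = var.key_admin_role_arns
    }
  }

  # Key users may only use the key through one AWS service in this region.
  # A direct kms:Decrypt call with exfiltrated ciphertext is refused.
  statement {
    sid = "KeyUsageViaServiceOnly"
    actions = [
      "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
      "kms:GenerateDataKey*", "kms:DescribeKey",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = var.key_user_role_arns
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["${var.allowed_via_service}.${data.aws_region.current.name}.amazonaws.com"]
    }
  }

  # Integrated services need grants, but only on behalf of an AWS resource,
  # never for arbitrary principals.
  statement {
    sid       = "AllowGrantsForAWSResources"
    actions   = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = var.key_user_role_arns
    }
    condition {
      test     = "Bool"
      variable = "kms:GrantIsForAWSResource"
      values   = ["true"]
    }
  }
}

resource "aws_kms_key" "example" {
  description             = "Example CMK with least-privilege key policy"
  enable_key_rotation     = true # KMS:001
  deletion_window_in_days = 30   # KMS:002
  policy                  = data.aws_iam_policy_document.cmk.json
}

resource "aws_kms_alias" "example" { # KMS:010
  name          = "alias/${var.alias_name}"
  target_key_id = aws_kms_key.example.key_id
}
```

Check the result with `aws kms get-key-policy --key-id <id> --policy-name default` and confirm that a user role can decrypt only through the named service: a direct `aws kms decrypt` call with the same credentials should fail with `AccessDeniedException`. If the key must also serve a second service, add that service's endpoint to the `kms:ViaService` list rather than dropping the condition.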
--------------------------------------------------------------------------------
/aws-terraform/route53/notes.md:
--------------------------------------------------------------------------------
# AWS Route 53 Security Requirements Implementation Notes

1. route53:001: Enable Query Logging for Route 53 Public Hosted Zones
   - Implemented in Terraform code using the `aws_route53_query_log` resource. The destination CloudWatch log group must live in us-east-1 and carry a resource policy that lets `route53.amazonaws.com` write to it.

2. route53:002: Enable Transfer Lock for Route 53 Domains
   - Not implemented by this module; it is a registrar (Route 53 Domains) setting rather than a hosted-zone setting. For domains registered through Route 53, the AWS provider's `aws_route53domains_registered_domain` resource exposes a `transfer_lock` argument.

3. route53:003: Enable Privacy Protection for Route 53 Domains
   - Not implemented by this module for the same reason; the same `aws_route53domains_registered_domain` resource exposes `admin_privacy`, `registrant_privacy` and `tech_privacy`.

4. route53:004: Remove Dangling DNS Records in Route 53
   - Cannot be implemented in Terraform. Records that still point at resources which no longer exist (a deleted S3 bucket, a released Elastic IP, a decommissioned CNAME target) are a subdomain-takeover risk and need regular auditing and removal.

5. route53:005: Enable DNSSEC Signing for Route 53 Public Hosted Zones
   - Implemented in Terraform code using the `aws_route53_key_signing_key` and `aws_route53_hosted_zone_dnssec` resources. Signing only protects resolvers once the DS record derived from the key-signing key is published in the parent zone (at the registrar); until then the zone is signed but not validated.

6. route53:006: Implement Least Privilege Access for Route 53 Management
   - Partially implemented by creating separate read-only and write IAM policies. Users should attach these policies as needed.

7. route53:007: Use AWS KMS Customer Managed Keys for DNSSEC Signing
   - Partially implemented by allowing users to provide a custom KMS key ARN for DNSSEC signing. The key must be an asymmetric `ECC_NIST_P256` key with `SIGN_VERIFY` usage created in us-east-1, and its key policy must allow `dnssec-route53.amazonaws.com` to describe the key, fetch its public key, sign and create grants.

8. route53:008: Implement Monitoring for Critical DNS Changes
   - Cannot be directly implemented in this module. Route 53 API calls such as `ChangeResourceRecordSets` are recorded by CloudTrail in us-east-1 (Route 53 is a global service); CloudWatch alarms or EventBridge rules on those events should be set up in a separate monitoring module.

9. route53:009: Use Private Hosted Zones for Internal DNS Resolution
   - Implemented in Terraform code by allowing the creation of private hosted zones with the `aws_route53_zone` resource.

10. route53:010: Implement Health Checks for DNS Failover
    - Implemented in Terraform code using the `aws_route53_health_check` resource.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure defaults where possible (e.g., query logging and DNSSEC are enabled by default).
- The module assumes that CloudWatch log groups and KMS keys already exist and requires their ARNs as input.
- Consider implementing additional monitoring and alerting for Route 53 changes and activities.
- Regularly review and audit DNS records and access logs to ensure compliance with security requirements.
- Implement proper change management processes for DNS changes.
- Consider using AWS Organizations and Service Control Policies (SCPs) for additional control over Route 53 usage across the organization.
--------------------------------------------------------------------------------
/aws-terraform/sns/notes.md:
--------------------------------------------------------------------------------
# AWS SNS Security Requirements Implementation Notes

1. SNS:001: Use HTTPS endpoints for SNS subscriptions
   - Implemented in Terraform code using the `aws_sns_topic_subscription` resource with the protocol set to "https".

2. SNS:002: Enable server-side encryption for SNS topics using KMS CMK
   - Implemented in Terraform code using the `aws_sns_topic` resource with the `kms_master_key_id` attribute. Any AWS service that publishes to the encrypted topic (CloudWatch alarms, EventBridge, S3 events) needs `kms:GenerateDataKey` and `kms:Decrypt` on that key in the key policy, otherwise publishes fail silently.

3. SNS:003: Implement least privilege access for SNS topics
   - Partially implemented in Terraform code using the `aws_sns_topic_policy` resource with a basic policy. Users should customize this policy based on their specific requirements.

4. SNS:004: Enable SNS topic encryption in transit
   - Calls to the SNS API are made over TLS and HTTPS subscriptions deliver over TLS; server-side encryption (SNS:002) protects data at rest, not in transit. A topic policy statement that denies requests with `aws:SecureTransport` equal to false makes TLS mandatory for every publisher and subscriber.

5. SNS:005: Implement SNS access logging
   - Not directly implemented in Terraform. This requires enabling CloudTrail logging for SNS API calls, which is typically done at the account level.

6. SNS:006: Implement SNS message filtering
   - Implemented in Terraform code using the `aws_sns_topic_subscription` resource with the `filter_policy` attribute.

7. SNS:007: Enable SNS topic tagging
   - Implemented in Terraform code by adding tags to the `aws_sns_topic` resource.

8. SNS:008: Implement SNS dead-letter queues
   - Implemented in Terraform code using the `aws_sns_topic_subscription` resource with the `redrive_policy` attribute. The dead-letter queue's SQS queue policy must allow `sns.amazonaws.com` to call `sqs:SendMessage`, otherwise failed deliveries are dropped instead of redriven.

9. SNS:009: Implement SNS message attributes for enhanced security
   - Implemented in Terraform code using the `aws_sns_topic_subscription` resource with `filter_policy_scope` set to "MessageAttributes".

10. SNS:010: Regularly review and rotate SNS access keys
    - Not directly implemented in Terraform. SNS has no service-specific keys; this refers to the IAM access keys of the principals that publish to or manage topics, which is an operational task managed outside of infrastructure code.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure options by default, such as enabling encryption and using HTTPS endpoints.
- The module assumes that KMS keys and SQS queues (for DLQ) already exist and requires their IDs/ARNs as input.
- Consider implementing additional access controls and monitoring for the SNS topics and their associated resources.
- Implement least privilege access principles when defining IAM policies for topic access.
- Regularly review and audit topic policies and access patterns to ensure compliance with security requirements.
- Enable and configure AWS CloudTrail to log SNS API calls for comprehensive auditing and monitoring.
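SNS:003 in the notes above ships a "basic policy" and SNS:004 relies on HTTPS subscriptions alone. The following is an added example, not code from this repository's sns module, of a topic policy that makes both concrete: one named AWS service may publish, only on behalf of resources in this account; subscriptions may only be created from this account and only with TLS or in-AWS protocols; and every non-TLS request is denied. The variables `alarm_topic_name`, `kms_key_id` and `publisher_service` are assumptions introduced for the example.

```hcl
# Added example (not part of the repository's sns module): least-privilege
# topic policy for SNS:003 with a TLS-only clause for SNS:004.
# The variables below are assumptions for the example.
variable "alarm_topic_name"  { type = string }
variable "kms_key_id"        { type = string }
variable "publisher_service" { type = string } # e.g. "cloudwatch.amazonaws.com"

data "aws_caller_identity" "current" {}

resource "aws_sns_topic" "alarms" {
  name              = var.alarm_topic_name
  kms_master_key_id = var.kms_key_id # SNS:002
}

data "aws_iam_policy_document" "topic" {
  # One service principal may publish, and only for resources in this
  # account. Without aws:SourceAccount any account could drive the service
  # into publishing here (confused deputy).
  statement {
    sid       = "ServicePublishFromThisAccount"
    actions   = ["sns:Publish"]
    resources = [aws_sns_topic.alarms.arn]
    principals {
      type        = "Service"
      identifiers = [var.publisher_service]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }

  # Subscriptions only from this account, and only with protocols that
  # deliver over TLS or stay inside AWS: no plain http, no email.
  statement {
    sid       = "SubscribeOnlySecureProtocols"
    actions   = ["sns:Subscribe"]
    resources = [aws_sns_topic.alarms.arn]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sns:Protocol"
      values   = ["https", "sqs", "lambda"]
    }
  }

  # Explicit deny for any call to this topic that did not arrive over TLS.
  # An explicit deny wins over every allow, including ones added later.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["sns:*"]
    resources = [aws_sns_topic.alarms.arn]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_sns_topic_policy" "alarms" {
  arn    = aws_sns_topic.alarms.arn
  policy = data.aws_iam_policy_document.topic.json
}
```

Two things to verify after applying: `aws sns get-topic-attributes --topic-arn <arn>` should show the three statements under `Policy`, and the KMS key named in `kms_key_id` must grant `kms:GenerateDataKey` and `kms:Decrypt` to `publisher_service`, otherwise the service's publishes are rejected by KMS even though the topic policy allows them.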
--------------------------------------------------------------------------------
/prowler-rules/guardduty/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Guardduty-001",
    "name": "There are High severity GuardDuty findings",
    "description": "There are High severity GuardDuty findings",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-002",
    "name": "Ensure that GuardDuty Malware Protection for EC2 is enabled.",
    "description": "GuardDuty Malware Protection for EC2 helps you detect the potential presence of malware by scanning the Amazon Elastic Block Store (Amazon EBS) volumes that are attached to Amazon Elastic Compute Cloud (Amazon EC2) instances and container workloads.",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-003",
    "name": "Check if GuardDuty is enabled",
    "description": "Check if GuardDuty is enabled",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-004",
    "name": "Check if GuardDuty S3 Protection is enabled.",
    "description": "This control checks whether GuardDuty S3 Protection is enabled in the account.",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-005",
    "name": "Check if GuardDuty RDS Protection is enabled.",
    "description": "Check if GuardDuty RDS Protection is enabled to ensure monitoring and threat detection for RDS activity.",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-006",
    "name": "GuardDuty EKS Audit Log Monitoring Enabled",
    "description": "Checks whether GuardDuty EKS Audit Log Monitoring is enabled as source in a detector.",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-007",
    "name": "Check if GuardDuty Lambda Protection is enabled.",
    "description": "GuardDuty Lambda Protection helps you identify potential security threats when an AWS Lambda function gets invoked. After you enable Lambda Protection, GuardDuty starts monitoring Lambda network activity logs associated with the Lambda functions in your AWS account.",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  },
  {
    "ID": "Guardduty-008",
    "name": "GuardDuty is centrally managed",
    "description": "GuardDuty is centrally managed",
    "cloudProvider": "AWS",
    "service name": "guardduty"
  }
]
--------------------------------------------------------------------------------
/aws-terraform/ses/notes.md:
--------------------------------------------------------------------------------
# AWS SES Security Requirements Implementation Notes

1. ses:001: Restrict SES identity access to known principals or accounts
   - Implemented in Terraform code using the `aws_ses_identity_policy` resource.

2. ses:002: Enforce TLS for SES Configuration Sets
   - Implemented in Terraform code using the `aws_ses_configuration_set` resource with the TLS policy set to "Require". Mail sent through a configuration set with this setting is not delivered at all if the receiving server does not offer STARTTLS, so this is a deliverability trade-off and not only a hardening switch.

3. ses:003: Enable DKIM signing for SES identities
   - Implemented in Terraform code using the `aws_ses_domain_dkim` resource. The resource only generates the three DKIM tokens; signing becomes active once the matching `<token>._domainkey` CNAME records are published in the domain's DNS.

4. ses:004: Implement SPF records for SES domains
   - Not implemented by this module. The TXT record has to be published in DNS, for example with an `aws_route53_record` when the zone is hosted in Route 53, or through the DNS provider's own Terraform provider. SPF is evaluated against the MAIL FROM (envelope) domain, which SES sets to a subdomain of amazonses.com unless a custom MAIL FROM domain is configured, so the record only matters once a custom MAIL FROM domain is in place.

5. ses:005: Enable SES event publishing to CloudWatch
   - Implemented in Terraform code using the `aws_ses_event_destination` resource with CloudWatch as the destination.

6. ses:006: Implement SES suppression list management
   - Not directly implementable in Terraform. This requires operational processes or custom scripts to manage the suppression list.

7. ses:007: Use SES API v2 for enhanced security features
   - This is a best practice recommendation and doesn't require a specific Terraform resource. It should be implemented at the application level.

8. ses:008: Implement SES sending authorization policies
   - Implemented in Terraform code using the `aws_ses_identity_policy` resource with a policy allowing specific principals to send emails.

9. ses:009: Enable SES feedback notifications
   - Implemented in Terraform code using the `aws_ses_identity_notification_topic` resource for bounce, complaint, and delivery notifications.

10. ses:010: Implement SES content filtering
    - Partially implemented in Terraform code using the `aws_ses_receipt_rule_set` and `aws_ses_receipt_rule` resources with `scan_enabled` set to true. This scans inbound mail for spam and viruses only; it does not filter the content of outbound mail.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure options by default, such as enforcing TLS and enabling DKIM signing.
- Consider implementing additional access controls and monitoring for SES and its associated resources.
- Implement least privilege access principles when defining IAM policies for SES usage.
- Regularly review and audit SES configurations, policies, and logs to ensure compliance with security requirements.
- Ensure that SPF records are configured for all domains used with SES, outside this module.
- Implement a process for managing the SES suppression list outside of Terraform.
- Use SES API v2 in your applications when interacting with SES for enhanced security features.
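The SES notes above mark DKIM as "implemented" by the `aws_ses_domain_dkim` resource alone and SPF as not implementable. The following is an added example, not code from this repository's ses module, that closes both gaps for a domain whose zone is in Route 53 (ses:003, ses:004) and adds a sending-authorization policy that also pins the From address to the domain (ses:001, ses:008). The variables `domain`, `zone_id` and `sender_role_arns`, and the `bounce.` MAIL FROM subdomain, are assumptions introduced for the example.

```hcl
# Added example (not part of the repository's ses module): DKIM, SPF and
# sending authorization wired end to end. Variables are assumptions.
variable "domain"           { type = string }       # e.g. "example.com"
variable "zone_id"          { type = string }       # Route 53 hosted zone for var.domain
variable "sender_role_arns" { type = list(string) } # roles allowed to send

data "aws_region" "current" {}

resource "aws_ses_domain_identity" "this" {
  domain = var.domain
}

# Verification TXT record; without it the identity never leaves "pending".
resource "aws_route53_record" "ses_verification" {
  zone_id = var.zone_id
  name    = "_amazonses.${var.domain}"
  type    = "TXT"
  ttl     = 600
  records = [aws_ses_domain_identity.this.verification_token]
}

resource "aws_ses_domain_dkim" "this" {
  domain = aws_ses_domain_identity.this.domain
}

# Easy DKIM yields three tokens. Signing is only active once all three
# CNAMEs resolve; creating aws_ses_domain_dkim alone does nothing for mail.
resource "aws_route53_record" "dkim" {
  count   = 3
  zone_id = var.zone_id
  name    = "${aws_ses_domain_dkim.this.dkim_tokens[count.index]}._domainkey.${var.domain}"
  type    = "CNAME"
  ttl     = 600
  records = ["${aws_ses_domain_dkim.this.dkim_tokens[count.index]}.dkim.amazonses.com"]
}

# Custom MAIL FROM domain so SPF is evaluated against our own subdomain
# instead of amazonses.com; this is what makes SPF alignment possible.
resource "aws_ses_domain_mail_from" "this" {
  domain           = aws_ses_domain_identity.this.domain
  mail_from_domain = "bounce.${var.domain}"
}

resource "aws_route53_record" "mail_from_mx" {
  zone_id = var.zone_id
  name    = aws_ses_domain_mail_from.this.mail_from_domain
  type    = "MX"
  ttl     = 600
  records = ["10 feedback-smtp.${data.aws_region.current.name}.amazonses.com"]
}

# SPF on the MAIL FROM domain: only SES may send as it, everything else
# hard-fails (-all).
resource "aws_route53_record" "mail_from_spf" {
  zone_id = var.zone_id
  name    = aws_ses_domain_mail_from.this.mail_from_domain
  type    = "TXT"
  ttl     = 600
  records = ["v=spf1 include:amazonses.com -all"]
}

# Sending authorization: only the listed roles may send as this identity,
# and only with a From address inside the domain, so a sender cannot use
# the identity to spoof an unrelated address in the header.
data "aws_iam_policy_document" "sending" {
  statement {
    sid       = "AllowNamedRolesToSendAsDomain"
    actions   = ["ses:SendEmail", "ses:SendRawEmail"]
    resources = [aws_ses_domain_identity.this.arn]
    principals {
      type        = "AWS"
      identifiers = var.sender_role_arns
    }
    condition {
      test     = "StringLike"
      variable = "ses:FromAddress"
      values   = ["*@${var.domain}"]
    }
  }
}

resource "aws_ses_identity_policy" "sending" {
  identity = aws_ses_domain_identity.this.arn
  name     = "sending-authorization"
  policy   = data.aws_iam_policy_document.sending.json
}
```

After the records propagate, `aws ses get-identity-dkim-attributes --identities <domain>` should report `DkimVerificationStatus: Success` and `aws ses get-identity-mail-from-domain-attributes` should show `MailFromDomainStatus: Success`; until both do, outgoing mail is either unsigned or carries an amazonses.com envelope that your SPF record does not cover. If the MAIL FROM subdomain already has TXT records, merge the SPF string into that record set, since Route 53 allows one record set per name and type.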
--------------------------------------------------------------------------------
/prowler-rules/apigatewayv1/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Apigateway-001",
    "name": "Check if API Gateway endpoint is public or private.",
    "description": "Check if API Gateway endpoint is public or private.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-002",
    "name": "Check if AWS X-Ray tracing is enabled for API Gateway REST API stages.",
    "description": "This control checks whether AWS X-Ray active tracing is enabled for your Amazon API Gateway REST API stages.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-003",
    "name": "Check if API Gateway Stage has a WAF ACL attached.",
    "description": "Check if API Gateway Stage has a WAF ACL attached.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-004",
    "name": "Check if API Gateway Stage has logging enabled.",
    "description": "Check if API Gateway Stage has logging enabled.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-005",
    "name": "Check if API Gateway Stage has client certificate enabled to access your backend endpoint.",
    "description": "Check if API Gateway Stage has client certificate enabled to access your backend endpoint.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-006",
    "name": "Check if API Gateway REST API cache data is encrypted at rest.",
    "description": "This control checks whether all methods in API Gateway REST API stages that have cache enabled are encrypted. The control fails if any method in an API Gateway REST API stage is configured to cache and the cache is not encrypted.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-007",
    "name": "Check if API Gateway has configured authorizers at api or method level.",
    "description": "Check if API Gateway has configured authorizers at api or method level.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  },
  {
    "ID": "Apigateway-008",
    "name": "Check if API Gateway public endpoint has an authorizer configured.",
    "description": "Check if API Gateway public endpoint has an authorizer configured.",
    "cloudProvider": "AWS",
    "service name": "apigateway"
  }
]
--------------------------------------------------------------------------------
/checkov-rules/elasticsearch/security-reqs.json:
--------------------------------------------------------------------------------
[
  {
    "ID": "Elasticsearch-001",
    "name": "Ensure all data stored in the Elasticsearch is encrypted with a CMK",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-002",
    "name": "Ensure all data stored in the Elasticsearch is securely encrypted at rest",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-003",
    "name": "Ensure all Elasticsearch has node-to-node encryption enabled",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-004",
    "name": "Ensure AWS ElasticSearch/OpenSearch Fine-grained access control is enabled",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-005",
    "name": "Ensure Elasticsearch Domain Audit Logging is enabled",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-006",
    "name": "Ensure Elasticsearch Domain enforces HTTPS",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-007",
    "name": "Ensure Elasticsearch Domain Logging is enabled",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-008",
    "name": "Ensure Elasticsearch domains are configured with at least three dedicated master nodes for HA",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-009",
    "name": "Ensure ElasticSearch/OpenSearch has dedicated master node enabled",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-010",
    "name": "Ensure that Elasticsearch is configured inside a VPC",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-011",
    "name": "Ensure that Elasticsearch is not using the default Security Group",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  },
  {
    "ID": "Elasticsearch-012",
    "name": "Verify Elasticsearch domain is using an up to date TLS policy",
    "cloudProvider": "AWS",
    "service name": "elasticsearch"
  }
]
--------------------------------------------------------------------------------
/aws-terraform/sqs/variables.tf:
--------------------------------------------------------------------------------
variable "queue_name" {
  description = "The name of the SQS queue"
  type        = string
}

variable "kms_key_id" {
  description = "The ID of the KMS key to use for encryption"
  type        = string
}

variable "visibility_timeout" {
  description = "The visibility timeout for the queue in seconds"
  type        = number
  default     = 30
}

variable "message_retention_seconds" {
  description = "The number of seconds Amazon SQS retains a message"
  type        = number
  default     = 345600 # 4 days
}

variable "max_message_size" {
  description = "The maximum size of a message in bytes"
  type        = number
  default     = 262144 # 256 KiB
}

variable "delay_seconds" {
  description = "The time in seconds that the delivery of all messages in the queue will be delayed"
  type        = number
  default     = 0
}

variable "receive_wait_time_seconds" {
  description = "The time for which a ReceiveMessage call will wait for a message to arrive"
  type        = number
  default     = 0
}

variable "is_fifo_queue" {
  description = "Whether the queue is a FIFO queue"
  type        = bool
  default     = false
}

variable "content_based_deduplication" {
  description = "Enables content-based deduplication for FIFO queues"
  type        = bool
  default     = false
}

variable "max_receive_count" {
  description = "The number of times a message is delivered to the source queue before being moved to the dead-letter queue"
  type        = number
  default     = 3
}

variable "dlq_message_retention_seconds" {
  description = "The number of seconds Amazon SQS retains a message in the dead-letter queue"
  type        = number
  default     = 1209600 # 14 days
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}

variable "allowed_aws_accounts" {
  description = "List of AWS account IDs allowed to access the SQS queue"
  type        = list(string)
}

variable "queue_depth_threshold" {
  description = "The threshold for queue depth alarm"
  type        = number
  default     = 100
}

variable "oldest_message_threshold" {
  description = "The threshold for oldest message age alarm in seconds"
  type        = number
  default     = 3600 # 1 hour
}

variable "sns_topic_arn" {
  description = "The ARN of the SNS topic for CloudWatch alarms"
for CloudWatch alarms" 90 | type = string 91 | } -------------------------------------------------------------------------------- /aws-terraform/secretsmanager/main.tf: -------------------------------------------------------------------------------- 1 | # AWS Secrets Manager Terraform Module 2 | 3 | # secretsmanager:001: Enable automatic rotation for Secrets Manager secrets 4 | resource "aws_secretsmanager_secret_rotation" "main" { 5 | secret_id = aws_secretsmanager_secret.main.id 6 | rotation_lambda_arn = var.rotation_lambda_arn 7 | 8 | rotation_rules { 9 | automatically_after_days = var.rotation_days 10 | } 11 | } 12 | 13 | # secretsmanager:002: Use AWS KMS Customer Managed Keys (CMK) for Secrets Manager secret encryption 14 | # secretsmanager:008: Enable and configure Secrets Manager secret versions 15 | # secretsmanager:009: Implement tagging strategy for Secrets Manager secrets 16 | resource "aws_secretsmanager_secret" "main" { 17 | name = var.secret_name 18 | description = var.secret_description 19 | kms_key_id = var.kms_key_id 20 | recovery_window_in_days = var.recovery_window_in_days 21 | 22 | tags = var.tags 23 | } 24 | 25 | # secretsmanager:003: Implement resource-based policies to restrict access to Secrets Manager secrets 26 | resource "aws_secretsmanager_secret_policy" "main" { 27 | secret_arn = aws_secretsmanager_secret.main.arn 28 | policy = var.secret_policy 29 | } 30 | 31 | # secretsmanager:007: Implement strict IAM policies for Secrets Manager access 32 | resource "aws_iam_policy" "secrets_manager_read" { 33 | name = "secrets-manager-read-policy" 34 | path = "/" 35 | description = "IAM policy for reading specific Secrets Manager secrets" 36 | 37 | policy = jsonencode({ 38 | Version = "2012-10-17" 39 | Statement = [ 40 | { 41 | Effect = "Allow" 42 | Action = [ 43 | "secretsmanager:GetSecretValue", 44 | "secretsmanager:DescribeSecret" 45 | ] 46 | Resource = aws_secretsmanager_secret.main.arn 47 | }, 48 | ] 49 | }) 50 | } 51 | 52 | resource 
"aws_iam_policy" "secrets_manager_write" { 53 | name = "secrets-manager-write-policy" 54 | path = "/" 55 | description = "IAM policy for writing to specific Secrets Manager secrets" 56 | 57 | policy = jsonencode({ 58 | Version = "2012-10-17" 59 | Statement = [ 60 | { 61 | Effect = "Allow" 62 | Action = [ 63 | "secretsmanager:PutSecretValue", 64 | "secretsmanager:UpdateSecret", 65 | "secretsmanager:RotateSecret" 66 | ] 67 | Resource = aws_secretsmanager_secret.main.arn 68 | }, 69 | ] 70 | }) 71 | } 72 | 73 | # secretsmanager:010: Use Secrets Manager for storing and rotating database credentials 74 | resource "aws_secretsmanager_secret_version" "db_credentials" { 75 | secret_id = aws_secretsmanager_secret.main.id 76 | secret_string = jsonencode(var.db_credentials) 77 | } -------------------------------------------------------------------------------- /aws-terraform/acm/notes.md: -------------------------------------------------------------------------------- 1 | # AWS ACM Security Requirements Implementation Notes 2 | 3 | 1. ACM:001: Use secure key algorithms for ACM certificates 4 | - Implemented in Terraform code using the `key_algorithm` parameter in the `aws_acm_certificate` resource. 5 | 6 | 2. ACM:002: Set up automated renewal for ACM certificates 7 | - Automatically handled by ACM for certificates issued through ACM. No additional configuration needed. 8 | 9 | 3. ACM:003: Enable Certificate Transparency logging for ACM certificates 10 | - Implemented in Terraform code by setting `certificate_transparency_logging_preference = "ENABLED"` in the `aws_acm_certificate` resource. 11 | 12 | 4. ACM:004: Avoid wildcard domains in ACM certificates 13 | - Implemented in Terraform code by using specific domain names in `domain_name` and `subject_alternative_names` variables. 14 | 15 | 5. 
5. ACM:005: Implement 'create before destroy' for ACM certificates
   - Implemented in Terraform code using the `create_before_destroy = true` lifecycle rule in the `aws_acm_certificate` resource.

6. ACM:006: Use ACM Private Certificate Authority for internal services
   - Implemented in Terraform code using the `aws_acmpca_certificate_authority` resource.

7. ACM:007: Implement certificate pinning for critical applications
   - Not directly implementable in Terraform. This is an application-level configuration that needs to be implemented in the application code.

8. ACM:008: Regularly audit and rotate ACM certificates
   - Not directly implementable in Terraform. This requires operational processes and potentially custom scripts or Lambda functions.

9. ACM:009: Use ACM certificates with AWS services that integrate with ACM
   - Partially implemented. The ACM certificate is created and can be referenced by other AWS services. Specific service integrations need to be configured in those services' Terraform resources.

10. ACM:010: Implement access controls for ACM certificate management
    - Implemented in Terraform code by creating IAM policies for read-only and full access to ACM.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure defaults, such as RSA_2048 for the key algorithm.
- For the private CA, a secure key algorithm (RSA_4096) is used by default.
- Consider implementing additional monitoring and alerting for certificate expiration and renewal status.
- Regularly review and audit ACM usage and access patterns.
- Implement least privilege access principles when assigning ACM-related IAM policies to users and roles.
- Consider using ACM Private CA for issuing certificates for internal services to maintain stricter control over certificate issuance.
--------------------------------------------------------------------------------
/aws-terraform/fsx/variables.tf:
--------------------------------------------------------------------------------
variable "storage_capacity" {
  description = "The storage capacity of the file system in GiB"
  type        = number
}

variable "subnet_ids" {
  description = "A list of subnet IDs to associate with the file system"
  type        = list(string)
}

variable "deployment_type" {
  description = "The deployment type of the file system"
  type        = string
  default     = "PERSISTENT_1"
}

variable "storage_type" {
  description = "The storage type for the file system"
  type        = string
  default     = "SSD"
}

variable "kms_key_id" {
  description = "The ARN for the KMS encryption key"
  type        = string
}

variable "security_group_ids" {
  description = "A list of security group IDs to associate with the file system"
  type        = list(string)
}

variable "tags" {
  description = "A map of tags to assign to the file system"
  type        = map(string)
  default     = {}
}

variable "automatic_backup_retention_days" {
  description = "The number of days to retain automatic backups"
  type        = number
  default     = 30
}

variable "import_path" {
  description = "The import path for FSx for Lustre"
  type        = string
  default     = null
}

variable "export_path" {
  description = "The export path for FSx for Lustre"
  type        = string
  default     = null
}

variable "imported_file_chunk_size" {
  description = "The imported file chunk size in MiB"
  type        = number
  default     = 1024
}

variable "storage_capacity_quota_gib" {
  description = "The amount of storage quota in GiB"
  type        = number
  default     = null
}

variable "throughput_capacity" {
  description = "The throughput capacity of the file system in MB/s"
  type        = number
}

variable "active_directory_id" {
  description = "The ID of the AWS Directory Service directory to join"
  type        = string
}

variable "weekly_maintenance_start_time" {
  description = "The preferred start time for weekly maintenance"
  type        = string
  default     = "1:00:00"
}

variable "storage_virtual_machine_name" {
  description = "The name of the storage virtual machine"
  type        = string
}

variable "storage_capacity_threshold" {
  description = "The threshold for storage capacity alarm in percentage"
  type        = number
  default     = 80
}

variable "sns_topic_arn" {
  description = "The ARN of the SNS topic to notify for alarms"
  type        = string
}
--------------------------------------------------------------------------------
/checkov-rules/sagemaker/security-reqs.json:
--------------------------------------------------------------------------------
[
    {
        "ID": "Sagemaker-001",
        "name": "Ensure Amazon Sagemaker Data Quality Job encrypts all communications between instances used for monitoring jobs",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-002",
        "name": "Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt data on attached storage volume",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-003",
        "name": "Ensure Amazon Sagemaker Data Quality Job uses KMS to encrypt model artifacts",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-004",
        "name": "Ensure Sagemaker domain and notebook instance are encrypted by KMS using a customer managed Key (CMK)",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-005",
        "name": "Ensure all data stored in the Sagemaker Endpoint is securely encrypted at rest",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-006",
        "name": "Ensure Amazon SageMaker Flow Definition uses KMS for output configurations",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-007",
        "name": "Ensure Amazon SageMaker model uses network isolation",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-008",
        "name": "Ensure Amazon SageMaker Notebook Instance only allows for IMDSv2",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-009",
        "name": "Ensure SageMaker notebook instances should be launched into a custom VPC",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-010",
        "name": "Ensure SageMaker Notebook is encrypted at rest using KMS CMK",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-011",
        "name": "Ensure SageMaker Users should not have root access to SageMaker notebook instances",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    },
    {
        "ID": "Sagemaker-012",
        "name": "Ensure that direct internet access is disabled for an Amazon SageMaker Notebook Instance",
        "cloudProvider": "AWS",
        "service name": "sagemaker"
    }
]
--------------------------------------------------------------------------------
/aws-terraform/datasync/notes.md:
--------------------------------------------------------------------------------
# AWS DataSync Security Requirements Implementation Notes

1. datasync:001: Enable CloudWatch Logging for DataSync Tasks
   - Implemented in Terraform code using `cloudwatch_log_group_arn` in the `aws_datasync_task` resource.

2. datasync:002: Use AWS KMS Customer Managed Key for DataSync Encryption
   - Partially implemented. DataSync uses AWS-managed keys by default. For customer-managed keys, additional configuration may be required depending on the source and destination types.

3. datasync:003: Restrict DataSync Task Access to Specific VPC Endpoints
   - Implemented in Terraform code using `source_network_interface_arns` and `destination_network_interface_arns` in the `aws_datasync_task` resource.

4. datasync:004: Implement Least Privilege Access for DataSync Tasks
   - Implemented in Terraform code using `aws_iam_role` and `aws_iam_role_policy` resources with minimal required permissions.

5. datasync:005: Enable Integrity Verification for DataSync Transfers
   - Implemented in Terraform code by setting `verify_mode = "POINT_IN_TIME_CONSISTENT"` in the `aws_datasync_task` resource.

6. datasync:006: Use HTTPS for DataSync Connections
   - This is enforced by default in AWS DataSync and doesn't require explicit configuration in Terraform.

7. datasync:007: Implement Task-Level Filters for DataSync
   - Implemented in Terraform code using the `includes` block in the `aws_datasync_task` resource.

8. datasync:008: Enable AWS CloudTrail for DataSync API Activity Monitoring
   - Not directly implementable in this module. CloudTrail should be configured at the account level.

9. datasync:009: Implement Regular Review of DataSync Task Configurations
   - Not directly implementable in Terraform. This is an operational process that should be implemented outside of infrastructure-as-code.

10. datasync:010: Use Secure Authentication Methods for DataSync Tasks
    - Implemented by using IAM roles for authentication, which is the default and most secure method for AWS services.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure options by default, such as enabling integrity verification and task queueing.
- Consider implementing additional monitoring and alerting for DataSync tasks using CloudWatch alarms.
- Regularly review and audit DataSync task configurations and access logs to ensure compliance with security requirements.
- Implement network security controls (e.g., security groups, NACLs) for the VPC endpoints used by DataSync tasks.
- Ensure that the source and destination locations for DataSync tasks are properly secured and follow the principle of least privilege.
--------------------------------------------------------------------------------
/aws-terraform/efs/variables.tf:
--------------------------------------------------------------------------------
variable "private_subnet_ids" {
  description = "List of private subnet IDs for EFS mount targets"
  type        = list(string)
}

variable "efs_security_group_id" {
  description = "ID of the security group for EFS mount targets"
  type        = string
}

variable "allowed_principal_arns" {
  description = "List of ARNs of IAM principals allowed to access the EFS file system"
  type        = list(string)
}

variable "kms_key_arn" {
  description = "ARN of the KMS key for EFS encryption"
  type        = string
}

variable "creation_token" {
  description = "A unique name for the EFS file system"
  type        = string
}

variable "performance_mode" {
  description = "Performance mode for the EFS file system"
  type        = string
  default     = "generalPurpose"
}

variable "throughput_mode" {
  description = "Throughput mode for the EFS file system"
  type        = string
  default     = "bursting"
}

variable "transition_to_ia" {
  description = "Number of days after which to transition files to Infrequent Access storage class"
  type        = string
  default     = "AFTER_30_DAYS"
}

variable "posix_user_gid" {
  description = "POSIX group ID for access point"
  type        = number
}

variable "posix_user_uid" {
  description = "POSIX user ID for access point"
  type        = number
}

variable "root_directory_path" {
  description = "Path for the root directory of the access point"
  type        = string
  default     = "/efs"
}

variable "root_directory_owner_gid" {
  description = "POSIX group ID for the root directory of the access point"
  type        = number
}

variable "root_directory_owner_uid" {
  description = "POSIX user ID for the root directory of the access point"
  type        = number
}

variable "root_directory_permissions" {
  description = "POSIX permissions for the root directory of the access point"
  type        = string
  default     = "0755"
}

variable "burst_credit_balance_threshold" {
  description = "Threshold for EFS burst credit balance CloudWatch alarm"
  type        = number
  default     = 1000000000000
}

variable "percent_io_limit_threshold" {
  description = "Threshold for EFS percent I/O limit CloudWatch alarm"
  type        = number
  default     = 95
}

variable "sns_topic_arn" {
  description = "ARN of the SNS topic for CloudWatch alarms"
  type        = string
}

variable "tags" {
  description = "A map of tags to add to all resources"
  type        = map(string)
  default     = {}
}
--------------------------------------------------------------------------------
/aws-terraform/kinesis/notes.md:
--------------------------------------------------------------------------------
# AWS Kinesis Security Requirements Implementation Notes

1. kinesis:001: Use AWS KMS Customer Managed Key (CMK) for Kinesis Stream Encryption
   - Implemented in Terraform code using `encryption_type` and `kms_key_id` in the `aws_kinesis_stream` resource.

2. kinesis:002: Enable Enhanced Fan-Out for Kinesis Data Streams Consumers
   - Implemented in Terraform code using the `aws_kinesis_stream_consumer` resource.

3. kinesis:003: Implement Least Privilege Access for Kinesis Streams
   - Partially implemented in Terraform code by creating separate read and write IAM policies for Kinesis streams.

4. kinesis:004: Enable Server-Side Encryption for Kinesis Firehose Delivery Streams
   - Implemented in Terraform code using the `server_side_encryption` block in the `aws_kinesis_firehose_delivery_stream` resource.

5. kinesis:005: Configure Secure VPC Endpoints for Kinesis Streams
   - Not implemented in this module. VPC endpoints should be managed separately.

6. kinesis:006: Implement Monitoring and Alerting for Kinesis Streams
   - Implemented in Terraform code using the `aws_cloudwatch_metric_alarm` resource to monitor error rates.

7. kinesis:007: Enable Enhanced Monitoring for Kinesis Data Streams
   - Implemented in Terraform code by setting `stream_mode = "ON_DEMAND"` in the `aws_kinesis_stream` resource.

8. kinesis:008: Implement Secure Data Retention for Kinesis Streams
   - Implemented in Terraform code by setting `retention_period` in the `aws_kinesis_stream` resource.

9. kinesis:009: Use Latest AWS SDK Version for Kinesis Client Applications
   - Not directly implementable in Terraform. This is a recommendation for application development.

10. kinesis:010: Implement Secure Key Management for Kinesis Producer Library (KPL)
    - Not directly implementable in Terraform. This is a recommendation for application development and operations.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses secure options by default, such as enabling encryption and setting retention periods.
- The module assumes that KMS keys and SNS topics already exist and requires their ARNs as input.
- Consider implementing additional monitoring and alerting for other Kinesis metrics.
- Regularly review and audit Kinesis stream configurations and access patterns to ensure compliance with security requirements.
- Implement proper error handling and retry mechanisms in Kinesis client applications.
- Ensure that the AWS SDK is kept up-to-date in all client applications interacting with Kinesis streams.
- Implement proper secret management for Kinesis Producer Library credentials using AWS Secrets Manager or Systems Manager Parameter Store.
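The stream-side pieces the notes above describe, written out as one added example that is not the module's own `main.tf`: CMK encryption and an explicit retention window (kinesis:001, kinesis:008), an enhanced fan-out consumer (kinesis:002), separate read and write IAM policies (kinesis:003) and an error-rate alarm (kinesis:006). `var.stream_name`, `var.retention_hours`, `var.kms_key_arn` and `var.sns_topic_arn` are assumed inputs; one detail the notes leave out is that with a CMK-encrypted stream, producers also need `kms:GenerateDataKey` and consumers `kms:Decrypt` on that key, or their calls fail with AccessDenied.

```hcl
# Added example, not the module's own code. Assumed inputs: var.stream_name,
# var.retention_hours, var.kms_key_arn, var.sns_topic_arn.

# kinesis:001 / kinesis:008 - CMK encryption and an explicit retention window.
resource "aws_kinesis_stream" "this" {
  name             = var.stream_name
  retention_period = var.retention_hours # hours; 24 is the minimum, 8760 the maximum

  encryption_type = "KMS"
  kms_key_id      = var.kms_key_arn

  # kinesis:007 as the notes implement it; no shard_count is set in on-demand mode.
  stream_mode_details {
    stream_mode = "ON_DEMAND"
  }
}

# kinesis:002 - enhanced fan-out gives this consumer its own 2 MB/s per shard
# instead of sharing the stream's read throughput with every other reader.
resource "aws_kinesis_stream_consumer" "analytics" {
  name       = "${var.stream_name}-analytics"
  stream_arn = aws_kinesis_stream.this.arn
}

# kinesis:003 - readers: stream metadata, record retrieval and the fan-out
# subscription only. The stream is CMK-encrypted, so readers need kms:Decrypt.
data "aws_iam_policy_document" "read" {
  statement {
    actions = [
      "kinesis:DescribeStream",
      "kinesis:DescribeStreamSummary",
      "kinesis:ListShards",
      "kinesis:GetShardIterator",
      "kinesis:GetRecords",
    ]
    resources = [aws_kinesis_stream.this.arn]
  }
  statement {
    actions   = ["kinesis:SubscribeToShard"]
    resources = [aws_kinesis_stream_consumer.analytics.arn]
  }
  statement {
    actions   = ["kms:Decrypt"]
    resources = [var.kms_key_arn]
  }
}

# kinesis:003 - writers: put records only; producers need kms:GenerateDataKey
# so the service can encrypt each record with the CMK.
data "aws_iam_policy_document" "write" {
  statement {
    actions   = ["kinesis:PutRecord", "kinesis:PutRecords"]
    resources = [aws_kinesis_stream.this.arn]
  }
  statement {
    actions   = ["kms:GenerateDataKey"]
    resources = [var.kms_key_arn]
  }
}

resource "aws_iam_policy" "read" {
  name   = "${var.stream_name}-read"
  policy = data.aws_iam_policy_document.read.json
}

resource "aws_iam_policy" "write" {
  name   = "${var.stream_name}-write"
  policy = data.aws_iam_policy_document.write.json
}

# kinesis:006 - alert when PutRecord calls start failing: the success ratio
# averaged over two 5-minute periods drops below 99%.
resource "aws_cloudwatch_metric_alarm" "put_errors" {
  alarm_name          = "${var.stream_name}-put-record-errors"
  namespace           = "AWS/Kinesis"
  metric_name         = "PutRecord.Success"
  dimensions          = { StreamName = aws_kinesis_stream.this.name }
  statistic           = "Average"
  period              = 300
  evaluation_periods  = 2
  comparison_operator = "LessThanThreshold"
  threshold           = 0.99
  treat_missing_data  = "notBreaching" # an idle stream is not an error
  alarm_actions       = [var.sns_topic_arn]
}
```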
--------------------------------------------------------------------------------
/aws-terraform/vpc/variables.tf:
--------------------------------------------------------------------------------
variable "vpc_cidr" {
  description = "CIDR block for the VPC"
  type        = string
}

variable "vpc_name" {
  description = "Name of the VPC"
  type        = string
}

variable "private_subnet_cidrs" {
  description = "List of CIDR blocks for private subnets"
  type        = list(string)
}

variable "public_subnet_cidrs" {
  description = "List of CIDR blocks for public subnets"
  type        = list(string)
}

variable "availability_zones" {
  description = "List of availability zones to use for subnets"
  type        = list(string)
}

variable "map_public_ip_on_launch" {
  description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address"
  type        = bool
  default     = false
}

variable "flow_log_role_arn" {
  description = "ARN of the IAM role for VPC flow logs"
  type        = string
}

variable "flow_log_destination" {
  description = "ARN of the destination for VPC flow logs (e.g., CloudWatch log group or S3 bucket)"
  type        = string
}

variable "firewall_policy_arn" {
  description = "ARN of the Network Firewall policy"
  type        = string
}

variable "region" {
  description = "AWS region"
  type        = string
}

variable "nlb_arns" {
  description = "List of Network Load Balancer ARNs for VPC endpoint service"
  type        = list(string)
}

variable "allowed_principal_arn" {
  description = "ARN of the principal allowed to connect to the VPC endpoint service"
  type        = string
}

variable "peer_vpc_id" {
  description = "ID of the VPC to peer with"
  type        = string
}

variable "auto_accept_peering" {
  description = "Auto-accept the peering connection"
  type        = bool
  default     = false
}

variable "peering_route_table_ids" {
  description = "List of route table IDs to add peering routes to"
  type        = list(string)
}

variable "peer_vpc_cidr" {
  description = "CIDR block of the peer VPC"
  type        = string
}

variable "vpn_gateway_id" {
  description = "ID of the VPN gateway"
  type        = string
}

variable "customer_gateway_id" {
  description = "ID of the customer gateway"
  type        = string
}

variable "tunnel1_inside_cidr" {
  description = "Inside CIDR for the first VPN tunnel"
  type        = string
}

variable "tunnel2_inside_cidr" {
  description = "Inside CIDR for the second VPN tunnel"
  type        = string
}
--------------------------------------------------------------------------------
/prowler-requirements.py:
--------------------------------------------------------------------------------
import json
import os

# Root directory of the prowler checkout that holds one directory per AWS service
root_dir = 'prowler/prowler/providers/aws/services'

# Iterate over each service directory. sorted() keeps the generated IDs stable
# between runs instead of depending on the filesystem's listing order.
for service in sorted(os.listdir(root_dir)):
    requirements_path = os.path.join(root_dir, service)

    # Skip files, only process directories representing services
    if not os.path.isdir(requirements_path):
        continue

    id_counter = 1      # IDs restart at 001 for every service
    security_reqs = []  # Security requirements collected for this service

    # Each check lives in its own directory next to a '<check>.metadata.json' file;
    # 'lib' holds shared helper code and has no metadata.
    for requirement in sorted(os.listdir(requirements_path)):
        if requirement == 'lib' or not os.path.isdir(os.path.join(requirements_path, requirement)):
            continue

        # Path to the metadata file for the current requirement
        metadata_file = os.path.join(requirements_path, requirement, f'{requirement}.metadata.json')

        # Directories such as __pycache__ carry no metadata; skip them instead of crashing
        if not os.path.isfile(metadata_file):
            continue

        # Load the metadata file into a dictionary
        with open(metadata_file, 'r', encoding='utf-8') as f:
            metadata = json.load(f)

        # Extract the fields the requirement record is built from
        service_name = metadata['ServiceName']
        check_title = metadata['CheckTitle']
        description = metadata['Description']

        security_reqs.append({
            'ID': f"{service_name.capitalize()}-{str(id_counter).zfill(3)}",  # Format ID as 'Service-###'
            'name': check_title,                # Title of the check from metadata
            'description': description,         # Description of the check from metadata
            'cloudProvider': 'AWS',             # Specify the cloud provider
            'service name': service_name,       # Include the service name
        })

        # Increment the ID counter for the next requirement
        id_counter += 1

    # Output file for the current service's security requirements
    output_file = os.path.join("prowler-rules", service, "security-reqs.json")

    # Create the output directory structure if it doesn't already exist
    os.makedirs(os.path.dirname(output_file), exist_ok=True)

    # Write the list of security requirements as pretty-printed JSON
    with open(output_file, 'w', encoding='utf-8') as f:
        json.dump(security_reqs, f, indent=4)
--------------------------------------------------------------------------------
/aws-terraform/ebs/notes.md:
--------------------------------------------------------------------------------
# AWS EBS Security Requirements Implementation Notes

1. EBS-001: Enable EBS default encryption using AWS KMS Customer Managed Key (CMK)
   - Implemented in Terraform code using `aws_ebs_encryption_by_default` and `aws_ebs_default_kms_key` resources.

2. EBS-002: Encrypt EBS snapshots using AWS KMS Customer Managed Key (CMK)
   - Inherently implemented by enabling default encryption (EBS-001). All new snapshots will be encrypted.

3. EBS-003: Encrypt all existing EBS volumes using AWS KMS Customer Managed Key (CMK)
   - Partially implemented through default encryption (EBS-001). Existing volumes will need to be manually encrypted or replaced.

4. EBS-004: Implement IAM policies for EBS volume and snapshot management
   - Implemented in Terraform code using `aws_iam_policy` resources for read and write access.

5. EBS-005: Enable EBS volume termination protection
   - Not directly implemented in Terraform. This setting is applied at the EC2 instance level when attaching the volume.

6. EBS-006: Implement regular backups of EBS volumes
   - Implemented in Terraform code using `aws_backup_plan` and `aws_backup_selection` resources.

7. EBS-007: Monitor EBS volume performance and usage
   - Implemented in Terraform code using the `aws_cloudwatch_metric_alarm` resource for monitoring queue length.

8. EBS-008: Implement lifecycle policies for EBS snapshots
   - Implemented in Terraform code using the `aws_dlm_lifecycle_policy` resource.

9. EBS-009: Use EBS encryption with supported EC2 instance types
   - Inherently implemented by enabling default encryption (EBS-001). Instance type selection is done at the EC2 level.

10. EBS-010: Implement cross-region replication for critical EBS snapshots
    - Not directly implemented in Terraform. Requires custom scripts or manual implementation.

Additional security measures and best practices:
- All configurable parameters are exposed as variables to make the module reusable and flexible.
- The module uses the most secure options by default, such as enabling encryption and setting up monitoring.
- The module assumes that KMS keys, IAM roles, and SNS topics already exist and requires their ARNs as input.
- Consider implementing additional access controls and monitoring for EBS volumes and snapshots.
- Implement least privilege access principles when defining IAM policies for EBS management.
- Regularly review and audit EBS volume and snapshot configurations to ensure compliance with security requirements.
- For EBS-003, consider creating a process to identify and encrypt existing unencrypted volumes.
- For EBS-005, ensure that termination protection is enabled when attaching volumes to EC2 instances.
- For EBS-010, consider implementing a custom solution for cross-region snapshot replication for critical data.
--------------------------------------------------------------------------------
/aws-terraform/cloudtrail/notes.md:
--------------------------------------------------------------------------------
# AWS CloudTrail Security Requirements Implementation Notes

1. CloudTrail:001: Enable CloudTrail Insights for enhanced monitoring
   - Implemented in Terraform code using the `insight_selector` block in the `aws_cloudtrail` resource.

2. CloudTrail:002: Enable log file validation for CloudTrail
   - Implemented in Terraform code by setting `enable_log_file_validation = true` in the `aws_cloudtrail` resource.

3. CloudTrail:003: Integrate CloudTrail with CloudWatch Logs
   - Implemented in Terraform code by setting `cloud_watch_logs_group_arn` and `cloud_watch_logs_role_arn` in the `aws_cloudtrail` resource.

4. CloudTrail:004: Encrypt CloudTrail log files at rest using KMS CMK
   - Implemented in Terraform code by setting `kms_key_id` in the `aws_cloudtrail` resource.

5. CloudTrail:005: Enable CloudTrail log file S3 bucket access logging
   - Not directly implemented in this module. This should be configured on the S3 bucket itself, which is assumed to be created separately.

6. CloudTrail:006: Configure CloudTrail to log data events for S3 buckets
   - Implemented in Terraform code using the `event_selector` block in the `aws_cloudtrail` resource.

7. CloudTrail:007: Enable CloudTrail multi-region logging
   - Implemented in Terraform code by setting `is_multi_region_trail = true` in the `aws_cloudtrail` resource.

8. CloudTrail:008: Configure CloudTrail to use an SNS topic for notifications
   - Implemented in Terraform code by setting `sns_topic_name` in the `aws_cloudtrail` resource.

9. CloudTrail:009: Use KMS CMK for CloudTrail Event Data Store encryption
   - Implemented in Terraform code by setting `kms_key_id` in the `aws_cloudtrail_event_data_store` resource.

10. CloudTrail:010: Implement least privilege access for CloudTrail resources
    - Partially implemented by creating two IAM policies: one for read-only access and one for write access to CloudTrail. These policies should be attached to appropriate IAM roles or users based on their specific needs.

Additional security measures and best practices:
- The module uses secure defaults, such as enabling multi-region logging and log file validation.
- CloudTrail Event Data Store is configured with multi-region and organization-wide logging enabled, and termination protection is turned on.
- The module assumes that S3 buckets, KMS keys, CloudWatch log groups, and SNS topics already exist and requires their names/ARNs as input.
- Consider implementing additional monitoring and alerting for CloudTrail activities.
- Regularly review and audit CloudTrail logs and access patterns.
- Ensure that the S3 bucket used for CloudTrail logs has appropriate access controls and encryption settings.
- Consider implementing AWS Organizations and enabling CloudTrail for the entire organization for comprehensive logging across all accounts.
--------------------------------------------------------------------------------
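The trail and event data store the notes above describe, as one added example that is not the module's own `main.tf`. `var.trail_name`, `var.s3_bucket_name`, `var.kms_key_arn`, `var.cloudwatch_log_group_arn`, `var.cloudwatch_logs_role_arn` and `var.sns_topic_name` are assumed inputs for resources that already exist; two details the notes gloss over are that `cloud_watch_logs_group_arn` must end in the log-stream wildcard `:*`, and that the S3 bucket policy and KMS key policy must grant `cloudtrail.amazonaws.com` access before the trail can be created.

```hcl
# Added example, not the module's own code. Assumed inputs: var.trail_name,
# var.s3_bucket_name, var.kms_key_arn, var.cloudwatch_log_group_arn,
# var.cloudwatch_logs_role_arn, var.sns_topic_name (all assumed to exist).

resource "aws_cloudtrail" "this" {
  name           = var.trail_name
  s3_bucket_name = var.s3_bucket_name

  # CloudTrail:004 - SSE-KMS on the log files. The key policy must allow
  # cloudtrail.amazonaws.com to call GenerateDataKey* and DescribeKey.
  kms_key_id = var.kms_key_arn

  # CloudTrail:002 - hourly digest files make tampering with delivered logs detectable.
  enable_log_file_validation = true

  # CloudTrail:007 - one trail for every region, plus IAM/STS global events.
  is_multi_region_trail         = true
  include_global_service_events = true

  # CloudTrail:003 - CloudTrail requires the log-stream wildcard ":*" on the group ARN.
  cloud_watch_logs_group_arn = "${var.cloudwatch_log_group_arn}:*"
  cloud_watch_logs_role_arn  = var.cloudwatch_logs_role_arn

  # CloudTrail:008 - notification on every log file delivery.
  sns_topic_name = var.sns_topic_name

  # CloudTrail:001 - Insights on unusual API call volume and error rates.
  insight_selector {
    insight_type = "ApiCallRateInsight"
  }
  insight_selector {
    insight_type = "ApiErrorRateInsight"
  }

  # CloudTrail:006 - object-level S3 data events for every bucket in the account.
  # Narrow "values" to "arn:aws:s3:::bucket-name/" to log only specific buckets.
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }
}

# CloudTrail:009 - Lake event data store: CMK-encrypted, multi-region,
# organization-wide and protected from deletion, as the notes describe.
resource "aws_cloudtrail_event_data_store" "this" {
  name                           = "${var.trail_name}-eds"
  kms_key_id                     = var.kms_key_arn
  multi_region_enabled           = true
  organization_enabled           = true
  termination_protection_enabled = true
  retention_period               = 2555 # days; roughly seven years
}
```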