From e185d964b0884a141f2bc8b294d768e739fdf666 Mon Sep 17 00:00:00 2001 
From: ismail yenigul Date: Sat, 28 Nov 2020 19:11:34 +0300 Subject: [PATCH 1/2] add CIS iam password policy rules --- README.md | 52 ++--- ...ount_password_policy_lowercase_letter.rego | 36 +++ .../iam_account_password_policy_numbers.rego | 36 +++ ..._account_password_policy_password_age.rego | 37 +++ ...count_password_policy_password_length.rego | 36 +++ ...word_policy_password_reuse_prevention.rego | 36 +++ .../iam_account_password_policy_symbol.rego | 36 +++ ...ount_password_policy_uppercase_letter.rego | 36 +++ ...password_policy_lowercase_letter_test.rego | 25 ++ ..._account_password_policy_numbers_test.rego | 25 ++ ...unt_password_policy_password_age_test.rego | 25 ++ ..._password_policy_password_length_test.rego | 25 ++ ...policy_password_reuse_prevention_test.rego | 25 ++ ...m_account_password_policy_symbol_test.rego | 25 ++ ...password_policy_uppercase_letter_test.rego | 25 ++ .../iam_account_password_policy_infra.rego | 219 ++++++++++++++++++ .../iam_account_password_policy_infra.tf | 23 ++ 17 files changed, 696 insertions(+), 26 deletions(-) create mode 100644 rules/aws/iam_account_password_policy_lowercase_letter.rego create mode 100644 rules/aws/iam_account_password_policy_numbers.rego create mode 100644 rules/aws/iam_account_password_policy_password_age.rego create mode 100644 rules/aws/iam_account_password_policy_password_length.rego create mode 100644 rules/aws/iam_account_password_policy_password_reuse_prevention.rego create mode 100644 rules/aws/iam_account_password_policy_symbol.rego create mode 100644 rules/aws/iam_account_password_policy_uppercase_letter.rego create mode 100644 tests/rules/aws/iam_account_password_policy_lowercase_letter_test.rego create mode 100644 tests/rules/aws/iam_account_password_policy_numbers_test.rego create mode 100644 tests/rules/aws/iam_account_password_policy_password_age_test.rego create mode 100644 tests/rules/aws/iam_account_password_policy_password_length_test.rego create mode 100644 
tests/rules/aws/iam_account_password_policy_password_reuse_prevention_test.rego create mode 100644 tests/rules/aws/iam_account_password_policy_symbol_test.rego create mode 100644 tests/rules/aws/iam_account_password_policy_uppercase_letter_test.rego create mode 100644 tests/rules/aws/inputs/iam_account_password_policy_infra.rego create mode 100644 tests/rules/aws/inputs/iam_account_password_policy_infra.tf diff --git a/README.md b/README.md index 2cf8e8ea..982cb072 100644 --- a/README.md +++ b/README.md 
@@ -52,31 +52,31 @@ The second part is a Rego framework that: See [rules](https://github.com/fugue/regula/tree/master/rules) directory. Fugue is currently working on open sourcing more rules from [our product](https://www.fugue.co/) to Regula. -| Provider | Service | Rule Name | Rule Summary | -|----------|-----------------|---------------------------------------------|------------------------------------------------------------------------------------------------------------| -| AWS | CloudFront | cloudfront\_distribution\_https | CloudFront distributions should use HTTPS traffic | -| AWS | CloudTrail | cloudtrail\_log\_file\_validation | CloudTrail log file validation should be enabled | -| AWS | EBS | ebs\_volume\_encrypted | EBS volume encryption should be enabled | -| AWS | IAM | iam\_admin\_policy | IAM policies should not have full "*:*" administrative privileges | -| AWS | IAM | iam\_user\_attached\_policy | IAM policies should not be attached directly to users | -| AWS | KMS | kms\_rotate | KMS CMK rotation should be enabled | -| AWS | S3 | s3\_bucket\_sse | Server Side Encryption by default should be set for S3 buckets | | -| AWS | VPC | security\_group\_ingress\_anywhere | VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443 | -| AWS | VPC | security\_group\_ingress\_anywhere\_rdp | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) | -| AWS | VPC | security\_group\_ingress\_anywhere\_ssh | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | -| AWS | VPC | vpc\_flow\_log | VPC flow logging should be enabled | -| GCP | KMS | kms\_cryptokey\_rotate | KMS crypto keys should be rotated at least once every 365 days | -| GCP | Compute | compute\_firewall\_no\_ingress\_22 | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | -| GCP | Compute | compute\_firewall\_no\_ingress\_3389 | VPC firewall rules 
should not permit ingress from '0.0.0.0/0' to port 3389 (RDP) | -| GCP | Compute | compute\_subnet\_private\_google\_access | VPC subnet 'Private Google Access' should be enabled | -| GCP | Compute | compute\_subnet\_flow\_log\_enabled | VPC subnet flow logging should be enabled | -| Azure | Storage Account | storage\_account\_deny\_access | Storage accounts should deny access from all networks by default | -| Azure | Storage Account | storage\_account\_microsoft\_services | Storage accounts 'Trusted Microsoft Services' access should be enabled | -| Azure | Storage Account | storage\_account\_secure\_transfer | Storage accounts 'Secure transfer required' should be enabled | -| Azure | Blob Storage | storage\_container\_private\_access | Storage containers should have access set to 'private' | -| Azure | Virtual Network | network\_security\_group\_no\_inbound\_22 | Network security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | -| Azure | Virtual Network | network\_security\_group\_no\_inbound\_3389 | Network security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP) | -| Azure | SQL Server | sql\_server\_firewall\_no\_inbound\_all | SQL Server firewall rules should not permit ingress from 0.0.0.0/0 to all ports and protocols | +| Provider | Service | Rule ID| Rule Name | Rule Summary | +|----------|-----------------|---|------------------------------------------|------------------------------------------------------------------------------------------------------------| +| AWS | CloudFront | FG_R00011|cloudfront\_distribution\_https | CloudFront distributions should use HTTPS traffic | +| AWS | CloudTrail | FG_R00027|cloudtrail\_log\_file\_validation | CloudTrail log file validation should be enabled | +| AWS | EBS | FG_R00016 | ebs\_volume\_encrypted | EBS volume encryption should be enabled | +| AWS | IAM | FG_R00092 |iam\_admin\_policy | IAM policies should not have full "*:*" administrative privileges | +| AWS 
| IAM | FG_R00007 |iam\_user\_attached\_policy | IAM policies should not be attached directly to users | +| AWS | KMS |FG_R00036 | kms\_rotate | KMS CMK rotation should be enabled | +| AWS | VPC | FG_R00351 | security\_group\_ingress\_anywhere | VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443 | +| AWS | VPC | FG_R00087 | security\_group\_ingress\_anywhere\_rdp | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) | +| AWS | VPC | FG_R00085 | security\_group\_ingress\_anywhere\_ssh | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | +| AWS | VPC | FG_R00054 |vpc\_flow\_log | VPC flow logging should be enabled | +| GCP | KMS | FG_R00352 | kms\_cryptokey\_rotate | KMS crypto keys should be rotated at least once every 365 days | +| GCP | Compute | FG_R00353 | compute\_firewall\_no\_ingress\_22 | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | +| GCP | Compute | FG_R00354 | compute\_firewall\_no\_ingress\_3389 | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP) | +| GCP | Compute | FG_R00354 | compute\_subnet\_private\_google\_access | VPC subnet 'Private Google Access' should be enabled | +| GCP | Compute | FG_R00356 | compute\_subnet\_flow\_log\_enabled | VPC subnet flow logging should be enabled | + GCP | Compute | REGULA_R00013 | ompute\_subnet\_private\_google_access | VPC subnet 'Private Google Access' should be enable +| Azure | Storage Account | FG_R00154 |storage\_account\_deny\_access | Storage accounts should deny access from all networks by default | +| Azure | Storage Account | FG_R00208 | storage\_account\_microsoft\_services | Storage accounts 'Trusted Microsoft Services' access should be enabled | +| Azure | Storage Account | FG_R00152 | storage\_account\_secure\_transfer | Storage accounts 'Secure transfer required' should be enabled | +| Azure | Blob 
Storage | FG_R00207 | storage\_container\_private\_access | Storage containers should have access set to 'private' | +| Azure | Virtual Network | FG_R00190 | network\_security\_group\_no\_inbound\_22 | Network security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH) | +| Azure | Virtual Network | FG_R00191 | network\_security\_group\_no\_inbound\_3389| Network security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP) | +| Azure | SQL Server | FG_R00192 | sql\_server\_firewall\_no\_inbound\_all | SQL Server firewall rules should not permit ingress from 0.0.0.0/0 to all ports and protocols | ## Running Regula locally @@ -475,4 +475,4 @@ To locally produce a Regula report on Windows, use the following steps: [terraform]: https://www.terraform.io/ [Rego]: https://www.openpolicyagent.org/docs/latest/policy-language/ [Fugue Custom Rules]: https://docs.fugue.co/rules.html -[Conftest]: https://github.com/instrumenta/conftest \ No newline at end of file +[Conftest]: https://github.com/instrumenta/conftest diff --git a/rules/aws/iam_account_password_policy_lowercase_letter.rego b/rules/aws/iam_account_password_policy_lowercase_letter.rego new file mode 100644 index 00000000..07eda763 --- /dev/null +++ b/rules/aws/iam_account_password_policy_lowercase_letter.rego 
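Review bot: The new table contains a stray row, `+ GCP | Compute | REGULA_R00013 | ompute\_subnet\_private\_google_access | VPC subnet 'Private Google Access' should be enable`, that lacks its leading `|`, has a truncated name and summary, and duplicates the `compute\_subnet\_private\_google\_access` row two lines above it; it should be deleted. That row above also shares `FG_R00354` with `compute\_firewall\_no\_ingress\_3389`, so one of the two IDs is wrong. The rewrite drops the `s3\_bucket\_sse` row without the commit message saying why, and none of the seven `iam_account_password_policy_*` rules this patch adds are listed, so the table no longer matches the rules directory. The second README hunk (trailing newline on the Conftest link) is fine.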
@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_lowercase_letter
+
+__rego__metadoc__ := {
+ "id": "FG_R00016",
+ "title": "Ensure IAM password policy requires at least one lowercase letter",
+ "description": "CIS recommends that the password policy require at least one lowercase letter.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-6"
+ ]
+ },
+ "severity": "Medium"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.require_lowercase_characters == true
+}
diff --git a/rules/aws/iam_account_password_policy_numbers.rego b/rules/aws/iam_account_password_policy_numbers.rego
new file mode 100644
index 00000000..65d6ac99
--- /dev/null
+++ b/rules/aws/iam_account_password_policy_numbers.rego
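Review bot: `"id": "FG_R00016"` is already taken — the README table in this same patch assigns FG_R00016 to `ebs\_volume\_encrypted` — so two rules would report under one ID; pick an unused one (`"id": "<UNUSED_FG_ID>"`) and check the other six new IDs against the product's ID registry, which this page does not show. The `allow` body also deserves a why-comment: an attribute omitted from the plan leaves `input.require_lowercase_characters` undefined, so with `default allow = false` the resource fails closed rather than inheriting the provider default, e.g. `# undefined when the attribute is omitted -> allow stays false (fail closed)`. The same comment applies to the numbers, symbol and uppercase rules below.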
@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_numbers
+
+__rego__metadoc__ := {
+ "id": "FG_R00018",
+ "title": "Ensure IAM password policy requires at least one number",
+ "description": "CIS recommends that the password policy require at least one number.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-8"
+ ]
+ },
+ "severity": "Medium"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.require_numbers == true
+}
\ No newline at end of file
diff --git a/rules/aws/iam_account_password_policy_password_age.rego b/rules/aws/iam_account_password_policy_password_age.rego
new file mode 100644
index 00000000..dc799547
--- /dev/null
+++ b/rules/aws/iam_account_password_policy_password_age.rego
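Review bot: The file ends without a trailing newline (`\ No newline at end of file`), as do the password_age, password_length, password_reuse_prevention, symbol and uppercase_letter rules that follow; the second commit in this series fixes only the symbol rule, so the other five still need the newline added before merge. Nothing else in this hunk differs from the lowercase rule apart from the attribute name.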
@@ -0,0 +1,37 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_password_age
+
+__rego__metadoc__ := {
+ "id": "FG_R00021",
+ "title": "EEnsure IAM password policy expires passwords within 90 days or less",
+ "description": "CIS recommends that the password policy expire passwords after 90 days or less.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-11"
+ ]
+ },
+ "severity": "Medium"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.max_password_age > 0
+ input.max_password_age <= 90
+}
\ No newline at end of file
diff --git a/rules/aws/iam_account_password_policy_password_length.rego b/rules/aws/iam_account_password_policy_password_length.rego
new file mode 100644
index 00000000..403f74f5
--- /dev/null
+++ b/rules/aws/iam_account_password_policy_password_length.rego
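Review bot: The title string has a typo, `EEnsure`, and it is user-facing in the report; change it to `"title": "Ensure IAM password policy expires passwords within 90 days or less",`. The `input.max_password_age > 0` guard also deserves a why-comment, because it is the line that rejects a policy whose passwords never expire: `# 0 / unset is "no expiry" in AWS, so require a positive bound as well as the 90-day cap` — confirm against the provider docs whether the plan carries 0 or omits the attribute in that case (an omitted attribute is undefined and already fails under `default allow = false`).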
@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_password_length
+
+__rego__metadoc__ := {
+ "id": "FG_R00019",
+ "title": "Ensure IAM password policy requires a minimum length of 14 or greater",
+ "description": "CIS recommends that the password policy require a minimum password length of 14 characters.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-9"
+ ]
+ },
+ "severity": "Medium"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.minimum_password_length >= 14
+}
\ No newline at end of file
diff --git a/rules/aws/iam_account_password_policy_password_reuse_prevention.rego b/rules/aws/iam_account_password_policy_password_reuse_prevention.rego
new file mode 100644
index 00000000..1df88d82
--- /dev/null
+++ b/rules/aws/iam_account_password_policy_password_reuse_prevention.rego
@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_password_reuse_prevention
+
+__rego__metadoc__ := {
+ "id": "FG_R00020",
+ "title": "Ensure IAM password policy prevents password reuse",
+ "description": "This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-10"
+ ]
+ },
+ "severity": "Low"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.password_reuse_prevention >= 24
+}
\ No newline at end of file
diff --git a/rules/aws/iam_account_password_policy_symbol.rego b/rules/aws/iam_account_password_policy_symbol.rego
new file mode 100644
index 00000000..fd6b4621
--- /dev/null
+++ b/rules/aws/iam_account_password_policy_symbol.rego
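Review bot: The description does not match the check: it says the control fails when the value is not 24, but `input.password_reuse_prevention >= 24` accepts any value of 24 or more, which is also what the CIS 1.10 mapping asks for. Reword it to describe the actual threshold, e.g. `"description": "CIS recommends that the password policy prevent reuse of at least the last 24 passwords.",`. `"severity": "Low"` also differs from the `"Medium"` every sibling password-policy rule in this patch uses; if that is deliberate a short comment would save the next reader the question, otherwise align it.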
@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_symbols
+
+__rego__metadoc__ := {
+ "id": "FG_R00017",
+ "title": "Ensure IAM password policy requires at least one symbol",
+ "description": "CIS recommends that the password policy require at least one symbol.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-7"
+ ]
+ },
+ "severity": "Medium"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.require_symbols == true
+}
\ No newline at end of file
diff --git a/rules/aws/iam_account_password_policy_uppercase_letter.rego b/rules/aws/iam_account_password_policy_uppercase_letter.rego
new file mode 100644
index 00000000..18182544
--- /dev/null
+++ b/rules/aws/iam_account_password_policy_uppercase_letter.rego
@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_uppercase_letter
+
+__rego__metadoc__ := {
+ "id": "FG_R00015",
+ "title": "Ensure IAM password policy requires at least one uppercase letter",
+ "description": "CIS recommends that the password policy require at least one uppercase letter.",
+ "custom": {
+ "controls": {
+ "CIS": [
+ "CIS_1-5"
+ ]
+ },
+ "severity": "Medium"
+ }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+ input.require_uppercase_characters == true
+}
\ No newline at end of file
diff --git a/tests/rules/aws/iam_account_password_policy_lowercase_letter_test.rego b/tests/rules/aws/iam_account_password_policy_lowercase_letter_test.rego
new file mode 100644
index 00000000..154c9ea6
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_lowercase_letter_test.rego
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_lowercase_letter
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_lowercase_letter {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_lowercase_letter.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/iam_account_password_policy_numbers_test.rego b/tests/rules/aws/iam_account_password_policy_numbers_test.rego
new file mode 100644
index 00000000..5c906201
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_numbers_test.rego
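Review bot: The `bad` resource in the shared fixture violates all eight settings at once, so the two assertions here — and the identical ones in the numbers, password_age, password_length, password_reuse_prevention, symbol and uppercase_letter tests — pass even if a rule inspects the wrong attribute (a lowercase rule that read `require_numbers` would still see `bad` fail and `good` pass). Add per-setting resources to `iam_account_password_policy_infra.tf` that are compliant except for the one attribute under test, regenerate the `_infra.rego` input, and assert `valid == false` only on that resource in each test. Boundary values such as `minimum_password_length = 13`, `max_password_age = 91` and `0`, and `password_reuse_prevention = 23` would pin the thresholds the rules encode.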
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_numbers
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_numbers {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_numbers.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/iam_account_password_policy_password_age_test.rego b/tests/rules/aws/iam_account_password_policy_password_age_test.rego
new file mode 100644
index 00000000..cbcddd14
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_password_age_test.rego
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_password_age
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_password_age {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_password_age.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/iam_account_password_policy_password_length_test.rego b/tests/rules/aws/iam_account_password_policy_password_length_test.rego
new file mode 100644
index 00000000..871a213e
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_password_length_test.rego
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_password_length
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_password_length {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_password_length.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/iam_account_password_policy_password_reuse_prevention_test.rego b/tests/rules/aws/iam_account_password_policy_password_reuse_prevention_test.rego
new file mode 100644
index 00000000..854218cf
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_password_reuse_prevention_test.rego
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_password_reuse_prevention
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_password_reuse_prevention {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_password_reuse_prevention.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/iam_account_password_policy_symbol_test.rego b/tests/rules/aws/iam_account_password_policy_symbol_test.rego
new file mode 100644
index 00000000..047c3b6a
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_symbol_test.rego
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_symbol
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_symbol {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_symbol.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/iam_account_password_policy_uppercase_letter_test.rego b/tests/rules/aws/iam_account_password_policy_uppercase_letter_test.rego
new file mode 100644
index 00000000..165563eb
--- /dev/null
+++ b/tests/rules/aws/iam_account_password_policy_uppercase_letter_test.rego
@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_uppercase_letter
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_uppercase_letter {
+ report := regula.report with input as mock_plan_input
+ resources := report.rules.iam_account_password_policy_uppercase_letter.resources
+
+ resources["aws_iam_account_password_policy.good"].valid == true
+ resources["aws_iam_account_password_policy.bad"].valid == false
+}
diff --git a/tests/rules/aws/inputs/iam_account_password_policy_infra.rego b/tests/rules/aws/inputs/iam_account_password_policy_infra.rego
new file mode 100644
index 00000000..59240e20
--- /dev/null
+++ b/tests/rules/aws/inputs/iam_account_password_policy_infra.rego
@@ -0,0 +1,219 @@ +# Copyright 2020 Fugue, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This package was automatically generated from: +# +# tests/rules/aws/inputs/iam_account_password_policy_infra.tf +# +# using `generate_test_inputs.sh` and should not be modified +# directly. +# +# It provides three inputs for testing: +# - mock_input: The resource view input as passed to advanced rules +# - mock_resources: The resources present as a convenience for tests +# - mock_plan_input: The original plan input as generated by terraform +package tests.rules.aws.inputs.iam_account_password_policy_infra +import data.fugue.resource_view.resource_view_input +mock_input = ret { + ret = resource_view_input with input as mock_plan_input +} +mock_resources = mock_input.resources +mock_plan_input = { + "format_version": "0.1", + "terraform_version": "0.13.5", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_iam_account_password_policy.bad", + "mode": "managed", + "type": "aws_iam_account_password_policy", + "name": "bad", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "allow_users_to_change_password": false, + "max_password_age": 300, + "minimum_password_length": 4, + "password_reuse_prevention": 10, + "require_lowercase_characters": false, + "require_numbers": false, + "require_symbols": false, + "require_uppercase_characters": false + } + }, + { + "address": 
"aws_iam_account_password_policy.good", + "mode": "managed", + "type": "aws_iam_account_password_policy", + "name": "good", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "allow_users_to_change_password": true, + "max_password_age": 90, + "minimum_password_length": 14, + "password_reuse_prevention": 24, + "require_lowercase_characters": true, + "require_numbers": true, + "require_symbols": true, + "require_uppercase_characters": true + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_iam_account_password_policy.bad", + "mode": "managed", + "type": "aws_iam_account_password_policy", + "name": "bad", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "allow_users_to_change_password": false, + "max_password_age": 300, + "minimum_password_length": 4, + "password_reuse_prevention": 10, + "require_lowercase_characters": false, + "require_numbers": false, + "require_symbols": false, + "require_uppercase_characters": false + }, + "after_unknown": { + "expire_passwords": true, + "hard_expiry": true, + "id": true + } + } + }, + { + "address": "aws_iam_account_password_policy.good", + "mode": "managed", + "type": "aws_iam_account_password_policy", + "name": "good", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "allow_users_to_change_password": true, + "max_password_age": 90, + "minimum_password_length": 14, + "password_reuse_prevention": 24, + "require_lowercase_characters": true, + "require_numbers": true, + "require_symbols": true, + "require_uppercase_characters": true + }, + "after_unknown": { + "expire_passwords": true, + "hard_expiry": true, + "id": true + } + } + } + ], + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "expressions": { + "region": { + "constant_value": "us-east-1" + } + } + } + }, + 
"root_module": { + "resources": [ + { + "address": "aws_iam_account_password_policy.bad", + "mode": "managed", + "type": "aws_iam_account_password_policy", + "name": "bad", + "provider_config_key": "aws", + "expressions": { + "allow_users_to_change_password": { + "constant_value": false + }, + "max_password_age": { + "constant_value": 300 + }, + "minimum_password_length": { + "constant_value": 4 + }, + "password_reuse_prevention": { + "constant_value": 10 + }, + "require_lowercase_characters": { + "constant_value": false + }, + "require_numbers": { + "constant_value": false + }, + "require_symbols": { + "constant_value": false + }, + "require_uppercase_characters": { + "constant_value": false + } + }, + "schema_version": 0 + }, + { + "address": "aws_iam_account_password_policy.good", + "mode": "managed", + "type": "aws_iam_account_password_policy", + "name": "good", + "provider_config_key": "aws", + "expressions": { + "allow_users_to_change_password": { + "constant_value": true + }, + "max_password_age": { + "constant_value": 90 + }, + "minimum_password_length": { + "constant_value": 14 + }, + "password_reuse_prevention": { + "constant_value": 24 + }, + "require_lowercase_characters": { + "constant_value": true + }, + "require_numbers": { + "constant_value": true + }, + "require_symbols": { + "constant_value": true + }, + "require_uppercase_characters": { + "constant_value": true + } + }, + "schema_version": 0 + } + ] + } + } +} diff --git a/tests/rules/aws/inputs/iam_account_password_policy_infra.tf b/tests/rules/aws/inputs/iam_account_password_policy_infra.tf new file mode 100644 index 00000000..62d828e9 --- /dev/null +++ b/tests/rules/aws/inputs/iam_account_password_policy_infra.tf 
@@ -0,0 +1,23 @@
+provider "aws" {
+ region = "us-east-1"
+}
+resource "aws_iam_account_password_policy" "bad" {
+ require_uppercase_characters = false
+ minimum_password_length = 4
+ require_lowercase_characters = false
+ require_numbers = false
+ require_symbols = false
+ allow_users_to_change_password = false
+ password_reuse_prevention = 10
+ max_password_age = 300
+}
+resource "aws_iam_account_password_policy" "good" {
+ require_uppercase_characters = true
+ minimum_password_length = 14
+ require_lowercase_characters = true
+ require_numbers = true
+ require_symbols = true
+ allow_users_to_change_password = true
+ password_reuse_prevention = 24
+ max_password_age = 90
+}
From 0e2735a9f9c0a90f39891ed6e3a91b9ff4fdc503 Mon Sep 17 00:00:00 2001 From: ismail yenigul Date: Sat, 28 Nov 2020 19:41:52 +0300 Subject: [PATCH 2/2] fix iam_account_password_policy_symbol rule name --- rules/aws/iam_account_password_policy_symbol.rego | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/aws/iam_account_password_policy_symbol.rego b/rules/aws/iam_account_password_policy_symbol.rego
index fd6b4621..14c93a40 100644
--- a/rules/aws/iam_account_password_policy_symbol.rego
+++ b/rules/aws/iam_account_password_policy_symbol.rego
@@ -11,7 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-package rules.iam_account_password_policy_symbols
+package rules.iam_account_password_policy_symbol
 
 __rego__metadoc__ := {
 "id": "FG_R00017",
@@ -33,4 +33,4 @@ default allow = false
 
 allow {
 input.require_symbols == true
-}
\ No newline at end of file
+}