CIS AWS IAM password policy rules

README.md

@@ -52,31 +52,31 @@ The second part is a Rego framework that:
 
 See [rules](https://github.com/fugue/regula/tree/master/rules) directory.  Fugue is currently working on open sourcing more rules from [our product](https://www.fugue.co/) to Regula.
 
-| Provider | Service         | Rule Name                                   | Rule Summary                                                                                               |
-|----------|-----------------|---------------------------------------------|------------------------------------------------------------------------------------------------------------|
-| AWS      | CloudFront      | cloudfront\_distribution\_https             | CloudFront distributions should use HTTPS traffic                                                          |
-| AWS      | CloudTrail      | cloudtrail\_log\_file\_validation           | CloudTrail log file validation should be enabled                                                           |
-| AWS      | EBS             | ebs\_volume\_encrypted                      | EBS volume encryption should be enabled                                                                    |
-| AWS      | IAM             | iam\_admin\_policy                          | IAM policies should not have full "*:*" administrative privileges                                          |
-| AWS      | IAM             | iam\_user\_attached\_policy                 | IAM policies should not be attached directly to users                                                      |
-| AWS      | KMS             | kms\_rotate                                 | KMS CMK rotation should be enabled                                                                         |
-| AWS      | S3              | s3\_bucket\_sse                             | Server Side Encryption by default should be set for S3 buckets                                             |                                                                         |
-| AWS      | VPC             | security\_group\_ingress\_anywhere          | VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443             |
-| AWS      | VPC             | security\_group\_ingress\_anywhere\_rdp     | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) |
-| AWS      | VPC             | security\_group\_ingress\_anywhere\_ssh     | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)                       |
-| AWS      | VPC             | vpc\_flow\_log                              | VPC flow logging should be enabled                                                                         |
-| GCP      | KMS             | kms\_cryptokey\_rotate                      | KMS crypto keys should be rotated at least once every 365 days                                             |
-| GCP      | Compute         | compute\_firewall\_no\_ingress\_22          | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)                             |
-| GCP      | Compute         | compute\_firewall\_no\_ingress\_3389        | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP)                           |
-| GCP      | Compute         | compute\_subnet\_private\_google\_access    | VPC subnet 'Private Google Access' should be enabled                                                       |
-| GCP      | Compute         | compute\_subnet\_flow\_log\_enabled         | VPC subnet flow logging should be enabled                                                                  |
-| Azure    | Storage Account | storage\_account\_deny\_access              | Storage accounts should deny access from all networks by default                                           |
-| Azure    | Storage Account | storage\_account\_microsoft\_services       | Storage accounts 'Trusted Microsoft Services' access should be enabled                                     |
-| Azure    | Storage Account | storage\_account\_secure\_transfer          | Storage accounts 'Secure transfer required' should be enabled                                              |
-| Azure    | Blob Storage    | storage\_container\_private\_access         | Storage containers should have access set to 'private'                                                     |
-| Azure    | Virtual Network | network\_security\_group\_no\_inbound\_22   | Network security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)                   |
-| Azure    | Virtual Network | network\_security\_group\_no\_inbound\_3389 | Network security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP)                 |
-| Azure    | SQL Server      | sql\_server\_firewall\_no\_inbound\_all     | SQL Server firewall rules should not permit ingress from 0.0.0.0/0 to all ports and protocols              |
+| Provider | Service         | Rule ID|  Rule Name                                    | Rule Summary                                                                                               |
+|----------|-----------------|---|------------------------------------------|------------------------------------------------------------------------------------------------------------|
+| AWS      | CloudFront      | FG_R00011|cloudfront\_distribution\_https              | CloudFront distributions should use HTTPS traffic                                                          |
+| AWS      | CloudTrail      | FG_R00027|cloudtrail\_log\_file\_validation            | CloudTrail log file validation should be enabled                                                           |
+| AWS      | EBS             | FG_R00016 | ebs\_volume\_encrypted                     | EBS volume encryption should be enabled                                                                    |
+| AWS      | IAM             | FG_R00092 |iam\_admin\_policy                          | IAM policies should not have full "*:*" administrative privileges                                          |
+| AWS      | IAM             | FG_R00007 |iam\_user\_attached\_policy                 | IAM policies should not be attached directly to users                                                      |
+| AWS      | KMS             |FG_R00036 | kms\_rotate                                 | KMS CMK rotation should be enabled                                                                         |
+| AWS      | VPC             | FG_R00351 | security\_group\_ingress\_anywhere         | VPC security group rules should not permit ingress from '0.0.0.0/0' except to ports 80 and 443             |
+| AWS      | VPC             | FG_R00087 | security\_group\_ingress\_anywhere\_rdp    | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (Remote Desktop Protocol) |
+| AWS      | VPC             | FG_R00085 | security\_group\_ingress\_anywhere\_ssh    | VPC security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)                       |
+| AWS      | VPC             |  FG_R00054 |vpc\_flow\_log                             | VPC flow logging should be enabled                                                                         |
+| GCP      | KMS             | FG_R00352 | kms\_cryptokey\_rotate                     | KMS crypto keys should be rotated at least once every 365 days                                             |
+| GCP      | Compute         | FG_R00353 | compute\_firewall\_no\_ingress\_22         | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)                             |
+| GCP      | Compute         | FG_R00354 | compute\_firewall\_no\_ingress\_3389       | VPC firewall rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP)                           |
+| GCP      | Compute         | FG_R00354 | compute\_subnet\_private\_google\_access   | VPC subnet 'Private Google Access' should be enabled                                                       |
+| GCP      | Compute         | FG_R00356 | compute\_subnet\_flow\_log\_enabled        | VPC subnet flow logging should be enabled                                                                  |
+ GCP       | Compute         | REGULA_R00013 | ompute\_subnet\_private\_google_access | VPC subnet 'Private Google Access' should be enable
+| Azure    | Storage Account | FG_R00154 |storage\_account\_deny\_access              | Storage accounts should deny access from all networks by default                                           |
+| Azure    | Storage Account | FG_R00208 | storage\_account\_microsoft\_services      | Storage accounts 'Trusted Microsoft Services' access should be enabled                                     |
+| Azure    | Storage Account | FG_R00152 | storage\_account\_secure\_transfer         | Storage accounts 'Secure transfer required' should be enabled                                              |
+| Azure    | Blob Storage    |  FG_R00207 | storage\_container\_private\_access       | Storage containers should have access set to 'private'                                                     |
+| Azure    | Virtual Network | FG_R00190 | network\_security\_group\_no\_inbound\_22  | Network security group rules should not permit ingress from '0.0.0.0/0' to port 22 (SSH)                   |
+| Azure    | Virtual Network | FG_R00191 | network\_security\_group\_no\_inbound\_3389| Network security group rules should not permit ingress from '0.0.0.0/0' to port 3389 (RDP)                 |
+| Azure    | SQL Server      | FG_R00192 | sql\_server\_firewall\_no\_inbound\_all    | SQL Server firewall rules should not permit ingress from 0.0.0.0/0 to all ports and protocols              |
 
 ## Running Regula locally
 
@@ -475,4 +475,4 @@ To locally produce a Regula report on Windows, use the following steps:
 [terraform]: https://www.terraform.io/
 [Rego]: https://www.openpolicyagent.org/docs/latest/policy-language/
 [Fugue Custom Rules]: https://docs.fugue.co/rules.html
-[Conftest]: https://github.com/instrumenta/conftest
+[Conftest]: https://github.com/instrumenta/conftest

rules/aws/iam_account_password_policy_lowercase_letter.rego

@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_lowercase_letter
+
+__rego__metadoc__ := {
+  "id": "FG_R00016",
+  "title": "Ensure IAM password policy requires at least one lowercase letter",
+  "description": "CIS recommends that the password policy require at least one lowercase letter.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-6"
+      ]
+    },
+    "severity": "Medium"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.require_lowercase_characters == true
+}

rules/aws/iam_account_password_policy_numbers.rego

@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_numbers
+
+__rego__metadoc__ := {
+  "id": "FG_R00018",
+  "title": "Ensure IAM password policy requires at least one number",
+  "description": "CIS recommends that the password policy require at least one number.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-8"
+      ]
+    },
+    "severity": "Medium"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.require_numbers == true
+}

rules/aws/iam_account_password_policy_password_age.rego

@@ -0,0 +1,37 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_password_age
+
+__rego__metadoc__ := {
+  "id": "FG_R00021",
+  "title": "EEnsure IAM password policy expires passwords within 90 days or less",
+  "description": "CIS recommends that the password policy expire passwords after 90 days or less.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-11"
+      ]
+    },
+    "severity": "Medium"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.max_password_age > 0
+   input.max_password_age <= 90
+}

rules/aws/iam_account_password_policy_password_length.rego

@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_password_length
+
+__rego__metadoc__ := {
+  "id": "FG_R00019",
+  "title": "Ensure IAM password policy requires a minimum length of 14 or greater",
+  "description": "CIS recommends that the password policy require a minimum password length of 14 characters.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-9"
+      ]
+    },
+    "severity": "Medium"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.minimum_password_length >= 14
+}

rules/aws/iam_account_password_policy_password_reuse_prevention.rego

@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_password_reuse_prevention
+
+__rego__metadoc__ := {
+  "id": "FG_R00020",
+  "title": "Ensure IAM password policy prevents password reuse",
+  "description": "This control checks whether the number of passwords to remember is set to 24. The control fails if the value is not 24.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-10"
+      ]
+    },
+    "severity": "Low"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.password_reuse_prevention >= 24
+}

rules/aws/iam_account_password_policy_symbol.rego

@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_symbol
+
+__rego__metadoc__ := {
+  "id": "FG_R00017",
+  "title": "Ensure IAM password policy requires at least one symbol",
+  "description": "CIS recommends that the password policy require at least one symbol.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-7"
+      ]
+    },
+    "severity": "Medium"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.require_symbols == true
+}

rules/aws/iam_account_password_policy_uppercase_letter.rego

@@ -0,0 +1,36 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package rules.iam_account_password_policy_uppercase_letter
+
+__rego__metadoc__ := {
+  "id": "FG_R00015",
+  "title": "Ensure IAM password policy requires at least one uppercase letter",
+  "description": "CIS recommends that the password policy require at least one uppercase letter.",
+  "custom": {
+    "controls": {
+      "CIS": [
+        "CIS_1-5"
+      ]
+    },
+    "severity": "Medium"
+  }
+}
+
+resource_type = "aws_iam_account_password_policy"
+
+default allow = false
+
+allow {
+   input.require_uppercase_characters == true
+}

tests/rules/aws/iam_account_password_policy_lowercase_letter_test.rego

@@ -0,0 +1,25 @@
+# Copyright 2020 Fugue, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+package tests.rules.iam_account_password_policy_lowercase_letter
+
+import data.fugue.regula
+import data.tests.rules.aws.inputs.iam_account_password_policy_infra.mock_plan_input
+
+test_iam_account_password_policy_lowercase_letter {
+  report := regula.report with input as mock_plan_input
+  resources := report.rules.iam_account_password_policy_lowercase_letter.resources
+
+  resources["aws_iam_account_password_policy.good"].valid == true
+  resources["aws_iam_account_password_policy.bad"].valid == false
+}