Merge branch 'master' into terraformer_poc

Signed-off-by: João Reigota <[email protected]>

.github/workflows/go-ci.yml

@@ -68,6 +68,13 @@ jobs:
       - name: Get Modules
         run: |
           go mod vendor
+      - name: Set Windows Page size
+        if: matrix.os == 'windows-latest'
+        uses: al-cheb/[email protected]
+        with:
+          minimum-size: 32GB
+          maximum-size: 32GB
+          disk-root: "C:"
       - name: Test and Generate Report
         if: matrix.os != 'windows-latest'
         run: |

assets/libraries/common.rego

@@ -426,6 +426,8 @@ any_principal(statement) {
 } else {
 	is_array(statement.Principal.AWS)
 	contains(statement.Principal.AWS[_], "*")
+} else {
+	not valid_key(statement, "Principal")
 }
 
 is_recommended_tls(field) {

assets/queries/ansible/aws/redshift_using_default_port/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "e01de151-a7bd-4db4-b49b-3c4775a5e881",
+  "queryName": "Redshift Using Default Port",
+  "severity": "LOW",
+  "category": "Networking and Firewall",
+  "descriptionText": "Redshift should not use the default port (5439) because an attacker can easily guess the port",
+  "descriptionUrl": "https://docs.ansible.com/ansible/latest/collections/community/aws/redshift_module.html#parameter-port",
+  "platform": "Ansible",
+  "descriptionID": "64fe28a7",
+  "cloudProvider": "aws"
+}

assets/queries/ansible/aws/redshift_using_default_port/query.rego

@@ -0,0 +1,20 @@
+package Cx
+
+import data.generic.ansible as ans_lib
+import data.generic.common as common_lib 
+
+CxPolicy[result] {
+	task := ans_lib.tasks[id][t]
+	modules := {"redshift", "community.aws.redshift"}
+
+	task[modules[m]].port == 5439
+
+	result := {
+		"documentId": id,
+		"searchKey": sprintf("name={{%s}}.{{%s}}.port", [task.name, modules[m]]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "redshift.port is not set to 5439",
+		"keyActualValue": "redshift.port is set to 5439",
+		"searchLine": common_lib.build_search_line(["playbooks", t, modules[m], "port"], []),
+	}
+}

assets/queries/ansible/aws/redshift_using_default_port/test/negative.yaml

@@ -0,0 +1,8 @@
+- name: Redshift2
+  community.aws.redshift:
+    command: create
+    node_type: ds1.xlarge
+    identifier: new_cluster
+    username: cluster_admin
+    password: 1nsecur3
+    port: 1150

assets/queries/ansible/aws/redshift_using_default_port/test/positive.yaml

@@ -0,0 +1,8 @@
+- name: Redshift
+  community.aws.redshift:
+    command: create
+    node_type: ds1.xlarge
+    identifier: new_cluster
+    username: cluster_admin
+    password: 1nsecur3
+    port: 5439

assets/queries/ansible/aws/redshift_using_default_port/test/positive_expected_result.json

@@ -0,0 +1,8 @@
+[
+  {
+    "queryName": "Redshift Using Default Port",
+    "severity": "LOW",
+    "line": 8,
+    "fileName": "positive.yaml"
+  }
+]

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/metadata.json

@@ -0,0 +1,11 @@
+{
+  "id": "52790cad-d60d-41d5-8483-146f9f21208d",
+  "queryName": "API Gateway Cache Cluster Disabled",
+  "severity": "LOW",
+  "category": "Insecure Configurations",
+  "descriptionText": "AWS API Gateway should have cache clustering enabled",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-cacheclusterenabled",
+  "platform": "CloudFormation",
+  "descriptionID": "c5c1c902",
+  "cloudProvider": "aws"
+}

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/query.rego

@@ -0,0 +1,38 @@
+package Cx
+
+import data.generic.common as common_lib
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+	properties := resource.Properties
+	not common_lib.valid_key(properties, "CacheClusterEnabled")
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is undefined or null", [name]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties"], []),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+	properties := resource.Properties
+
+	properties.CacheClusterEnabled == false
+
+	result := {
+		"documentId": input.document[i].id,
+		"searchKey": sprintf("Resources.%s.Properties.CacheClusterEnabled", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is set to true", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.CacheClusterEnabled is set to false", [name]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "CacheClusterEnabled"], []),
+	}
+}

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/negative1.yaml

@@ -0,0 +1,31 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+  ProdNeg1:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: !Ref MyDocumentationVersion
+      ClientCertificateId: !Ref ClientCertificate
+      TracingEnabled: true
+      Variables:
+        Stack: Prod
+      MethodSettings:
+        - ResourcePath: /
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+        - ResourcePath: /stack
+          HttpMethod: POST
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '999'
+        - ResourcePath: /stack
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '555'
+      CacheClusterEnabled: true

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/negative2.json

@@ -0,0 +1,43 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "ProdNeg1": {
+      "Properties": {
+        "CacheClusterEnabled": true,
+        "ClientCertificateId": "ClientCertificate",
+        "DeploymentId": "TestDeployment",
+        "Description": "Prod Stage",
+        "DocumentationVersion": "MyDocumentationVersion",
+        "MethodSettings": [
+          {
+            "DataTraceEnabled": "false",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "ResourcePath": "/"
+          },
+          {
+            "DataTraceEnabled": "false",
+            "HttpMethod": "POST",
+            "MetricsEnabled": "true",
+            "ResourcePath": "/stack",
+            "ThrottlingBurstLimit": "999"
+          },
+          {
+            "DataTraceEnabled": "false",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "ResourcePath": "/stack",
+            "ThrottlingBurstLimit": "555"
+          }
+        ],
+        "RestApiId": "MyRestApi",
+        "StageName": "Prod",
+        "TracingEnabled": true,
+        "Variables": {
+          "Stack": "Prod"
+        }
+      },
+      "Type": "AWS::ApiGateway::Stage"
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive1.yaml

@@ -0,0 +1,30 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+  ProdPos1:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: !Ref MyDocumentationVersion
+      ClientCertificateId: !Ref ClientCertificate
+      TracingEnabled: true
+      Variables:
+        Stack: Prod
+      MethodSettings:
+        - ResourcePath: /
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+        - ResourcePath: /stack
+          HttpMethod: POST
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '999'
+        - ResourcePath: /stack
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '555'

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive2.yaml

@@ -0,0 +1,31 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Description: "BatchJobDefinition"
+Resources:
+  ProdPos2:
+    Type: AWS::ApiGateway::Stage
+    Properties:
+      StageName: Prod
+      Description: Prod Stage
+      RestApiId: !Ref MyRestApi
+      DeploymentId: !Ref TestDeployment
+      DocumentationVersion: !Ref MyDocumentationVersion
+      ClientCertificateId: !Ref ClientCertificate
+      TracingEnabled: true
+      Variables:
+        Stack: Prod
+      MethodSettings:
+        - ResourcePath: /
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+        - ResourcePath: /stack
+          HttpMethod: POST
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '999'
+        - ResourcePath: /stack
+          HttpMethod: GET
+          MetricsEnabled: 'true'
+          DataTraceEnabled: 'false'
+          ThrottlingBurstLimit: '555'
+      CacheClusterEnabled: false

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive3.json

@@ -0,0 +1,49 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "ProdPos1": {
+      "Type": "AWS::ApiGateway::Stage",
+      "Properties": {
+        "StageName": "Prod",
+        "RestApiId": {
+          "Ref": "MyRestApi"
+        },
+        "DeploymentId": {
+          "Ref": "TestDeployment"
+        },
+        "DocumentationVersion": {
+          "Ref": "MyDocumentationVersion"
+        },
+        "ClientCertificateId": {
+          "Ref": "ClientCertificate"
+        },
+        "Variables": {
+          "Stack": "Prod"
+        },
+        "TracingEnabled": "true",
+        "MethodSettings": [
+          {
+            "ResourcePath": "/",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false"
+          },
+          {
+            "ResourcePath": "/stack",
+            "HttpMethod": "POST",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false",
+            "ThrottlingBurstLimit": "999"
+          },
+          {
+            "ResourcePath": "/stack",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "DataTraceEnabled": "false",
+            "ThrottlingBurstLimit": "555"
+          }
+        ]
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive4.json

@@ -0,0 +1,43 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Resources": {
+    "ProdPos2": {
+      "Properties": {
+        "CacheClusterEnabled": false,
+        "ClientCertificateId": "ClientCertificate",
+        "DeploymentId": "TestDeployment",
+        "Description": "Prod Stage",
+        "DocumentationVersion": "MyDocumentationVersion",
+        "MethodSettings": [
+          {
+            "DataTraceEnabled": "false",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "ResourcePath": "/"
+          },
+          {
+            "DataTraceEnabled": "false",
+            "HttpMethod": "POST",
+            "MetricsEnabled": "true",
+            "ResourcePath": "/stack",
+            "ThrottlingBurstLimit": "999"
+          },
+          {
+            "DataTraceEnabled": "false",
+            "HttpMethod": "GET",
+            "MetricsEnabled": "true",
+            "ResourcePath": "/stack",
+            "ThrottlingBurstLimit": "555"
+          }
+        ],
+        "RestApiId": "MyRestApi",
+        "StageName": "Prod",
+        "TracingEnabled": true,
+        "Variables": {
+          "Stack": "Prod"
+        }
+      },
+      "Type": "AWS::ApiGateway::Stage"
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_cache_cluster_disabled/test/positive_expected_result.json

@@ -0,0 +1,26 @@
+[
+  {
+    "queryName": "API Gateway Cache Cluster Disabled",
+    "severity": "LOW",
+    "line": 6,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "API Gateway Cache Cluster Disabled",
+    "severity": "LOW",
+    "line": 31,
+    "fileName": "positive2.yaml"
+  },
+  {
+    "queryName": "API Gateway Cache Cluster Disabled",
+    "severity": "LOW",
+    "line": 6,
+    "fileName": "positive3.json"
+  },
+  {
+    "queryName": "API Gateway Cache Cluster Disabled",
+    "severity": "LOW",
+    "line": 6,
+    "fileName": "positive4.json"
+  }
+]