Update queries to use non-deprecated columns, update ebs_encryption_by_default_enabled control and query name, fix VPC security group rule queries only checking for exact port matches instead of ranges (#835)

Co-authored-by: Cody Bruno <[email protected]>

Author: khushboo9024

all_controls/ec2.pp

@@ -12,7 +12,7 @@
     control.ec2_ami_not_older_than_90_days,
     control.ec2_ami_restrict_public_access,
     control.ec2_client_vpn_endpoint_client_connection_logging_enabled,
-    control.ec2_ebs_default_encryption_enabled,
+    control.ebs_encryption_by_default_enabled,
     control.ec2_instance_attached_ebs_volume_delete_on_termination_enabled,
     control.ec2_instance_detailed_monitoring_enabled,
     control.ec2_instance_ebs_optimized,

cis_controls_v8_ig1/cis_controls_v8_ig1_11.pp

@@ -36,7 +36,7 @@
   description = "Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements."
   children = [
     control.ebs_attached_volume_encryption_enabled,
-    control.ec2_ebs_default_encryption_enabled,
+    control.ebs_encryption_by_default_enabled,
     control.rds_db_instance_encryption_at_rest_enabled
   ]
 

cis_controls_v8_ig1/cis_controls_v8_ig1_4.pp

@@ -37,7 +37,7 @@
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
     control.cloudtrail_trail_validation_enabled,
     control.ebs_attached_volume_encryption_enabled,
-    control.ec2_ebs_default_encryption_enabled,
+    control.ebs_encryption_by_default_enabled,
     control.ec2_instance_iam_profile_attached,
     control.iam_account_password_policy_strong_min_reuse_24,
     control.iam_group_user_role_no_inline_policies,

cis_v150/section_2.pp

@@ -138,7 +138,7 @@
   title         = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
   description   = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
   documentation = file("./cis_v150/docs/cis_v150_2_2_1.md")
-  query         = query.ebs_volume_encryption_at_rest_enabled
+  query         = query.ebs_encryption_by_default_enabled
 
   tags = merge(local.cis_v150_2_2_common_tags, {
     cis_item_id = "2.2.1"

cis_v200/section_2.pp

@@ -123,7 +123,7 @@
   title         = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
   description   = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
   documentation = file("./cis_v200/docs/cis_v200_2_2_1.md")
-  query         = query.ebs_volume_encryption_at_rest_enabled
+  query         = query.ebs_encryption_by_default_enabled
 
   tags = merge(local.cis_v200_2_2_common_tags, {
     cis_item_id = "2.2.1"

cis_v300/section_2.pp

@@ -123,7 +123,7 @@
   title         = "2.2.1 Ensure EBS Volume Encryption is Enabled in all Regions"
   description   = "Elastic Compute Cloud (EC2) supports encryption at rest when using the Elastic Block Store (EBS) service. While disabled by default, forcing encryption at EBS volume creation is supported."
   documentation = file("./cis_v300/docs/cis_v300_2_2_1.md")
-  query         = query.ebs_volume_encryption_at_rest_enabled
+  query         = query.ebs_encryption_by_default_enabled
 
   tags = merge(local.cis_v300_2_2_common_tags, {
     cis_item_id = "2.2.1"

cisa_cyber_essentials/your_data.pp

@@ -21,7 +21,7 @@
     control.cloudtrail_trail_logs_encrypted_with_kms_cmk,
     control.dynamodb_table_encrypted_with_kms,
     control.ebs_attached_volume_encryption_enabled,
-    control.ec2_ebs_default_encryption_enabled,
+    control.ebs_encryption_by_default_enabled,
     control.efs_file_system_encrypted_with_cmk,
     control.es_domain_encryption_at_rest_enabled,
     control.log_group_encryption_at_rest_enabled,
@@ -58,7 +58,7 @@
     control.dynamodb_table_encrypted_with_kms,
     control.ebs_attached_volume_encryption_enabled,
     control.ebs_snapshot_not_publicly_restorable,
-    control.ec2_ebs_default_encryption_enabled,
+    control.ebs_encryption_by_default_enabled,
     control.ec2_instance_in_vpc,
     control.ec2_instance_not_publicly_accessible,
     control.efs_file_system_encrypted_with_cmk,

cisa_cyber_essentials/your_systems.pp

@@ -65,7 +65,7 @@
     control.ebs_attached_volume_encryption_enabled,
     control.ebs_snapshot_not_publicly_restorable,
     control.ebs_volume_in_backup_plan,
-    control.ec2_ebs_default_encryption_enabled,
+    control.ebs_encryption_by_default_enabled,
     control.ec2_instance_ebs_optimized,
     control.ec2_instance_in_vpc,
     control.ec2_instance_not_publicly_accessible,

conformance_pack/ebs.pp

@@ -4,6 +4,28 @@
   })
 }
 
+control "ebs_encryption_by_default_enabled" {
+  title       = "EBS default encryption should be enabled"
+  description = "To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes."
+  query       = query.ebs_encryption_by_default_enabled
+
+  tags = merge(local.conformance_pack_ec2_common_tags, {
+    cis_controls_v8_ig1                    = "true"
+    cisa_cyber_essentials                  = "true"
+    ffiec                                  = "true"
+    gxp_21_cfr_part_11                     = "true"
+    gxp_eu_annex_11                        = "true"
+    hipaa_final_omnibus_security_rule_2013 = "true"
+    hipaa_security_rule_2003               = "true"
+    nist_800_171_rev_2                     = "true"
+    nist_800_53_rev_4                      = "true"
+    nist_800_53_rev_5                      = "true"
+    nist_csf                               = "true"
+    pci_dss_v321                           = "true"
+    soc_2                                  = "true"
+  })
+}
+
 control "ebs_snapshot_not_publicly_restorable" {
   title       = "EBS snapshots should not be publicly restorable"
   description = "Manage access to the AWS Cloud by ensuring EBS snapshots are not publicly restorable."
@@ -163,6 +185,27 @@
   tags = local.conformance_pack_ebs_common_tags
 }
 
+query "ebs_encryption_by_default_enabled" {
+  sql = <<-EOQ
+    select
+      'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
+      case
+        when r.opt_in_status = 'not-opted-in' then 'skip'
+        when not default_ebs_encryption_enabled then 'alarm'
+        else 'ok'
+      end as status,
+      case
+        when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
+        when not default_ebs_encryption_enabled then r.region || ' default EBS encryption disabled.'
+        else r.region || ' default EBS encryption enabled.'
+      end as reason
+      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
+    from
+      aws_region as r
+      left join aws_ec2_regional_settings as s on s.account_id = r.account_id and s.region = r.region;
+  EOQ
+}
+
 query "ebs_snapshot_not_publicly_restorable" {
   sql = <<-EOQ
     select
@@ -386,4 +429,4 @@
       aws_ebs_volume as v
       left join volume_with_snapshots as s on s.volume_id = v.volume_id;
   EOQ
-}
+}

conformance_pack/ec2.pp

@@ -20,27 +20,6 @@
   tags = local.conformance_pack_ec2_common_tags
 }
 
-control "ec2_ebs_default_encryption_enabled" {
-  title       = "EBS default encryption should be enabled"
-  description = "To help protect data at rest, ensure that encryption is enabled for your AWS Elastic Block Store (AWS EBS) volumes."
-  query       = query.ec2_ebs_default_encryption_enabled
-
-  tags = merge(local.conformance_pack_ec2_common_tags, {
-    cis_controls_v8_ig1                    = "true"
-    cisa_cyber_essentials                  = "true"
-    ffiec                                  = "true"
-    gxp_21_cfr_part_11                     = "true"
-    gxp_eu_annex_11                        = "true"
-    hipaa_final_omnibus_security_rule_2013 = "true"
-    hipaa_security_rule_2003               = "true"
-    nist_800_171_rev_2                     = "true"
-    nist_800_53_rev_4                      = "true"
-    nist_800_53_rev_5                      = "true"
-    nist_csf                               = "true"
-    pci_dss_v321                           = "true"
-    soc_2                                  = "true"
-  })
-}
 
 control "ec2_instance_detailed_monitoring_enabled" {
   title       = "EC2 instance detailed monitoring should be enabled"
@@ -512,24 +491,6 @@
   tags = local.conformance_pack_ec2_common_tags
 }
 
-query "ec2_ebs_default_encryption_enabled" {
-  sql = <<-EOQ
-    select
-      'arn:' || partition || '::' || region || ':' || account_id as resource,
-      case
-        when not default_ebs_encryption_enabled then 'alarm'
-        else 'ok'
-      end as status,
-      case
-        when not default_ebs_encryption_enabled then region || ' default EBS encryption disabled.'
-        else region || ' default EBS encryption enabled.'
-      end as reason
-      ${local.common_dimensions_sql}
-    from
-      aws_ec2_regional_settings;
-  EOQ
-}
-
 query "ec2_instance_detailed_monitoring_enabled" {
   sql = <<-EOQ
     select
@@ -2036,4 +1997,4 @@
     from
       aws_ec2_network_interface;
   EOQ
-}
+}

conformance_pack/iam.pp

@@ -1518,28 +1518,48 @@
 
 query "iam_access_analyzer_enabled_without_findings" {
   sql = <<-EOQ
+    with accessanalyzer_findings as (
+      select
+        a.status as status,
+        f.access_analyzer_arn as arn,
+        a.region,
+        a.account_id,
+        a.tags,
+        a.name,
+        count(*)
+      from
+        aws_accessanalyzer_analyzer as a
+        left join aws_accessanalyzer_finding as f on f.access_analyzer_arn = a.arn
+      group by
+        f.access_analyzer_arn,
+        a.status,
+        a.region,
+        a.account_id,
+        a.tags,
+        a.name
+    )
     select
       'arn:' || r.partition || '::' || r.region || ':' || r.account_id as resource,
       case
         -- Skip any regions that are disabled in the account.
         when r.opt_in_status = 'not-opted-in' then 'skip'
-        when aa.status = 'ACTIVE' and aa.findings is null then 'ok'
-        when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then 'alarm'
-        when aa.status = 'NOT_AVAILABLE' then 'alarm'
+        when f.status = 'ACTIVE' and f.arn is null then 'ok'
+        when f.status = 'ACTIVE' and f.arn is not null then 'alarm'
+        when f.status = 'NOT_AVAILABLE' then 'alarm'
         else 'alarm'
       end as status,
       case
         when r.opt_in_status = 'not-opted-in' then r.region || ' region is disabled.'
-        when aa.status = 'ACTIVE' and aa.findings is null then aa.name || ' does not have active findings in region ' || r.region || '.'
-        when aa.status = 'ACTIVE' and jsonb_array_length(aa.findings) > 0 then aa.name || ' has active findings in region ' || r.region || '.'
-        when aa.status = 'NOT_AVAILABLE' then aa.name || ' is not enabled in region ' || r.region || '.'
+        when f.status = 'ACTIVE' and f.arn is null then f.name || ' does not have active findings in region ' || r.region || '.'
+        when f.status = 'ACTIVE' and f.arn is not null then f.name || ' has active findings in region ' || r.region || '.'
+        when f.status = 'NOT_AVAILABLE' then f.name || ' is not enabled in region ' || r.region || '.'
         else 'IAM Access Analyzer is not active in region ' || r.region || '.'
       end as reason
       ${local.tag_dimensions_sql}
       ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "r.")}
     from
       aws_region as r
-      left join aws_accessanalyzer_analyzer as aa on r.account_id = aa.account_id and r.region = aa.region;
+      left join accessanalyzer_findings as f on f.region = r.region and f.account_id = r.account_id;
   EOQ
 }
 

conformance_pack/ssm.pp

@@ -176,21 +176,22 @@
 query "ssm_document_prohibit_public_access" {
   sql = <<-EOQ
     select
-      'arn:' || partition || ':ssm:' || region || ':' || account_id || ':document/' || name as resource,
+      d.arn as resource,
       case
-        when account_ids :: jsonb ? 'all' then 'alarm'
+        when p.account_ids :: jsonb ? 'all' then 'alarm'
         else 'ok'
       end as status,
       case
-        when account_ids :: jsonb ? 'all' then title || ' publicly accesible.'
-        else title || ' not publicly accesible.'
+        when p.account_ids :: jsonb ? 'all' then d.title || ' publicly accessible.'
+        else d.title || ' not publicly accessible.'
       end as reason
-      ${local.tag_dimensions_sql}
-      ${local.common_dimensions_sql}
+      ${replace(local.tag_dimensions_qualifier_sql, "__QUALIFIER__", "d.")}
+      ${replace(local.common_dimensions_qualifier_sql, "__QUALIFIER__", "d.")}
     from
-      aws_ssm_document
+      aws_ssm_document as d
+      left join aws_ssm_document_permission as p on p.document_name = d.name and p.region = d.region  and p.account_id = d.account_id
     where
-      owner_type = 'Self';
+      d.owner_type = 'Self';
   EOQ
 }