feat(terraform): Adding 2 new AWS policies (#5599)

* adding 2 YAML policies - S3 & Neptune security config * adding 2 YAML policies * adding 2 YAML policies * adding 2 YAML policies * added 2 YAML policies * updated the pass and fail cases * Updated terraform pass and fail cases * Deleted - AWS S3 global ACL view check * added policy "Ensure Elastic Search has dedicated master node enabled" CKV2_AWS_59: Ensure Elastic Search has dedicated master node enabled * added policy "CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled" Ensure RDS instance with copy tags to snapshots is enabled * [New Policy]: CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet) CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet) * [2 new Policies]: CKV2_AZURE_24, CKV2_AZURE_25 CKV2_AZURE_24: Ensure Azure automation account is NOT overly permissive CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled * Update checkov/terraform/checks/graph_checks/aws/ElasticSearchDedicatedMasterEnabled.yaml Added opensearch check capability Co-authored-by: Anton Grübel <[email protected]> * Modified CKV2_AWS_59: Ensure ElasticSearch/OpenSearch has dedicated master node enabled * Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access * Renamed/Modified CKV2_AZURE_24: Ensure Azure automation account does NOT have overly permissive network access * Modified CKV2_AZURE_23: Ensure Azure spring cloud is configured with Virtual network (Vnet) * CKV2_AZURE_25: Ensure Azure SQL database Transparent Data Encryption (TDE) is enabled * Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled * Added 5 YAML policies * Modified CKV2_AWS_60: Ensure RDS instance with copy tags to snapshots is enabled * Added 2 policies related to customer ask (GIC) * Optimised the policy name for CKV2_AWS_66 * Added the 2 policies records to test_yaml_policies.py * Modified policies as per suggestions * fix resource references --------- Co-authored-by: Anton Grübel <[email protected]>
bridgecrewio · Sep 28, 2023 · 3a2d217 · 3a2d217
1 parent 59cd4d3
commit 3a2d217
Show file tree

Hide file tree

Showing 7 changed files with 177 additions and 0 deletions.
diff --git a/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml b/checkov/terraform/checks/graph_checks/aws/AWS_private_MWAA_environment.yaml
@@ -0,0 +1,19 @@
+metadata:
+  id: "CKV2_AWS_66"
+  name: "Ensure MWAA environment is not publicly accessible"
+  category: "NETWORKING"
+
+definition:
+
+  or:
+
+    - cond_type: "attribute"
+      resource_types: "aws_mwaa_environment"
+      attribute: "webserver_access_mode"
+      operator: "not_exists"
+
+    - cond_type: "attribute"
+      resource_types: "aws_mwaa_environment"
+      attribute: "webserver_access_mode"
+      operator: "equals"
+      value: "PRIVATE_ONLY"
diff --git a/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml b/checkov/terraform/checks/graph_checks/aws/AWSdisableS3ACL.yaml
@@ -0,0 +1,12 @@
+metadata:
+  id: "CKV2_AWS_65"
+  name: "Ensure access control lists for S3 buckets are disabled"
+  category: "GENERAL_SECURITY"
+
+definition:
+
+  cond_type: "attribute"
+  resource_types: "aws_s3_bucket_ownership_controls"
+  attribute: "rule.object_ownership"
+  operator: "equals"
+  value: "BucketOwnerEnforced"
diff --git a/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/expected.yaml
@@ -0,0 +1,5 @@
+pass:
+  - "aws_mwaa_environment.pud_mwaa_env_pass"
+  - "aws_mwaa_environment.pud_mwaa_env_pass_1"
+fail:
+  - "aws_mwaa_environment.pud_mwaa_env_fail"
diff --git a/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf b/tests/terraform/graph/checks/resources/AWS_private_MWAA_environment/main.tf
@@ -0,0 +1,104 @@
+# PASS 1: webserver_access_mode = PRIVATE_ONLY
+
+resource "aws_iam_role" "pud_pass_role" {
+  name = "pud_pass_role"
+  assume_role_policy = jsonencode({
+    Version = "2023-09-27"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+
+  tags = {
+    tag-key = "pud_checkov_pass"
+  }
+}
+
+resource "aws_s3_bucket" "pud_pass_bucket" {
+  bucket = "pud_pass_bucket"
+}
+
+resource "aws_mwaa_environment" "pud_mwaa_env_pass" {
+  dag_s3_path        = "dags/"
+  execution_role_arn = aws_iam_role.pud_pass_role.arn
+  name               = "pud_mwaa_env_pass"
+  webserver_access_mode = "PRIVATE_ONLY"
+  source_bucket_arn = aws_s3_bucket.pud_pass_bucket.arn
+}
+
+# PASS 2: webserver_access_mode Not mentioned. DEFAULT = PRIVATE_ONLY
+
+resource "aws_iam_role" "pud_pass_role_1" {
+  name = "pud_pass_role_1"
+  assume_role_policy = jsonencode({
+    Version = "2023-09-27"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+
+  tags = {
+    tag-key = "pud_checkov_pass_1"
+  }
+}
+
+resource "aws_s3_bucket" "pud_pass_bucket_1" {
+  bucket = "pud_pass_bucket_1"
+}
+
+resource "aws_mwaa_environment" "pud_mwaa_env_pass_1" {
+  dag_s3_path        = "dags/"
+  execution_role_arn = aws_iam_role.pud_pass_role.arn
+  name               = "pud_mwaa_env_pass_1"
+  source_bucket_arn = aws_s3_bucket.pud_pass_bucket.arn
+}
+
+# FAIL: webserver_access_mode = PUBLIC_ONLY
+
+resource "aws_iam_role" "pud_fail_role" {
+  name = "pud_fail_role"
+  assume_role_policy = jsonencode({
+    Version = "2023-09-27"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+
+  tags = {
+    tag-key = "pud_checkov_fail"
+  }
+}
+
+resource "aws_s3_bucket" "pud_fail_bucket" {
+  bucket = "pud_fail_bucket"
+}
+
+resource "aws_mwaa_environment" "pud_mwaa_env_fail" {
+  dag_s3_path        = "dags/"
+  execution_role_arn = aws_iam_role.pud_fail_role.arn
+  name               = "pud_mwaa_env_fail"
+  webserver_access_mode = "PUBLIC_ONLY"
+  source_bucket_arn = aws_s3_bucket.pud_fail_bucket.arn
+}
+
diff --git a/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/expected.yaml
@@ -0,0 +1,4 @@
+fail:
+  - "aws_s3_bucket_ownership_controls.pud_bucket_fail"
+pass:
+  - "aws_s3_bucket_ownership_controls.pud_bucket_pass"
diff --git a/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf b/tests/terraform/graph/checks/resources/AWSdisableS3ACL/main.tf
@@ -0,0 +1,27 @@
+# FAIL
+
+resource "aws_s3_bucket" "pud_bucket_fail" {
+  bucket = "pud_bucket_fail"
+}
+
+resource "aws_s3_bucket_ownership_controls" "pud_bucket_fail" {
+  bucket = aws_s3_bucket.pud_bucket_fail.id
+
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+# PASS
+
+resource "aws_s3_bucket" "pud_bucket_pass" {
+  bucket = "pud_bucket_pass"
+}
+
+resource "aws_s3_bucket_ownership_controls" "pud_bucket_pass" {
+  bucket = aws_s3_bucket.pud_bucket_pass.id
+
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
diff --git a/tests/terraform/graph/checks/test_yaml_policies.py b/tests/terraform/graph/checks/test_yaml_policies.py
@@ -412,6 +412,12 @@ def test_AzureMariaDBserverUsingTLS_1_2(self):
     def test_AzureStorageAccountEnableSoftDelete(self):
             self.go("AzureStorageAccountEnableSoftDelete")
 
+    def test_AWSdisableS3ACL(self):
+        self.go("AWSdisableS3ACL")
+
+    def test_AWS_private_MWAA_environment(self):
+        self.go("AWS_private_MWAA_environment")
+
     def test_registry_load(self):
         registry = Registry(parser=GraphCheckParser(), checks_dir=str(
             Path(__file__).parent.parent.parent.parent.parent / "checkov" / "terraform" / "checks" / "graph_checks"))