DEV-3006 (#17)

* Adding a use case for EBS

* Adding VPC SG tests

* Adding an s3 unencrypted example

Author: jkamenik

aws/cloudformation/abstract/ec2_ebs_encryption/README.md

@@ -0,0 +1,3 @@
+# EC2 EBS Volume Encryption
+
+This shows various states of EBS.  All should be encrypted.

aws/cloudformation/abstract/ec2_ebs_encryption/expected/main.yaml

@@ -0,0 +1,18 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  Linux:
+    Type: AWS::EC2::Instance
+    Properties:
+      BlockDeviceMappings:
+        - DeviceName: /dev/xvda
+          Ebs:
+            VolumeSize: 20
+            Encrypted: true
+        - DeviceName: /dev/xvdb
+          Ebs:
+            Encrypted: true
+            VolumeSize: 20

aws/cloudformation/abstract/ec2_ebs_encryption/main.yaml

@@ -0,0 +1,17 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  Linux:
+    Type: AWS::EC2::Instance
+    Properties:
+      BlockDeviceMappings:
+        - DeviceName: /dev/xvda
+          Ebs:
+            VolumeSize: 20
+            Encrypted: false
+        - DeviceName: /dev/xvdb
+          Ebs:
+            VolumeSize: 20

aws/cloudformation/abstract/enable-vpc-flow-logs/README.md

@@ -0,0 +1,13 @@
+# S3 Unencrypted
+
+This shows the three states of S3 buckets.  One is unencrypted.  One is encrypted using Customer Managed Keys (CMK).  And one is encrypted using Provider Managed Keys (PMK).
+
+As long as encryption is provided one is not better then the other, so there are two expectations.  If the CMK is known then the unencrypted bucket should be encrypted using it (example `expected-cmk`).  Otherwise it should be encrypted using PMK (example `expected-pmk`).  In either case the currently encrypted buckets shouldn't be touched.
+
+You should only test against one of the two expectations.
+
+## Unguessable info
+
+The expectation assumes the following:
+
+1. CMK: `arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key`

aws/cloudformation/abstract/s3-unencrypted/README.md

@@ -0,0 +1,49 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  S3BucketUnencrypted:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"
+
+  S3BucketEncryptedWithPMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithCMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"

aws/cloudformation/abstract/s3-unencrypted/expected-cmk/main.yaml

@@ -0,0 +1,48 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  S3BucketUnencrypted:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithPMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithCMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"

aws/cloudformation/abstract/s3-unencrypted/expected-pmk/main.yaml

@@ -0,0 +1,44 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  S3BucketUnencrypted:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+
+  S3BucketEncryptedWithPMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithCMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"

aws/cloudformation/abstract/s3-unencrypted/main.yaml

@@ -0,0 +1,9 @@
+# VPC Flow Logs Misconfiguration
+
+Here a flow log set to the wrong bucket.  It should be fixed.
+
+## Unguessable info
+
+The expectation assumes the following:
+
+1. The VPC Flow Log LogDestination: `!Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"`

aws/cloudformation/abstract/vpc-flow-logs-misconfig/README.md

@@ -0,0 +1,38 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  FlowLog_for_VPC:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32