DEV-3006

aws/cloudformation/abstract/ec2_ebs_encryption/README.md

@@ -0,0 +1,3 @@
+# EC2 EBS Volume Encryption
+
+This shows various states of EBS.  All should be encrypted.

aws/cloudformation/abstract/ec2_ebs_encryption/expected/main.yaml

@@ -0,0 +1,18 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  Linux:
+    Type: AWS::EC2::Instance
+    Properties:
+      BlockDeviceMappings:
+        - DeviceName: /dev/xvda
+          Ebs:
+            VolumeSize: 20
+            Encrypted: true
+        - DeviceName: /dev/xvdb
+          Ebs:
+            Encrypted: true
+            VolumeSize: 20

aws/cloudformation/abstract/ec2_ebs_encryption/main.yaml

@@ -0,0 +1,17 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  Linux:
+    Type: AWS::EC2::Instance
+    Properties:
+      BlockDeviceMappings:
+        - DeviceName: /dev/xvda
+          Ebs:
+            VolumeSize: 20
+            Encrypted: false
+        - DeviceName: /dev/xvdb
+          Ebs:
+            VolumeSize: 20

aws/cloudformation/abstract/s3-unencrypted/README.md

@@ -0,0 +1,13 @@
+# S3 Unencrypted
+
+This shows the three states of S3 buckets.  One is unencrypted.  One is encrypted using Customer Managed Keys (CMK).  And one is encrypted using Provider Managed Keys (PMK).
+
+As long as encryption is provided one is not better then the other, so there are two expectations.  If the CMK is known then the unencrypted bucket should be encrypted using it (example `expected-cmk`).  Otherwise it should be encrypted using PMK (example `expected-pmk`).  In either case the currently encrypted buckets shouldn't be touched.
+
+You should only test against one of the two expectations.
+
+## Unguessable info
+
+The expectation assumes the following:
+
+1. CMK: `arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key`

aws/cloudformation/abstract/s3-unencrypted/expected-cmk/main.yaml

@@ -0,0 +1,49 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  S3BucketUnencrypted:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"
+
+  S3BucketEncryptedWithPMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithCMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"

aws/cloudformation/abstract/s3-unencrypted/expected-pmk/main.yaml

@@ -0,0 +1,48 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  S3BucketUnencrypted:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithPMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithCMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"

aws/cloudformation/abstract/s3-unencrypted/main.yaml

@@ -0,0 +1,44 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Resources:
+  S3BucketUnencrypted:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+
+  S3BucketEncryptedWithPMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: AES256
+
+  S3BucketEncryptedWithCMK:
+    Type: AWS::S3::Bucket
+    Properties:
+      PublicAccessBlockConfiguration:
+        # flip these to true
+        BlockPublicAcls: false
+        BlockPublicPolicy: false
+        IgnorePublicAcls: false
+        RestrictPublicBuckets: false
+      BucketEncryption:
+        ServerSideEncryptionConfiguration:
+          - ServerSideEncryptionByDefault:
+              SSEAlgorithm: "aws:kms"
+              KMSMasterKeyID: "arn:aws:kms:us-east-1:111122223333:alias/my-s3-bucket-key"

aws/cloudformation/abstract/vpc-flow-logs-misconfig/README.md

@@ -0,0 +1,9 @@
+# VPC Flow Logs Misconfiguration
+
+Here a flow log set to the wrong bucket.  It should be fixed.
+
+## Unguessable info
+
+The expectation assumes the following:
+
+1. The VPC Flow Log LogDestination: `!Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"`

aws/cloudformation/abstract/vpc-flow-logs-misconfig/expected/main.yaml

@@ -0,0 +1,38 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  FlowLog_for_VPC:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32

aws/cloudformation/abstract/enable-vpc-flow-logs/expected/main.yaml → aws/cloudformation/abstract/vpc-flow-logs-misconfig/main.yaml

@@ -27,3 +27,12 @@ Resources:
       ResourceId: !Ref VPC
       ResourceType: VPC
       TrafficType: ALL
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32

aws/cloudformation/abstract/vpc-flow-logs-missing/README.md

@@ -0,0 +1,10 @@
+# VPC Flow Logs Missing
+
+Here there are no flow logs.  A flow log block should be added
+
+## Unguessable info
+
+The expectation assumes the following:
+
+1. The VPC Flow Log Object Name: `FlowLogBucket`
+1. The VPC Flow Log LogDestination: `!Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"`

aws/cloudformation/abstract/vpc-flow-logs-missing/expected/main.yaml

@@ -0,0 +1,38 @@
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32
+
+  FlowLogBucket:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL

aws/cloudformation/abstract/enable-vpc-flow-logs/main.yaml → aws/cloudformation/abstract/vpc-flow-logs-missing/main.yaml

@@ -18,3 +18,12 @@ Resources:
       Tags:
         - Key: Name
           Value: !Ref EnvironmentName
+
+  DefaultSG:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32

aws/cloudformation/abstract/vpc-undefined-default-sg/README.md

@@ -0,0 +1,10 @@
+# VPC with undefined Default SG
+
+A VPC without a defined default SG has an insecure enabled.  There is no way to prevent that, so the best solution is to make the default SG useless.
+
+## Unguessable Information
+
+The expected results assumes the following:
+
+1. The VPC SG safe port is "65535"
+2. The VPC SG safe CIDR is "1.1.1.1/32"

aws/cloudformation/abstract/vpc-undefined-default-sg/expected/main.yaml

@@ -0,0 +1,42 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+
+Transform: AWS::Serverless-2016-10-31
+
+Parameters:
+  EnvironmentName:
+    Description: An environment name that is prefixed to resource names
+    Type: String
+    Default: iac-scanning-poc-cf
+
+Resources:
+#################################
+## This section is for the VPC ##
+#################################
+  VPC:
+    Type: AWS::EC2::VPC
+    Properties:
+      CidrBlock: 10.0.0.0/16
+      EnableDnsSupport: true
+      EnableDnsHostnames: true
+      Tags:
+        - Key: Name
+          Value: !Ref EnvironmentName
+
+  DefaultSecurityGroupIngress:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      GroupId: !GetAtt VPC.DefaultSecurityGroup
+      IpProtocol: tcp
+      FromPort: 65535
+      ToPort: 65535
+      CidrIp: 1.1.1.1/32
+
+  VPCFlowLogs:
+    Type: AWS::EC2::FlowLog
+    Properties:
+      LogDestination: !Sub "arn:aws:s3:::gomboc-security-flowlogs-480437182633/${VPC}/"
+      LogDestinationType: s3
+      ResourceId: !Ref VPC
+      ResourceType: VPC
+      TrafficType: ALL