
Commit 149f8f2

authored
Merge pull request #137 from cloudgraphdev/alpha
Beta branch release
2 parents 3847690 + 67e5df7 commit 149f8f2

5 files changed

Lines changed: 73 additions & 37 deletions


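--- a/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-ec2-check-4.ts
+++ b/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-ec2-check-4.ts
@@ -34,9 +34,7 @@ export default {
 accountId
 __typename
 instanceId
-ec2Instance {
-arn
-}
+ec2InstanceAssociationId
 }
 }`,
 resource: 'queryawsEip[*]',
@@ -48,8 +46,8 @@ export default {
 notEqual: null,
 },
 {
-path: '@.ec2Instance',
-isEmpty: false,
+path: '@.ec2InstanceAssociationId',
+notEqual: null,
 },
 ],
 },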
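Review bot: The new condition at lines 49+/50+ requires ec2InstanceAssociationId to be non-null on top of the preceding `notEqual: null` condition, whose path lies outside the hunk; going by the fixtures in pci-dss-3.2.1-ec2-checks.test.ts it appears to be instanceId. An EIP bound to a network interface rather than an instance (NAT gateway, load balancer) would presumably carry an association id with a null instanceId and so be reported as unused, a false positive for a rule about unused addresses. If that is intended, a comment on the conditions block such as `// an EIP counts as in use only when bound to an EC2 instance` would record it; otherwise the instanceId condition could be dropped. A fixture for the association-without-instance case in the test file would pin whichever behaviour is meant. The enclosing export continues outside the hunk.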

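--- a/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-1.ts
+++ b/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-1.ts
@@ -34,18 +34,19 @@ export default {
 'https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-pci-controls.html',
 ],
 gql: `{
-queryawsIamUser {
+queryawsIamUser(filter: { name: { eq: "root" } }) {
 id
 arn
 accountId
-__typename
-name
+__typename
+accessKeysActive
 }
 }`,
+exclude: { not: { path: '@.name', equal: 'root' } },
 resource: 'queryawsIamUser[*]',
 severity: 'high',
 conditions: {
-path: '@.name',
-notEqual: 'root',
+path: '@.accessKeysActive',
+equal: false,
 },
 }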
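Review bot: The gql filter `queryawsIamUser(filter: { name: { eq: "root" } })` on line 37+ and the `exclude: { not: { path: '@.name', equal: 'root' } }` on line 45+ select the same rows, and nothing on the page says which one the evaluator actually relies on. If the exclude is a deliberate safety net for a data source that ignores the gql filter, a one-line comment above it saying so would stop the next reader from removing one of them. The condition `equal: false` on line 50+ also makes the outcome depend on accessKeysActive being populated: when the collector leaves it null or undefined the rule will presumably fail rather than pass, which is the safe direction, but the test file only covers true and false, so a fixture with the field absent would pin that.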

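--- a/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-3.ts
+++ b/src/aws/pci-dss-3.2.1/rules/pci-dss-3.2.1-iam-check-3.ts
@@ -45,24 +45,32 @@ export default {
 resource: 'queryawsIamPolicy[*]',
 severity: 'high',
 conditions: {
-not: {
-path: '@.policyContent.statement',
-array_any: {
-and: [
-{
-path: '[*].effect',
-equal: 'Allow',
-},
-{
-path: '[*].action',
-contains: '*',
-},
-{
-path: '[*].resource',
-contains: '*',
-},
-],
+or: [
+{
+path: '@.name',
+equal: 'AdministratorAccess',
 },
-},
+{
+not: {
+path: '@.policyContent.statement',
+array_any: {
+and: [
+{
+path: '[*].effect',
+equal: 'Allow',
+},
+{
+path: '[*].action',
+contains: '*',
+},
+{
+path: '[*].resource',
+contains: '*',
+},
+],
+},
+},
+}
+]
 },
 }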
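Review bot: The exemption at lines 50+/51+ matches the policy by `name` only, so any policy called AdministratorAccess is skipped, not just the AWS managed one; as far as I know a customer-managed policy may carry that name in its own account namespace, which would let a full-admin customer policy pass the check. Matching on the ARN is unambiguous if `arn` is part of the rule's gql selection (outside the hunk): `path: '@.arn',` / `equal: 'arn:aws:iam::aws:policy/AdministratorAccess',`, bearing in mind that other partitions (aws-cn, aws-us-gov) use a different prefix and would need their own entry. A short comment on the `or` branch stating why that policy is exempted would also help, since nothing in the rule explains it. The enclosing export continues outside the hunk.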

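--- a/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-ec2-checks.test.ts
+++ b/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-ec2-checks.test.ts
@@ -199,11 +199,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 {
 id: cuid(),
 instanceId: cuid(),
-ec2Instance: [
-{
-arn: cuid(),
-},
-],
+ec2InstanceAssociationId: cuid(),
 },
 ],
 }
@@ -222,7 +218,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 {
 id: cuid(),
 instanceId: null,
-ec2Instance: [],
+ec2InstanceAssociationId: null,
 },
 ],
 }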

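--- a/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-iam-checks.test.ts
+++ b/src/aws/pci-dss-3.2.1/tests/pci-dss-3.2.1-iam-checks.test.ts
@@ -18,12 +18,13 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 })
 
 describe('IAM Check 1: IAM root user access key should not exist', () => {
-test('Should fail when it finds a user called root', async () => {
+test('Should fail when root account has at least one access key active', async () => {
 const data = {
 queryawsIamUser: [
 {
 id: cuid(),
 name: 'root',
+accessKeysActive: true,
 },
 ],
 }
@@ -36,12 +37,13 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 expect(processedRule.result).toBe(Result.FAIL)
 })
 
-test('Should pass when it does not find a user called root', async () => {
+test('Should pass when a root account does not have any access key active', async () => {
 const data = {
 queryawsIamUser: [
 {
 id: cuid(),
-name: 'user',
+name: 'root',
+accessKeysActive: false,
 },
 ],
 }
@@ -101,6 +103,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 queryawsIamPolicy: [
 {
 id: cuid(),
+name: 'AdministratorAccess-Amplify',
 policyContent: {
 statement: [
 {
@@ -131,6 +134,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 queryawsIamPolicy: [
 {
 id: cuid(),
+name: 'AdministratorAccess-Amplify',
 policyContent: {
 statement: [
 {
@@ -157,6 +161,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 queryawsIamPolicy: [
 {
 id: cuid(),
+name: 'AdministratorAccess-Amplify',
 policyContent: {
 statement: [
 {
@@ -187,6 +192,7 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 queryawsIamPolicy: [
 {
 id: cuid(),
+name: 'AdministratorAccess-Amplify',
 policyContent: {
 statement: [
 {
@@ -207,6 +213,33 @@ describe('PCI Data Security Standard: 3.2.1', () => {
 
 expect(processedRule.result).toBe(Result.FAIL)
 })
+
+test('Should pass when IAM policies that allow full "*:*" administrative privileges for AdministratorAccess policy', async () => {
+const data = {
+queryawsIamPolicy: [
+{
+id: cuid(),
+name: 'AdministratorAccess',
+policyContent: {
+statement: [
+{
+effect: 'Allow',
+action: ['*'],
+resource: ['*'],
+},
+],
+},
+},
+],
+}
+
+const [processedRule] = await rulesEngine.processRule(
+Aws_PCI_DSS_321_IAM_3 as Rule,
+{ ...data } as any
+)
+
+expect(processedRule.result).toBe(Result.PASS)
+})
 })
 
 describe('IAM Check 4: Hardware MFA should be enabled for the root user', () => {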
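Review bot: The title of the new test at line 217+ does not read as a sentence (`Should pass when IAM policies that allow full "*:*" administrative privileges for AdministratorAccess policy`); `Should pass when the AWS managed AdministratorAccess policy allows full "*:*" administrative privileges` states the intent. The fixture covers only the happy side of the name exemption: the AdministratorAccess-Amplify cases show a differently named full-admin policy failing, but nothing shows what happens when the exempted name appears on a policy the rule should still flag, which is worth a case if the exemption is ever tightened to the managed policy's ARN. For IAM Check 1, the two fixtures cover `accessKeysActive: true` and `false` but not a root record with the field missing, so the rule's behaviour on unpopulated collector data is currently unpinned.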
