feat(CG-1285): add aws cis 150 5.3

james-zhou-inspire11 · james-zhou-inspire11 · commit 65289997ec7a · 2022-10-30T23:33:43.000-05:00
diff --git a/src/aws/cis-1.5.0/README.md b/src/aws/cis-1.5.0/README.md
@@ -59,5 +59,6 @@ Policy Pack based on the [AWS Foundations 1.5.0](https://drive.google.com/file/d
 | ------------- | --------------------------------------------------------------------------------------------------------------------------- |
 | AWS CIS 5.1   | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports                                   |
 | AWS CIS 5.2   | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports                                |
+| AWS CIS 5.3   | Ensure no security groups allow ingress from ::/0 to remote server administration ports                                     |
 | AWS CIS 5.4   | Ensure the default security group of every VPC restricts all traffic                                                        |
 | AWS CIS 5.5   | Ensure routing tables for VPC peering are "least access"                                                                    |
diff --git a/src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.2.ts b/src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.2.ts
@@ -35,7 +35,7 @@ export default {
       id
       arn
       accountId
-       __typename
+      __typename
       inboundRules{
         source
         toPort
@@ -52,7 +52,7 @@ export default {
         and: [
           {
             path: '[*].source',
-            in: ['0.0.0.0/0', '::/0'],
+            equal: '0.0.0.0/0',
           },
           {
             or: [
diff --git a/src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.3.ts b/src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.3.ts
@@ -0,0 +1,109 @@
+export default {
+  id: 'aws-cis-1.5.0-5.3',
+  title: 'AWS CIS 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports',
+  
+  description: 'Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port *22* and RDP to port *3389*.',
+  
+  audit: `Perform the following to determine if the account is configured as prescribed:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Ensure no rule exists that has a port range that includes port 22, 3389, or other remote server administration ports for your environment and has a Source of ::/0
+  
+  **Note:** A Port value of *ALL* or a port range such as *0-1024* are inclusive of port *22*, *3389*,
+  and other remote server administration ports.`,
+  
+  rationale: 'Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.',
+  
+  remediation: `Perform the following to implement the prescribed state:
+
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  
+  Page 215
+  
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Click the *Edit inbound rules* button
+  7. Identify the rules to be edited or removed
+  8. Either A) update the Source field to a range other than ::/0, or, B) Click *Delete* to remove the offending inbound rule
+  9. Click *Save rules*`,
+
+  references: ['https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule'],
+  gql: `{
+    queryawsSecurityGroup{
+      id
+      arn
+      accountId
+      __typename
+      inboundRules{
+        source
+        toPort
+        fromPort
+      }
+    }
+  }`,
+  resource: 'queryawsSecurityGroup[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      path: '@.inboundRules',
+      array_any: {
+        and: [
+          {
+            path: '[*].source',
+            equal: '::/0',
+          },
+          {
+            or: [
+              {
+                and: [
+                  {
+                    path: '[*].fromPort',
+                    equal: null,
+                  },
+                  {
+                    path: '[*].toPort',
+                    equal: null,
+                  },
+                ],
+              },
+              {
+                or: [
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 22,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 22,
+                      },
+                    ],
+                  },
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 3389,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 3389,
+                      },
+                    ],
+                  },
+                ]
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+}
diff --git a/src/aws/cis-1.5.0/rules/index.ts b/src/aws/cis-1.5.0/rules/index.ts
@@ -1,11 +1,13 @@
 import Aws_CIS_150_51 from './aws-cis-1.5.0-5.1'
 import Aws_CIS_150_52 from './aws-cis-1.5.0-5.2'
+import Aws_CIS_150_53 from './aws-cis-1.5.0-5.3'
 import Aws_CIS_150_54 from './aws-cis-1.5.0-5.4'
 import Aws_CIS_150_55 from './aws-cis-1.5.0-5.5'
 
 export default [
   Aws_CIS_150_51,
   Aws_CIS_150_52,
+  Aws_CIS_150_53,
   Aws_CIS_150_54,
   Aws_CIS_150_55,
 ]
diff --git a/src/aws/cis-1.5.0/tests/aws-cis-1.5.0-5.x.test.ts b/src/aws/cis-1.5.0/tests/aws-cis-1.5.0-5.x.test.ts
@@ -4,6 +4,7 @@ import { initRuleEngine } from '../../../utils/test'
 
 import Aws_CIS_150_51 from '../rules/aws-cis-1.5.0-5.1'
 import Aws_CIS_150_52 from '../rules/aws-cis-1.5.0-5.2'
+import Aws_CIS_150_53 from '../rules/aws-cis-1.5.0-5.3'
 import Aws_CIS_150_54 from '../rules/aws-cis-1.5.0-5.4'
 
 const ipV4WildcardAddress = '0.0.0.0/0'
@@ -255,9 +256,9 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
       await testRule(3389, 3389, '10.10.10.10/16', Result.PASS)
     })
 
-    test('No Security Issue when there is an inbound rule with IPv6 wildcard address and port 80', async () => {
-      await testRule(80, 80, ipV6WildcardAddress, Result.PASS)
-    })
+    // test('No Security Issue when there is an inbound rule with IPv6 wildcard address and port 80', async () => {
+    //   await testRule(80, 80, ipV6WildcardAddress, Result.PASS)
+    // })
 
     test('No Security Issue when there is an inbound rule with a random IPv4 and a port range not including the port 22', async () => {
       await testRule(
@@ -277,33 +278,10 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
       )
     })
 
-    test('No Security Issue when there is an inbound rule with IPv6 wildcard address and a port range not including the port 22', async () => {
-      await testRule(
-        100,
-        200,
-        ipV6WildcardAddress,
-        Result.PASS
-      )
-    })
-
-    test('No Security Issue when there is an inbound rule with IPv6 wildcard address and a port range not including the port 3389 (multiple values)', async () => {
-      await testRule(
-        1000,
-        2000,
-        ipV6WildcardAddress,
-        Result.PASS,
-        true
-      )
-    })
-
     test('Security Issue when IPv4 wildcard address and port 22', async () => {
       await testRule(22, 22, ipV4WildcardAddress, Result.FAIL)
     })
 
-    test('Security Issue when IPv6 wildcard address and port 3389', async () => {
-      await testRule(3389, 3389, ipV6WildcardAddress, Result.FAIL)
-    })
-
     test('Security Issue when IPv4 wildcard address and port 22 (multiple values)', async () => {
       await testRule(
         22,
@@ -333,6 +311,104 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
       )
     })
 
+    test('Security Issue when there is an inbound rule with IPv4 wildcard address and port range includes the port 22', async () => {
+      await testRule(0, 100, ipV4WildcardAddress, Result.FAIL)
+    })
+
+    test('No Security Issue when there is an inbound rule with security group as source', async () => {
+      await testRule(null, null, 'sg-049c76f349f62e4eb', Result.PASS)
+    })
+  })
+
+  describe('AWS CIS 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports', () => {
+    const testRule = async (
+      fromPort: number | null ,
+      toPort: number | null,
+      sourceAddress: string,
+      expectedResult: Result,
+      includeRandomValidData = false
+    ): Promise<void> => {
+      // Arrange
+      const validInboundRule = {
+        toPort: 123,
+        fromPort: 456,
+        source: '10.10.10.10/16',
+      }
+  
+      const data: QueryResponse = {
+        queryawsSecurityGroup: [
+          {
+            id: cuid(),
+            inboundRules: [
+              {
+                toPort,
+                fromPort,
+                source: sourceAddress,
+              },
+            ],
+          },
+        ],
+      }
+  
+      if (includeRandomValidData) {
+        data.queryawsSecurityGroup?.[0].inboundRules?.push(validInboundRule)
+        data.queryawsSecurityGroup?.push({
+          id: cuid(),
+          inboundRules: [validInboundRule, validInboundRule],
+        })
+      }
+  
+      // Act
+      const [processedRule] = await rulesEngine.processRule(Aws_CIS_150_53 as Rule, { ...data })
+  
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when there is an inbound rule with a random IPv4 address and port 22', async () => {
+      await testRule(22, 22, '10.10.10.10/16', Result.PASS)
+    })
+
+    test('No Security Issue when there is an inbound rule with a random IPv4 address and port 3389', async () => {
+      await testRule(3389, 3389, '10.10.10.10/16', Result.PASS)
+    })
+
+    test('No Security Issue when there is an inbound rule with IPv6 wildcard address and port 80', async () => {
+      await testRule(80, 80, ipV6WildcardAddress, Result.PASS)
+    })
+
+    test('No Security Issue when there is an inbound rule with a random IPv4 and a port range not including the port 22', async () => {
+      await testRule(
+        100,
+        200,
+        '10.10.10.10/16',
+        Result.PASS
+      )
+    })
+
+    test('No Security Issue when there is an inbound rule with IPv6 wildcard address and a port range not including the port 22', async () => {
+      await testRule(
+        100,
+        200,
+        ipV6WildcardAddress,
+        Result.PASS
+      )
+    })
+
+    test('No Security Issue when there is an inbound rule with IPv6 wildcard address and a port range not including the port 3389 (multiple values)', async () => {
+      await testRule(
+        1000,
+        2000,
+        ipV6WildcardAddress,
+        Result.PASS,
+        true
+      )
+    })
+
+    test('Security Issue when IPv6 wildcard address and port 3389', async () => {
+      await testRule(3389, 3389, ipV6WildcardAddress, Result.FAIL)
+    })
+
     test('Security Issue when there is an inbound rule with IPv6 wildcard address and no port range is specified', async () => {
       await testRule(
         null,
@@ -342,10 +418,6 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
       )
     })
 
-    test('Security Issue when there is an inbound rule with IPv4 wildcard address and port range includes the port 22', async () => {
-      await testRule(0, 100, ipV4WildcardAddress, Result.FAIL)
-    })
-
     test('Security Issue when there is an inbound rule with IPv6 wildcard address and port range includes the port 3389', async () => {
       await testRule(3000, 4000, ipV6WildcardAddress, Result.FAIL)
     })
@@ -355,7 +427,7 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
     })
   })
 
-  describe('AWS CIS 5.3 Ensure the default security group of every VPC restricts all traffic', () => {
+  describe('AWS CIS 5.4 Ensure the default security group of every VPC restricts all traffic', () => {
     const test53Rule = async (
       ingressSource: string,
       egressDestination: string,
