Merge pull request #127 from cloudgraphdev/fix/CG-1328-aws-cis-140-215

fix(CG-1328): fix the AWS CIS 1.4.0 2.1.5 rule

Author: tyler-dunkel

src/aws/cis-1.4.0/README.md

@@ -82,7 +82,8 @@ Policy Pack based on the [AWS Foundations 1.4.0](https://docs.aws.amazon.com/aud
 | AWS CIS 2.1.2 | Ensure S3 Bucket Policy allows HTTPS requests                                                                               |
 | AWS CIS 2.1.3 | Ensure MFA Delete is enable on S3 buckets                                                                                   |
 | AWS CIS 2.1.4 | Ensure all data in Amazon S3 has been discovered, classified and secured when required.                                     |
-| AWS CIS 2.1.5 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'                                          |
+| AWS CIS 2.1.5.1 | Ensure that S3 Buckets are configured with 'Block public access (account settings)'                                       |
+| AWS CIS 2.1.5.2 | Ensure that S3 Buckets are configured with 'Block public access (bucket settings)'                                        |
 | AWS CIS 2.2.1 | Ensure EBS volume encryption is enabled                                                                                     |
 | AWS CIS 2.3.1 | Ensure that encryption is enabled for RDS Instances                                                                         |
 | AWS CIS 3.1   | Ensure CloudTrail is enabled in all regions                                                                                 |

…s/cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.ts …cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.1.tssrc/aws/cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.ts renamed to src/aws/cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.1.ts src/aws/cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.ts renamed to src/aws/cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.1.ts

@@ -1,43 +1,10 @@
 export default {
-  id: 'aws-cis-1.4.0-2.1.5',  
-  title: 'AWS CIS 2.1.5 Ensure that S3 Buckets are configured with \'Block public access (bucket settings)\'',
+  id: 'aws-cis-1.4.0-2.1.5.1',  
+  title: 'AWS CIS 2.1.5.1 Ensure that S3 Buckets are configured with \'Block public access (bucket settings)\' (account settings)',
 
   description: 'Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.',
 
-  audit: `**If utilizing Block Public Access (bucket settings)**  
-  **From Console:**
-  
-  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
-  2. Select the Check box next to the Bucket.
-  3. Click on 'Edit public access settings'.
-  4. Ensure that block public access settings are set appropriately for this bucket
-  5. Repeat for all the buckets in your AWS account.
-  
-  **From Command Line:**
-  
-  1. List all of the S3 Buckets
-  
-          aws s3 ls
-  
-  2. Find the public access setting on that bucket
-  
-          aws s3api get-public-access-block --bucket <name-of-the-bucket>
-  
-  Output if Block Public access is enabled:
-  
-          { 
-              "PublicAccessBlockConfiguration": { 
-                  "BlockPublicAcls": true,
-                  "IgnorePublicAcls": true,
-                  "BlockPublicPolicy": true,
-                  "RestrictPublicBuckets": true 
-              } 
-          }
-  
-  If the output reads false for the separate configuration settings then proceed to the remediation.
-  
-  **If utilizing Block Public Access (account settings)**  
-  **From Console:**
+  audit: `**From Console:**
   
   1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
   2. Choose Block public access (account settings)
@@ -61,33 +28,11 @@ export default {
   
   If the output reads *false* for the separate configuration settings then proceed to the remediation.`,
 
-  rationale: `Amazon S3 Block public access (bucket settings) prevents the accidental or malicious public exposure of data contained within the respective bucket(s).
-  
-  Amazon S3 Block public access (account settings) prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.
+  rationale: `Amazon S3 'Block public access (account settings)' prevents the accidental or malicious public exposure of data contained within all buckets of the respective AWS account.
   
   Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.`,
 
-  remediation: `**If utilizing Block Public Access (bucket settings)**  
-  **From Console:**
-  
-  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
-  2. Select the Check box next to the Bucket.
-  3. Click on 'Edit public access settings'.
-  4. Click 'Block all public access'
-  5. Repeat for all the buckets in your AWS account that contain sensitive data.
-  
-  **From Command Line:**
-  
-  1. List all of the S3 Buckets
-  
-          aws s3 ls
-  
-  2. Set the Block Public Access to true on that bucket
-  
-          aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
-  
-  **If utilizing Block Public Access (account settings)**  
-  **From Console:**  
+  remediation: `**From Console:**  
   If the output reads *true* for the separate configuration settings then it is set on the account.
   
   1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
@@ -104,34 +49,34 @@ export default {
   references: ['https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html'],
   gql: `{
     queryawsS3 {
-       id
-       arn
-       accountId
-       __typename
-       blockPublicAcls
-       ignorePublicAcls
-       blockPublicPolicy
-       restrictPublicBuckets
-     }
-   }`,
+      id
+      arn
+      accountId
+      __typename
+      accountLevelBlockPublicAcls
+      accountLevelIgnorePublicAcls
+      accountLevelBlockPublicPolicy
+      accountLevelRestrictPublicBuckets
+    }
+  }`,
   resource: 'queryawsS3[*]',
   severity: 'high',
   conditions: {
     and: [
       {
-        path: '@.blockPublicAcls',
+        path: '@.accountLevelBlockPublicAcls',
         equal: 'Yes',
       },
       {
-        path: '@.ignorePublicAcls',
+        path: '@.accountLevelIgnorePublicAcls',
         equal: 'Yes',
       },
       {
-        path: '@.blockPublicPolicy',
+        path: '@.accountLevelBlockPublicPolicy',
         equal: 'Yes',
       },
       {
-        path: '@.restrictPublicBuckets',
+        path: '@.accountLevelRestrictPublicBuckets',
         equal: 'Yes',
       },
     ],

src/aws/cis-1.4.0/rules/aws-cis-1.4.0-2.1.5.2.ts

@@ -0,0 +1,95 @@
+export default {
+  id: 'aws-cis-1.4.0-2.1.5.2',  
+  title: 'AWS CIS 2.1.5.2 Ensure that S3 Buckets are configured with \'Block public access (bucket settings)\' (bucket settings)',
+  
+  description: 'Amazon S3 provides Block public access (bucket settings) and Block public access (account settings) to help you manage public access to Amazon S3 resources. By default, S3 buckets and objects are created with public access disabled. However, an IAM principal with sufficient S3 permissions can enable public access at the bucket and/or object level. While enabled, Block public access (bucket settings) prevents an individual bucket, and its contained objects, from becoming publicly accessible. Similarly, Block public access (account settings) prevents all buckets, and contained objects, from becoming publicly accessible across the entire account.',
+  
+  audit: `**From Console:**
+  
+  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
+  2. Select the Check box next to the Bucket.
+  3. Click on 'Edit public access settings'.
+  4. Ensure that block public access settings are set appropriately for this bucket
+  5. Repeat for all the buckets in your AWS account.
+  
+  **From Command Line:**
+  
+  1. List all of the S3 Buckets
+  
+          aws s3 ls
+  
+  2. Find the public access setting on that bucket
+  
+          aws s3api get-public-access-block --bucket <name-of-the-bucket>
+  
+  Output if Block Public access is enabled:
+  
+          { 
+              "PublicAccessBlockConfiguration": { 
+                  "BlockPublicAcls": true,
+                  "IgnorePublicAcls": true,
+                  "BlockPublicPolicy": true,
+                  "RestrictPublicBuckets": true 
+              } 
+          }
+  
+  If the output reads false for the separate configuration settings then proceed to the remediation.`,
+  
+  rationale: `Amazon S3 'Block public access (bucket settings)' prevents the accidental or malicious public exposure of data contained within the respective bucket(s).
+
+  Whether blocking public access to all or some buckets is an organizational decision that should be based on data sensitivity, least privilege, and use case.`,
+  
+  remediation: `**From Console:**
+  
+  1. Login to AWS Management Console and open the Amazon S3 console using https://console.aws.amazon.com/s3/
+  2. Select the Check box next to the Bucket.
+  3. Click on 'Edit public access settings'.
+  4. Click 'Block all public access'
+  5. Repeat for all the buckets in your AWS account that contain sensitive data.
+  
+  **From Command Line:**
+  
+  1. List all of the S3 Buckets
+  
+          aws s3 ls
+  
+  2. Set the Block Public Access to true on that bucket
+  
+          aws s3api put-public-access-block --bucket <name-of-bucket> --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"`,
+  
+  references: ['https://docs.aws.amazon.com/AmazonS3/latest/user-guide/block-public-access-account.html'],
+  gql: `{
+    queryawsS3 {
+      id
+      arn
+      accountId
+      __typename
+      blockPublicAcls
+      ignorePublicAcls
+      blockPublicPolicy
+      restrictPublicBuckets
+    }
+  }`,
+  resource: 'queryawsS3[*]',
+  severity: 'high',
+  conditions: {
+    and: [
+      {
+        path: '@.blockPublicAcls',
+        equal: 'Yes',
+      },
+      {
+        path: '@.ignorePublicAcls',
+        equal: 'Yes',
+      },
+      {
+        path: '@.blockPublicPolicy',
+        equal: 'Yes',
+      },
+      {
+        path: '@.restrictPublicBuckets',
+        equal: 'Yes',
+      },
+    ],
+  },
+}

src/aws/cis-1.4.0/rules/index.ts

@@ -23,7 +23,8 @@ import Aws_CIS_140_211 from './aws-cis-1.4.0-2.1.1'
 import Aws_CIS_140_212 from './aws-cis-1.4.0-2.1.2'
 import Aws_CIS_140_213 from './aws-cis-1.4.0-2.1.3'
 import Aws_CIS_140_214 from './aws-cis-1.4.0-2.1.4'
-import Aws_CIS_140_215 from './aws-cis-1.4.0-2.1.5'
+import Aws_CIS_140_215_1 from './aws-cis-1.4.0-2.1.5.1'
+import Aws_CIS_140_215_2 from './aws-cis-1.4.0-2.1.5.2'
 import Aws_CIS_140_221 from './aws-cis-1.4.0-2.2.1'
 import Aws_CIS_140_231 from './aws-cis-1.4.0-2.3.1'
 import Aws_CIS_140_31 from './aws-cis-1.4.0-3.1'
@@ -83,7 +84,8 @@ export default [
   Aws_CIS_140_212,
   Aws_CIS_140_213,
   Aws_CIS_140_214,
-  Aws_CIS_140_215,
+  Aws_CIS_140_215_1,
+  Aws_CIS_140_215_2,
   Aws_CIS_140_221,
   Aws_CIS_140_231,
   Aws_CIS_140_31,

src/aws/cis-1.4.0/tests/aws-cis-1.4.0-2.x.test.ts

@@ -5,7 +5,8 @@ import { initRuleEngine } from '../../../utils/test'
 import Aws_CIS_140_211 from '../rules/aws-cis-1.4.0-2.1.1'
 import Aws_CIS_140_212 from '../rules/aws-cis-1.4.0-2.1.2'
 import Aws_CIS_140_213 from '../rules/aws-cis-1.4.0-2.1.3'
-import Aws_CIS_140_215 from '../rules/aws-cis-1.4.0-2.1.5'
+import Aws_CIS_140_215_1 from '../rules/aws-cis-1.4.0-2.1.5.1'
+import Aws_CIS_140_215_2 from '../rules/aws-cis-1.4.0-2.1.5.2'
 import Aws_CIS_140_231 from '../rules/aws-cis-1.4.0-2.3.1'
 
 export interface Condition {
@@ -46,6 +47,10 @@ export interface QueryawsS3 {
   ignorePublicAcls?: string
   blockPublicPolicy?: string
   restrictPublicBuckets?: string
+  accountLevelBlockPublicAcls?: string,
+  accountLevelIgnorePublicAcls?: string,
+  accountLevelBlockPublicPolicy?: string,
+  accountLevelRestrictPublicBuckets?: string
   encrypted?: string
   encryptionRules?: EncryptionRule[]
 }
@@ -262,7 +267,103 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
     })
   })
 
-  describe('AWS CIS 2.1.5 Ensure that S3 Buckets are configured with Block public access (bucket settings)', () => {
+  describe('AWS CIS 2.1.5.1 Ensure that S3 Buckets are configured with Block public access (account settings)', () => {
+    const getTestRuleFixture = (
+      accountLevelBlockPublicAcls: string,
+      accountLevelIgnorePublicAcls: string,
+      accountLevelBlockPublicPolicy: string,
+      accountLevelRestrictPublicBuckets: string,
+    ): CIS2xQueryResponse => {
+      return {
+        queryawsS3: [
+          {
+            id: cuid(),
+            accountLevelBlockPublicAcls,
+            accountLevelIgnorePublicAcls,
+            accountLevelBlockPublicPolicy,
+            accountLevelRestrictPublicBuckets,
+          },
+        ],
+      }
+    }
+
+    // Act
+    const testRule = async (
+      data: CIS2xQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Aws_CIS_140_215_1 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when S3 Account Level is configured with Block public access', async () => {
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Yes',
+        'Yes',
+        'Yes',
+        'Yes'
+      )
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when S3 Account Level is not configured with Block public access', async () => {
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'No',
+        'No',
+        'No',
+        'No'
+      )
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when S3 Account Level have a Block public access with blockPublicAcls set to No', async () => {
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'No',
+        'Yes',
+        'Yes',
+        'Yes'
+      )
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when S3 Account Level have a Block public access with ignorePublicAcls set to No', async () => {
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Yes',
+        'No',
+        'Yes',
+        'Yes'
+      )
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when S3 Account Level have a Block public access with blockPublicPolicy set to No', async () => {
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Yes',
+        'Yes',
+        'No',
+        'Yes'
+      )
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when S3 Account Level have a Block public access with restrictPublicBuckets set to No', async () => {
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Yes',
+        'Yes',
+        'Yes',
+        'No'
+      )
+      await testRule(data, Result.FAIL)
+    })
+  })
+
+  describe('AWS CIS 2.1.5.2 Ensure that S3 Buckets are configured with Block public access (bucket settings)', () => {
     const getTestRuleFixture = (
       blockPublicAcls: string,
       ignorePublicAcls: string,
@@ -289,7 +390,7 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
     ): Promise<void> => {
       // Act
       const [processedRule] = await rulesEngine.processRule(
-        Aws_CIS_140_215 as Rule,
+        Aws_CIS_140_215_2 as Rule,
         { ...data }
       )