chore(merge): resolve conflicts

Author: tyler-dunkel

.yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs

@@ -2,6 +2,7 @@
   "name": "policy-packs",
   "version": "0.0.0",
   "description": "CloudGraph CSPM policy packs monorepo",
+  "packageManager": "yarn@3.2.0",
   "private": true,
   "repository": {
     "type": "git",
@@ -11,12 +12,14 @@
     "src/**/*"
   ],
   "devDependencies": {
+    "@qiwi/multi-semantic-release": "^6.1.1",
     "@semantic-release/changelog": "^6.0.1",
     "@semantic-release/git": "^10.0.1",
     "@semantic-release/github": "^8.0.1",
-    "semantic-release-pnpm": "^1.0.2",
-    "semantic-release": "^19.0.2",
-    "semantic-release-monorepo": "^7.0.5"
+    "@semantic-release/npm": "^9.0.1",
+    "@semrel-extra/npm": "^1.2.0",
+    "npm": "^8.8.0",
+    "semantic-release": "^19.0.2"
   },
   "resolutions": {
     "chalk": "^4.1.2"
@@ -29,12 +32,12 @@
     "singleQuote": true
   },
   "scripts": {
-    "release": "NODE_AUTH_TOKEN=$NPM_TOKEN pnpm -r --workspace-concurrency=1 exec -- pnpm semantic-release -e semantic-release-monorepo",
-    "install": "pnpm -r --workspace-concurrency=1 exec -- pnpm install",
-    "clean": "pnpm -r --workspace-concurrency=1 exec -- pnpm clean",
-    "lint": "pnpm -r --workspace-concurrency=1 exec -- pnpm lint",
-    "build": "pnpm -r --workspace-concurrency=1 exec -- pnpm build",
-    "test": "pnpm -r --workspace-concurrency=1 exec -- pnpm test"
+    "release": "NODE_AUTH_TOKEN=$NPM_TOKEN NPM_CONFIG_IGNORE_SCRIPTS='true' NODE_JQ_SKIP_INSTALL_BINARY='true' multi-semantic-release --ignore-scripts",
+    "clean": "yarn workspaces foreach -p run clean",
+    "lint": "yarn workspaces foreach run lint",
+    "lint:fix": "yarn workspaces foreach run lint:fix",
+    "prebuild": "tsc -b",
+    "build": "yarn workspaces foreach run build"
   },
   "dependencies": {
     "@cloudgraph/sdk": "0.21.1",

.yarn/releases/yarn-3.2.0.cjs

@@ -57,6 +57,38 @@ Policy Pack based on the [AWS Foundations 1.5.0](https://drive.google.com/file/d
 
 | Rule          | Description                                                                                                                 |
 | ------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| AWS CIS 1.1   | Maintain current contact details                                                                                            |
+| AWS CIS 1.2   | Ensure security contact information is registered                                                                           |
+| AWS CIS 1.3   | Ensure security questions are registered in the AWS account                                                                 |
+| AWS CIS 1.4   | Ensure no 'root' user account access key exists                                                                             |
+| AWS CIS 1.5   | Ensure MFA is enabled for the 'root' user account                                                                           |
+| AWS CIS 1.6   | Ensure hardware MFA is enabled for the 'root' user account                                                                  |
+| AWS CIS 1.7   | Eliminate use of the 'root' user for administrative and daily tasks                                                         |
+| AWS CIS 1.8   | Ensure IAM password policy requires minimum length of 14 or greater                                                         |
+| AWS CIS 1.9   | Ensure IAM password policy prevents password reuse                                                                          |
+| AWS CIS 1.10  | Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password                          |
+| AWS CIS 1.11  | Do not setup access keys during initial user setup for all IAM users that have a console password                           |
+| AWS CIS 1.12  | Ensure credentials unused for 45 days or greater are disabled                                                               |
+| AWS CIS 1.13  | Ensure there is only one active access key available for any single IAM user                                                |
+| AWS CIS 1.14  | Ensure access keys are rotated every 90 days or less                                                                        |
+| AWS CIS 1.15  | Ensure IAM Users Receive Permissions Only Through Groups                                                                    |
+| AWS CIS 1.16  | Ensure IAM policies that allow full "*:*" administrative privileges are not attached                                        |
+| AWS CIS 1.17  | Ensure a support role has been created to manage incidents with AWS Support                                                 |
+| AWS CIS 1.18  | Ensure IAM instance roles are used for AWS resource access from instances                                                   |
+| AWS CIS 1.19  | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed                                              |
+| AWS CIS 1.20  | Ensure that IAM Access analyzer is enabled for all regions                                                                  |
+| AWS CIS 1.21  | Ensure IAM users are managed centrally via identity federation or AWS Organizations for multi-account environments          |
+| AWS CIS 3.1   | Ensure CloudTrail is enabled in all regions                                                                                 |
+| AWS CIS 3.2   | Ensure CloudTrail log file validation is enabled                                                                            |
+| AWS CIS 3.3   | Ensure the S3 bucket used to store CloudTrail logs is not publicly accessible                                               |
+| AWS CIS 3.4   | Ensure CloudTrail trails are integrated with CloudWatch Logs                                                                |
+| AWS CIS 3.5   | Ensure AWS Config is enabled in all regions                                                                                 |
+| AWS CIS 3.6   | Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket                                                      |
+| AWS CIS 3.7   | Ensure CloudTrail logs are encrypted at rest using KMS CMKs                                                                 |
+| AWS CIS 3.8   | Ensure rotation for customer created CMKs is enabled                                                                        |
+| AWS CIS 3.9   | Ensure VPC flow logging is enabled in all VPCs                                                                              |
+| AWS CIS 3.10  | Ensure that Object-level logging for write events is enabled for S3 bucket                                                  |
+| AWS CIS 3.11  | Ensure that Object-level logging for read events is enabled for S3 bucket                                                   |
 | AWS CIS 4.1   | Ensure a log metric filter and alarm exist for unauthorized API calls                                                       |
 | AWS CIS 4.2   | Ensure a log metric filter and alarm exist for Management Console sign-in without MFA                                       |
 | AWS CIS 4.3   | Ensure a log metric filter and alarm exist for usage of 'root' account                                                      |

package.json

@@ -0,0 +1,32 @@
+export default {
+  id: 'aws-cis-1.5.0-1.',
+  title: 'AWS CIS 1.1 Maintain current contact details',
+
+  description: `Ensure contact email and telephone details for AWS accounts are current and map to more than one individual in your organization.
+
+  An AWS account supports a number of contact details, and AWS will use these to contact the account owner if activity judged to be in breach of Acceptable Use Policy or indicative of likely security compromise is observed by the AWS Abuse team. Contact details should not be for a single individual, as circumstances may arise where that individual is unavailable. Email contact details should point to a mail alias which forwards email to multiple individuals within the organization; where feasible, phone contact details should point to a PABX hunt group or other call-forwarding system.`,
+
+  audit: `This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing )
+
+  1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/.
+  2. On the navigation bar, choose your account name, and then choose My Account.
+  3. On the Account Settings page, review and verify the current details.
+  4. Under Contact Information, review and verify the current details.`,
+
+  rationale: 'If an AWS account is observed to be behaving in a prohibited or suspicious manner, AWS will attempt to contact the account owner by email and phone using the contact details listed. If this is unsuccessful and the account behavior needs urgent mitigation, proactive measures may be taken, including throttling of traffic between the account exhibiting suspicious behavior and the AWS API endpoints and the Internet. This will result in impaired service to and from the account in question, so it is in both the customers\' and AWS\' best interests that prompt contact can be established. This is best achieved by setting AWS account contact details to point to resources which have multiple individuals as recipients, such as email aliases and PABX hunt groups.',
+
+  remediation: `This activity can only be performed via the AWS Console, with a user who has permission to read and write Billing information (aws-portal:*Billing ).
+
+  1. Sign in to the AWS Management Console and open the Billing and Cost Management console at https://console.aws.amazon.com/billing/home#/.
+  2. On the navigation bar, choose your account name, and then choose My Account.
+  3. On the Account Settings page, next to Account Settings, choose Edit.
+  4. Next to the field that you need to update, choose Edit.
+  5. After you have entered your changes, choose Save changes.
+  6. After you have made your changes, choose Done.
+  7. To edit your contact information, under Contact Information, choose Edit.
+  8. For the fields that you want to change, type your updated information, and then choose Update.`,
+
+  references: ['https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html#contact-info'],
+
+  severity: 'high',
+}

src/aws/cis-1.5.0/README.md

@@ -0,0 +1,94 @@
+// AWS CIS 1.2.0 Rule equivalent 1.2
+export default {
+  id: 'aws-cis-1.5.0-1.10',  
+  title: 'AWS CIS 1.10 Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password',
+  
+  description: 'Multi-Factor Authentication (MFA) adds an extra layer of authentication assurance beyond traditional credentials. With MFA enabled, when a user signs in to the AWS Console, they will be prompted for their user name and password as well as for an authentication code from their physical or virtual MFA token. It is recommended that MFA be enabled for all accounts that have a console password.',
+  
+  audit: `Perform the following to determine if a MFA device is enabled for all IAM users having a console password:
+  
+  **From Console:**
+  
+  1. Open the IAM console at https://console.aws.amazon.com/iam/.
+  2. In the left pane, select *Users*
+  3. If the *MFA* or *Password age* columns are not visible in the table, click the gear icon at the upper right corner of the table and ensure a checkmark is next to both, then click *Close*.
+  4. Ensure that for each user where the *Password age* column shows a password age, the MFA column shows *Virtual*, *U2F Security Key*, or *Hardware*.
+  
+  **From Command Line:**
+  
+  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their password and MFA status:
+  
+          aws iam generate-credential-report
+          
+          aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,8
+  
+  2. The output of this command will produce a table similar to the following:
+  
+          user,password_enabled,mfa_active
+          elise,false,false
+          brandon,true,true
+          rakesh,false,false
+          helene,false,false
+          paras,true,true
+          anitha,false,false
+  
+  3. For any column having *password_enabled* set to *true*, ensure *mfa_active* is also set to *true*.`,
+  
+  rationale: 'Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that displays a time-sensitive key and have knowledge of a credential.',
+  
+  remediation: `Perform the following to enable MFA:
+  
+  **From Console:**
+  
+  1. Sign in to the AWS Management Console and open the IAM console at 'https://console.aws.amazon.com/iam/'
+  2. In the left pane, select *Users*.
+  3. In the *User Name* list, choose the name of the intended MFA user.
+  4. Choose the *Security Credentials* tab, and then choose *Manage MFA Device*.
+  5. In the *Manage MFA Device wizard*, choose *Virtual MFA* device, and then choose *Continue*.
+  
+      IAM generates and displays configuration information for the virtual MFA device, including a QR code graphic. The graphic is a representation of the 'secret configuration key' that is available for manual entry on devices that do not support QR codes.
+  
+  6. Open your virtual MFA application. (For a list of apps that you can use for hosting virtual MFA devices, see Virtual MFA Applications at https://aws.amazon.com/iam/details/mfa/#Virtual_MFA_Applications). If the virtual MFA application supports multiple accounts (multiple virtual MFA devices), choose the option to create a new account (a new virtual MFA device).
+  7. Determine whether the MFA app supports QR codes, and then do one of the following:
+  
+      - Use the app to scan the QR code. For example, you might choose the camera icon or choose an option similar to Scan code, and then use the device's camera to scan the code.
+      - In the Manage MFA Device wizard, choose Show secret key for manual configuration, and then type the secret configuration key into your MFA application.
+  
+      When you are finished, the virtual MFA device starts generating one-time passwords.
+  
+  8. In the *Manage MFA Device wizard*, in the *MFA Code 1 box*, type the *one-time password* that currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new one-time password. Then type the second *one-time password* into the *MFA Code 2 box*.
+  9. Click *Assign MFA*.`,
+  
+  references: [
+      'https://tools.ietf.org/html/rfc6238',
+      'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html',
+      'https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#enable-mfa-for-privileged-users',
+      'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_virtual.html',
+      'CCE-78901-6',
+      'https://blogs.aws.amazon.com/security/post/Tx2SJJYE082KBUK/How-to-Delegate-Management-of-Multi-Factor-Authentication-to-AWS-IAM-Users',
+  ],
+  gql: `{
+    queryawsIamUser {
+      id
+      arn
+      accountId
+       __typename
+      passwordEnabled
+      mfaActive
+    }
+  }`,
+  resource: 'queryawsIamUser[*]',
+  severity: 'high',
+  conditions: {
+    or: [
+      {
+        path: '@.passwordEnabled',
+        equal: false,
+      },
+      {
+        path: '@.mfaActive',
+        equal: true,
+      }
+    ]
+  },
+}

src/aws/cis-1.5.0/rules/aws-cis-1.5.0-1.1.ts

@@ -0,0 +1,66 @@
+export default {
+  id: 'aws-cis-1.5.0-1.11',  
+  title: 'AWS CIS 1.11 Do not setup access keys during initial user setup for all IAM users that have a console password',
+  
+  description: `AWS console defaults to no check boxes selected when creating a new IAM user. When cerating the IAM User credentials you have to determine what type of access they require.
+  
+  Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.
+  
+  AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user.`,
+  
+  audit: `Perform the following to determine if access keys were created upon user creation and are being used and rotated as prescribed:
+  
+  **From Console:**
+  
+  1. Login to the AWS Management Console
+  2. Click Services
+  3. Click IAM
+  4. Click on a User where column Password age and Access key age is not set to None
+  5. Click on Security credentials Tab
+  6. Compare the user 'Creation timeto the Access KeyCreated date.
+  7. For any that match, the key was created during initial user setup.
+      - Keys that were created at the same time as the user profile and do not have a last used date should be deleted. Refer to the remediation below.
+  
+  **From Command Line:**
+  
+  1. Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization:
+  
+          aws iam generate-credential-report
+  
+          aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16
+  
+  2. The output of this command will produce a table similar to the following:
+  
+      user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date elise,false,true,2015-04-16T15:14:00+00:00,false,N/A brandon,true,true,N/A,false,N/A rakesh,false,false,N/A,false,N/A helene,false,true,2015-11-18T17:47:00+00:00,false,N/A paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00 anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A
+  
+  3. For any user having password_enabled set to true AND access_key_last_used_date set to N/A refer to the remediation below.`,
+  
+  rationale: `Requiring the additional steps be taken by the user for programmatic access after their profile has been created will give a stronger indication of intent that access keys are [a] necessary for their work and [b] once the access key is established on an account that the keys may be in use somewhere in the organization.
+  
+  **Note:** Even if it is known the user will need access keys, require them to create the keys themselves or put in a support ticket to have them created as a separate step from user creation.`,
+  
+  remediation: `Perform the following to delete access keys that do not pass the audit:
+  
+  **From Console:**
+  
+  1. Login to the AWS Management Console:
+  2. Click Services
+  3. Click IAM
+  4. Click on Users
+  5. Click on Security Credentials
+  6. As an Administrator
+      - Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
+  7. As an IAM User
+      - Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.
+  
+  **From Command Line:**
+  
+      aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>`,
+  
+  references: [
+      'https://docs.aws.amazon.com/cli/latest/reference/iam/delete-access-key.html',
+      'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html',
+  ],
+
+  severity: 'high',
+}