Merge pull request #126 from cloudgraphdev/fix/CG-1327-aws-140-212

fix(CG-1327): fix AWS CIS 1.40 2.1.2 rule

Author: tyler-dunkel

src/aws/cis-1.4.0/rules/aws-cis-1.4.0-2.1.2.ts

@@ -116,4 +116,73 @@ export default {
   ],
 
   severity: 'medium',
+  gql: `{
+    queryawsS3 {
+      id
+      arn
+      accountId
+      __typename
+      policy {
+        statement {
+          effect
+          action
+          principal {
+            key
+            value
+          }
+          condition {
+            key
+            operator
+            value
+          }
+        }
+      }
+    }
+  }`,
+  resource: 'queryawsS3[*]',
+  conditions: {
+    path: '@.policy.statement',
+    array_any: {
+      and: [
+        {
+          path: '[*].effect',
+          equal: 'Deny',
+        },
+        {
+          path: '[*].principal',
+          array_any: {
+            and: [
+              {
+                path: '[*].key',
+                in: ['', 'AWS'],
+              },
+              {
+                path: '[*].value',
+                contains: '*',
+              },
+            ],
+          },
+        },
+        {
+          path: '[*].action',
+          contains: 's3:*',
+        },
+        {
+          path: '[*].condition',
+          array_any: {
+            and: [
+              {
+                path: '[*].key',
+                equal: 'aws:SecureTransport',
+              },
+              {
+                path: '[*].value',
+                contains: 'false',
+              },
+            ],
+          },
+        },
+      ],
+    },
+  },
 }

src/aws/cis-1.4.0/tests/aws-cis-1.4.0-2.x.test.ts

@@ -3,10 +3,32 @@ import cuid from 'cuid'
 import { initRuleEngine } from '../../../utils/test'
 
 import Aws_CIS_140_211 from '../rules/aws-cis-1.4.0-2.1.1'
+import Aws_CIS_140_212 from '../rules/aws-cis-1.4.0-2.1.2'
 import Aws_CIS_140_213 from '../rules/aws-cis-1.4.0-2.1.3'
 import Aws_CIS_140_215 from '../rules/aws-cis-1.4.0-2.1.5'
 import Aws_CIS_140_231 from '../rules/aws-cis-1.4.0-2.3.1'
 
+export interface Condition {
+  key: string
+  value: string[]
+}
+
+export interface Principal {
+  key: string
+  value: string[]
+}
+
+export interface Statement {
+  effect: string
+  action: string[]
+  principal: Principal[]
+  condition: Condition[]
+}
+
+export interface Policy {
+  statement: Statement[]
+}
+
 export interface QueryawsRdsDbInstance {
   id: string
   encrypted: boolean
@@ -17,6 +39,7 @@ export interface EncryptionRule {
 }
 export interface QueryawsS3 {
   id: string
+  policy?: Policy
   versioning?: string
   mfa?: string
   blockPublicAcls?: string
@@ -88,6 +111,102 @@ describe('CIS Amazon Web Services Foundations: 1.4.0', () => {
     })
   })
 
+  describe('AWS CIS 2.1.2 Ensure S3 Bucket Policy allows HTTPS requests', () => {
+    const getTestRuleFixture = (
+      effect: string,
+      action: string,
+      principal: Principal,
+      condition: Condition
+    ): CIS2xQueryResponse => {
+      return {
+        queryawsS3: [
+          {
+            id: cuid(),
+            policy: {
+              statement: [
+                {
+                  effect,
+                  action: [action],
+                  principal: [principal],
+                  condition: [condition],
+                },
+              ],
+            },
+          },
+        ],
+      }
+    }
+
+    // Act
+    const testRule = async (
+      data: CIS2xQueryResponse,
+      expectedResult: Result
+    ): Promise<void> => {
+      // Act
+      const [processedRule] = await rulesEngine.processRule(
+        Aws_CIS_140_212 as Rule,
+        { ...data }
+      )
+
+      // Asserts
+      expect(processedRule.result).toBe(expectedResult)
+    }
+
+    test('No Security Issue when S3 bucket policies only allow requests that use HTTPS', async () => {
+      const principal: Principal = {
+        key: 'AWS',
+        value: ['*'],
+      }
+      const condition: Condition = {
+        key: 'aws:SecureTransport',
+        value: ['false'],
+      }
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Deny',
+        's3:*',
+        principal,
+        condition
+      )
+
+      await testRule(data, Result.PASS)
+    })
+
+    test('Security Issue when S3 bucket policy does not have SecureTransport enabled', async () => {
+      const principal: Principal = {
+        key: 'AWS',
+        value: ['arn:aws:iam::111122223333:root'],
+      }
+      const condition: Condition = {
+        key: 'aws:SecureTransport',
+        value: ['false'],
+      }
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Allow',
+        's3:*',
+        principal,
+        condition
+      )
+
+      await testRule(data, Result.FAIL)
+    })
+
+    test('Security Issue when S3 bucket policy have SecureTransport enabled but grants permission to any public anonymous users', async () => {
+      const principal: Principal = { key: '', value: ['*'] }
+      const condition: Condition = {
+        key: 'aws:SecureTransport',
+        value: ['true'],
+      }
+      const data: CIS2xQueryResponse = getTestRuleFixture(
+        'Allow',
+        's3:*',
+        principal,
+        condition
+      )
+
+      await testRule(data, Result.FAIL)
+    })
+  })
+
   describe('AWS CIS 2.1.3 Ensure MFA Delete is enable on S3 buckets', () => {
     const getTestRuleFixture = (
       versioning: string,