feat(CG-1284): add networking rule support

Author: james-zhou-inspire11

src/aws/cis-1.5.0/README.md

@@ -57,4 +57,7 @@ Policy Pack based on the [AWS Foundations 1.5.0](https://drive.google.com/file/d
 
 | Rule          | Description                                                                                                                 |
 | ------------- | --------------------------------------------------------------------------------------------------------------------------- |
-
+| AWS CIS 5.1   | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports                                   |
+| AWS CIS 5.2   | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports                                |
+| AWS CIS 5.4   | Ensure the default security group of every VPC restricts all traffic                                                        |
+| AWS CIS 5.5   | Ensure routing tables for VPC peering are "least access"                                                                    |

src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.1.ts

@@ -0,0 +1,114 @@
+export default {
+  id: 'aws-cis-1.5.0-5.1',  
+  title: 'AWS CIS 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports',
+  
+  description: 'The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.',
+  
+  audit: `**From Console:**  
+  Perform the following to determine if the account is configured as prescribed:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Network ACLs*
+  3. For each network ACL, perform the following:
+      - Select the network ACL
+      - Click the *Inbound Rules* tab
+      - Ensure no rule exists that has a port range that includes port *22*, *3389*, or other remote server administration ports for your environment and has a *Source* of *0.0.0.0/0* and shows *ALLOW*
+  
+  **Note:** A Port value of *ALL* or a port range such as *0-1024* are inclusive of port *22*, *3389*, and other remote server administration ports`,
+  
+  rationale: 'Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.',
+  
+  remediation: `**From Console:**  
+  Perform the following:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Network ACLs*
+  3. For each network ACL to remediate, perform the following:
+      - Select the network ACL
+      - Click the *Inbound Rules* tab
+      - Click *Edit inbound rules*
+      - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click *Delete* to remove the offending inbound rule
+      - Click *Save*`,
+  
+  references: [
+      'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html',
+      'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison',
+  ],
+  gql: `{
+    queryawsNetworkAcl {
+      id
+      arn
+      accountId
+      __typename
+      inboundRules {
+        source
+        fromPort
+        toPort
+        allowOrDeny
+      }
+    }
+  }`,
+  resource: 'queryawsNetworkAcl[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      path: '@.inboundRules',
+      array_any: {
+        and: [
+          {
+            path: '[*].source',
+            in: ['0.0.0.0/0', '::/0'],
+          },
+          {
+            path: '[*].allowOrDeny',
+            equal: 'allow',
+          },
+          {
+            or: [
+              {
+                and: [
+                  {
+                    path: '[*].fromPort',
+                    equal: null,
+                  },
+                  {
+                    path: '[*].toPort',
+                    equal: null,
+                  },
+                ],
+              },
+              {
+                or: [
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 22,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 22,
+                      },
+                    ],
+                  },
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 3389,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 3389,
+                      },
+                    ],
+                  },
+                ]
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+}

src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.2.ts

@@ -0,0 +1,105 @@
+export default {
+  id: 'aws-cis-1.5.0-5.2',  
+  title: 'AWS CIS 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports',
+  
+  description: 'Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.',
+  
+  audit: `Perform the following to determine if the account is configured as prescribed:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Ensure no rule exists that has a port range that includes port *22*, *3389*, or other remote server administration ports for your environment and has a *Source* of *0.0.0.0/0*
+  
+  **Note:** A Port value of *ALL* or a port range such as *0-1024* are inclusive of port *22*, *3389*, and other remote server administration ports.`,
+  
+  rationale: 'Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.',
+  
+  remediation: `Perform the following to implement the prescribed state:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Click the *Edit inbound rules* button
+  7. Identify the rules to be edited or removed
+  8. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click *Delete* to remove the offending inbound rule
+  9. Click *Save rules*`,
+  
+  references: ['https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule'],
+  gql: `{
+    queryawsSecurityGroup{
+      id
+      arn
+      accountId
+       __typename
+      inboundRules{
+        source
+        toPort
+        fromPort
+      }
+    }
+  }`,
+  resource: 'queryawsSecurityGroup[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      path: '@.inboundRules',
+      array_any: {
+        and: [
+          {
+            path: '[*].source',
+            in: ['0.0.0.0/0', '::/0'],
+          },
+          {
+            or: [
+              {
+                and: [
+                  {
+                    path: '[*].fromPort',
+                    equal: null,
+                  },
+                  {
+                    path: '[*].toPort',
+                    equal: null,
+                  },
+                ],
+              },
+              {
+                or: [
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 22,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 22,
+                      },
+                    ],
+                  },
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 3389,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 3389,
+                      },
+                    ],
+                  },
+                ]
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+}

src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.4.ts

@@ -0,0 +1,113 @@
+// AWS CIS 1.2.0 Rule equivalent 4.3
+export default {
+  id: 'aws-cis-1.5.0-5.3',
+  title:
+    'AWS CIS 5.3 Ensure the default security group of every VPC restricts all traffic',
+  description: `A VPC comes with a default security group whose initial settings deny all inbound traffic,
+  allow all outbound traffic, and allow all traffic between instances assigned to the security
+  group. If you don't specify a security group when you launch an instance, the instance is
+  automatically assigned to this default security group. Security groups provide stateful
+  filtering of ingress/egress network traffic to AWS resources. It is recommended that the
+  default security group restrict all traffic.
+
+  The default VPC in every region should have its default security group updated to comply.
+  Any newly created VPCs will automatically contain a default security group that will need
+  remediation to comply with this recommendation.
+
+  **NOTE:** When implementing this recommendation, VPC flow logging is invaluable in
+  determining the least privilege port access required by systems to work properly because it
+  can log all packet acceptances and rejections occurring under the current security groups.
+  This dramatically reduces the primary barrier to least privilege engineering - discovering
+  the minimum ports required by systems in the environment. Even if the VPC flow logging
+  recommendation in this benchmark is not adopted as a permanent security measure, it
+  should be used during any period of discovery and engineering for least privileged security
+  groups.`,
+  audit: `Perform the following to determine if the account is configured as prescribed:
+  Security Group State
+
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
+  3. In the left pane, click *Security Groups*
+  4. For each default security group, perform the following:
+  5. Select the *default* security group
+  6. Click the *Inbound Rules* tab
+  7. Ensure no rule exist
+  8. Click the *Outbound Rules* tab
+  9. Ensure no rules exist
+
+  Security Group Members
+
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. Repeat the next steps for all default groups in all VPCs - including the default VPC in each AWS region:
+  3. In the left pane, click *Security Groups*
+  4. Copy the id of the default security group.
+  5. Change to the EC2 Management Console at https://console.aws.amazon.com/ec2/v2/home
+  6. In the filter column type 'Security Group ID : < security group id from #4 >`,
+  rationale:
+    'Configuring all VPC default security groups to restrict all traffic will encourage least privilege security group development and mindful placement of AWS resources into security groups which will, in turn, reduce the exposure of those resources.',
+  remediation: `Security Group Members
+  Perform the following to implement the prescribed state:
+
+  1. Identify AWS resources that exist within the default security group
+  2. Create a set of least privilege security groups for those resources
+  3. Place the resources in those security groups
+  4. Remove the resources noted in #1 from the default security group
+
+  Security Group State
+
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. Repeat the next steps for all VPCs - including the default VPC in each AWS region:
+  3. In the left pane, click *Security Groups*
+  4. For each default security group, perform the following:
+  5. Select the *default* security group
+  6. Click the *Inbound Rules* tab
+  7. Remove any inbound rules
+  8. Click the *Outbound Rules* tab
+  9. Remove any inbound rules
+
+  Recommended:
+  IAM groups allow you to edit the "name" field. After remediating default groups rules for all VPCs in all regions, edit this field to add text similar to "DO NOT USE. DO NOT ADD RULES"`,
+  references: [
+    'CCE-79201-0',
+    'http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html',
+    'CIS CSC v6.0 #9.2',
+  ],
+  gql: `{
+    queryawsSecurityGroup(filter: { name: { eq: "default" } })   {
+      id
+      name
+      arn
+      accountId
+       __typename
+      inboundRules{
+        source
+      }
+      outboundRules{
+        destination
+      }
+    }
+  }`,
+  exclude: { not: { path: '@.name', equal: 'default' } },
+  resource: 'queryawsSecurityGroup[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      or: [
+        {
+          path: '@.inboundRules',
+          array_any: {
+            path: '[*].source',
+            in: ['0.0.0.0/0', '::/0'],
+          },
+        },
+        {
+          path: '@.outboundRules',
+          array_any: {
+            path: '[*].destination',
+            in: ['0.0.0.0/0', '::/0'],
+          },
+        },
+      ],
+    },
+  },
+}

src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.5.ts

@@ -0,0 +1,38 @@
+export default {
+  id: 'aws-cis-1.5.0-5.4',
+  title:
+    'AWS CIS 5.4 Ensure routing tables for VPC peering are "least access"',
+
+  description:
+    'Once a VPC peering connection is established, routing tables must be updated to establish any connections between the peered VPCs. These routes can be as specific as desired - even peering a VPC to only a single host on the other side of the connection.',
+
+  audit: `Review routing tables of peered VPCs for whether they route all subnets of each VPC and whether that is necessary to accomplish the intended purposes for peering the VPCs.
+
+**From Command Line:**
+
+1. List all the route tables from a VPC and check if "GatewayId" is pointing to a <peering_connection_id> (e.g. pcx-1a2b3c4d) and if "DestinationCidrBlock" is as specific as desired.
+
+        aws ec2 describe-route-tables --filter "Name=vpc-id,Values=<vpc_id>" --query "RouteTables[*].{RouteTableId:RouteTableId, VpcId:VpcId, Routes:Routes, AssociatedSubnets:Associations[*].SubnetId}"`,
+
+  rationale:
+    'Being highly selective in peering routing tables is a very effective way of minimizing the impact of breach as resources outside of these routes are inaccessible to the peered VPC.',
+
+  remediation: `Remove and add route table entries to ensure that the least number of subnets or hosts as is required to accomplish the purpose for peering are routable. 
+
+**From Command Line:**
+
+1. For each <route_table_id> containing routes non compliant with your routing policy (which grants more than desired "least access"), delete the non compliant route: 
+
+        aws ec2 delete-route --route-table-id <route_table_id> --destination-cidr-block <non_compliant_destination_CIDR>
+
+2. Create a new compliant route:
+
+        aws ec2 create-route --route-table-id <route_table_id> --destination-cidr-block <compliant_destination_CIDR> --vpc-peering-connection-id <peering_connection_id>`,
+
+  references: [
+    'https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html',
+    'https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpc-peering-connection.html',
+  ],
+
+  severity: 'high',
+}

src/aws/cis-1.5.0/rules/index.ts

@@ -1,2 +1,11 @@
+import Aws_CIS_150_51 from './aws-cis-1.5.0-5.1'
+import Aws_CIS_150_52 from './aws-cis-1.5.0-5.2'
+import Aws_CIS_150_54 from './aws-cis-1.5.0-5.4'
+import Aws_CIS_150_55 from './aws-cis-1.5.0-5.5'
+
 export default [
+  Aws_CIS_150_51,
+  Aws_CIS_150_52,
+  Aws_CIS_150_54,
+  Aws_CIS_150_55,
 ]