cloudgraphdev
diff --git a/‎src/aws/cis-1.5.0/README.md‎
Lines changed: 5 additions & 0 deletions b/‎src/aws/cis-1.5.0/README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.1.ts‎
Lines changed: 114 additions & 0 deletions b/‎src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.1.ts‎
Lines changed: 114 additions & 0 deletions
diff --git a/‎src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.2.ts‎
Lines changed: 105 additions & 0 deletions b/‎src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.2.ts‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.3.ts‎
Lines changed: 109 additions & 0 deletions b/‎src/aws/cis-1.5.0/rules/aws-cis-1.5.0-5.3.ts‎
Lines changed: 109 additions & 0 deletions
@@ -104,3 +104,8 @@ Policy Pack based on the [AWS Foundations 1.5.0](https://drive.google.com/file/d
 | AWS CIS 4.13  | Ensure a log metric filter and alarm exist for route table changes                                                          |
 | AWS CIS 4.14  | Ensure a log metric filter and alarm exist for VPC changes                                                                  |
 | AWS CIS 4.15  | Ensure a log metric filter and alarm exists for AWS Organizations changes                                                   |
+| AWS CIS 5.1   | Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports                                   |
+| AWS CIS 5.2   | Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports                                |
+| AWS CIS 5.3   | Ensure no security groups allow ingress from ::/0 to remote server administration ports                                     |
+| AWS CIS 5.4   | Ensure the default security group of every VPC restricts all traffic                                                        |
+| AWS CIS 5.5   | Ensure routing tables for VPC peering are "least access"                                                                    |
@@ -0,0 +1,114 @@
+export default {
+  id: 'aws-cis-1.5.0-5.1',  
+  title: 'AWS CIS 5.1 Ensure no Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports',
+  
+  description: 'The Network Access Control List (NACL) function provide stateless filtering of ingress and egress network traffic to AWS resources. It is recommended that no NACL allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.',
+  
+  audit: `**From Console:**  
+  Perform the following to determine if the account is configured as prescribed:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Network ACLs*
+  3. For each network ACL, perform the following:
+      - Select the network ACL
+      - Click the *Inbound Rules* tab
+      - Ensure no rule exists that has a port range that includes port *22*, *3389*, or other remote server administration ports for your environment and has a *Source* of *0.0.0.0/0* and shows *ALLOW*
+  
+  **Note:** A Port value of *ALL* or a port range such as *0-1024* are inclusive of port *22*, *3389*, and other remote server administration ports`,
+  
+  rationale: 'Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.',
+  
+  remediation: `**From Console:**  
+  Perform the following:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Network ACLs*
+  3. For each network ACL to remediate, perform the following:
+      - Select the network ACL
+      - Click the *Inbound Rules* tab
+      - Click *Edit inbound rules*
+      - Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click *Delete* to remove the offending inbound rule
+      - Click *Save*`,
+  
+  references: [
+      'https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html',
+      'https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison',
+  ],
+  gql: `{
+    queryawsNetworkAcl {
+      id
+      arn
+      accountId
+      __typename
+      inboundRules {
+        source
+        fromPort
+        toPort
+        allowOrDeny
+      }
+    }
+  }`,
+  resource: 'queryawsNetworkAcl[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      path: '@.inboundRules',
+      array_any: {
+        and: [
+          {
+            path: '[*].source',
+            in: ['0.0.0.0/0', '::/0'],
+          },
+          {
+            path: '[*].allowOrDeny',
+            equal: 'allow',
+          },
+          {
+            or: [
+              {
+                and: [
+                  {
+                    path: '[*].fromPort',
+                    equal: null,
+                  },
+                  {
+                    path: '[*].toPort',
+                    equal: null,
+                  },
+                ],
+              },
+              {
+                or: [
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 22,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 22,
+                      },
+                    ],
+                  },
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 3389,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 3389,
+                      },
+                    ],
+                  },
+                ]
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+}
@@ -0,0 +1,105 @@
+export default {
+  id: 'aws-cis-1.5.0-5.2',  
+  title: 'AWS CIS 5.2 Ensure no security groups allow ingress from 0.0.0.0/0 to remote server administration ports',
+  
+  description: 'Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port 22 and RDP to port 3389.',
+  
+  audit: `Perform the following to determine if the account is configured as prescribed:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Ensure no rule exists that has a port range that includes port *22*, *3389*, or other remote server administration ports for your environment and has a *Source* of *0.0.0.0/0*
+  
+  **Note:** A Port value of *ALL* or a port range such as *0-1024* are inclusive of port *22*, *3389*, and other remote server administration ports.`,
+  
+  rationale: 'Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.',
+  
+  remediation: `Perform the following to implement the prescribed state:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Click the *Edit inbound rules* button
+  7. Identify the rules to be edited or removed
+  8. Either A) update the Source field to a range other than 0.0.0.0/0, or, B) Click *Delete* to remove the offending inbound rule
+  9. Click *Save rules*`,
+  
+  references: ['https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule'],
+  gql: `{
+    queryawsSecurityGroup{
+      id
+      arn
+      accountId
+      __typename
+      inboundRules{
+        source
+        toPort
+        fromPort
+      }
+    }
+  }`,
+  resource: 'queryawsSecurityGroup[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      path: '@.inboundRules',
+      array_any: {
+        and: [
+          {
+            path: '[*].source',
+            equal: '0.0.0.0/0',
+          },
+          {
+            or: [
+              {
+                and: [
+                  {
+                    path: '[*].fromPort',
+                    equal: null,
+                  },
+                  {
+                    path: '[*].toPort',
+                    equal: null,
+                  },
+                ],
+              },
+              {
+                or: [
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 22,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 22,
+                      },
+                    ],
+                  },
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 3389,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 3389,
+                      },
+                    ],
+                  },
+                ]
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+}
@@ -0,0 +1,109 @@
+export default {
+  id: 'aws-cis-1.5.0-5.3',
+  title: 'AWS CIS 5.3 Ensure no security groups allow ingress from ::/0 to remote server administration ports',
+  
+  description: 'Security groups provide stateful filtering of ingress and egress network traffic to AWS resources. It is recommended that no security group allows unrestricted ingress access to remote server administration ports, such as SSH to port *22* and RDP to port *3389*.',
+  
+  audit: `Perform the following to determine if the account is configured as prescribed:
+  
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Ensure no rule exists that has a port range that includes port 22, 3389, or other remote server administration ports for your environment and has a Source of ::/0
+  
+  **Note:** A Port value of *ALL* or a port range such as *0-1024* are inclusive of port *22*, *3389*,
+  and other remote server administration ports.`,
+  
+  rationale: 'Public access to remote server administration ports, such as 22 and 3389, increases resource attack surface and unnecessarily raises the risk of resource compromise.',
+  
+  remediation: `Perform the following to implement the prescribed state:
+
+  1. Login to the AWS Management Console at https://console.aws.amazon.com/vpc/home
+  2. In the left pane, click *Security Groups*
+  3. For each security group, perform the following:
+  
+  Page 215
+  
+  4. Select the security group
+  5. Click the *Inbound Rules* tab
+  6. Click the *Edit inbound rules* button
+  7. Identify the rules to be edited or removed
+  8. Either A) update the Source field to a range other than ::/0, or, B) Click *Delete* to remove the offending inbound rule
+  9. Click *Save rules*`,
+
+  references: ['https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#deleting-security-group-rule'],
+  gql: `{
+    queryawsSecurityGroup{
+      id
+      arn
+      accountId
+      __typename
+      inboundRules{
+        source
+        toPort
+        fromPort
+      }
+    }
+  }`,
+  resource: 'queryawsSecurityGroup[*]',
+  severity: 'high',
+  conditions: {
+    not: {
+      path: '@.inboundRules',
+      array_any: {
+        and: [
+          {
+            path: '[*].source',
+            equal: '::/0',
+          },
+          {
+            or: [
+              {
+                and: [
+                  {
+                    path: '[*].fromPort',
+                    equal: null,
+                  },
+                  {
+                    path: '[*].toPort',
+                    equal: null,
+                  },
+                ],
+              },
+              {
+                or: [
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 22,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 22,
+                      },
+                    ],
+                  },
+                  {
+                    and: [
+                      {
+                        path: '[*].fromPort',
+                        lessThanInclusive: 3389,
+                      },
+                      {
+                        path: '[*].toPort',
+                        greaterThanInclusive: 3389,
+                      },
+                    ],
+                  },
+                ]
+              },
+            ],
+          },
+        ],
+      },
+    },
+  },
+}