InSpec example controls related to AWS Network
# encoding: utf-8
# copyright: 2021, mk::labs

# InSpec profile controls for AWS networking: hardening of each VPC's
# 'default' security group, world-open FTP/Postgres ingress, and VPC
# configuration consistency. Uses the inspec-aws resources aws_vpcs,
# aws_vpc and aws_security_group.
title 'Network related resources compliance checks'
control 'Security groups hardening default - port 22' do
  # Every VPC carries its own 'default' security group, so each VPC id is
  # visited and its default group must not admit SSH (port 22) from anywhere.
  impact 0.7
  title 'Ensure default security groups do not allow port 22'
  desc 'Ensure default security groups do not allow port 22'
  tag severity: 'high',
      check: "Review your AWS console in EC2 menu, and check your security groups' rules",
      fix: 'Ideally fix this in your Infrastructure-as-Code (such as terraform/cloudformation/etc)'

  aws_vpcs.vpc_ids.each do |id|
    describe aws_security_group(vpc_id: id, group_name: 'default') do
      it { should_not allow_in(port: 22) }
    end
  end
end
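control 'Security groups hardening default ingress open to everything' do
  impact 0.7
  title 'Ensure default security groups do not allow 0.0.0.0/0'
  desc 'Ensure default security groups do not allow 0.0.0.0/0'
  tag "severity": 'high'
  tag "check": "Review your AWS console in EC2 menu, and check your security groups' rules"
  tag "fix": "Ideally fix this in your Infrastructure-as-Code (such as terraform/cloudformation/etc)"

  # Each VPC owns its own 'default' security group, so every VPC id is checked.
  aws_vpcs.vpc_ids.each do |vpc_id|
    describe aws_security_group(vpc_id: vpc_id, group_name: 'default') do
      # No ingress rule may be open to the whole IPv4 internet ...
      it { should_not allow_in(ipv4_range: '0.0.0.0/0') }
      # ... nor to the whole IPv6 internet, which the IPv4 check alone misses.
      it { should_not allow_in(ipv6_range: '::/0') }
    end
  end
end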
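control 'Security groups hardening - do not allow FTP ingress' do
  impact 0.8
  title 'Ensure AWS Security Groups disallow FTP ingress from 0.0.0.0/0.'
  desc 'Ensure AWS Security Groups disallow FTP ingress from 0.0.0.0/0.'
  tag "severity": 'high'
  tag "check": "Review your AWS console in EC2 menu, and check your security groups' rules"
  tag "fix": "Ideally fix this in your Infrastructure-as-Code (such as terraform/cloudformation/etc)"

  # Walk every security group of every VPC. The singular aws_security_group
  # resource describes exactly one group, so looking it up by vpc_id alone
  # appears to settle on a single match (TODO confirm against inspec-aws),
  # which would leave the remaining groups in that VPC unchecked.
  aws_vpcs.vpc_ids.each do |vpc_id|
    aws_security_groups.where(vpc_id: vpc_id).group_ids.each do |group_id|
      describe aws_security_group(group_id: group_id) do
        # FTP control port must not be reachable from the IPv4 or IPv6 internet.
        it { should_not allow_in(ipv4_range: '0.0.0.0/0', port: 21) }
        it { should_not allow_in(ipv6_range: '::/0', port: 21) }
      end
    end
  end
end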
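control 'Security groups hardening - do not allow access to postgres from everywhere' do
  impact 0.8
  title 'Ensure AWS Security Groups disallow postgres ingress from 0.0.0.0/0.'
  desc 'Ensure AWS Security Groups disallow postgres ingress from 0.0.0.0/0.'
  tag "severity": 'high'
  tag "check": "Review your AWS console in EC2 menu, and check your security groups' rules"
  tag "fix": "Ideally fix this in your Infrastructure-as-Code (such as terraform/cloudformation/etc)"

  # Walk every security group of every VPC. The singular aws_security_group
  # resource describes exactly one group, so looking it up by vpc_id alone
  # appears to settle on a single match (TODO confirm against inspec-aws),
  # which would leave the remaining groups in that VPC unchecked.
  aws_vpcs.vpc_ids.each do |vpc_id|
    aws_security_groups.where(vpc_id: vpc_id).group_ids.each do |group_id|
      describe aws_security_group(group_id: group_id) do
        # PostgreSQL (5432) must not be reachable from the IPv4 or IPv6 internet.
        it { should_not allow_in(ipv4_range: '0.0.0.0/0', port: 5432) }
        it { should_not allow_in(ipv6_range: '::/0', port: 5432) }
      end
    end
  end
end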
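control 'Consistency in VPCs config' do
  # NOTE(review): impact 0.4 falls in InSpec's "medium" band while the
  # severity tag says 'high' — confirm which one is intended.
  impact 0.4
  title 'Ensure all VPCs use the same DHCP option set'
  desc 'Ensure all VPCs use the same DHCP option set'
  tag "severity": 'high'
  tag "check": "Review your AWS console and check you VPCs state"
  tag "fix": "Ideally fix this in your Infrastructure-as-Code (such as terraform/cloudformation/etc)"

  # The expected option set id was hard-coded; it is now a profile input so
  # the control can be reused across accounts. The default keeps the original
  # value, which looks like a placeholder — override it per environment.
  expected_dhcp_options_id = input('vpc_dhcp_options_id', value: 'dopt-12345678')

  # Any VPC attached to a different DHCP option set is a finding.
  describe aws_vpcs.where { dhcp_options_id != expected_dhcp_options_id } do
    it { should_not exist }
  end
end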
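# Renamed: this control shared the id 'Consistency in VPCs config' with the
# DHCP option set control above, and InSpec identifies controls by id, so
# the two would collide in reports and in control-level includes/skips.
control 'Consistency in VPCs config - state and tenancy' do
  # NOTE(review): impact 0.4 falls in InSpec's "medium" band while the
  # severity tag says 'high' — confirm which one is intended.
  impact 0.4
  title 'Ensure VPCs have the correct state'
  desc 'Ensure VPCs have the correct state'
  tag "severity": 'high'
  tag "check": "Review your AWS console and check you VPCs state"
  tag "fix": "Ideally fix this in your Infrastructure-as-Code (such as terraform/cloudformation/etc)"

  # Expected tenancy is a profile input so dedicated-tenancy estates can
  # override it without editing the control.
  vpc_instance_tenancy = input('vpc_instance_tenancy', value: 'default')

  aws_vpcs.vpc_ids.each do |vpc_id|
    describe aws_vpc(vpc_id: vpc_id) do
      its('state') { should eq 'available' }
      its('instance_tenancy') { should eq vpc_instance_tenancy }
    end
  end
end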