From c5400ca434484cf225718e3b0a1e419358937469 Mon Sep 17 00:00:00 2001 
From: Anusha Hegde
Date: Fri, 12 Apr 2024 09:45:22 +0200
Subject: [PATCH] Adding terraform policies
---
.../check-awsvpc-network-mode.yaml | 27 ++++++++++++++
...lidate-ecs-container-insights-enabled.yaml | 26 ++++++++++++++
...-containers-nonprivileged-in-resource.yaml | 25 +++++++++++++
...validate-ecs-containers-nonprivileged.yaml | 31 ++++++++++++++++
.../validate-ecs-containers-readonly.yaml | 33 +++++++++++++++++
...ask-definition-log-configuration copy.yaml | 26 ++++++++++++++
...ecs-task-definition-log-configuration.yaml | 32 +++++++++++++++++
...ask-definition-memory-hard-limit copy.yaml | 27 ++++++++++++++
...ecs-task-definition-memory-hard-limit.yaml | 25 +++++++++++++
...date-ecs-task-definition-nonroot-user.yaml | 35 +++++++++++++++++++
...te-ecs-task-definition-pid-mode-check.yaml | 24 +++++++++++++
...on-user-for-host-mode-check-in-module.yaml | 30 ++++++++++++++++
...k-definition-user-for-host-mode-check.yaml | 35 +++++++++++++++++++
.../validate-ecs-task-public-ip.yaml | 27 ++++++++++++++
.../validate-efs-volume-encryption.yaml | 24 +++++++++++++
15 files changed, 427 insertions(+)
create mode 100644 controls/terraform-best-practices/check-awsvpc-network-mode.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-container-insights-enabled.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-containers-nonprivileged-in-resource.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-containers-nonprivileged.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-containers-readonly.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-log-configuration copy.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-log-configuration.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit copy.yaml
create mode 100644
controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-nonroot-user.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-pid-mode-check.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check-in-module.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check.yaml
create mode 100644 controls/terraform-best-practices/validate-ecs-task-public-ip.yaml
create mode 100644 controls/terraform-best-practices/validate-efs-volume-encryption.yaml
diff --git a/controls/terraform-best-practices/check-awsvpc-network-mode.yaml b/controls/terraform-best-practices/check-awsvpc-network-mode.yaml
new file mode 100644
index 0000000..7061aeb
--- /dev/null
+++ b/controls/terraform-best-practices/check-awsvpc-network-mode.yaml
@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: check-awsvpc-network-mode
+ labels:
+ ecs.aws.network.kyverno.io: awsvpc
+ annotations:
+ policies.kyverno.io/title: Check awsvpc network mode
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ The awsvpc network mode restricts the flow of traffic between different
+ tasks or between your tasks and other services that run within your Amazon VPC.
+ The awsvpc network mode provides task-level network isolation for tasks
+ that run on Amazon EC2.
+spec:
+ rules:
+ - name: check-awsvpc-network-mode
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: ECS services and tasks are required to use awsvpc network mode.
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+ network_mode: awsvpc
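Review bot: Both the match and the foreach walk `planned_values.root_module.resources`, so a task definition declared inside a child module (Terraform puts those under `planned_values.root_module.child_modules[].resources`, nested recursively) is never evaluated and the policy passes on such a plan without ever reading `network_mode`. That is a silent coverage gap for a control whose purpose is to deny a configuration, so at minimum the limitation should be stated next to the match, e.g. `# only resources of the root module are evaluated; child_modules are not walked`. The same root-only path is used in the hunks for validate-ecs-container-insights-enabled, validate-ecs-containers-nonprivileged-in-resource, both log-configuration files, the memory-hard-limit copy, nonroot-user, pid-mode-check, user-for-host-mode-check, task-public-ip and efs-volume-encryption.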
diff --git a/controls/terraform-best-practices/validate-ecs-container-insights-enabled.yaml b/controls/terraform-best-practices/validate-ecs-container-insights-enabled.yaml
new file mode 100644
index 0000000..cd46546
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-container-insights-enabled.yaml
@@ -0,0 +1,26 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-container-insights-enabled
+ annotations:
+ policies.kyverno.io/title: Validate ECS container insights are enabled
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This Policy ensures that ECS clusters have container
+ insights enabled.
+spec:
+ rules:
+ - name: validate-ecs-container-insights-enabled
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_cluster'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: ECS container insights are not enabled
+ check:
+ ~.(planned_values.root_module.resources[?type == 'aws_ecs_cluster']):
+ values:
+ (!setting): false
+ ~.(setting || `[]`):
+ value: enabled
diff --git a/controls/terraform-best-practices/validate-ecs-containers-nonprivileged-in-resource.yaml b/controls/terraform-best-practices/validate-ecs-containers-nonprivileged-in-resource.yaml
new file mode 100644
index 0000000..6f69bfe
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-containers-nonprivileged-in-resource.yaml
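Review bot: The foreach ``~.(setting || `[]`)`` asserts `value: enabled` on every `setting` block without looking at its `name`, so the rule really says "all cluster settings are enabled" rather than "containerInsights is enabled". Filtering on the name states the intent and keeps the rule correct if the provider ever accepts further setting names; because an empty foreach passes, the `(!setting): false` guard must then become a non-empty check on the filtered list, i.e. the three lines ``(length(setting[?name=='containerInsights'] || `[]`) > `0`): true``, ``~.(setting[?name=='containerInsights'] || `[]`):`` and `value: enabled`. I am reading `setting` as a list of `{name, value}` blocks from the resource schema; confirm against a sample plan.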
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-containers-nonprivileged-in-resource
+ annotations:
+ policies.kyverno.io/title: Validate ECS containers are set to non privileged.
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ When privileged is set to true, the container is given elevated permissions on the host container instance (similar to the root user).
+ This policy checks if the privileged parameter in the container definition is set to false.
+spec:
+ rules:
+ - name: validate-ecs-containers-nonprivileged-in-resource
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0` ): true
+ assert:
+ any:
+ - check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+ values:
+ ~.(json_parse(container_definitions)):
+ (!!privileged): false
+ message: The `privileged` field, if present, should be set to `false`
diff --git a/controls/terraform-best-practices/validate-ecs-containers-nonprivileged.yaml b/controls/terraform-best-practices/validate-ecs-containers-nonprivileged.yaml
new file mode 100644
index 0000000..c274b19
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-containers-nonprivileged.yaml
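Review bot: `assert: any:` wraps a single check here, which behaves exactly like `all:` and differs from the sibling resource-level policies in this patch that use `all:` with `message` before `check`; switching to `all:` and the shared ordering keeps the files uniform and spares a reader wondering whether a second branch was dropped. One point to confirm with a test plan rather than assume: when `container_definitions` is computed at plan time it is omitted from `values`, and I am not certain what `json_parse` does with a null argument in this engine, so a plan with an unknown `container_definitions` should be checked to fail rather than error or pass. The same `json_parse(container_definitions)` shape is used in the log-configuration copy, memory-hard-limit copy, nonroot-user and user-for-host-mode-check hunks.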
@@ -0,0 +1,31 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-containers-nonprivileged
+ annotations:
+ policies.kyverno.io/title: Validate ECS containers are set to non privileged.
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ When privileged is set to true, the container is given elevated permissions on the host container instance (similar to the root user).
+ This policy checks if the privileged parameter in the container definition is set to false.
+spec:
+ rules:
+ - name: validate-ecs-containers-nonprivileged
+ match:
+ any:
+ - (configuration.root_module.module_calls.ecs_container_definition != null): true
+ assert:
+ any:
+ - check:
+ (configuration.root_module.module_calls.ecs_container_definition.expressions.privileged == null): true
+ message: Containers `privileged` must be set to `false`.
+ - check:
+ configuration:
+ root_module:
+ module_calls:
+ ecs_container_definition:
+ expressions:
+ privileged:
+ constant_value: false
+ message: Containers must be set to non privileged.
diff --git a/controls/terraform-best-practices/validate-ecs-containers-readonly.yaml b/controls/terraform-best-practices/validate-ecs-containers-readonly.yaml
new file mode 100644
index 0000000..7398f0a
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-containers-readonly.yaml
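Review bot: The match and both checks are keyed to a module call literally labelled `ecs_container_definition`, so a root module that instantiates the container-definition module under any other label, or more than once, never matches and the policy passes without evaluating anything — a fail-open default for a control meant to deny privileged containers. At minimum the assumption belongs in a comment beside the match, e.g. `# assumes the container-definition module is called "ecs_container_definition"; other labels and nested modules are not evaluated`. The same hard-coded label is used in the validate-ecs-containers-readonly, validate-ecs-task-definition-memory-hard-limit and user-for-host-mode-check-in-module hunks. Separately, the first branch's message ``Containers `privileged` must be set to `false`.`` is attached to the check that passes only when `privileged` is absent, so the reported text never describes the condition it belongs to; the second branch's message already covers the explicit-false case.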
@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-containers-readonly
+ annotations:
+ policies.kyverno.io/title: Validate if ECS Containers only have read-only access to its root filesystems
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if ECS Containers only have read-only
+ access to its root filesystems.
+spec:
+ rules:
+ - name: validate-ecs-containers-readonly
+ match:
+ any:
+ - (configuration.root_module.module_calls.ecs_container_definition.expressions | length(@) > `0`): true
+ assert:
+ any:
+ - check:
+ (configuration.root_module.module_calls.ecs_container_definition.expressions.readonly_root_filesystem == null): true
+ message: >-
+ ECS Containers should have read-only access to its root filesystems
+ - check:
+ configuration:
+ root_module:
+ module_calls:
+ ecs_container_definition:
+ expressions:
+ readonly_root_filesystem:
+ constant_value: true
+ message: >-
+ `readonly_root_filesystem` should be set to `true`
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-log-configuration copy.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-log-configuration copy.yaml
new file mode 100644
index 0000000..81f4cfa
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-log-configuration copy.yaml
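Review bot: The first `any` branch passes whenever `readonly_root_filesystem` is simply not set on the module call (`== null`), which is the insecure outcome unless the `ecs_container_definition` module itself defaults that input to `true`; the ECS API default is a writable root filesystem, so absence should only be accepted if that module default is known. If the module's default is not `true`, drop the first branch so only the `constant_value: true` branch remains; if it is, record why the policy passes on an omitted value with a comment such as `# absence is accepted because the module defaults readonly_root_filesystem to true`. Either way the branch's message (`ECS Containers should have read-only access to its root filesystems`) is attached to a check that succeeds on absence, so it never describes the condition it belongs to.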
@@ -0,0 +1,26 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-log-configuration
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task definition log configuration
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Checks if logConfiguration is set on active ECS Task Definitions.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-log-configuration
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: logConfiguration is not set for active ECS Task Definitions
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+ values:
+ ~.(json_parse(container_definitions)):
+ (!logConfiguration): false
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-log-configuration.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-log-configuration.yaml
new file mode 100644
index 0000000..5255313
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-log-configuration.yaml
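Review bot: The file name ends in ` copy.yaml` and the policy declares `metadata.name: validate-ecs-task-definition-log-configuration`, the same name as the next hunk's `validate-ecs-task-definition-log-configuration.yaml`; the two files check different things (container `logConfiguration` here, Service Connect `log_configuration` there), so the duplicate name and the stray "copy" suffix look like an accidental editor duplicate rather than an intended pair. The same applies to `validate-ecs-task-definition-memory-hard-limit copy.yaml`, which shares its `metadata.name` with `validate-ecs-task-definition-memory-hard-limit.yaml` two hunks further on. Either delete the copies or rename both the file and `metadata.name` to say what each variant covers, as the nonprivileged pair already does with its `-in-resource` suffix.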
@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-log-configuration
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task definition log configuration
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if the ECS TaskDefiniteion does not have the
+ logConfiguration resource defined or the value for logConfiguration
+ is null in at least one container definition.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-log-configuration
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_service'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: logConfiguration is not defined for active ECS Task Definitions
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_service']):
+ values:
+ (!service_connect_configuration): false
+ - message: logConfiguration is not set on active ECS Task Definitions
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_service']):
+ ~.(values.service_connect_configuration || `[]`):
+ (!log_configuration): false
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit copy.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit copy.yaml
new file mode 100644
index 0000000..e7e2a75
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit copy.yaml
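Review bot: The rule never inspects task-definition `logConfiguration`: both checks walk `aws_ecs_service` and require `service_connect_configuration` to be present and to carry `log_configuration`, so every ECS service that does not use Service Connect fails with a message about task definitions, while a task definition whose containers have no log driver is not looked at. If the intent is Service Connect logging, the title, description and both messages should say so and the `(!service_connect_configuration): false` check should go (a service without Service Connect is not a logging failure); if the intent is container logging, the ` copy.yaml` file in the previous hunk already implements that check and this one is redundant. The description also misspells TaskDefinition as `TaskDefiniteion`.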
@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-memory-hard-limit
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task Definition Memory Hard Limit
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if Amazon Elastic Container Service
+ (ECS) task definitions have a set memory limit for its container definitions.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-memory-hard-limit
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] != null): true
+ assert:
+ all:
+ - message: Memory limit for container definitions should be set
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+ values:
+ ~.(json_parse(container_definitions)):
+ (!memory): false
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit.yaml
new file mode 100644
index 0000000..fe00d3e
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit.yaml
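Review bot: The match `(planned_values.root_module.resources[?type=='aws_ecs_task_definition'] != null): true` is always true, because a JMESPath filter projection yields a list (possibly empty), never null; the sibling files use ``| length(@) > `0` `` for the same match and this one should too. With an empty list the foreach has nothing to iterate and passes, so the outcome is unchanged today, but an always-true match hides the intent and will mislead whoever reads the rule's applicability.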
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-memory-hard-limit
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task Definition Memory Hard Limit
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if Amazon Elastic Container Service
+ (ECS) task definitions have a set memory limit for its container definitions.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-memory-hard-limit
+ match:
+ any:
+ - (configuration.root_module.module_calls.ecs_container_definition.expressions | length(@) > `0`): true
+ assert:
+ all:
+ - message: Memory limit for container definitions should be set.
+ check:
+ (configuration.root_module.module_calls.ecs_container_definition.expressions):
+ (!memory): false
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-nonroot-user.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-nonroot-user.yaml
new file mode 100644
index 0000000..6a788ad
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-nonroot-user.yaml
@@ -0,0 +1,35 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-nonroot-user
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task definition nonroot user for EC2 instances
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy checks if ECSTaskDefinitions specify a user for
+ Amazon Elastic Container Service (Amazon ECS) EC2 launch type
+ containers to run on. The rule fails if the ‘user’ parameter is not present or set to ‘root’.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-nonroot-user
+ match:
+ all:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+ - ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+ values:
+ requires_compatibilities:
+ (contains(@, 'EC2')): true
+ assert:
+ all:
+ - message: For ECS EC2 containers, `user` parameter should not be set to `root`
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+ values:
+ ~.(json_parse(container_definitions)):
+ (!user): false
+ (starts_with(user || '', '0:') || ends_with(user || '', ':0')): false
+ (user != null): true
+ ((user != '0')): true
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-pid-mode-check.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-pid-mode-check.yaml
new file mode 100644
index 0000000..ca1635c
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-pid-mode-check.yaml
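Review bot: `match: all:` together with the foreach `~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'])` requires every task definition in the plan to list `EC2` in `requires_compatibilities`, so a plan holding one EC2 and one Fargate task definition never matches and the user check runs on neither; a task definition that omits `requires_compatibilities` altogether would also hit `contains` with a null argument. Keeping only the length guard in the match and moving the launch-type test into the assert's foreach, ``~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition' && contains(values.requires_compatibilities || `[]`, 'EC2')])``, evaluates each EC2 task definition on its own. Second, the checks reject `0`, `0:gid` and `uid:0` but not the literal `root`, `root:group` or `user:root`, which ECS accepts in `user` and which the description says the rule should fail; add `(user != 'root'): true` and `(starts_with(user || '', 'root:') || ends_with(user || '', ':root')): false` beside the existing lines (and `((user != '0'))` has one pair of parentheses too many). The same root-by-name gap exists in the user-for-host-mode-check-in-module and user-for-host-mode-check hunks.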
@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-pid-mode-check
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS task definition PID mode check
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy ensures that ECS task definitions do not share the host's process namespace
+spec:
+ rules:
+ - name: validate-ecs-task-definition-pid-mode-check
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: ECS task definitions shares the host's process namespace
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+ (pid_mode || 'task'): task
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check-in-module.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check-in-module.yaml
new file mode 100644
index 0000000..eb596e0
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check-in-module.yaml
@@ -0,0 +1,30 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-user-for-host-mode-check-in-module
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task Definition User for Host mode
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy makes sure that ECS task definitions avoid using
+ the root user for the host network mode or false privileges.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-user-for-host-mode-check-in-module
+ match:
+ any:
+ - (configuration.root_module.module_calls.ecs_container_definition.expressions.privileged):
+ constant_value: false
+ assert:
+ all:
+ - message: Specify a non-root user or group to avoid privilege escalation.
+ check:
+ (configuration.root_module.module_calls.ecs_container_definition.expressions):
+ (!user): false
+ user:
+ (starts_with(constant_value || '', '0:') || ends_with(constant_value || '', ':0')): false
+ (constant_value != null): true
+ (constant_value != '0'): true
diff --git a/controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check.yaml b/controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check.yaml
new file mode 100644
index 0000000..68a573a
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check.yaml
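Review bot: The title and description promise a check tied to the host network mode, but this module variant matches only on `expressions.privileged.constant_value: false` and never looks at a network mode, so a module call using host networking with no `user` is not evaluated unless it also sets `privileged = false` explicitly. Matching on an explicit `false` also skips calls that omit the input, which the sibling `validate-ecs-containers-nonprivileged` hunk treats as the non-privileged case. The module input carrying the network mode is not visible in this patch, so the least that should happen is a comment under the match making the gap explicit, e.g. `# host network mode is not evaluated in this module variant; only an explicit privileged=false triggers the rule`, and `(constant_value != null): true` only sees literals, so a `user` passed by reference is accepted without inspection.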
@@ -0,0 +1,35 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-definition-user-for-host-mode-check
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task Definition User for Host mode
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy makes sure that ECS task definitions avoid using
+ the root user for the host network mode or false privileges.
+spec:
+ rules:
+ - name: validate-ecs-task-definition-user-for-host-mode-check
+ match:
+ any:
+ - ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+ network_mode: host
+ - ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+ ~.(json_parse(container_definitions)):
+ privileged: false
+ assert:
+ all:
+ - message: User should be set to non-root user when using the host network mode or privileged set to false.
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'] ):
+ values:
+ ~.(json_parse(container_definitions)):
+ (!user): false
+ (starts_with(user || '', '0:') || ends_with(user || '', ':0')): false
+ (user != null): true
+ (user != '0'): true
+
diff --git a/controls/terraform-best-practices/validate-ecs-task-public-ip.yaml b/controls/terraform-best-practices/validate-ecs-task-public-ip.yaml
new file mode 100644
index 0000000..5737309
--- /dev/null
+++ b/controls/terraform-best-practices/validate-ecs-task-public-ip.yaml
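Review bot: The second match entry `privileged: false` only matches container definitions that set `privileged` to `false` explicitly; containers that omit the key (the ECS default, which is also non-privileged) do not match, so the non-root `user` check is skipped for them unless the task definition also uses `network_mode: host`. `(!!privileged): false`, as the nonprivileged-in-resource hunk already does, treats absent and explicit false alike. As in the nonroot-user hunk, each foreach under `match` also requires every task definition in the plan to satisfy the entry rather than any one of them, so mixed plans are silently not evaluated. The hunk also adds a trailing empty line after the last check.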
@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-ecs-task-public-ip
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate ECS Task Public IP
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ ECS tasks with public IP address enabled, are easily reachable from the internet.
+ This policy validates whether public IP address is enabled on the ECS task
+spec:
+ rules:
+ - name: validate-ecs-task-public-ip
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_service'] | length(@) > `0`): true
+ assert:
+ any:
+ - message: Public IP address should not be enabled
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_service']):
+ values:
+ ~.(network_configuration[?assign_public_ip] || `[]`):
+ assign_public_ip: false
diff --git a/controls/terraform-best-practices/validate-efs-volume-encryption.yaml b/controls/terraform-best-practices/validate-efs-volume-encryption.yaml
new file mode 100644
index 0000000..10dab3b
--- /dev/null
+++ b/controls/terraform-best-practices/validate-efs-volume-encryption.yaml
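Review bot: The check is written as a filter that keeps only the `network_configuration` entries whose `assign_public_ip` is truthy and then asserts each of them is `false`, under an `assert: any:` that wraps a single branch — the result is correct, but it reads as a contradiction and takes a moment to audit. A direct statement of the rule under `values:` is clearer: ``(length(network_configuration[?assign_public_ip] || `[]`) == `0`): true``, with `all:` like the sibling files. Note for the description: only `aws_ecs_service` is covered, so a task launched from elsewhere, such as an `aws_cloudwatch_event_target` ECS target with its own `network_configuration`, is outside this rule.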
@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: validate-efs-volume-encryption
+ labels:
+ ecs.aws.tags.kyverno.io: ecs-service
+ annotations:
+ policies.kyverno.io/title: Validate EFS Volume Encryption
+ policies.kyverno.io/category: ECS Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ This policy validates whether transit_encryption is set to ENABLED in the task definition.
+spec:
+ rules:
+ - name: validate-efs-volume-encryption
+ match:
+ any:
+ - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Transit Encryption is not `ENABLED` for EFS volumes in ECS Task definitions
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+ (values.volume[].efs_volume_configuration[?transit_encryption=='ENABLED'][] | length(@) > `0`): true
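Review bot: The check requires every task definition to carry at least one EFS volume with `transit_encryption=='ENABLED'`, so a task definition with no volumes, or with only bind or Docker volumes, fails, while one with an encrypted and an unencrypted EFS volume passes because the filtered list is non-empty. The rule should assert that no EFS volume lacks transit encryption: ``(values.volume[].efs_volume_configuration[?transit_encryption!='ENABLED'][] || `[]` | length(@) == `0`): true``, where the ``|| `[]` `` also covers task definitions without a `volume` block (`length` on a null projection would otherwise be a type error rather than zero, as I read the JMESPath spec). An omitted `transit_encryption` is caught by `!= 'ENABLED'` as well, which matches the provider's documented default of `DISABLED`.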