From 120498bef43b63417f00cd023d5e9884fd7f4503 Mon Sep 17 00:00:00 2001 From: Justin Kufro Date: Mon, 29 Mar 2021 12:25:36 -0600 Subject: [PATCH] allow use of VPC Endpoint for AwsConfigMapper. Mappings now based on source identifier instead of name Signed-off-by: Justin Kufro --- lib/data/aws-config-mapping.csv | 214 ++++++++++++------------ lib/heimdall_tools/aws_config_mapper.rb | 21 ++- 2 files changed, 119 insertions(+), 116 deletions(-) diff --git a/lib/data/aws-config-mapping.csv b/lib/data/aws-config-mapping.csv index ae830a3..af7ac72 100644 --- a/lib/data/aws-config-mapping.csv +++ b/lib/data/aws-config-mapping.csv @@ -1,107 +1,107 @@ -AwsConfigRuleName,NIST-ID,Rev -secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4 -iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4 -iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4 -access-keys-rotated,AC-2(1)|AC-2(j),4 -iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4 -securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4 -guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4 -cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4 -cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 -multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 -rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 -cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4 -redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4 -iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4 -s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 -cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 -root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4 -emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4 -iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4 -iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4 -iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4 -s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4 -s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -lambda-inside-vpc,AC-4|SC-7|SC-7(3),4 -ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4 -restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4 -restricted-ssh,AC-4|SC-7|SC-7(3),4 -vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4 -vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4 -acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4 -ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 -elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4 -emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4 -internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4 -codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4 -ec2-imdsv2-check,AC-6,4 -iam-no-inline-policy-check,AC-6,4 -alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4 -redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 -s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 -elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 -alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4 -elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4 -api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 -elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 -vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 -wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4 -cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4 -cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4 -s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4 -cw-loggroup-retention-period-check,AU-11|SI-12,4 -ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4 -rds-enhanced-monitoring-enabled,CA-7(a)(b),4 -ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4 -ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4 -ec2-stopped-instance,CM-2,4 -ec2-volume-inuse-check,CM-2|SC-4,4 -elb-deletion-protection-enabled,CM-2|CP-10,4 -cloudtrail-security-trail-enabled,CM-2,4 -ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4 -db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4 -dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4 -elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4 -dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4 -ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4 -efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4 -rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4 -dynamodb-autoscaling-enabled,CP-10|SC-5,4 -rds-multi-az-support,CP-10|SC-5|SC-36,4 -s3-bucket-versioning-enabled,CP-10|SI-12,4 -vpc-vpn-2-tunnels-up,CP-10,4 -elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4 -root-account-hardware-mfa-enabled,IA-2(1)(11),4 -mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4 -iam-user-mfa-enabled,IA-2(1)(2)(11),4 -guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4 -codebuild-project-source-repo-url-check,SA-3(a),4 -autoscaling-group-elb-healthcheck-required,SC-5,4 -rds-instance-deletion-protection-enabled,SC-5,4 -alb-waf-enabled,SC-7|SI-4(a)(b)(c),4 -elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4 -cmk-backing-key-rotation-enabled,SC-12,4 -kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4 -api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4 -efs-encrypted-check,SC-13|SC-28,4 -elasticsearch-encrypted-at-rest,SC-13|SC-28,4 -encrypted-volumes,SC-13|SC-28,4 -rds-storage-encrypted,SC-13|SC-28,4 -s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4 -sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4 -sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4 -sns-encrypted-kms,SC-13|SC-28,4 -dynamodb-table-encrypted-kms,SC-13,4 -s3-bucket-default-lock-enabled,SC-28,4 -ec2-ebs-encryption-by-default,SC-28,4 -rds-snapshot-encrypted,SC-28,4 -cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4 +AwsConfigRuleSourceIdentifier,AwsConfigRuleName,NIST-ID,Rev +SECRETSMANAGER_SCHEDULED_ROTATION_SUCCESS_CHECK,secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4 +IAM_USER_GROUP_MEMBERSHIP_CHECK,iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4 +IAM_PASSWORD_POLICY,iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4 +ACCESS_KEYS_ROTATED,access-keys-rotated,AC-2(1)|AC-2(j),4 +IAM_USER_UNUSED_CREDENTIALS_CHECK,iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4 +SECURITYHUB_ENABLED,securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4 +GUARDDUTY_ENABLED_CENTRALIZED,guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4 +CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED,cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4 +CLOUD_TRAIL_ENABLED,cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +MULTI_REGION_CLOUD_TRAIL_ENABLED,multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +RDS_LOGGING_ENABLED,rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +CLOUDWATCH_ALARM_ACTION_CHECK,cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4 +REDSHIFT_CLUSTER_CONFIGURATION_CHECK,redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4 +IAM_ROOT_ACCESS_KEY_CHECK,iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4 +S3_BUCKET_LOGGING_ENABLED,s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +CLOUDTRAIL_S3_DATAEVENTS_ENABLED,cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4 +ROOT_ACCOUNT_MFA_ENABLED,root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4 +EMR_KERBEROS_ENABLED,emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4 +IAM_GROUP_HAS_USERS_CHECK,iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4 +IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS,iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4 +IAM_USER_NO_POLICIES_CHECK,iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4 +S3_BUCKET_PUBLIC_WRITE_PROHIBITED,s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED,lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +RDS_SNAPSHOTS_PUBLIC_PROHIBITED,rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK,redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +S3_BUCKET_POLICY_GRANTEE_CHECK,s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4 +S3_BUCKET_PUBLIC_READ_PROHIBITED,s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS,s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +DMS_REPLICATION_NOT_PUBLIC,dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK,ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS,sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +RDS_INSTANCE_PUBLIC_ACCESS_CHECK,rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +LAMBDA_INSIDE_VPC,lambda-inside-vpc,AC-4|SC-7|SC-7(3),4 +INSTANCES_IN_VPC,ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4 +RESTRICTED_INCOMING_TRAFFIC,restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4 +INCOMING_SSH_DISABLED,restricted-ssh,AC-4|SC-7|SC-7(3),4 +VPC_DEFAULT_SECURITY_GROUP_CLOSED,vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4 +VPC_SG_OPEN_ONLY_TO_AUTHORIZED_PORTS,vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4 +ACM_CERTIFICATE_EXPIRATION_CHECK,acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4 +EC2_INSTANCE_NO_PUBLIC_IP,ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4 +ELASTICSEARCH_IN_VPC_ONLY,elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4 +EMR_MASTER_NO_PUBLIC_IP,emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4 +INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY,internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4 +CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK,codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4 +EC2_IMDSV2_CHECK,ec2-imdsv2-check,AC-6,4 +IAM_NO_INLINE_POLICY_CHECK,iam-no-inline-policy-check,AC-6,4 +ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK,alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4 +REDSHIFT_REQUIRE_TLS_SSL,redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 +S3_BUCKET_SSL_REQUESTS_ONLY,s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 +ELB_ACM_CERTIFICATE_REQUIRED,elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4 +ALB_HTTP_DROP_INVALID_HEADER_ENABLED,alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4 +ELB_TLS_HTTPS_LISTENERS_ONLY,elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4 +API_GW_EXECUTION_LOGGING_ENABLED,api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 +ELB_LOGGING_ENABLED,elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 +VPC_FLOW_LOGS_ENABLED,vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4 +WAFV2_LOGGING_ENABLED,wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4 +CLOUD_TRAIL_ENCRYPTION_ENABLED,cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4 +CLOUDWATCH_LOG_GROUP_ENCRYPTED,cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4 +S3_BUCKET_REPLICATION_ENABLED,s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4 +CW_LOGGROUP_RETENTION_PERIOD_CHECK,cw-loggroup-retention-period-check,AU-11|SI-12,4 +EC2_INSTANCE_DETAILED_MONITORING_ENABLED,ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4 +RDS_ENHANCED_MONITORING_ENABLED,rds-enhanced-monitoring-enabled,CA-7(a)(b),4 +EC2_INSTANCE_MANAGED_BY_SSM,ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4 +EC2_MANAGEDINSTANCE_ASSOCIATION_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4 +EC2_STOPPED_INSTANCE,ec2-stopped-instance,CM-2,4 +EC2_VOLUME_INUSE_CHECK,ec2-volume-inuse-check,CM-2|SC-4,4 +ELB_DELETION_PROTECTION_ENABLED,elb-deletion-protection-enabled,CM-2|CP-10,4 +CLOUDTRAIL_SECURITY_TRAIL_ENABLED,cloudtrail-security-trail-enabled,CM-2,4 +EC2_MANAGEDINSTANCE_PATCH_COMPLIANCE_STATUS_CHECK,ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4 +DB_INSTANCE_BACKUP_ENABLED,db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4 +DYNAMODB_PITR_ENABLED,dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4 +ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK,elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4 +DYNAMODB_IN_BACKUP_PLAN,dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +EBS_IN_BACKUP_PLAN,ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +EFS_IN_BACKUP_PLAN,efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +RDS_IN_BACKUP_PLAN,rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4 +DYNAMODB_AUTOSCALING_ENABLED,dynamodb-autoscaling-enabled,CP-10|SC-5,4 +RDS_MULTI_AZ_SUPPORT,rds-multi-az-support,CP-10|SC-5|SC-36,4 +S3_BUCKET_VERSIONING_ENABLED,s3-bucket-versioning-enabled,CP-10|SI-12,4 +VPC_VPN_2_TUNNELS_UP,vpc-vpn-2-tunnels-up,CP-10,4 +ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED,elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4 +ROOT_ACCOUNT_HARDWARE_MFA_ENABLED,root-account-hardware-mfa-enabled,IA-2(1)(11),4 +MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS,mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4 +IAM_USER_MFA_ENABLED,iam-user-mfa-enabled,IA-2(1)(2)(11),4 +GUARDDUTY_NON_ARCHIVED_FINDINGS,guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4 +CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK,codebuild-project-source-repo-url-check,SA-3(a),4 +AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED,autoscaling-group-elb-healthcheck-required,SC-5,4 +RDS_INSTANCE_DELETION_PROTECTION_ENABLED,rds-instance-deletion-protection-enabled,SC-5,4 +ALB_WAF_ENABLED,alb-waf-enabled,SC-7|SI-4(a)(b)(c),4 +ELASTICSEARCH_NODE_TO_NODE_ENCRYPTION_CHECK,elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4 +CMK_BACKING_KEY_ROTATION_ENABLED,cmk-backing-key-rotation-enabled,SC-12,4 +KMS_CMK_NOT_SCHEDULED_FOR_DELETION,kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4 +API_GW_CACHE_ENABLED_AND_ENCRYPTED,api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4 +EFS_ENCRYPTED_CHECK,efs-encrypted-check,SC-13|SC-28,4 +ELASTICSEARCH_ENCRYPTED_AT_REST,elasticsearch-encrypted-at-rest,SC-13|SC-28,4 +ENCRYPTED_VOLUMES,encrypted-volumes,SC-13|SC-28,4 +RDS_STORAGE_ENCRYPTED,rds-storage-encrypted,SC-13|SC-28,4 +S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED,s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4 +SAGEMAKER_ENDPOINT_CONFIGURATION_KMS_KEY_CONFIGURED,sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4 +SAGEMAKER_NOTEBOOK_INSTANCE_KMS_KEY_CONFIGURED,sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4 +SNS_ENCRYPTED_KMS,sns-encrypted-kms,SC-13|SC-28,4 +DYNAMODB_TABLE_ENCRYPTED_KMS,dynamodb-table-encrypted-kms,SC-13,4 +S3_BUCKET_DEFAULT_LOCK_ENABLED,s3-bucket-default-lock-enabled,SC-28,4 +EC2_EBS_ENCRYPTION_BY_DEFAULT,ec2-ebs-encryption-by-default,SC-28,4 +RDS_SNAPSHOT_ENCRYPTED,rds-snapshot-encrypted,SC-28,4 +CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED,cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4 \ No newline at end of file diff --git a/lib/heimdall_tools/aws_config_mapper.rb b/lib/heimdall_tools/aws_config_mapper.rb index 76ff2ea..17b4f5e 100644 --- a/lib/heimdall_tools/aws_config_mapper.rb +++ b/lib/heimdall_tools/aws_config_mapper.rb @@ -18,11 +18,15 @@ # module HeimdallTools class AwsConfigMapper - def initialize(custom_mapping, verbose = false) + def initialize(custom_mapping, endpoint = nil, verbose = false) @verbose = verbose @default_mapping = get_rule_mapping(AWS_CONFIG_MAPPING_FILE) @custom_mapping = custom_mapping.nil? ? {} : get_rule_mapping(custom_mapping) - @client = Aws::ConfigService::Client.new + if endpoint.nil? + @client = Aws::ConfigService::Client.new + else + @client = Aws::ConfigService::Client.new(endpoint: endpoint) + end @issues = get_all_config_rules end @@ -71,7 +75,7 @@ def to_hdf # # Returns: A mapped version of the csv in the format { rule_name: row, ... } def get_rule_mapping(path) - CSV.read(path, headers: true).map { |row| [row[0], row] }.to_h + CSV.read(path, headers: true).map { |row| [row['AwsConfigRuleSourceIdentifier'], row] }.to_h end ## @@ -238,18 +242,17 @@ def add_results_to_config_rules(config_rules) def hdf_tags(config_rule) result = {} - @default_mapping - @custom_mapping + source_identifier = config_rule.dig(:source, :source_identifier) # NIST tag result['nist'] = [] - default_mapping_match = @default_mapping[config_rule[:config_rule_name]] + default_mapping_match = @default_mapping[source_identifier] - result['nist'] += default_mapping_match[1].split('|') unless default_mapping_match.nil? + result['nist'] += default_mapping_match['NIST-ID'].split('|') unless default_mapping_match.nil? - custom_mapping_match = @custom_mapping[config_rule[:config_rule_name]] + custom_mapping_match = @custom_mapping[source_identifier] - result['nist'] += custom_mapping_match[1].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil? + result['nist'] += custom_mapping_match['NIST-ID'].split('|').map { |name| "#{name} (user provided)" } unless custom_mapping_match.nil? result['nist'] = ['unmapped'] if result['nist'].empty?