From 45228e020bb8d4762bdd57761263fdc5a559b919 Mon Sep 17 00:00:00 2001 From: lirshindalman Date: Thu, 8 Aug 2024 10:16:54 +0300 Subject: [PATCH] . --- .../graph_checks/aws/ALBProtectedByWAF.yaml | 81 +++++++++-------- .../aws/ALBRedirectsHTTPToHTTPS.yaml | 89 ++++++++++++++++--- 2 files changed, 118 insertions(+), 52 deletions(-) diff --git a/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml b/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml index a0a88ef2b5e..d629a2d9bd8 100644 --- a/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml +++ b/checkov/terraform/checks/graph_checks/aws/ALBProtectedByWAF.yaml 
@@ -1,44 +1,43 @@ metadata: id: "CKV2_AWS_28" - name: "cs-public-resource-based-policy-sqs" - severity: "high" - guidelines: "public resource based policy - sqs" - category: "general" -scope: - provider: "aws" + name: "Ensure public facing ALB are protected by WAF" + category: "NETWORKING" definition: - or: - - and: - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue" - attribute: "policy.Statement[?(@.Effect == 'Allow' & @.Principal == '*')]" - operator: "jsonpath_not_exists" - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue" - attribute: "policy.Statement[?(@.Effect == 'Allow')].Principal.AWS[*]" - operator: "jsonpath_not_equals" - value: "*" - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue" - attribute: "policy.Statement[?(@.Effect == 'Allow')].NotPrincipal" - operator: "jsonpath_not_exists" - - and: - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue_policy" - attribute: "policy.Statement[?(@.Effect == 'Allow' & @.Principal == '*')]" - operator: "jsonpath_not_exists" - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue_policy" - attribute: "policy.Statement[?(@.Effect == 'Allow')].Principal.AWS[*]" - operator: "jsonpath_not_equals" - value: "*" - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue_policy" - attribute: "policy.Statement[?(@.Effect == 'Allow')].NotPrincipal" - operator: "jsonpath_not_exists" \ No newline at end of file + and: + - cond_type: filter + value: + - aws_lb + - aws_alb + operator: within + attribute: resource_type + - or: + - cond_type: connection + operator: exists + resource_types: + - aws_lb + - aws_alb + connected_resource_types: + - aws_wafv2_web_acl_association + - cond_type: connection + operator: exists + resource_types: + - aws_lb + - aws_alb + connected_resource_types: + - aws_wafregional_web_acl_association + - cond_type: attribute + value: true + attribute: internal + resource_types: + - aws_lb + - aws_alb + operator: equals + - cond_type: attribute + 
resource_types: + - aws_lb + - aws_alb + attribute: load_balancer_type + operator: within + value: + - network + - gateway diff --git a/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml b/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml index 3106237b63f..0f20acc86b9 100644 --- a/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml +++ b/checkov/terraform/checks/graph_checks/aws/ALBRedirectsHTTPToHTTPS.yaml 
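Review bot: The `internal` exemption in the new `or` block writes its expected value as the YAML boolean `value: true`, while the sibling check in this same commit quotes every scalar it compares (`"80"`, `"443"`, `"HTTPS"`); whether `true` and `"true"` behave the same here depends on how the `equals` attribute solver normalises types, which this hunk does not show, so I would either quote it to match the other file or confirm the solver compares the stringified value. The four branches of the `or` encode three distinct exemptions (a WAFv2 or WAF Classic association, an internal load balancer, a network/gateway type) that a reader has to reverse-engineer; a short comment above `- or:` such as `# pass when a WAF (v2 or regional) is associated, or the LB is internal or not an ALB` would make the intent explicit. Note that an `aws_lb` with no `load_balancer_type` set defaults to an application load balancer, so it correctly falls through to the WAF-association branches rather than the type exemption.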
@@ -1,15 +1,82 @@ metadata: id: "CKV2_AWS_20" - name: "cs-public-resource-based-policy-sqs" - severity: "high" - guidelines: "public resource based policy - sqs" - category: "general" -scope: - provider: "aws" + name: "Ensure that ALB redirects HTTP requests into HTTPS ones" + category: "NETWORKING" definition: and: - - cond_type: "attribute" - resource_types: - - "aws_sqs_queue" - attribute: "policy.Statement[?(@.Effect == 'Allow' & @.Principal == '*')]" - operator: "jsonpath_not_exists" + - cond_type: filter + value: + - aws_lb + - aws_alb + operator: within + attribute: resource_type + - or: + - cond_type: connection + operator: not_exists + resource_types: + - aws_lb + - aws_alb + connected_resource_types: + - aws_lb_listener + - aws_alb_listener + - and: + - cond_type: connection + operator: exists + resource_types: + - aws_lb + - aws_alb + connected_resource_types: + - aws_lb_listener + - aws_alb_listener + - or: + - and: + - cond_type: attribute + attribute: port + operator: not_equals + value: "80" + resource_types: + - aws_lb_listener + - aws_alb_listener + - cond_type: attribute + attribute: protocol + operator: not_equals + value: HTTP + resource_types: + - aws_lb_listener + - aws_alb_listener + - and: + - cond_type: attribute + attribute: port + operator: equals + value: "80" + resource_types: + - aws_lb_listener + - aws_alb_listener + - cond_type: attribute + attribute: protocol + operator: equals + value: "HTTP" + resource_types: + - aws_lb_listener + - aws_alb_listener + - cond_type: attribute + attribute: default_action.type + operator: equals + value: "redirect" + resource_types: + - aws_lb_listener + - aws_alb_listener + - cond_type: attribute + attribute: default_action.redirect.*.port + operator: equals + value: "443" + resource_types: + - aws_lb_listener + - aws_alb_listener + - cond_type: attribute + attribute: default_action.redirect.*.protocol + operator: equals + value: "HTTPS" + resource_types: + - aws_lb_listener + - aws_alb_listener \ No 
newline at end of file
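Review bot: The "compliant listener" branch requires `port not_equals "80"` AND `protocol not_equals HTTP`, and the redirect branch requires `port equals "80"`, so an HTTP listener on any other port (for example 8080) can satisfy neither branch even when its `default_action` redirects to HTTPS, and an HTTP listener on a non-80 port that does not redirect is caught only by accident of the same pairing. Dropping the `port` condition from the first `and` (leaving `protocol not_equals "HTTP"` as the exemption) and the `port equals "80"` condition from the redirect branch expresses the actual rule, "every HTTP listener must redirect to HTTPS", regardless of port. The quoting is also inconsistent within the hunk: `value: HTTP` in the `not_equals` condition versus `value: "HTTP"` in the `equals` one; both parse as strings, but quoting the first keeps the file uniform. The new file still ends without a trailing newline (`\ No newline at end of file`), which the other file in this commit fixed.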