# AWS Security & Compliance CloudQuery policy pack

Official AWS security & compliance policy pack for CloudQuery.

## What is CloudQuery

The [open-source](https://github.com/cloudquery/cloudquery) cloud asset inventory powered by SQL.

CloudQuery extracts, transforms, and loads your cloud assets into normalized PostgreSQL tables. CloudQuery enables you to assess, audit, and evaluate the configurations of your cloud assets.

### Links
* Homepage: https://cloudquery.io
* Documentation: https://docs.cloudquery.io
* CloudQuery Hub (providers & policies documentation): https://hub.cloudquery.io/
* Discord: https://cloudquery.io/discord

## Included Policies

- CIS v1.2.0
- PCI DSS v.3.2.1
- Foundational Security
- Public Egress
- Publicly Available 

## Quick Start

### Prerequisite

1. [Install CloudQuery](https://docs.cloudquery.io/docs/getting-started)

```bash 
# install with brew
brew install cloudquery/tap/cloudquery
# or download precompiled binaries from https://github.com/cloudquery/cloudquery/releases
```

2. [Download and Configure AWS Provider](https://docs.cloudquery.io/docs/cli/fetch/overview)

```bash
cloudquery init aws
```

3. [Fetch](https://hub.cloudquery.io/providers/cloudquery/aws/latest)

```bash
# connect or run  a local PostgreSQL
docker run -p 5432:5432 -e POSTGRES_PASSWORD=pass -d postgres
# extract your cloud infra configuration
cloudquery fetch
```

### Running

```bash
# Describe what is available in the policy pack
cloudquery policy describe aws

# Run the whole pack
cloudquery policy run aws

# Run specific policy
cloudquery policy run aws//cis_v1.2.0

# Run specific policy
cloudquery policy run aws//pci_dss_v3.2.1

# Run specific check
cloudquery policy run aws//cis_v1.2.0/1/1.1
```


AWS Security & Compliance

With AWS Policies, you can use CloudQuery to automatically check compliance and security of AWS-based cloud resources. AWS CIS, PCI DSS and more to come.

v0.1.13

cis_v1.2.0

Avoid the use of 'root' account. Show used in last 30 days (Scored)

Ensure MFA is enabled for all IAM users that have a console password (Scored)

Ensure credentials unused for 90 days or greater are disabled (Scored)

Ensure access keys are rotated every 90 days or less

 Ensure IAM password policy requires at least one uppercase letter

 Ensure IAM password policy requires at least one lowercase letter

 Ensure IAM password policy requires at least one symbol

 Ensure IAM password policy requires at least one number

Ensure IAM password policy requires minimum length of 14 or greater

1.10 Ensure IAM password policy prevents password reuse

1.11 Ensure IAM password policy expires passwords within 90 days or less

1.12  Ensure no root account access key exists (Scored)

1.13 Ensure MFA is enabled for the 'root' account

1.14 Ensure hardware MFA is enabled for the 'root' account (Scored)

1.16 Ensure IAM policies are attached only to groups or roles (Scored)

Section 1: Identity and Access Management

Ensure CloudTrail is enabled in all regions

Ensure CloudTrail log file validation is enabled

Ensure CloudTrail trails are integrated with CloudWatch Logs

Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket

Ensure CloudTrail logs are encrypted at rest using KMS CMKs

Ensure rotation for customer created CMKs is enabled (Scored)

Ensure VPC flow logging is enabled in all VPCs (Scored)

Section 2: Logging

Ensure a log metric filter and alarm exist for unauthorized API calls (Scored)

Ensure a log metric filter and alarm exist for Management Console sign-in without MFA (Scored)

 Ensure a log metric filter and alarm exist for usage of 'root' account (Score)

Ensure a log metric filter and alarm exist for IAM policy changes (Score)

Ensure a log metric filter and alarm exist for CloudTrail configuration changes (Scored)

Ensure a log metric filter and alarm exist for AWS Management Console authentication failures (Scored)

Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMKs (Scored)

Ensure a log metric filter and alarm exist for S3 bucket policy changes (Scored)

Ensure a log metric filter and alarm exist for AWS Config configuration changes (Scored)

3.10 Ensure a log metric filter and alarm exist for security group changes (Scored)

3.11 Ensure a log metric filter and alarm exist for changes to Network Access Control Lists (NACL) (Scored)

3.12 Ensure a log metric filter and alarm exist for changes to network gateways (Scored)

3.13 Ensure a log metric filter and alarm exist for route table changes (Scored)

3.14 Ensure a log metric filter and alarm exist for VPC changes (Scored)

Section 3: Monitoring

aws_log_metric_filter_and_alarm

AWS Log Metric Filter and Alarm

Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)

Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389 (Scored)

 Ensure the default security group of every VPC restricts all traffic (Scored)

Section 4: Networking

aws_security_group_ingress_rules

Aggregates rules of security groups with ports and IPs including ipv6

AWS CIS V1.20 Policy

foundational_security

ACM.1

Imported ACM certificates should be renewed after a specified time period

acm controls

ApiGateway.1

API Gateway REST and WebSocket API logging should be enabled

ApiGateway.2

API Gateway REST API stages should be configured to use SSL certificates for backend authentication

ApiGateway.3

API Gateway REST API stages should have AWS X-Ray tracing enabled

ApiGateway.4

API Gateway should be associated with an AWS WAF web ACL

ApiGateway.5

API Gateway REST API cache data should be encrypted at rest

apigateway

apigateway controls

api_gateway_method_settings

AWS API Gateway Method Settings

AutoScaling.1

autoscaling

autoscaling controls

Cloudfront.1

CloudFront distributions should have a default root object configured

Cloudfront.2

CloudFront distributions should have origin access identity enabled

Cloudfront.3

CloudFront distributions should require encryption in transit

Cloudfront.4

CloudFront distributions should have origin failover configured

Cloudfront.5

CloudFront distributions should have logging enabled

Cloudfront.6

CloudFront distributions should have AWS WAF enabled

cloudfront

cloudfront controls

CloudTrail.1

CloudTrail should be enabled and configured with at least one multi-Region trail and not have management events excluded

CloudTrail.2

CloudTrail should have encryption at rest enabled

CloudTrail.4

CloudTrail.5

Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs

cloudtrail

cloudtrail controls

CodeBuild.1

CodeBuild GitHub or Bitbucket source repository URLs should use OAuth

CodeBuild.2

CodeBuild project environment variables should not contain clear text credentials

codebuild

codebuild controls

DMS.1

AWS Database Migration Service replication instances should not be public

AWS DMS controls

DynamoDB.1

DynamoDB tables should automatically scale capacity with demand

DynamoDB.2

DynamoDB tables should have point-in-time recovery enabled

DynamoDB.3

DynamoDB Accelerator (DAX) clusters should be encrypted at rest

dynamodb

DynamoDB controls

EC2.1

Amazon EBS snapshots should not be public, determined by the ability to be restorable by anyone

EC2.2

The VPC default security group should not allow inbound and outbound traffic

EC2.3

Attached EBS volumes should be encrypted at rest

EC2.4

Stopped EC2 instances should be removed after a specified time period

EC2.6

VPC flow logging should be enabled in all VPCs

EC2.7

EBS default encryption should be enabled

EC2.8

EC2 instances should use IMDSv2

EC2.9

EC2 instances should not have a public IP address

EC2.10

Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service

EC2.15

EC2 subnets should not automatically assign public IP addresses

EC2.16

Unused network access control lists should be removed

EC2.17

EC2 instances should not use multiple ENIs

EC2.18

Security groups should only allow unrestricted incoming traffic for authorized ports

EC2.19

Security groups should not allow unrestricted access to ports with high risk

EC2 controls

ECS.1

Amazon ECS task definitions should have secure networking modes and user definitions

ECS.2

Amazon ECS services should not have public IP addresses assigned to them automatically

ECS controls

EFS.1

Amazon EFS should be configured to encrypt file data at rest using AWS KMS

EFS.2

Amazon EFS volumes should be in backup plans

EFS controls

ElasticBeanstalk.1

Elastic Beanstalk environments should have enhanced health reporting enabled

ElasticBeanstalk.2

Elastic Beanstalk managed platform updates should be enabled

elastic_beanstalk

ElasticBeanstalk controls

Elasticsearch.1

Elasticsearch domains should have encryption at rest enabled

Elasticsearch.2

Elasticsearch domains should be in a VPC

Elasticsearch.3

Elasticsearch domains should encrypt data sent between nodes

Elasticsearch.4

Elasticsearch domain error logging to CloudWatch Logs should be enabled

Elasticsearch.5

Elasticsearch domains should have audit logging enabled

Elasticsearch.6

Elasticsearch domains should have at least three data nodes

Elasticsearch.7

Elasticsearch domains should be configured with at least three dedicated master nodes

Elasticsearch.8

Connections to Elasticsearch domains should be encrypted using TLS 1.2

elasticsearch

Elasticsearch controls

ELB.2

Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager

ELB.3

Classic Load Balancer listeners should be configured with HTTPS or TLS termination

ELB.4

Application load balancers should be configured to drop HTTP headers

ELB.5

Application and Classic Load Balancers logging should be enabled

ELB.6

Application Load Balancer deletion protection should be enabled

ELB.7

Classic Load Balancers should have connection draining enabled

ELB.8

Classic Load Balancers with HTTPS/SSL listeners should use a predefined security policy that has strong configuration

ELB controls

AWS Foundational Security Best Practices controls