Expand Up @@ -7,7 +7,7 @@ select
account_id,
arn as resource_id,
case when
'all' = ANY(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(p->'AccountIds'))) -- TODO check
'all' = ANY(ARRAY(SELECT JSONB_ARRAY_ELEMENTS_TEXT(p->'AccountIds')))
then 'fail' else 'pass' end as status
from aws_ssm_documents, jsonb_array_elements(aws_ssm_documents.permissions) p
where owner in (select account_id from aws_iam_accounts)
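Review bot: on the `'all' = ANY(...)` line the `-- TODO check` marker is removed while the predicate itself is unchanged, so nothing visible records what was checked. Two things are worth confirming before dropping it. The comparison is case-sensitive, so the literal must match exactly what is stored in `AccountIds`. The comma join to `jsonb_array_elements(aws_ssm_documents.permissions) p` emits no row for a document whose `permissions` is null or an empty array, so such documents get neither 'pass' nor 'fail'. If that second behaviour is unintended, `left join lateral ... on true` would keep them in the result.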
Expand Up @@ -3,7 +3,7 @@ select
:'execution_time' as execution_time,
:'framework' as framework,
:'check_id' as check_id,
'EC2 instances should be managed by AWS Systems Manager' as title,
'Amazon EC2 instances should be managed by AWS Systems Manager' as title,
aws_ec2_instances.account_id,
aws_ec2_instances.arn as resource_id,
case when
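Review bot: the `title` literal changes while `:'check_id'` and `:'framework'` stay the same, so results written before and after this change carry different titles for one check. Dashboards or saved queries that group or filter on `title` will split or miss rows. A changelog line telling users to key on `check_id` and `framework` rather than `title` would cover it.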
Expand Up @@ -3,7 +3,7 @@ select
:'execution_time' as execution_time,
:'framework' as framework,
:'check_id' as check_id,
'Instances managed by Systems Manager should have an association compliance status of COMPLIANT' as title,
'Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT' as title,
aws_ssm_instances.account_id,
aws_ssm_instances.arn,
case when
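Review bot: `aws_ssm_instances.arn,` in the select list has no `as resource_id` alias, unlike `arn as resource_id` in the SSM documents check and `aws_ec2_instances.arn as resource_id` in the EC2 check earlier in this diff. If this select feeds a positional insert the alias is cosmetic, but the line sits next to the one being edited, and aligning it would keep the check queries uniform and make the sampled docs queries readable on their own.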
Expand Up @@ -3,7 +3,7 @@ select
:'execution_time' as execution_time,
:'framework' as framework,
:'check_id' as check_id,
'All EC2 instances managed by Systems Manager should be compliant with patching requirements' as title,
'Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation' as title,
aws_ssm_instances.account_id,
aws_ssm_instances.arn,
case when
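Review bot: the new title adds the condition "after a patch installation", but the `case when` that follows is not touched in this hunk, so the check logic is whatever it was under the old title. For an instance that has never run a patch operation, the title and the emitted status can now disagree depending on how the CASE treats a missing patch compliance item. Confirm which way it goes and adjust either the predicate or the wording so they match.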
12 changes: 6 additions & 6 deletions website/pages/docs/plugins/sources/aws/policies.md
Expand Up @@ -176,9 +176,9 @@ AWS PCI DSS v3.2.1 performs the following checks:
- Secrets Manager secrets configured with automatic rotation should rotate successfully
- Remove unused Secrets Manager secrets
- Secrets Manager secrets should be rotated within a specified number of days
- All EC2 instances managed by Systems Manager should be compliant with patching requirements
- Instances managed by Systems Manager should have an association compliance status of COMPLIANT
- EC2 instances should be managed by AWS Systems Manager
- Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
- Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
- Amazon EC2 instances should be managed by AWS Systems Manager
- AWS WAF Classic global web ACL logging should be enabled

### Dependent Views
Expand Down Expand Up @@ -401,9 +401,9 @@ AWS Foundational Security Best Practices performs the following checks:
- SNS topics should be encrypted at rest using AWS KMS
- Logging of delivery status should be enabled for notification messages sent to a topic
- Amazon SQS queues should be encrypted at rest
- EC2 instances should be managed by AWS Systems Manager
- All EC2 instances managed by Systems Manager should be compliant with patching requirements
- Instances managed by Systems Manager should have an association compliance status of COMPLIANT
- Amazon EC2 instances should be managed by AWS Systems Manager
- Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation
- Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT
- SSM documents should not be public
- AWS WAF Classic global web ACL logging should be enabled

4 changes: 2 additions & 2 deletions website/tables/aws/aws_ec2_instances.md
Expand Up @@ -263,11 +263,11 @@ FROM
aws_ec2_instances;
```

### EC2 instances should be managed by AWS Systems Manager
### Amazon EC2 instances should be managed by AWS Systems Manager

```sql
SELECT
'EC2 instances should be managed by AWS Systems Manager' AS title,
'Amazon EC2 instances should be managed by AWS Systems Manager' AS title,
aws_ec2_instances.account_id,
aws_ec2_instances.arn AS resource_id,
CASE
8 changes: 4 additions & 4 deletions website/tables/aws/aws_ssm_instance_compliance_items.md
Expand Up @@ -33,11 +33,11 @@ This table depends on [aws_ssm_instances](aws_ssm_instances).

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

### Instances managed by Systems Manager should have an association compliance status of COMPLIANT
### Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

```sql
SELECT
'Instances managed by Systems Manager should have an association compliance status of COMPLIANT'
'Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT'
AS title,
aws_ssm_instances.account_id,
aws_ssm_instances.arn,
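Review bot: the `###` heading and the `SELECT` title literal here repeat the string already changed in the policy query and in policies.md, and the page itself says "These SQL queries are sampled from CloudQuery policies". If these table pages are generated, the change should come from rerunning the generator against the updated queries rather than from hand edits, so the copies cannot drift. If they are hand-maintained, a note in the PR description listing every file that carries each title would make the next rename easier to review.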
Expand All @@ -54,11 +54,11 @@ FROM
aws_ssm_instances.arn = aws_ssm_instance_compliance_items.instance_arn;
```

### All EC2 instances managed by Systems Manager should be compliant with patching requirements
### Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

```sql
SELECT
'All EC2 instances managed by Systems Manager should be compliant with patching requirements'
'Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation'
AS title,
aws_ssm_instances.account_id,
aws_ssm_instances.arn,
12 changes: 6 additions & 6 deletions website/tables/aws/aws_ssm_instances.md
Expand Up @@ -47,11 +47,11 @@ The following tables depend on aws_ssm_instances:

These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.

### EC2 instances should be managed by AWS Systems Manager
### Amazon EC2 instances should be managed by AWS Systems Manager

```sql
SELECT
'EC2 instances should be managed by AWS Systems Manager' AS title,
'Amazon EC2 instances should be managed by AWS Systems Manager' AS title,
aws_ec2_instances.account_id,
aws_ec2_instances.arn AS resource_id,
CASE
Expand All @@ -65,11 +65,11 @@ FROM
aws_ec2_instances.instance_id = aws_ssm_instances.instance_id;
```

### Instances managed by Systems Manager should have an association compliance status of COMPLIANT
### Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT

```sql
SELECT
'Instances managed by Systems Manager should have an association compliance status of COMPLIANT'
'Amazon EC2 instances managed by Systems Manager should have an association compliance status of COMPLIANT'
AS title,
aws_ssm_instances.account_id,
aws_ssm_instances.arn,
Expand All @@ -86,11 +86,11 @@ FROM
aws_ssm_instances.arn = aws_ssm_instance_compliance_items.instance_arn;
```

### All EC2 instances managed by Systems Manager should be compliant with patching requirements
### Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation

```sql
SELECT
'All EC2 instances managed by Systems Manager should be compliant with patching requirements'
'Amazon EC2 instances managed by Systems Manager should have a patch compliance status of COMPLIANT after a patch installation'
AS title,
aws_ssm_instances.account_id,
aws_ssm_instances.arn,