diff --git a/Makefile b/Makefile
index e6c528cd..d52bfb22 100644
--- a/Makefile
+++ b/Makefile
@@ -13,7 +13,7 @@ fmt-rego:
 .PHONY: test-rego
 test-rego:
- go run ./cmd/opa test --explain=fails lib/ checks/
+ go run ./cmd/opa test --explain=fails lib/ checks/ --ignore '*.yaml'
 .PHONY: bundle
 bundle: create-bundle verify-bundle
@@ -49,4 +49,8 @@ verify-bundle:
 rm scripts/bundle.tar.gz
 build-opa:
- go build ./cmd/opa
\ No newline at end of file
+ go build ./cmd/opa
+
+.PHONY: fmt-examples
+fmt-examples:
+ go run ./cmd/fmt-examples
\ No newline at end of file
diff --git a/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md b/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md
index 3a4cb12a..dc891c9b 100644
--- a/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md
+++ b/avd_docs/aws/apigateway/AVD-AWS-0001/CloudFormation.md
@@ -2,19 +2,20 @@ Enable logging for API Gateway stages
 ```yaml
-AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"
 Description: Good Example of ApiGateway
 Resources:
- GoodApi:
- Type: AWS::ApiGatewayV2::Api
- GoodApiStage:
- Properties:
- AccessLogSettings:
- DestinationArn: gateway-logging
- Format: json
- ApiId: GoodApi
- StageName: GoodApiStage
- Type: AWS::ApiGatewayV2::Stage
+ GoodApi:
+ Type: AWS::ApiGatewayV2::Api
+ GoodApiStage:
+ Properties:
+ AccessLogSettings:
+ DestinationArn: gateway-logging
+ Format: json
+ ApiId: GoodApi
+ StageName: GoodApiStage
+ Type: AWS::ApiGatewayV2::Stage
+
 ```
diff --git a/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md b/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md
index defb6201..fa74e0e5 100644
--- a/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md
+++ b/avd_docs/aws/athena/AVD-AWS-0006/CloudFormation.md
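Review bot: `build-opa` still has no `.PHONY` declaration while the neighbouring new `fmt-examples` target gets one; `go build ./cmd/opa` writes an `opa` binary, not a file called `build-opa`, so a stray file of that name would silently turn the target into a no-op — add `.PHONY: build-opa` above it, matching every other target in this hunk. The file also still ends without a trailing newline (`\ No newline at end of file` survives on the new side after `go run ./cmd/fmt-examples`); terminating the last recipe with a newline avoids that warning on every future edit. Separately, if `cmd/fmt-examples` is what regenerated the CloudFormation examples elsewhere in this commit, note that its output emits `AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"`, which CloudFormation does not accept (the only valid value is `2010-09-09`); it looks like a YAML date being round-tripped as a timestamp, and quoting it only bakes the invalid value into the published examples, so the formatter should preserve the original scalar text for that key.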
@@ -3,14 +3,15 @@ Enable encryption at rest for Athena databases and workgroup configurations
 ```yaml
 Resources:
- GoodExample:
- Properties:
- Name: goodExample
- WorkGroupConfiguration:
- ResultConfiguration:
- EncryptionConfiguration:
- EncryptionOption: SSE_KMS
- Type: AWS::Athena::WorkGroup
+ GoodExample:
+ Properties:
+ Name: goodExample
+ WorkGroupConfiguration:
+ ResultConfiguration:
+ EncryptionConfiguration:
+ EncryptionOption: SSE_KMS
+ Type: AWS::Athena::WorkGroup
+
 ```
diff --git a/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md b/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md
index bd010830..cf9d70f9 100644
--- a/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md
+++ b/avd_docs/aws/athena/AVD-AWS-0007/CloudFormation.md
@@ -3,15 +3,16 @@ Enforce the configuration to prevent client overrides
 ```yaml
 Resources:
- GoodExample:
- Properties:
- Name: goodExample
- WorkGroupConfiguration:
- EnforceWorkGroupConfiguration: true
- ResultConfiguration:
- EncryptionConfiguration:
- EncryptionOption: SSE_KMS
- Type: AWS::Athena::WorkGroup
+ GoodExample:
+ Properties:
+ Name: goodExample
+ WorkGroupConfiguration:
+ EnforceWorkGroupConfiguration: true
+ ResultConfiguration:
+ EncryptionConfiguration:
+ EncryptionOption: SSE_KMS
+ Type: AWS::Athena::WorkGroup
+
 ```
diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md b/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md
index 60599e12..0f6c6974 100644
--- a/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md
+++ b/avd_docs/aws/cloudfront/AVD-AWS-0010/CloudFormation.md
@@ -3,19 +3,20 @@ Enable logging for CloudFront distributions
 ```yaml
 Resources:
- GoodExample:
- Properties:
- DistributionConfig:
- DefaultCacheBehavior:
- TargetOriginId: target
- ViewerProtocolPolicy: https-only
- Enabled: true
- Logging:
- Bucket: logging-bucket
- Origins:
- - DomainName: https://some.domain
- Id: somedomain1
- Type: AWS::CloudFront::Distribution
+ GoodExample:
+ Properties:
+ DistributionConfig:
+ DefaultCacheBehavior:
+ TargetOriginId: target
+ ViewerProtocolPolicy: https-only
+ Enabled: true
+ Logging:
+ Bucket: logging-bucket
+ Origins:
+ - DomainName: https://some.domain
+ Id: somedomain1
+ Type: AWS::CloudFront::Distribution
+
 ```
diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md b/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md
index 911a7ef3..04aff8af 100644
--- a/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md
+++ b/avd_docs/aws/cloudfront/AVD-AWS-0011/CloudFormation.md
@@ -3,20 +3,21 @@ Enable WAF for the CloudFront distribution
 ```yaml
 Resources:
- GoodExample:
- Properties:
- DistributionConfig:
- DefaultCacheBehavior:
- TargetOriginId: target
- ViewerProtocolPolicy: https-only
- Enabled: true
- Logging:
- Bucket: logging-bucket
- Origins:
- - DomainName: https://some.domain
- Id: somedomain1
- WebACLId: waf_id
- Type: AWS::CloudFront::Distribution
+ GoodExample:
+ Properties:
+ DistributionConfig:
+ DefaultCacheBehavior:
+ TargetOriginId: target
+ ViewerProtocolPolicy: https-only
+ Enabled: true
+ Logging:
+ Bucket: logging-bucket
+ Origins:
+ - DomainName: https://some.domain
+ Id: somedomain1
+ WebACLId: waf_id
+ Type: AWS::CloudFront::Distribution
+
 ```
diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md b/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md
index 715e6c87..08ec7b88 100644
--- a/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md
+++ b/avd_docs/aws/cloudfront/AVD-AWS-0012/CloudFormation.md
@@ -3,20 +3,21 @@ Only allow HTTPS for CloudFront distribution communication
 ```yaml
 Resources:
- GoodExample:
- Properties:
- DistributionConfig:
- DefaultCacheBehavior:
- TargetOriginId: target
- ViewerProtocolPolicy: https-only
- Enabled: true
- Logging:
- Bucket: logging-bucket
- Origins:
- - DomainName: https://some.domain
- Id: somedomain1
- WebACLId: waf_id
- Type: AWS::CloudFront::Distribution
+ GoodExample:
+ Properties:
+ DistributionConfig:
+ DefaultCacheBehavior:
+ TargetOriginId: target
+ ViewerProtocolPolicy: https-only
+ Enabled: true
+ Logging:
+ Bucket: logging-bucket
+ Origins:
+ - DomainName: https://some.domain
+ Id: somedomain1
+ WebACLId: waf_id
+ Type: AWS::CloudFront::Distribution
+
 ```
diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md b/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md
index 946da062..bcd1c453 100644
--- a/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md
+++ b/avd_docs/aws/cloudfront/AVD-AWS-0013/CloudFormation.md
@@ -3,21 +3,22 @@ Use the most modern TLS/SSL policies available
 ```yaml
 Resources:
- GoodExample:
- Properties:
- DistributionConfig:
- DefaultCacheBehavior:
- TargetOriginId: target
- ViewerProtocolPolicy: https-only
- Enabled: true
- Logging:
- Bucket: logging-bucket
- Origins:
- - DomainName: https://some.domain
- Id: somedomain1
- ViewerCertificate:
- MinimumProtocolVersion: TLSv1.2_2021
- Type: AWS::CloudFront::Distribution
+ GoodExample:
+ Properties:
+ DistributionConfig:
+ DefaultCacheBehavior:
+ TargetOriginId: target
+ ViewerProtocolPolicy: https-only
+ Enabled: true
+ Logging:
+ Bucket: logging-bucket
+ Origins:
+ - DomainName: https://some.domain
+ Id: somedomain1
+ ViewerCertificate:
+ MinimumProtocolVersion: TLSv1.2_2021
+ Type: AWS::CloudFront::Distribution
+
 ```
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md
index a6ff2f81..acadb281 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0014/CloudFormation.md
@@ -3,14 +3,15 @@ Enable Cloudtrail in all regions
 ```yaml
 Resources:
- GoodExample:
- Properties:
- IsLogging: true
- IsMultiRegionTrail: true
- S3BucketName: CloudtrailBucket
- S3KeyPrefix: /trailing
- TrailName: Cloudtrail
- Type: AWS::CloudTrail::Trail
+ GoodExample:
+ Properties:
+ IsLogging: true
+ IsMultiRegionTrail: true
+ S3BucketName: CloudtrailBucket
+ S3KeyPrefix: /trailing
+ TrailName: Cloudtrail
+ Type: AWS::CloudTrail::Trail
+
 ```
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
index 4157d336..b2da13d4 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0015/CloudFormation.md
@@ -3,15 +3,16 @@ Use Customer managed key
 ```yaml
 Resources:
- GoodExample:
- Properties:
- IsLogging: true
- IsMultiRegionTrail: true
- KmsKeyId: alias/CloudtrailKey
- S3BucketName: CloudtrailBucket
- S3KeyPrefix: /trailing
- TrailName: Cloudtrail
- Type: AWS::CloudTrail::Trail
+ GoodExample:
+ Properties:
+ IsLogging: true
+ IsMultiRegionTrail: true
+ KmsKeyId: alias/CloudtrailKey
+ S3BucketName: CloudtrailBucket
+ S3KeyPrefix: /trailing
+ TrailName: Cloudtrail
+ Type: AWS::CloudTrail::Trail
+
 ```
 #### Remediation Links
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md
index 2e4a18cd..7fff72a2 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0016/CloudFormation.md
@@ -3,15 +3,16 @@ Turn on log validation for Cloudtrail
 ```yaml
 Resources:
- GoodExample:
- Properties:
- EnableLogFileValidation: true
- IsLogging: true
- IsMultiRegionTrail: true
- S3BucketName: CloudtrailBucket
- S3KeyPrefix: /trailing
- TrailName: Cloudtrail
- Type: AWS::CloudTrail::Trail
+ GoodExample:
+ Properties:
+ EnableLogFileValidation: true
+ IsLogging: true
+ IsMultiRegionTrail: true
+ S3BucketName: CloudtrailBucket
+ S3KeyPrefix: /trailing
+ TrailName: Cloudtrail
+ Type: AWS::CloudTrail::Trail
+
 ```
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md
index b06e337c..0d2e6f6a 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0161/CloudFormation.md
@@ -3,17 +3,18 @@ Restrict public access to the S3 bucket
 ```yaml
 Resources:
- GoodExampleBucket:
- Properties:
- AccessControl: Private
- BucketName: my-bucket
- Type: AWS::S3::Bucket
- GoodExampleTrail:
- Properties:
- IsLogging: true
- S3BucketName: my-bucket
- TrailName: Cloudtrail
- Type: AWS::CloudTrail::Trail
+ GoodExampleBucket:
+ Properties:
+ AccessControl: Private
+ BucketName: my-bucket
+ Type: AWS::S3::Bucket
+ GoodExampleTrail:
+ Properties:
+ IsLogging: true
+ S3BucketName: my-bucket
+ TrailName: Cloudtrail
+ Type: AWS::CloudTrail::Trail
+
 ```
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md
index 6974d2b5..a252917b 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0162/CloudFormation.md
@@ -3,11 +3,12 @@ Enable logging to CloudWatch
 ```yaml
 Resources:
- GoodExampleTrail:
- Properties:
- CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
- TrailName: Cloudtrail
- Type: AWS::CloudTrail::Trail
+ GoodExampleTrail:
+ Properties:
+ CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:*
+ TrailName: Cloudtrail
+ Type: AWS::CloudTrail::Trail
+
 ```
diff --git a/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md b/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md
index d65f68bd..c653fa55 100644
--- a/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md
+++ b/avd_docs/aws/cloudtrail/AVD-AWS-0163/CloudFormation.md
@@ -3,19 +3,20 @@ Enable access logging on the bucket
 ```yaml
 Resources:
- GoodExampleBucket:
- Properties:
- BucketName: my-bucket
- LoggingConfiguration:
- DestinationBucketName: logging-bucket
- LogFilePrefix: accesslogs/
- Type: AWS::S3::Bucket
- GoodExampleTrail:
- Properties:
- IsLogging: true
- S3BucketName: my-bucket
- TrailName: Cloudtrail
- Type: AWS::CloudTrail::Trail
+ GoodExampleBucket:
+ Properties:
+ BucketName: my-bucket
+ LoggingConfiguration:
+ DestinationBucketName: logging-bucket
+ LogFilePrefix: accesslogs/
+ Type: AWS::S3::Bucket
+ GoodExampleTrail:
+ Properties:
+ IsLogging: true
+ S3BucketName: my-bucket
+ TrailName: Cloudtrail
+ Type: AWS::CloudTrail::Trail
+
 ```
diff --git a/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md b/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md
index aeeedd35..367ed093 100644
--- a/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md
+++ b/avd_docs/aws/cloudwatch/AVD-AWS-0017/CloudFormation.md
@@ -3,12 +3,13 @@ Enable CMK encryption of CloudWatch Log Groups
 ```yaml
 Resources:
- GoodExample:
- Properties:
- KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/lambdalogging
- LogGroupName: aws/lambda/goodExample
- RetentionInDays: 30
- Type: AWS::Logs::LogGroup
+ GoodExample:
+ Properties:
+ KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/lambdalogging
+ LogGroupName: aws/lambda/goodExample
+ RetentionInDays: 30
+ Type: AWS::Logs::LogGroup
+
 ```
diff --git a/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md b/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md
index 2a08902c..c6536ba5 100644
--- a/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md
+++ b/avd_docs/aws/codebuild/AVD-AWS-0018/CloudFormation.md
@@ -3,29 +3,30 @@ Enable encryption for CodeBuild project artifacts
 ```yaml
 Resources:
- GoodProject:
- Properties:
- Artifacts:
- ArtifactIdentifier: String
- EncryptionDisabled: false
- Location: String
- Name: String
- NamespaceType: String
- OverrideArtifactName: false
- Packaging: String
- Path: String
- Type: String
- SecondaryArtifacts:
- - ArtifactIdentifier: String
- EncryptionDisabled: false
- Location: String
- Name: String
- NamespaceType: String
- OverrideArtifactName: false
- Packaging: String
- Path: String
- Type: String
- Type: AWS::CodeBuild::Project
+ GoodProject:
+ Properties:
+ Artifacts:
+ ArtifactIdentifier: String
+ EncryptionDisabled: false
+ Location: String
+ Name: String
+ NamespaceType: String
+ OverrideArtifactName: false
+ Packaging: String
+ Path: String
+ Type: String
+ SecondaryArtifacts:
+ - ArtifactIdentifier: String
+ EncryptionDisabled: false
+ Location: String
+ Name: String
+ NamespaceType: String
+ OverrideArtifactName: false
+ Packaging: String
+ Path: String
+ Type: String
+ Type: AWS::CodeBuild::Project
+
 ```
diff --git a/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md b/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md
index 82f20d53..da8382a3 100644
--- a/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md
+++ b/avd_docs/aws/config/AVD-AWS-0019/CloudFormation.md
@@ -3,21 +3,23 @@ Set the aggregator to cover all regions
 ```yaml
 Resources:
- GoodExample:
- Properties:
- AccountAggregationSources:
- - AllAwsRegions: true
- ConfigurationAggregatorName: GoodAccountLevelAggregation
- Type: AWS::Config::ConfigurationAggregator
+ GoodExample:
+ Properties:
+ AccountAggregationSources:
+ - AllAwsRegions: true
+ ConfigurationAggregatorName: GoodAccountLevelAggregation
+ Type: AWS::Config::ConfigurationAggregator
+
 ```
 ```yaml
 Resources:
- GoodExample:
- Properties:
- ConfigurationAggregatorName: GoodAccountLevelAggregation
- OrganizationAggregationSource:
- AllAwsRegions: true
- Type: AWS::Config::ConfigurationAggregator
+ GoodExample:
+ Properties:
+ ConfigurationAggregatorName: GoodAccountLevelAggregation
+ OrganizationAggregationSource:
+ AllAwsRegions: true
+ Type: AWS::Config::ConfigurationAggregator
+
 ```
diff --git a/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md b/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md
index 1760f0f6..956a89de 100644
--- a/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md
+++ b/avd_docs/aws/documentdb/AVD-AWS-0020/CloudFormation.md
@@ -3,25 +3,26 @@ Enable export logs
 ```yaml
 Resources:
- GoodExample:
- Properties:
- BackupRetentionPeriod: 8
- DBClusterIdentifier: sample-cluster
- DBClusterParameterGroupName: default.docdb3.6
- EnableCloudwatchLogsExports:
- - audit
- - profiler
- KmsKeyId: your-kms-key-id
- Type: AWS::DocDB::DBCluster
- InstanceInstanceExample:
- Properties:
- AutoMinorVersionUpgrade: true
- AvailabilityZone: us-east-1c
- DBClusterIdentifier: sample-cluster
- DBInstanceClass: db.r5.large
- DBInstanceIdentifier: sample-cluster-instance-0
- PreferredMaintenanceWindow: sat:06:54-sat:07:24
- Type: AWS::DocDB::DBInstance
+ GoodExample:
+ Properties:
+ BackupRetentionPeriod: 8
+ DBClusterIdentifier: sample-cluster
+ DBClusterParameterGroupName: default.docdb3.6
+ EnableCloudwatchLogsExports:
+ - audit
+ - profiler
+ KmsKeyId: your-kms-key-id
+ Type: AWS::DocDB::DBCluster
+ InstanceInstanceExample:
+ Properties:
+ AutoMinorVersionUpgrade: true
+ AvailabilityZone: us-east-1c
+ DBClusterIdentifier: sample-cluster
+ DBInstanceClass: db.r5.large
+ DBInstanceIdentifier: sample-cluster-instance-0
+ PreferredMaintenanceWindow: sat:06:54-sat:07:24
+ Type: AWS::DocDB::DBInstance
+
 ```
diff --git a/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md b/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md
index 6e4a371e..2cdbfd70 100644
--- a/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md
+++ b/avd_docs/aws/documentdb/AVD-AWS-0021/CloudFormation.md
@@ -3,26 +3,27 @@ Enable storage encryption
 ```yaml
 Resources:
- GoodExample:
- Properties:
- BackupRetentionPeriod: 8
- DBClusterIdentifier: sample-cluster
- DBClusterParameterGroupName: default.docdb3.6
- EnableCloudwatchLogsExports:
- - audit
- - profiler
- KmsKeyId: your-kms-key-id
- StorageEncrypted: true
- Type: AWS::DocDB::DBCluster
- InstanceInstanceExample:
- Properties:
- AutoMinorVersionUpgrade: true
- AvailabilityZone: us-east-1c
- DBClusterIdentifier: sample-cluster
- DBInstanceClass: db.r5.large
- DBInstanceIdentifier: sample-cluster-instance-0
- PreferredMaintenanceWindow: sat:06:54-sat:07:24
- Type: AWS::DocDB::DBInstance
+ GoodExample:
+ Properties:
+ BackupRetentionPeriod: 8
+ DBClusterIdentifier: sample-cluster
+ DBClusterParameterGroupName: default.docdb3.6
+ EnableCloudwatchLogsExports:
+ - audit
+ - profiler
+ KmsKeyId: your-kms-key-id
+ StorageEncrypted: true
+ Type: AWS::DocDB::DBCluster
+ InstanceInstanceExample:
+ Properties:
+ AutoMinorVersionUpgrade: true
+ AvailabilityZone: us-east-1c
+ DBClusterIdentifier: sample-cluster
+ DBInstanceClass: db.r5.large
+ DBInstanceIdentifier: sample-cluster-instance-0
+ PreferredMaintenanceWindow: sat:06:54-sat:07:24
+ Type: AWS::DocDB::DBInstance
+
 ```
diff --git a/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md b/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md
index f3d457b0..87db3873 100644
--- a/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md
+++ b/avd_docs/aws/documentdb/AVD-AWS-0022/CloudFormation.md
@@ -3,25 +3,26 @@ Enable encryption using customer managed keys
 ```yaml
 Resources:
- GoodExample:
- Properties:
- BackupRetentionPeriod: 8
- DBClusterIdentifier: sample-cluster
- DBClusterParameterGroupName: default.docdb3.6
- EnableCloudwatchLogsExports:
- - audit
- - profiler
- KmsKeyId: your-kms-key-id
- Type: AWS::DocDB::DBCluster
- InstanceInstanceExample:
- Properties:
- AutoMinorVersionUpgrade: true
- AvailabilityZone: us-east-1c
- DBClusterIdentifier: sample-cluster
- DBInstanceClass: db.r5.large
- DBInstanceIdentifier: sample-cluster-instance-0
- PreferredMaintenanceWindow: sat:06:54-sat:07:24
- Type: AWS::DocDB::DBInstance
+ GoodExample:
+ Properties:
+ BackupRetentionPeriod: 8
+ DBClusterIdentifier: sample-cluster
+ DBClusterParameterGroupName: default.docdb3.6
+ EnableCloudwatchLogsExports:
+ - audit
+ - profiler
+ KmsKeyId: your-kms-key-id
+ Type: AWS::DocDB::DBCluster
+ InstanceInstanceExample:
+ Properties:
+ AutoMinorVersionUpgrade: true
+ AvailabilityZone: us-east-1c
+ DBClusterIdentifier: sample-cluster
+ DBInstanceClass: db.r5.large
+ DBInstanceIdentifier: sample-cluster-instance-0
+ PreferredMaintenanceWindow: sat:06:54-sat:07:24
+ Type: AWS::DocDB::DBInstance
+
 ```
diff --git a/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md b/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md
index afc0ef02..97b058fe 100644
--- a/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md
+++ b/avd_docs/aws/dynamodb/AVD-AWS-0023/CloudFormation.md
@@ -3,16 +3,17 @@ Enable encryption at rest for DAX Cluster
 ```yaml
 Resources:
- GoodExample:
- Properties:
- ClusterName: MyDAXCluster
- Description: DAX cluster with encryption at rest
- IAMRoleARN: arn:aws:iam::111122223333:role/DaxAccess
- NodeType: dax.r3.large
- ReplicationFactor: 1
- SSESpecification:
- SSEEnabled: true
- Type: AWS::DAX::Cluster
+ GoodExample:
+ Properties:
+ ClusterName: MyDAXCluster
+ Description: DAX cluster with encryption at rest
+ IAMRoleARN: arn:aws:iam::111122223333:role/DaxAccess
+ NodeType: dax.r3.large
+ ReplicationFactor: 1
+ SSESpecification:
+ SSEEnabled: true
+ Type: AWS::DAX::Cluster
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md
index 6a255403..2ab4df67 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0008/CloudFormation.md
@@ -3,15 +3,16 @@ Turn on encryption for all block devices
 ```yaml
 Resources:
- GoodExample:
- Properties:
- BlockDeviceMappings:
- - DeviceName: root
- Ebs:
- Encrypted: true
- ImageId: ami-123456
- InstanceType: t2.small
- Type: AWS::AutoScaling::LaunchConfiguration
+ GoodExample:
+ Properties:
+ BlockDeviceMappings:
+ - DeviceName: root
+ Ebs:
+ Encrypted: true
+ ImageId: ami-123456
+ InstanceType: t2.small
+ Type: AWS::AutoScaling::LaunchConfiguration
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md
index 134ef41f..57b50b04 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0009/CloudFormation.md
@@ -3,11 +3,12 @@ Set the instance to not be publicly accessible
 ```yaml
 Resources:
- GoodExample:
- Properties:
- ImageId: ami-123456
- InstanceType: t2.small
- Type: AWS::AutoScaling::LaunchConfiguration
+ GoodExample:
+ Properties:
+ ImageId: ami-123456
+ InstanceType: t2.small
+ Type: AWS::AutoScaling::LaunchConfiguration
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md
index 1752423d..d06aeb82 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0026/CloudFormation.md
@@ -3,13 +3,14 @@ Enable encryption of EBS volumes
 ```yaml
 Resources:
- GoodExample:
- DeletionPolicy: Snapshot
- Properties:
- Encrypted: true
- KmsKeyId: alias/volumeEncrypt
- Size: 100
- Type: AWS::EC2::Volume
+ GoodExample:
+ DeletionPolicy: Snapshot
+ Properties:
+ Encrypted: true
+ KmsKeyId: alias/volumeEncrypt
+ Size: 100
+ Type: AWS::EC2::Volume
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md
index cd7aba56..3efbb9c8 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md
@@ -3,23 +3,25 @@ Enable encryption using customer managed keys
 ```yaml
 Resources:
- GoodExample:
- DeletionPolicy: Snapshot
- Properties:
- Encrypted: true
- KmsKeyId: alias/volumeEncrypt
- Size: 100
- Type: AWS::EC2::Volume
+ GoodExample:
+ DeletionPolicy: Snapshot
+ Properties:
+ Encrypted: true
+ KmsKeyId: alias/volumeEncrypt
+ Size: 100
+ Type: AWS::EC2::Volume
+
 ```
 ```yaml
 Resources:
- GoodExample:
- DeletionPolicy: Snapshot
- Properties:
- Encrypted: true
- KmsKeyId: MyStack:Key
- Size: 100
- Type: AWS::EC2::Volume
+ GoodExample:
+ DeletionPolicy: Snapshot
+ Properties:
+ Encrypted: true
+ KmsKeyId: MyStack:Key
+ Size: 100
+ Type: AWS::EC2::Volume
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md
index dcf37836..92eafbf2 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0029/CloudFormation.md
@@ -3,20 +3,21 @@ Remove sensitive data from the EC2 instance user-data
 ```yaml
 Resources:
- GoodExample:
- Properties:
- BlockDeviceMappings:
- - DeviceName: /dev/sdm
- Ebs:
- DeleteOnTermination: "false"
- Iops: "200"
- VolumeSize: "20"
- VolumeType: io1
- - DeviceName: /dev/sdk
- ImageId: ami-79fd7eee
- KeyName: testkey
- UserData: export SSM_PATH=/database/creds
- Type: AWS::EC2::Instance
+ GoodExample:
+ Properties:
+ BlockDeviceMappings:
+ - DeviceName: /dev/sdm
+ Ebs:
+ DeleteOnTermination: "false"
+ Iops: "200"
+ VolumeSize: "20"
+ VolumeType: io1
+ - DeviceName: /dev/sdk
+ ImageId: ami-79fd7eee
+ KeyName: testkey
+ UserData: export SSM_PATH=/database/creds
+ Type: AWS::EC2::Instance
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md
index 593aeb2f..8878cc43 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0099/CloudFormation.md
@@ -3,13 +3,14 @@ Add descriptions for all security groups
 ```yaml
 Resources:
- GoodSecurityGroup:
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupEgress:
- - CidrIp: 127.0.0.1/32
- IpProtocol: "-1"
- Type: AWS::EC2::SecurityGroup
+ GoodSecurityGroup:
+ Properties:
+ GroupDescription: Limits security group egress traffic
+ SecurityGroupEgress:
+ - CidrIp: 127.0.0.1/32
+ IpProtocol: "-1"
+ Type: AWS::EC2::SecurityGroup
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md
index b36f19e5..d29aa98e 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md
@@ -2,21 +2,22 @@ Set specific allowed ports
 ```yaml
-AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"
 Description: Good example of excessive ports
 Resources:
- NetworkACL:
- Properties:
- RuleAction: allow
- VpcId: something
- Type: AWS::EC2::NetworkAcl
- Rule:
- Properties:
- NetworkAclId: null
- Protocol: 6
- Ref: NetworkACL
- RuleAction: allow
- Type: AWS::EC2::NetworkAclEntry
+ NetworkACL:
+ Properties:
+ RuleAction: allow
+ VpcId: something
+ Type: AWS::EC2::NetworkAcl
+ Rule:
+ Properties:
+ NetworkAclId: null
+ Protocol: 6
+ Ref: NetworkACL
+ RuleAction: allow
+ Type: AWS::EC2::NetworkAclEntry
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md
index ee7948e3..997900a2 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0104/CloudFormation.md
@@ -2,16 +2,17 @@ Set a more restrictive cidr range
 ```yaml
-AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"
 Description: Good example of egress rule
 Resources:
- BadSecurityGroup:
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupEgress:
- - CidrIp: 127.0.0.1/32
- IpProtocol: "6"
- Type: AWS::EC2::SecurityGroup
+ BadSecurityGroup:
+ Properties:
+ GroupDescription: Limits security group egress traffic
+ SecurityGroupEgress:
+ - CidrIp: 127.0.0.1/32
+ IpProtocol: "6"
+ Type: AWS::EC2::SecurityGroup
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md
index 276090e8..f898de68 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md
@@ -2,21 +2,22 @@ Set a more restrictive CIDR range
 ```yaml
-AWSTemplateFormatVersion: 2010-09-09T00:00:00Z
+AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"
 Description: Godd example of excessive ports
 Resources:
- NetworkACL:
- Properties:
- VpcId: something
- Type: AWS::EC2::NetworkAcl
- Rule:
- Properties:
- CidrBlock: 10.0.0.0/8
- NetworkAclId:
- Ref: NetworkACL
- Protocol: 6
- RuleAction: allow
- Type: AWS::EC2::NetworkAclEntry
+ NetworkACL:
+ Properties:
+ VpcId: something
+ Type: AWS::EC2::NetworkAcl
+ Rule:
+ Properties:
+ CidrBlock: 10.0.0.0/8
+ NetworkAclId:
+ Ref: NetworkACL
+ Protocol: 6
+ RuleAction: allow
+ Type: AWS::EC2::NetworkAclEntry
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md
index b1b1e17b..8a3303d0 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md
@@ -3,13 +3,14 @@ Set a more restrictive CIDR range
 ```yaml
 Resources:
- GoodSecurityGroup:
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupIngress:
- - CidrIp: 127.0.0.1/32
- IpProtocol: "6"
- Type: AWS::EC2::SecurityGroup
+ GoodSecurityGroup:
+ Properties:
+ GroupDescription: Limits security group egress traffic
+ SecurityGroupIngress:
+ - CidrIp: 127.0.0.1/32
+ IpProtocol: "6"
+ Type: AWS::EC2::SecurityGroup
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md
index a1190584..496b01fa 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0124/CloudFormation.md
@@ -3,14 +3,15 @@ Add descriptions for all security groups rules
 ```yaml
 Resources:
- GoodSecurityGroup:
- Properties:
- GroupDescription: Limits security group egress traffic
- SecurityGroupEgress:
- - CidrIp: 127.0.0.1/32
- Description: Can connect to loopback
- IpProtocol: "-1"
- Type: AWS::EC2::SecurityGroup
+ GoodSecurityGroup:
+ Properties:
+ GroupDescription: Limits security group egress traffic
+ SecurityGroupEgress:
+ - CidrIp: 127.0.0.1/32
+ Description: Can connect to loopback
+ IpProtocol: "-1"
+ Type: AWS::EC2::SecurityGroup
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md
index 4c222656..e962c860 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0129/CloudFormation.md
@@ -3,31 +3,32 @@ Remove sensitive data from the EC2 instance user-data generated by launch templa
 ```yaml
 Resources:
- GoodExample:
- Properties:
- LaunchTemplateData:
- DisableApiTermination: true
- IamInstanceProfile:
- Arn:
- - MyIamInstanceProfile
- - Arn
- ImageId: ami-04d5cc9b88example
- InstanceType: t2.micro
- KeyName: MyKeyPair
- MetadataOptions:
- - HttpTokens: required
- SecurityGroupIds:
- - sg-083cd3bfb8example
- UserData: export SSM_PATH=/database/creds
- LaunchTemplateName: MyLaunchTemplate
- Type: AWS::EC2::LaunchTemplate
- InstanceProfile:
- Properties:
- InstanceProfileName: MyIamInstanceProfile
- Path: /
- Roles:
- - MyAdminRole
- Type: AWS::IAM::InstanceProfile
+ GoodExample:
+ Properties:
+ LaunchTemplateData:
+ DisableApiTermination: true
+ IamInstanceProfile:
+ Arn:
+ - MyIamInstanceProfile
+ - Arn
+ ImageId: ami-04d5cc9b88example
+ InstanceType: t2.micro
+ KeyName: MyKeyPair
+ MetadataOptions:
+ - HttpTokens: required
+ SecurityGroupIds:
+ - sg-083cd3bfb8example
+ UserData: export SSM_PATH=/database/creds
+ LaunchTemplateName: MyLaunchTemplate
+ Type: AWS::EC2::LaunchTemplate
+ InstanceProfile:
+ Properties:
+ InstanceProfileName: MyIamInstanceProfile
+ Path: /
+ Roles:
+ - MyAdminRole
+ Type: AWS::IAM::InstanceProfile
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md
index a090947d..36fa84f5 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0130/CloudFormation.md
@@ -3,12 +3,13 @@ Enable HTTP token requirement for IMDS
 ```yaml
 Resources:
- GoodExample:
- Properties:
- MetadataOptions:
- HttpEndpoint: enabled
- HttpTokens: required
- Type: AWS::AutoScaling::LaunchConfiguration
+ GoodExample:
+ Properties:
+ MetadataOptions:
+ HttpEndpoint: enabled
+ HttpTokens: required
+ Type: AWS::AutoScaling::LaunchConfiguration
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md
index e12835b1..cf7caf5c 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0131/CloudFormation.md
@@ -3,20 +3,21 @@ Turn on encryption for all block devices
 ```yaml
 Resources:
- GoodExample:
- Properties:
- BlockDeviceMappings:
- - DeviceName: /dev/sdm
- Ebs:
- DeleteOnTermination: "false"
- Encrypted: true
- Iops: "200"
- VolumeSize: "20"
- VolumeType: io1
- ImageId: ami-79fd7eee
- KeyName: testkey
- UserData: export SSM_PATH=/database/creds
- Type: AWS::EC2::Instance
+ GoodExample:
+ Properties:
+ BlockDeviceMappings:
+ - DeviceName: /dev/sdm
+ Ebs:
+ DeleteOnTermination: "false"
+ Encrypted: true
+ Iops: "200"
+ VolumeSize: "20"
+ VolumeType: io1
+ ImageId: ami-79fd7eee
+ KeyName: testkey
+ UserData: export SSM_PATH=/database/creds
+ Type: AWS::EC2::Instance
+
 ```
diff --git a/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md b/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md
index 544b0a02..e9182be1 100644
--- a/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md
+++ b/avd_docs/aws/ec2/AVD-AWS-0164/CloudFormation.md
@@ -3,10 +3,11 @@ Set the instance to not be publicly accessible
 ```yaml
 Resources:
- GoodExample:
- Properties:
- VpcId: vpc-123456
- Type: AWS::EC2::Subnet
+ GoodExample:
+ Properties:
+ VpcId: vpc-123456
+ Type: AWS::EC2::Subnet
+
 ```
diff --git a/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md b/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md
index 08c7be74..41d8f7f9 100644
--- a/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md
+++ b/avd_docs/aws/ecr/AVD-AWS-0030/CloudFormation.md
@@ -3,16 +3,17 @@ Enable ECR image scanning ```yaml Resources: - GoodExample: - Properties: - EncryptionConfiguration: - EncryptionType: KMS - KmsKey: alias/ecr-key - ImageScanningConfiguration: - ScanOnPush: true - ImageTagImmutability: IMMUTABLE - RepositoryName: test-repository - Type: AWS::ECR::Repository + GoodExample: + Properties: + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: alias/ecr-key + ImageScanningConfiguration: + ScanOnPush: true + ImageTagImmutability: IMMUTABLE + RepositoryName: test-repository + Type: AWS::ECR::Repository + ``` diff --git a/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md b/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md index ad865293..bc06d867 100644 --- a/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md +++ b/avd_docs/aws/ecr/AVD-AWS-0031/CloudFormation.md @@ -3,16 +3,17 @@ Only use immutable images in ECR ```yaml Resources: - GoodExample: - Properties: - EncryptionConfiguration: - EncryptionType: KMS - KmsKey: alias/ecr-key - ImageScanningConfiguration: - ScanOnPush: false - ImageTagMutability: IMMUTABLE - RepositoryName: test-repository - Type: AWS::ECR::Repository + GoodExample: + Properties: + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: alias/ecr-key + ImageScanningConfiguration: + ScanOnPush: false + ImageTagMutability: IMMUTABLE + RepositoryName: test-repository + Type: AWS::ECR::Repository + ``` diff --git a/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md b/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md index d2e45504..2af8d393 100644 --- a/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md +++ b/avd_docs/aws/ecr/AVD-AWS-0032/CloudFormation.md 
@@ -3,32 +3,33 @@ Do not allow public access in the policy ```yaml Resources: - GoodExample: - Properties: - EncryptionConfiguration: - EncryptionType: KMS - KmsKey: alias/ecr-key - ImageScanningConfiguration: - ScanOnPush: false - ImageTagImmutability: IMMUTABLE - RepositoryName: test-repository - RepositoryPolicyText: - Statement: - - Action: - - ecr:GetDownloadUrlForLayer - - ecr:BatchGetImage - - ecr:BatchCheckLayerAvailability - - ecr:PutImage - - ecr:InitiateLayerUpload - - ecr:UploadLayerPart - - ecr:CompleteLayerUpload - Effect: Allow - Principal: - AWS: - - arn:aws:iam::123456789012:user/Alice - Sid: AllowPushPull - Version: "2012-10-17" - Type: AWS::ECR::Repository + GoodExample: + Properties: + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: alias/ecr-key + ImageScanningConfiguration: + ScanOnPush: false + ImageTagImmutability: IMMUTABLE + RepositoryName: test-repository + RepositoryPolicyText: + Statement: + - Action: + - ecr:GetDownloadUrlForLayer + - ecr:BatchGetImage + - ecr:BatchCheckLayerAvailability + - ecr:PutImage + - ecr:InitiateLayerUpload + - ecr:UploadLayerPart + - ecr:CompleteLayerUpload + Effect: Allow + Principal: + AWS: + - arn:aws:iam::123456789012:user/Alice + Sid: AllowPushPull + Version: "2012-10-17" + Type: AWS::ECR::Repository + ``` diff --git a/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md b/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md index 21189dd8..81459d3a 100644 --- a/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md +++ b/avd_docs/aws/ecr/AVD-AWS-0033/CloudFormation.md 
@@ -3,16 +3,17 @@ Use customer managed keys ```yaml Resources: - GoodExample: - Properties: - EncryptionConfiguration: - EncryptionType: KMS - KmsKey: alias/ecr-key - ImageScanningConfiguration: - ScanOnPush: false - ImageTagImmutability: IMMUTABLE - RepositoryName: test-repository - Type: AWS::ECR::Repository + GoodExample: + Properties: + EncryptionConfiguration: + EncryptionType: KMS + KmsKey: alias/ecr-key + ImageScanningConfiguration: + ScanOnPush: false + ImageTagImmutability: IMMUTABLE + RepositoryName: test-repository + Type: AWS::ECR::Repository + ``` diff --git a/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md b/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md index b09fcd4f..a9d645bb 100644 --- a/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md +++ b/avd_docs/aws/ecs/AVD-AWS-0034/CloudFormation.md @@ -3,13 +3,14 @@ Enable Container Insights ```yaml Resources: - GoodExample: - Properties: - ClusterName: MyCluster - ClusterSettings: - - Name: containerInsights - Value: enabled - Type: AWS::ECS::Cluster + GoodExample: + Properties: + ClusterName: MyCluster + ClusterSettings: + - Name: containerInsights + Value: enabled + Type: AWS::ECS::Cluster + ``` diff --git a/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md b/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md index 9eddbb42..634914ef 100644 --- a/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md +++ b/avd_docs/aws/ecs/AVD-AWS-0035/CloudFormation.md 
@@ -3,40 +3,41 @@ Enable in transit encryption when using efs ```yaml Resources: - GoodExample: - Properties: - ClusterName: MyCluster - ClusterSettings: - - Name: containerInsights - Value: enabled - Type: AWS::ECS::Cluster - GoodTask: - Properties: - ContainerDefinitions: - - Image: cfsec/cfsec:latest - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: cfsec-logs - awslogs-region: AWS::Region - awslogs-stream-prefix: cfsec - MountPoints: - - ContainerPath: /src - SourceVolume: src - Name: cfsec - Cpu: 512 - Family: CFSec scan - Memory: 1024 - NetworkMode: awsvpc - RequiresCompatibilities: - - FARGATE - - EC2 - Volumes: - - EFSVolumeConfiguration: - FilesystemId: fs1 - TransitEncryption: ENABLED - Name: jenkins-home - Type: AWS::ECS::TaskDefinition + GoodExample: + Properties: + ClusterName: MyCluster + ClusterSettings: + - Name: containerInsights + Value: enabled + Type: AWS::ECS::Cluster + GoodTask: + Properties: + ContainerDefinitions: + - Image: cfsec/cfsec:latest + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: cfsec-logs + awslogs-region: AWS::Region + awslogs-stream-prefix: cfsec + MountPoints: + - ContainerPath: /src + SourceVolume: src + Name: cfsec + Cpu: 512 + Family: CFSec scan + Memory: 1024 + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + - EC2 + Volumes: + - EFSVolumeConfiguration: + FilesystemId: fs1 + TransitEncryption: ENABLED + Name: jenkins-home + Type: AWS::ECS::TaskDefinition + ``` diff --git a/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md b/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md index d4582067..b9456686 100644 --- a/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md +++ b/avd_docs/aws/ecs/AVD-AWS-0036/CloudFormation.md 
@@ -3,40 +3,41 @@ Use secrets for the task definition ```yaml Resources: - GoodExample: - Properties: - ClusterName: MyCluster - ClusterSettings: - - Name: containerInsights - Value: enabled - Type: AWS::ECS::Cluster - GoodTask: - Properties: - ContainerDefinitions: - - Image: cfsec/cfsec:latest - LogConfiguration: - LogDriver: awslogs - Options: - awslogs-group: cfsec-logs - awslogs-region: AWS::Region - awslogs-stream-prefix: cfsec - MountPoints: - - ContainerPath: /src - SourceVolume: src - Name: cfsec - Cpu: 512 - Family: CFSec scan - Memory: 1024 - NetworkMode: awsvpc - RequiresCompatibilities: - - FARGATE - - EC2 - Volumes: - - EFSVolumeConfiguration: - FilesystemId: fs1 - TransitEncryption: ENABLED - Name: jenkins-home - Type: AWS::ECS::TaskDefinition + GoodExample: + Properties: + ClusterName: MyCluster + ClusterSettings: + - Name: containerInsights + Value: enabled + Type: AWS::ECS::Cluster + GoodTask: + Properties: + ContainerDefinitions: + - Image: cfsec/cfsec:latest + LogConfiguration: + LogDriver: awslogs + Options: + awslogs-group: cfsec-logs + awslogs-region: AWS::Region + awslogs-stream-prefix: cfsec + MountPoints: + - ContainerPath: /src + SourceVolume: src + Name: cfsec + Cpu: 512 + Family: CFSec scan + Memory: 1024 + NetworkMode: awsvpc + RequiresCompatibilities: + - FARGATE + - EC2 + Volumes: + - EFSVolumeConfiguration: + FilesystemId: fs1 + TransitEncryption: ENABLED + Name: jenkins-home + Type: AWS::ECS::TaskDefinition + ``` diff --git a/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md b/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md index 4f43e2f8..d4fd2f69 100644 --- a/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md +++ b/avd_docs/aws/efs/AVD-AWS-0037/CloudFormation.md 
@@ -3,16 +3,17 @@ Enable encryption for EFS ```yaml Resources: - GoodExample: - Properties: - BackupPolicy: - Status: ENABLED - Encrypted: true - LifecyclePolicies: - - TransitionToIA: AFTER_60_DAYS - PerformanceMode: generalPurpose - ThroughputMode: bursting - Type: AWS::EFS::FileSystem + GoodExample: + Properties: + BackupPolicy: + Status: ENABLED + Encrypted: true + LifecyclePolicies: + - TransitionToIA: AFTER_60_DAYS + PerformanceMode: generalPurpose + ThroughputMode: bursting + Type: AWS::EFS::FileSystem + ``` diff --git a/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md b/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md index 3e2666dd..37382ef3 100644 --- a/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md +++ b/avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md @@ -3,23 +3,24 @@ Enable encryption of EKS secrets ```yaml Resources: - GoodExample: - Properties: - EncryptionConfig: - Provider: - KeyArn: alias/eks-kms - Resources: - - secrets - Name: goodExample - ResourcesVpcConfig: - SecurityGroupIds: - - sg-6979fe18 - SubnetIds: - - subnet-6782e71e - - subnet-e7e761ac - RoleArn: arn:aws:iam::012345678910:role/eks-service-role-good-example - Version: "1.14" - Type: AWS::EKS::Cluster + GoodExample: + Properties: + EncryptionConfig: + Provider: + KeyArn: alias/eks-kms + Resources: + - secrets + Name: goodExample + ResourcesVpcConfig: + SecurityGroupIds: + - sg-6979fe18 + SubnetIds: + - subnet-6782e71e + - subnet-e7e761ac + RoleArn: arn:aws:iam::012345678910:role/eks-service-role-good-example + Version: "1.14" + Type: AWS::EKS::Cluster + ``` diff --git a/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md b/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md index 9c8ec433..57310928 100644 --- a/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md +++ b/avd_docs/aws/elasticache/AVD-AWS-0049/CloudFormation.md 
@@ -3,20 +3,21 @@ Add descriptions for all security groups and rules ```yaml Resources: - GoodExampleCacheGroup: - Properties: - Description: Some description - Type: AWS::ElastiCache::SecurityGroup - GoodExampleEc2SecurityGroup: - Properties: - GroupDescription: Good Elasticache Security Group - GroupName: GoodExample - Type: AWS::EC2::SecurityGroup - GoodSecurityGroupIngress: - Properties: - CacheSecurityGroupName: GoodExampleCacheGroup - EC2SecurityGroupName: GoodExampleEc2SecurityGroup - Type: AWS::ElastiCache::SecurityGroupIngress + GoodExampleCacheGroup: + Properties: + Description: Some description + Type: AWS::ElastiCache::SecurityGroup + GoodExampleEc2SecurityGroup: + Properties: + GroupDescription: Good Elasticache Security Group + GroupName: GoodExample + Type: AWS::EC2::SecurityGroup + GoodSecurityGroupIngress: + Properties: + CacheSecurityGroupName: GoodExampleCacheGroup + EC2SecurityGroupName: GoodExampleEc2SecurityGroup + Type: AWS::ElastiCache::SecurityGroupIngress + ``` diff --git a/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md b/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md index 67cbdde5..491f7383 100644 --- a/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md +++ b/avd_docs/aws/elasticache/AVD-AWS-0050/CloudFormation.md @@ -3,18 +3,19 @@ Configure snapshot retention for redis cluster ```yaml Resources: - GoodExample: - Properties: - AZMode: cross-az - CacheNodeType: cache.m3.medium - Engine: redis - NumCacheNodes: "3" - PreferredAvailabilityZones: - - us-west-2a - - us-west-2a - - us-west-2b - SnapshotRetentionLimit: 7 - Type: AWS::ElastiCache::CacheCluster + GoodExample: + Properties: + AZMode: cross-az + CacheNodeType: cache.m3.medium + Engine: redis + NumCacheNodes: "3" + PreferredAvailabilityZones: + - us-west-2a + - us-west-2a + - us-west-2b + SnapshotRetentionLimit: 7 + Type: AWS::ElastiCache::CacheCluster + ``` 
diff --git a/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md b/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md index 8ab62ce3..8bffd518 100644 --- a/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md +++ b/avd_docs/aws/elasticache/AVD-AWS-0051/CloudFormation.md @@ -3,24 +3,25 @@ Enable in transit encryption for replication group ```yaml Resources: - GoodExample: - Properties: - AutomaticFailoverEnabled: true - CacheNodeType: cache.r3.large - CacheSubnetGroupName: CacheSubnetGroup - Engine: redis - EngineVersion: "3.2" - NumNodeGroups: "2" - Port: 6379 - PreferredMaintenanceWindow: sun:05:00-sun:09:00 - ReplicasPerNodeGroup: "3" - ReplicationGroupDescription: A sample replication group - SecurityGroupIds: - - ReplicationGroupSG - SnapshotRetentionLimit: 5 - SnapshotWindow: 10:00-12:00 - TransitEncryptionEnabled: true - Type: AWS::ElastiCache::ReplicationGroup + GoodExample: + Properties: + AutomaticFailoverEnabled: true + CacheNodeType: cache.r3.large + CacheSubnetGroupName: CacheSubnetGroup + Engine: redis + EngineVersion: "3.2" + NumNodeGroups: "2" + Port: 6379 + PreferredMaintenanceWindow: sun:05:00-sun:09:00 + ReplicasPerNodeGroup: "3" + ReplicationGroupDescription: A sample replication group + SecurityGroupIds: + - ReplicationGroupSG + SnapshotRetentionLimit: 5 + SnapshotWindow: 10:00-12:00 + TransitEncryptionEnabled: true + Type: AWS::ElastiCache::ReplicationGroup + ``` diff --git a/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md b/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md index 3fb75f0c..f0376c57 100644 --- a/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md +++ b/avd_docs/aws/elasticsearch/AVD-AWS-0042/CloudFormation.md 
@@ -3,29 +3,30 @@ Enable logging for ElasticSearch domains ```yaml Resources: - GoodExample: - Properties: - DomainName: test - EBSOptions: - EBSEnabled: true - Iops: "0" - VolumeSize: "20" - VolumeType: gp2 - ElasticsearchClusterConfig: - DedicatedMasterCount: "3" - DedicatedMasterEnabled: true - DedicatedMasterType: m3.medium.elasticsearch - InstanceCount: "2" - InstanceType: m3.medium.elasticsearch - ZoneAwarenessEnabled: true - ElasticsearchVersion: "7.10" - EncryptionAtRestOptions: - Enabled: true - KmsKeyId: alias/kmskey - LogPublishingOptions: - AUDIT_LOGS: - Enabled: true - Type: AWS::Elasticsearch::Domain + GoodExample: + Properties: + DomainName: test + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: gp2 + ElasticsearchClusterConfig: + DedicatedMasterCount: "3" + DedicatedMasterEnabled: true + DedicatedMasterType: m3.medium.elasticsearch + InstanceCount: "2" + InstanceType: m3.medium.elasticsearch + ZoneAwarenessEnabled: true + ElasticsearchVersion: "7.10" + EncryptionAtRestOptions: + Enabled: true + KmsKeyId: alias/kmskey + LogPublishingOptions: + AUDIT_LOGS: + Enabled: true + Type: AWS::Elasticsearch::Domain + ``` diff --git a/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md b/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md index 67edca1c..d66ca007 100644 --- a/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md +++ b/avd_docs/aws/elasticsearch/AVD-AWS-0043/CloudFormation.md 
@@ -3,28 +3,29 @@ Enable encrypted node to node communication ```yaml Resources: - GoodExample: - Properties: - DomainName: test - EBSOptions: - EBSEnabled: true - Iops: "0" - VolumeSize: "20" - VolumeType: gp2 - ElasticsearchClusterConfig: - DedicatedMasterCount: "3" - DedicatedMasterEnabled: true - DedicatedMasterType: m3.medium.elasticsearch - InstanceCount: "2" - InstanceType: m3.medium.elasticsearch - ZoneAwarenessEnabled: true - ElasticsearchVersion: "7.10" - EncryptionAtRestOptions: - Enabled: true - KmsKeyId: alias/kmskey - NodeToNodeEncryptionOptions: - Enabled: true - Type: AWS::Elasticsearch::Domain + GoodExample: + Properties: + DomainName: test + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: gp2 + ElasticsearchClusterConfig: + DedicatedMasterCount: "3" + DedicatedMasterEnabled: true + DedicatedMasterType: m3.medium.elasticsearch + InstanceCount: "2" + InstanceType: m3.medium.elasticsearch + ZoneAwarenessEnabled: true + ElasticsearchVersion: "7.10" + EncryptionAtRestOptions: + Enabled: true + KmsKeyId: alias/kmskey + NodeToNodeEncryptionOptions: + Enabled: true + Type: AWS::Elasticsearch::Domain + ``` diff --git a/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md b/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md index acde08bd..5176bb95 100644 --- a/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md +++ b/avd_docs/aws/elasticsearch/AVD-AWS-0046/CloudFormation.md 
@@ -3,28 +3,29 @@ Enforce the use of HTTPS for ElasticSearch ```yaml Resources: - GoodExample: - Properties: - DomainEndpointOptions: - EnforceHTTPS: true - DomainName: test - EBSOptions: - EBSEnabled: true - Iops: "0" - VolumeSize: "20" - VolumeType: gp2 - ElasticsearchClusterConfig: - DedicatedMasterCount: "3" - DedicatedMasterEnabled: true - DedicatedMasterType: m3.medium.elasticsearch - InstanceCount: "2" - InstanceType: m3.medium.elasticsearch - ZoneAwarenessEnabled: true - ElasticsearchVersion: "7.10" - EncryptionAtRestOptions: - Enabled: true - KmsKeyId: alias/kmskey - Type: AWS::Elasticsearch::Domain + GoodExample: + Properties: + DomainEndpointOptions: + EnforceHTTPS: true + DomainName: test + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: gp2 + ElasticsearchClusterConfig: + DedicatedMasterCount: "3" + DedicatedMasterEnabled: true + DedicatedMasterType: m3.medium.elasticsearch + InstanceCount: "2" + InstanceType: m3.medium.elasticsearch + ZoneAwarenessEnabled: true + ElasticsearchVersion: "7.10" + EncryptionAtRestOptions: + Enabled: true + KmsKeyId: alias/kmskey + Type: AWS::Elasticsearch::Domain + ``` diff --git a/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md b/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md index 9c84c6e6..463b257d 100644 --- a/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md +++ b/avd_docs/aws/elasticsearch/AVD-AWS-0048/CloudFormation.md 
@@ -3,26 +3,27 @@ Enable ElasticSearch domain encryption ```yaml Resources: - GoodExample: - Properties: - DomainName: test - EBSOptions: - EBSEnabled: true - Iops: "0" - VolumeSize: "20" - VolumeType: gp2 - ElasticsearchClusterConfig: - DedicatedMasterCount: "3" - DedicatedMasterEnabled: true - DedicatedMasterType: m3.medium.elasticsearch - InstanceCount: "2" - InstanceType: m3.medium.elasticsearch - ZoneAwarenessEnabled: true - ElasticsearchVersion: "7.10" - EncryptionAtRestOptions: - Enabled: true - KmsKeyId: alias/kmskey - Type: AWS::Elasticsearch::Domain + GoodExample: + Properties: + DomainName: test + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: gp2 + ElasticsearchClusterConfig: + DedicatedMasterCount: "3" + DedicatedMasterEnabled: true + DedicatedMasterType: m3.medium.elasticsearch + InstanceCount: "2" + InstanceType: m3.medium.elasticsearch + ZoneAwarenessEnabled: true + ElasticsearchVersion: "7.10" + EncryptionAtRestOptions: + Enabled: true + KmsKeyId: alias/kmskey + Type: AWS::Elasticsearch::Domain + ``` diff --git a/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md b/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md index 52be5833..8be7ec8c 100644 --- a/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md +++ b/avd_docs/aws/elasticsearch/AVD-AWS-0126/CloudFormation.md 
@@ -3,28 +3,29 @@ Use the most modern TLS/SSL policies available ```yaml Resources: - GoodExample: - Properties: - DomainEndpointOptions: - TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07 - DomainName: test - EBSOptions: - EBSEnabled: true - Iops: "0" - VolumeSize: "20" - VolumeType: gp2 - ElasticsearchClusterConfig: - DedicatedMasterCount: "3" - DedicatedMasterEnabled: true - DedicatedMasterType: m3.medium.elasticsearch - InstanceCount: "2" - InstanceType: m3.medium.elasticsearch - ZoneAwarenessEnabled: true - ElasticsearchVersion: "7.10" - EncryptionAtRestOptions: - Enabled: true - KmsKeyId: alias/kmskey - Type: AWS::Elasticsearch::Domain + GoodExample: + Properties: + DomainEndpointOptions: + TLSSecurityPolicy: Policy-Min-TLS-1-2-2019-07 + DomainName: test + EBSOptions: + EBSEnabled: true + Iops: "0" + VolumeSize: "20" + VolumeType: gp2 + ElasticsearchClusterConfig: + DedicatedMasterCount: "3" + DedicatedMasterEnabled: true + DedicatedMasterType: m3.medium.elasticsearch + InstanceCount: "2" + InstanceType: m3.medium.elasticsearch + ZoneAwarenessEnabled: true + ElasticsearchVersion: "7.10" + EncryptionAtRestOptions: + Enabled: true + KmsKeyId: alias/kmskey + Type: AWS::Elasticsearch::Domain + ``` diff --git a/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md b/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md index 71b4111a..4f03a6cb 100644 --- a/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md +++ b/avd_docs/aws/kinesis/AVD-AWS-0064/CloudFormation.md 
@@ -3,18 +3,19 @@ Enable in transit encryption ```yaml Resources: - GoodExample: - Properties: - Name: GoodExample - RetentionPeriodHours: 168 - ShardCount: 3 - StreamEncryption: - EncryptionType: KMS - KeyId: alis/key - Tags: - - Key: Environment - Value: Production - Type: AWS::Kinesis::Stream + GoodExample: + Properties: + Name: GoodExample + RetentionPeriodHours: 168 + ShardCount: 3 + StreamEncryption: + EncryptionType: KMS + KeyId: alis/key + Tags: + - Key: Environment + Value: Production + Type: AWS::Kinesis::Stream + ``` diff --git a/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md b/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md index 13b82276..7ff99663 100644 --- a/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md +++ b/avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md @@ -3,24 +3,25 @@ Enable tracing ```yaml Resources: - GoodExample: - Properties: - Code: - S3Bucket: my-bucket - S3Key: function.zip - Handler: index.handler - Role: arn:aws:iam::123456789012:role/lambda-role - Runtime: nodejs12.x - Timeout: 5 - TracingConfig: - Mode: Active - VpcConfig: - SecurityGroupIds: - - sg-085912345678492fb - SubnetIds: - - subnet-071f712345678e7c8 - - subnet-07fd123456788a036 - Type: AWS::Lambda::Function + GoodExample: + Properties: + Code: + S3Bucket: my-bucket + S3Key: function.zip + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + Type: AWS::Lambda::Function + ``` diff --git a/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md b/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md index f8805864..5105b544 100644 --- a/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md +++ b/avd_docs/aws/lambda/AVD-AWS-0067/CloudFormation.md 
@@ -3,31 +3,32 @@ Always provide a source arn for Lambda permissions ```yaml Resources: - GoodExample: - Properties: - Code: - S3Bucket: my-bucket - S3Key: function.zip - Handler: index.handler - Role: arn:aws:iam::123456789012:role/lambda-role - Runtime: nodejs12.x - Timeout: 5 - TracingConfig: - Mode: Active - VpcConfig: - SecurityGroupIds: - - sg-085912345678492fb - SubnetIds: - - subnet-071f712345678e7c8 - - subnet-07fd123456788a036 - Type: AWS::Lambda::Function - GoodPermission: - Properties: - Action: lambda:InvokeFunction - FunctionName: BadExample - Principal: s3.amazonaws.com - SourceArn: lambda.amazonaws.com - Type: AWS::Lambda::Permission + GoodExample: + Properties: + Code: + S3Bucket: my-bucket + S3Key: function.zip + Handler: index.handler + Role: arn:aws:iam::123456789012:role/lambda-role + Runtime: nodejs12.x + Timeout: 5 + TracingConfig: + Mode: Active + VpcConfig: + SecurityGroupIds: + - sg-085912345678492fb + SubnetIds: + - subnet-071f712345678e7c8 + - subnet-07fd123456788a036 + Type: AWS::Lambda::Function + GoodPermission: + Properties: + Action: lambda:InvokeFunction + FunctionName: BadExample + Principal: s3.amazonaws.com + SourceArn: lambda.amazonaws.com + Type: AWS::Lambda::Permission + ``` diff --git a/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md b/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md index 3a20ae67..7912c88b 100644 --- a/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md +++ b/avd_docs/aws/mq/AVD-AWS-0070/CloudFormation.md @@ -3,11 +3,12 @@ Enable audit logging ```yaml Resources: - GoodBroker: - Properties: - Logs: - Audit: true - Type: AWS::AmazonMQ::Broker + GoodBroker: + Properties: + Logs: + Audit: true + Type: AWS::AmazonMQ::Broker + ``` diff --git a/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md b/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md index 2a0870b9..ade3cc8c 100644 --- a/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md +++ b/avd_docs/aws/mq/AVD-AWS-0071/CloudFormation.md 
@@ -3,11 +3,12 @@ Enable general logging ```yaml Resources: - GoodBroker: - Properties: - Logs: - General: true - Type: AWS::AmazonMQ::Broker + GoodBroker: + Properties: + Logs: + General: true + Type: AWS::AmazonMQ::Broker + ``` diff --git a/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md b/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md index dc7afbfb..0982acdc 100644 --- a/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md +++ b/avd_docs/aws/mq/AVD-AWS-0072/CloudFormation.md @@ -3,10 +3,11 @@ Disable public access when not required ```yaml Resources: - GoodBroker: - Properties: - PubliclyAccessible: false - Type: AWS::AmazonMQ::Broker + GoodBroker: + Properties: + PubliclyAccessible: false + Type: AWS::AmazonMQ::Broker + ``` diff --git a/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md b/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md index 7abbf5a1..c3331023 100644 --- a/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md +++ b/avd_docs/aws/msk/AVD-AWS-0073/CloudFormation.md @@ -3,12 +3,13 @@ Enable in transit encryption ```yaml Resources: - GoodCluster: - Properties: - EncryptionInfo: - EncryptionInTransit: - ClientBroker: TLS - Type: AWS::MSK::Cluster + GoodCluster: + Properties: + EncryptionInfo: + EncryptionInTransit: + ClientBroker: TLS + Type: AWS::MSK::Cluster + ``` diff --git a/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md b/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md index 2a623f99..0b65b87a 100644 --- a/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md +++ b/avd_docs/aws/msk/AVD-AWS-0074/CloudFormation.md @@ -3,13 +3,14 @@ Enable logging ```yaml Resources: - GoodCluster: - Properties: - LoggingInfo: - BrokerLogs: - S3: - Enabled: true - Type: AWS::MSK::Cluster + GoodCluster: + Properties: + LoggingInfo: + BrokerLogs: + S3: + Enabled: true + Type: AWS::MSK::Cluster + ``` diff --git a/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md b/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md index 120a835a..628f82c9 100644 
--- a/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md +++ b/avd_docs/aws/msk/AVD-AWS-0179/CloudFormation.md @@ -3,12 +3,13 @@ Enable at rest encryption ```yaml Resources: - GoodCluster: - Properties: - EncryptionInfo: - EncryptionAtRest: - DataVolumeKMSKeyId: foo-bar-key - Type: AWS::MSK::Cluster + GoodCluster: + Properties: + EncryptionInfo: + EncryptionAtRest: + DataVolumeKMSKeyId: foo-bar-key + Type: AWS::MSK::Cluster + ``` diff --git a/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md b/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md index 8231fc0c..98a32d27 100644 --- a/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md +++ b/avd_docs/aws/neptune/AVD-AWS-0075/CloudFormation.md @@ -3,11 +3,12 @@ Enable export logs ```yaml Resources: - GoodCluster: - Properties: - EnableCloudwatchLogsExports: - - audit - Type: AWS::Neptune::DBCluster + GoodCluster: + Properties: + EnableCloudwatchLogsExports: + - audit + Type: AWS::Neptune::DBCluster + ``` diff --git a/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md b/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md index e64b5c3f..11232269 100644 --- a/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md +++ b/avd_docs/aws/neptune/AVD-AWS-0076/CloudFormation.md @@ -3,11 +3,12 @@ Enable encryption of Neptune storage ```yaml Resources: - GoodCluster: - Properties: - KmsKeyId: something - StorageEncrypted: true - Type: AWS::Neptune::DBCluster + GoodCluster: + Properties: + KmsKeyId: something + StorageEncrypted: true + Type: AWS::Neptune::DBCluster + ``` diff --git a/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md b/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md index 64078942..c9a1bde8 100644 --- a/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md +++ b/avd_docs/aws/neptune/AVD-AWS-0128/CloudFormation.md 
@@ -3,11 +3,12 @@ Enable encryption using customer managed keys ```yaml Resources: - GoodCluster: - Properties: - KmsKeyId: something - StorageEncrypted: true - Type: AWS::Neptune::DBCluster + GoodCluster: + Properties: + KmsKeyId: something + StorageEncrypted: true + Type: AWS::Neptune::DBCluster + ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md index 31841835..4e137717 100644 --- a/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0077/CloudFormation.md @@ -3,10 +3,11 @@ Explicitly set the retention period to greater than the default ```yaml Resources: - GoodExample: - Properties: - BackupRetentionPeriod: 30 - Type: AWS::RDS::DBInstance + GoodExample: + Properties: + BackupRetentionPeriod: 30 + Type: AWS::RDS::DBInstance + ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md index 0381fe76..01193d9c 100644 --- a/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0078/CloudFormation.md @@ -3,11 +3,12 @@ Use Customer Managed Keys to encrypt Performance Insights data ```yaml Resources: - GoodExample: - Properties: - EnablePerformanceInsights: true - PerformanceInsightsKMSKeyId: something - Type: AWS::RDS::DBInstance + GoodExample: + Properties: + EnablePerformanceInsights: true + PerformanceInsightsKMSKeyId: something + Type: AWS::RDS::DBInstance + ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md index a3dd6143..531485ef 100644 --- a/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0079/CloudFormation.md @@ -3,11 +3,12 @@ Enable encryption for RDS clusters ```yaml Resources: - GoodExample: - Properties: - KmsKeyId: something - StorageEncrypted: true - Type: AWS::RDS::DBCluster + GoodExample: + Properties: + KmsKeyId: something + StorageEncrypted: true + Type: AWS::RDS::DBCluster + ``` 
diff --git a/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md index 2b7c2ecd..e46c6d4f 100644 --- a/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0080/CloudFormation.md @@ -3,11 +3,12 @@ Enable encryption for RDS instances ```yaml Resources: - GoodExample: - Properties: - KmsKeyId: something - StorageEncrypted: true - Type: AWS::RDS::DBInstance + GoodExample: + Properties: + KmsKeyId: something + StorageEncrypted: true + Type: AWS::RDS::DBInstance + ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md index ab9af8f2..5b17f9f0 100644 --- a/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0133/CloudFormation.md @@ -3,11 +3,12 @@ Enable performance insights ```yaml Resources: - GoodExample: - Properties: - EnablePerformanceInsights: true - PerformanceInsightsKMSKeyId: something - Type: AWS::RDS::DBInstance + GoodExample: + Properties: + EnablePerformanceInsights: true + PerformanceInsightsKMSKeyId: something + Type: AWS::RDS::DBInstance + ``` diff --git a/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md b/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md index 5cfb20fd..a049f8fa 100644 --- a/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md +++ b/avd_docs/aws/rds/AVD-AWS-0180/CloudFormation.md @@ -2,12 +2,12 @@ Remove the public endpoint from the RDS instance. ```yaml ---- Resources: GoodExample: - Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: false + Type: AWS::RDS::DBInstance + ``` diff --git a/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md index 59530c47..c95bfe86 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0083/CloudFormation.md 
@@ -3,10 +3,11 @@ Add descriptions for all security groups and rules ```yaml Resources: - GoodExample: - Properties: - Description: Disallow bad stuff - Type: AWS::Redshift::ClusterSecurityGroup + GoodExample: + Properties: + Description: Disallow bad stuff + Type: AWS::Redshift::ClusterSecurityGroup + ``` diff --git a/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md index 7ae0d637..33fc9ee6 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0084/CloudFormation.md @@ -3,11 +3,12 @@ Enable encryption using CMK ```yaml Resources: - GoodExample: - Properties: - Encrypted: true - KmsKeyId: something - Type: AWS::Redshift::Cluster + GoodExample: + Properties: + Encrypted: true + KmsKeyId: something + Type: AWS::Redshift::Cluster + ``` diff --git a/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md index 62826eeb..b76e8bde 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md @@ -2,9 +2,10 @@ Switch to VPC resources ```yaml -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" Description: Good example of redshift sgr Resources: null + ``` diff --git a/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md b/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md index eeab6614..a111a20e 100644 --- a/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md +++ b/avd_docs/aws/redshift/AVD-AWS-0127/CloudFormation.md @@ -3,10 +3,11 @@ Deploy Redshift cluster into a non default VPC ```yaml Resources: - GoodCluster: - Properties: - ClusterSubnetGroupName: my-subnet-group - Type: AWS::Redshift::Cluster + GoodCluster: + Properties: + ClusterSubnetGroupName: my-subnet-group + Type: AWS::Redshift::Cluster + ``` 
diff --git a/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md index c6d1f5b8..92a526eb 100644 --- a/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0086/CloudFormation.md @@ -3,14 +3,15 @@ Enable blocking any PUT calls with a public ACL specified ```yaml Resources: - GoodExample: - Properties: - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - Type: AWS::S3::Bucket + GoodExample: + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md index 47e9679a..dee77158 100644 --- a/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0087/CloudFormation.md @@ -3,14 +3,15 @@ Prevent policies that allow public access being PUT ```yaml Resources: - GoodExample: - Properties: - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - Type: AWS::S3::Bucket + GoodExample: + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md index 2e6d55c8..56c5f8c6 100644 --- a/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0088/CloudFormation.md 
@@ -3,14 +3,15 @@ Configure bucket encryption ```yaml Resources: - GoodExample: - Properties: - BucketEncryption: - ServerSideEncryptionConfiguration: - - BucketKeyEnabled: true - ServerSideEncryptionByDefault: - SSEAlgorithm: AES256 - Type: AWS::S3::Bucket + GoodExample: + Properties: + BucketEncryption: + ServerSideEncryptionConfiguration: + - BucketKeyEnabled: true + ServerSideEncryptionByDefault: + SSEAlgorithm: AES256 + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md index 575cedfb..b7b2ed9e 100644 --- a/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md @@ -2,31 +2,34 @@ Add a logging block to the resource to enable access logging ```yaml ---- Resources: GoodExample: - Type: AWS::S3::Bucket Properties: LoggingConfiguration: DestinationBucketName: logging-bucket LogFilePrefix: accesslogs/ + Type: AWS::S3::Bucket + ``` ```yaml ---- Resources: GoodExample: - Type: AWS::S3::Bucket Properties: - BucketName: !Sub my-s3-bucket-${BucketSuffix} - LoggingConfiguration: - DestinationBucketName: !FindInMap [EnvironmentMapping, s3, logging] - LogFilePrefix: !Sub s3-logs/AWSLogs/${AWS::AccountId}/my-s3-bucket-${BucketSuffix} AccessControl: Private + BucketName: my-s3-bucket-${BucketSuffix} + LoggingConfiguration: + DestinationBucketName: + - EnvironmentMapping + - s3 + - logging + LogFilePrefix: s3-logs/AWSLogs/${AWS::AccountId}/my-s3-bucket-${BucketSuffix} PublicAccessBlockConfiguration: BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md index 63200a68..a1f39ade 100644 --- a/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0090/CloudFormation.md 
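Review bot: The rewritten second example in AVD-AWS-0089/CloudFormation.md loses its CloudFormation intrinsic-function tags: `BucketName: !Sub my-s3-bucket-${BucketSuffix}` became the literal `BucketName: my-s3-bucket-${BucketSuffix}` and `DestinationBucketName: !FindInMap [EnvironmentMapping, s3, logging]` became a plain three-item list, so the snippet is no longer a template CloudFormation would accept and no longer shows the log destination being resolved from a mapping. These pages appear to be regenerated from the check's example YAML, which is not visible here, so the fix belongs in that source and in the formatter (presumably the new `fmt-examples` tool) rather than in this file: the loader/dumper needs to round-trip `!Sub`/`!FindInMap`/`!Ref` tags, or the example should avoid intrinsics. Until then the two lines should be restored as `BucketName: !Sub my-s3-bucket-${BucketSuffix}` and `DestinationBucketName: !FindInMap [EnvironmentMapping, s3, logging]`.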
@@ -3,11 +3,12 @@ Enable versioning to protect against accidental/malicious removal or modificatio ```yaml Resources: - GoodExample: - Properties: - VersioningConfiguration: - Status: Enabled - Type: AWS::S3::Bucket + GoodExample: + Properties: + VersioningConfiguration: + Status: Enabled + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md index 0e3c3434..852ec191 100644 --- a/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0091/CloudFormation.md @@ -3,15 +3,16 @@ Enable ignoring the application of public ACLs in PUT calls ```yaml Resources: - GoodExample: - Properties: - AccessControl: Private - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - Type: AWS::S3::Bucket + GoodExample: + Properties: + AccessControl: Private + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md index a666792d..1c8fac94 100644 --- a/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0092/CloudFormation.md @@ -3,10 +3,11 @@ Don't use canned ACLs or switch to private acl ```yaml Resources: - GoodExample: - Properties: - AccessControl: Private - Type: AWS::S3::Bucket + GoodExample: + Properties: + AccessControl: Private + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md index 1de84144..e37fca6d 100644 --- a/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0093/CloudFormation.md 
@@ -3,14 +3,15 @@ Limit the access to public buckets to only the owner or AWS Services (eg; CloudF ```yaml Resources: - GoodExample: - Properties: - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - Type: AWS::S3::Bucket + GoodExample: + Properties: + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md index 66b89d76..10aceddb 100644 --- a/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0094/CloudFormation.md @@ -3,15 +3,16 @@ Define a aws_s3_bucket_public_access_block for the given bucket to control publi ```yaml Resources: - GoodExample: - Properties: - AccessControl: Private - PublicAccessBlockConfiguration: - BlockPublicAcls: true - BlockPublicPolicy: true - IgnorePublicAcls: true - RestrictPublicBuckets: true - Type: AWS::S3::Bucket + GoodExample: + Properties: + AccessControl: Private + PublicAccessBlockConfiguration: + BlockPublicAcls: true + BlockPublicPolicy: true + IgnorePublicAcls: true + RestrictPublicBuckets: true + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md b/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md index 2152d4d3..ca02c350 100644 --- a/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md +++ b/avd_docs/aws/s3/AVD-AWS-0132/CloudFormation.md 
@@ -3,15 +3,16 @@ Enable encryption using customer managed keys ```yaml Resources: - GoodExample: - Properties: - BucketEncryption: - ServerSideEncryptionConfiguration: - - BucketKeyEnabled: true - ServerSideEncryptionByDefault: - KMSMasterKeyID: kms-arn - SSEAlgorithm: aws:kms - Type: AWS::S3::Bucket + GoodExample: + Properties: + BucketEncryption: + ServerSideEncryptionConfiguration: + - BucketKeyEnabled: true + ServerSideEncryptionByDefault: + KMSMasterKeyID: kms-arn + SSEAlgorithm: aws:kms + Type: AWS::S3::Bucket + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md index b4fd8c29..bb5b55b7 100644 --- a/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0110/CloudFormation.md @@ -3,16 +3,17 @@ Enable cache encryption ```yaml Resources: - GoodExample: - Properties: - Domain: - SecurityPolicy: TLS_1_2 - MethodSettings: - CacheDataEncrypted: true - Name: Good SAM API example - StageName: Prod - TracingEnabled: false - Type: AWS::Serverless::Api + GoodExample: + Properties: + Domain: + SecurityPolicy: TLS_1_2 + MethodSettings: + CacheDataEncrypted: true + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Type: AWS::Serverless::Api + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md index 6e0d216c..07beea26 100644 --- a/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0111/CloudFormation.md @@ -3,12 +3,13 @@ Enable tracing ```yaml Resources: - GoodExample: - Properties: - Name: Good SAM API example - StageName: Prod - TracingEnabled: true - Type: AWS::Serverless::Api + GoodExample: + Properties: + Name: Good SAM API example + StageName: Prod + TracingEnabled: true + Type: AWS::Serverless::Api + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md index bdd1c448..c7569113 100644 
--- a/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0112/CloudFormation.md @@ -3,14 +3,15 @@ Use the most modern TLS/SSL policies available ```yaml Resources: - GoodExample: - Properties: - Domain: - SecurityPolicy: TLS_1_2 - Name: Good SAM API example - StageName: Prod - TracingEnabled: false - Type: AWS::Serverless::Api + GoodExample: + Properties: + Domain: + SecurityPolicy: TLS_1_2 + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Type: AWS::Serverless::Api + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md index f8e99ea1..9bc8d7ef 100644 --- a/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0113/CloudFormation.md @@ -3,17 +3,18 @@ Enable logging for API Gateway stages ```yaml Resources: - GoodExample: - Properties: - AccessLogSetting: - DestinationArn: gateway-logging - Format: json - Domain: - SecurityPolicy: TLS_1_2 - Name: Good SAM API example - StageName: Prod - TracingEnabled: false - Type: AWS::Serverless::Api + GoodExample: + Properties: + AccessLogSetting: + DestinationArn: gateway-logging + Format: json + Domain: + SecurityPolicy: TLS_1_2 + Name: Good SAM API example + StageName: Prod + TracingEnabled: false + Type: AWS::Serverless::Api + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md index abafcedc..bec73ece 100644 --- a/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0116/CloudFormation.md 
@@ -3,15 +3,16 @@ Enable logging for API Gateway stages ```yaml Resources: - GoodExample: - Properties: - AccessLogSettings: - DestinationArn: gateway-logging - Format: json - Name: Good SAM API example - StageName: Prod - Tracing: Activey - Type: AWS::Serverless::HttpApi + GoodExample: + Properties: + AccessLogSettings: + DestinationArn: gateway-logging + Format: json + Name: Good SAM API example + StageName: Prod + Tracing: Activey + Type: AWS::Serverless::HttpApi + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md index 54780e52..67f5d202 100644 --- a/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0117/CloudFormation.md @@ -3,19 +3,20 @@ Enable tracing ```yaml Resources: - GoodStateMachine: - Properties: - Definition: - StartAt: MyLambdaState - States: - MyLambdaState: - End: true - Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app - Type: Task - Role: arn:aws:iam::123456123456:role/service-role/my-sample-role - Tracing: - Enabled: true - Type: AWS::Serverless::StateMachine + GoodStateMachine: + Properties: + Definition: + StartAt: MyLambdaState + States: + MyLambdaState: + End: true + Resource: arn:aws:lambda:us-east-1:123456123456:function:my-sample-lambda-app + Type: Task + Role: arn:aws:iam::123456123456:role/service-role/my-sample-role + Tracing: + Enabled: true + Type: AWS::Serverless::StateMachine + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md index 062c4184..1bc9527e 100644 --- a/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0121/CloudFormation.md 
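Review bot: The AVD-AWS-0116 good example carries `Tracing: Activey` over from the removed lines; the other SAM examples in this diff (AVD-AWS-0125) use `Tracing: Active`, so this looks like a typo that the regeneration preserved. Since the value sits in a "good" example, a reader copying it gets a setting that will not be recognised, and if the same text is also the check's fixture it may not exercise the intended branch. The line should read `Tracing: Active` in the example source these pages are generated from.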
@@ -3,12 +3,13 @@ Enable server side encryption ```yaml Resources: - GoodFunction: - Properties: - SSESpecification: - SSEEnabled: true - TableName: GoodTable - Type: AWS::Serverless::SimpleTable + GoodFunction: + Properties: + SSESpecification: + SSEEnabled: true + TableName: GoodTable + Type: AWS::Serverless::SimpleTable + ``` diff --git a/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md b/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md index 89c9c8cd..243b6daa 100644 --- a/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md +++ b/avd_docs/aws/sam/AVD-AWS-0125/CloudFormation.md @@ -3,18 +3,19 @@ Enable tracing ```yaml Resources: - GoodFunction: - Properties: - ImageConfig: - Command: - - app.lambda_handler - EntryPoint: - - entrypoint1 - WorkingDirectory: workDir - ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name - PackageType: Image - Tracing: Active - Type: AWS::Serverless::Function + GoodFunction: + Properties: + ImageConfig: + Command: + - app.lambda_handler + EntryPoint: + - entrypoint1 + WorkingDirectory: workDir + ImageUri: account-id.dkr.ecr.region.amazonaws.com/ecr-repo-name:image-name + PackageType: Image + Tracing: Active + Type: AWS::Serverless::Function + ``` diff --git a/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md b/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md index 7a80ec05..9fc114b7 100644 --- a/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md +++ b/avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md @@ -3,11 +3,12 @@ Turn on SNS Topic encryption ```yaml Resources: - GoodTopic: - Properties: - KmsMasterKeyId: some-key - TopicName: blah - Type: AWS::SQS::Topic + GoodTopic: + Properties: + KmsMasterKeyId: some-key + TopicName: blah + Type: AWS::SQS::Topic + ``` diff --git a/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md b/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md index 626dd260..057ef7c3 100644 --- a/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md +++ b/avd_docs/aws/sns/AVD-AWS-0136/CloudFormation.md 
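Review bot: Both SNS good examples (AVD-AWS-0095 in this hunk and AVD-AWS-0136 in the next one) declare `Type: AWS::SQS::Topic`, which is not a CloudFormation resource type; an SNS topic is `AWS::SNS::Topic`. The mistake is carried over from the removed lines rather than introduced here, but if these examples double as the checks' fixtures a "good" template that creates no SNS topic passes trivially instead of exercising the `KmsMasterKeyId` condition. The fix is `Type: AWS::SNS::Topic` in the example source these pages are generated from.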
@@ -3,11 +3,12 @@ Use a CMK for SNS Topic encryption ```yaml Resources: - GoodTopic: - Properties: - KmsMasterKeyId: some-key - TopicName: blah - Type: AWS::SQS::Topic + GoodTopic: + Properties: + KmsMasterKeyId: some-key + TopicName: blah + Type: AWS::SQS::Topic + ``` diff --git a/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md b/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md index ca46fcfb..59c41e2e 100644 --- a/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md +++ b/avd_docs/aws/sqs/AVD-AWS-0096/CloudFormation.md @@ -2,14 +2,15 @@ Turn on SQS Queue encryption ```yaml -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" Description: Good example of queue Resources: - Queue: - Properties: - KmsMasterKeyId: some-key - QueueName: my-queue - Type: AWS::SQS::Queue + Queue: + Properties: + KmsMasterKeyId: some-key + QueueName: my-queue + Type: AWS::SQS::Queue + ``` diff --git a/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md b/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md index 45052823..737f3956 100644 --- a/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md +++ b/avd_docs/aws/sqs/AVD-AWS-0097/CloudFormation.md 
@@ -2,28 +2,29 @@ Keep policy scope to the minimum that is required to be effective ```yaml -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" Description: Good example of queue policy Resources: - MyQueue: - Properties: - Name: something - Type: AWS::SQS::Queue - SampleSQSPolicy: - Properties: - PolicyDocument: - Statement: - - Action: - - SQS:SendMessage - - SQS:ReceiveMessage - Effect: Allow - Principal: - AWS: - - "111122223333" - Resource: arn:aws:sqs:us-east-2:444455556666:queue2 - Queues: - - Ref: MyQueue - Type: AWS::SQS::QueuePolicy + MyQueue: + Properties: + Name: something + Type: AWS::SQS::Queue + SampleSQSPolicy: + Properties: + PolicyDocument: + Statement: + - Action: + - SQS:SendMessage + - SQS:ReceiveMessage + Effect: Allow + Principal: + AWS: + - "111122223333" + Resource: arn:aws:sqs:us-east-2:444455556666:queue2 + Queues: + - Ref: MyQueue + Type: AWS::SQS::QueuePolicy + ``` diff --git a/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md b/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md index f72202cf..9f608b4b 100644 --- a/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md +++ b/avd_docs/aws/sqs/AVD-AWS-0135/CloudFormation.md @@ -2,14 +2,15 @@ Encrypt SQS Queue with a customer-managed key ```yaml -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" Description: Good example of queue Resources: - Queue: - Properties: - KmsMasterKeyId: some-key - QueueName: my-queue - Type: AWS::SQS::Queue + Queue: + Properties: + KmsMasterKeyId: some-key + QueueName: my-queue + Type: AWS::SQS::Queue + ``` diff --git a/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md b/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md index 33286b7e..23661bcc 100644 --- a/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md +++ b/avd_docs/aws/ssm/AVD-AWS-0098/CloudFormation.md 
@@ -2,16 +2,17 @@ Use customer managed keys ```yaml -AWSTemplateFormatVersion: 2010-09-09T00:00:00Z +AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" Description: Good example of ingress rule Resources: - Secret: - Properties: - Description: secret - KmsKeyId: my-key-id - Name: blah - SecretString: don't tell anyone - Type: AWS::SecretsManager::Secret + Secret: + Properties: + Description: secret + KmsKeyId: my-key-id + Name: blah + SecretString: don't tell anyone + Type: AWS::SecretsManager::Secret + ``` diff --git a/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md b/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md index babe4122..ced89017 100644 --- a/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md +++ b/avd_docs/aws/workspaces/AVD-AWS-0109/CloudFormation.md @@ -3,21 +3,23 @@ Root and user volume encryption should be enabled ```yaml Resources: - GoodExample: - Properties: - RootVolumeEncryptionEnabled: true - UserName: admin - UserVolumeEncryptionEnabled: true - Type: AWS::WorkSpaces::Workspace + GoodExample: + Properties: + RootVolumeEncryptionEnabled: true + UserName: admin + UserVolumeEncryptionEnabled: true + Type: AWS::WorkSpaces::Workspace + ``` ```yaml Resources: - GoodExample: - Properties: - RootVolumeEncryptionEnabled: true - UserName: admin - UserVolumeEncryptionEnabled: true - Type: AWS::WorkSpaces::Workspace + GoodExample: + Properties: + RootVolumeEncryptionEnabled: true + UserName: admin + UserVolumeEncryptionEnabled: true + Type: AWS::WorkSpaces::Workspace + ``` diff --git a/avd_docs/google/sql/AVD-GCP-0014/Terraform.md b/avd_docs/google/sql/AVD-GCP-0014/Terraform.md index 7264b6e6..51e1f0f1 100644 --- a/avd_docs/google/sql/AVD-GCP-0014/Terraform.md +++ b/avd_docs/google/sql/AVD-GCP-0014/Terraform.md 
@@ -7,9 +7,9 @@ resource "google_sql_database_instance" "db" { database_version = "POSTGRES_12" region = "us-central1" settings { - database_flags { - name = "log_temp_files" - value = "0" + database_flags { + name = "log_temp_files" + value = "0" } } } diff --git a/checks/cloud/aws/apigateway/enable_access_logging.yaml b/checks/cloud/aws/apigateway/enable_access_logging.yaml index 466764a0..bfba268f 100644 --- a/checks/cloud/aws/apigateway/enable_access_logging.yaml +++ b/checks/cloud/aws/apigateway/enable_access_logging.yaml @@ -1,3 +1,33 @@ +cloudformation: + good: + - | + AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" + Description: Good Example of ApiGateway + Resources: + GoodApi: + Type: AWS::ApiGatewayV2::Api + GoodApiStage: + Properties: + AccessLogSettings: + DestinationArn: gateway-logging + Format: json + ApiId: GoodApi + StageName: GoodApiStage + Type: AWS::ApiGatewayV2::Stage + bad: + - | + AWSTemplateFormatVersion: "2010-09-09T00:00:00Z" + Description: Bad Example of ApiGateway + Resources: + BadApi: + Type: AWS::ApiGatewayV2::Api + BadApiStage: + Properties: + AccessLogSettings: + Format: json + ApiId: BadApi + StageName: BadApiStage + Type: AWS::ApiGatewayV2::Stage terraform: good: - |- @@ -33,33 +63,3 @@ terraform: rest_api_id = aws_api_gateway_rest_api.example.id stage_name = "example" } -cloudformation: - good: - - |- - AWSTemplateFormatVersion: 2010-09-09T00:00:00Z - Description: Good Example of ApiGateway - Resources: - GoodApi: - Type: AWS::ApiGatewayV2::Api - GoodApiStage: - Properties: - AccessLogSettings: - DestinationArn: gateway-logging - Format: json - ApiId: GoodApi - StageName: GoodApiStage - Type: AWS::ApiGatewayV2::Stage - bad: - - |- - AWSTemplateFormatVersion: 2010-09-09T00:00:00Z - Description: Bad Example of ApiGateway - Resources: - BadApi: - Type: AWS::ApiGatewayV2::Api - BadApiStage: - Properties: - AccessLogSettings: - Format: json - ApiId: BadApi - StageName: BadApiStage - Type: AWS::ApiGatewayV2::Stage 
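Review bot: The new good/bad examples in enable_access_logging.yaml now quote `AWSTemplateFormatVersion: "2010-09-09T00:00:00Z"`, which freezes a value CloudFormation does not accept; the only valid format version is `2010-09-09`, and the `T00:00:00Z` suffix looks like an artifact of an earlier round-trip in which the unquoted date was parsed as a YAML timestamp and re-dumped. Before this change the unquoted form at least still parsed as a date; quoting it makes the bogus string the canonical fixture and propagates it into every regenerated doc page (the AVD-AWS-0096, AVD-AWS-0097, AVD-AWS-0135 and AVD-AWS-0098 hunks above carry the same value). The line should read `AWSTemplateFormatVersion: "2010-09-09"`, and the formatter presumably needs to keep date-like scalars as strings so the suffix does not come back on the next run.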
diff --git a/checks/cloud/aws/athena/enable_at_rest_encryption.yaml b/checks/cloud/aws/athena/enable_at_rest_encryption.yaml index a44f33df..81acffcb 100644 --- a/checks/cloud/aws/athena/enable_at_rest_encryption.yaml +++ b/checks/cloud/aws/athena/enable_at_rest_encryption.yaml @@ -1,3 +1,24 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + Name: goodExample + WorkGroupConfiguration: + ResultConfiguration: + EncryptionConfiguration: + EncryptionOption: SSE_KMS + Type: AWS::Athena::WorkGroup + bad: + - | + Resources: + BadExample: + Properties: + Name: badExample + WorkGroupConfiguration: + ResultConfiguration: null + Type: AWS::Athena::WorkGroup terraform: good: - |- @@ -47,24 +68,3 @@ terraform: } } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - Name: goodExample - WorkGroupConfiguration: - ResultConfiguration: - EncryptionConfiguration: - EncryptionOption: SSE_KMS - Type: AWS::Athena::WorkGroup - bad: - - |- - Resources: - BadExample: - Properties: - Name: badExample - WorkGroupConfiguration: - ResultConfiguration: null - Type: AWS::Athena::WorkGroup diff --git a/checks/cloud/aws/athena/no_encryption_override.yaml b/checks/cloud/aws/athena/no_encryption_override.yaml index 410664bb..12ca56b7 100644 --- a/checks/cloud/aws/athena/no_encryption_override.yaml +++ b/checks/cloud/aws/athena/no_encryption_override.yaml @@ -1,3 +1,28 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + Name: goodExample + WorkGroupConfiguration: + EnforceWorkGroupConfiguration: true + ResultConfiguration: + EncryptionConfiguration: + EncryptionOption: SSE_KMS + Type: AWS::Athena::WorkGroup + bad: + - | + Resources: + BadExample: + Properties: + Name: badExample + WorkGroupConfiguration: + EnforceWorkGroupConfiguration: false + ResultConfiguration: + EncryptionConfiguration: + EncryptionOption: SSE_KMS + Type: AWS::Athena::WorkGroup terraform: good: - |- 
@@ -42,28 +67,3 @@ terraform: name = "example" } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - Name: goodExample - WorkGroupConfiguration: - EnforceWorkGroupConfiguration: true - ResultConfiguration: - EncryptionConfiguration: - EncryptionOption: SSE_KMS - Type: AWS::Athena::WorkGroup - bad: - - |- - Resources: - BadExample: - Properties: - Name: badExample - WorkGroupConfiguration: - EnforceWorkGroupConfiguration: false - ResultConfiguration: - EncryptionConfiguration: - EncryptionOption: SSE_KMS - Type: AWS::Athena::WorkGroup diff --git a/checks/cloud/aws/cloudfront/enable_logging.yaml b/checks/cloud/aws/cloudfront/enable_logging.yaml index 0babfd80..bcea70f3 100644 --- a/checks/cloud/aws/cloudfront/enable_logging.yaml +++ b/checks/cloud/aws/cloudfront/enable_logging.yaml @@ -1,3 +1,34 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + Type: AWS::CloudFront::Distribution + bad: + - | + Resources: + BadExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Origins: + - DomainName: https://some.domain + Id: somedomain1 + Type: AWS::CloudFront::Distribution terraform: good: - |- 
@@ -15,34 +46,3 @@ terraform: // other config // no logging_config } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - Type: AWS::CloudFront::Distribution - bad: - - |- - Resources: - BadExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Origins: - - DomainName: https://some.domain - Id: somedomain1 - Type: AWS::CloudFront::Distribution diff --git a/checks/cloud/aws/cloudfront/enable_waf.yaml b/checks/cloud/aws/cloudfront/enable_waf.yaml index 8fef060b..edcb2054 100644 --- a/checks/cloud/aws/cloudfront/enable_waf.yaml +++ b/checks/cloud/aws/cloudfront/enable_waf.yaml @@ -1,3 +1,37 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + WebACLId: waf_id + Type: AWS::CloudFront::Distribution + bad: + - | + Resources: + BadExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + Type: AWS::CloudFront::Distribution terraform: good: - |- 
@@ -64,37 +98,3 @@ terraform: target_origin_id = "groupS3" } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - WebACLId: waf_id - Type: AWS::CloudFront::Distribution - bad: - - |- - Resources: - BadExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - Type: AWS::CloudFront::Distribution diff --git a/checks/cloud/aws/cloudfront/enforce_https.yaml b/checks/cloud/aws/cloudfront/enforce_https.yaml index da2ca518..866b19e1 100644 --- a/checks/cloud/aws/cloudfront/enforce_https.yaml +++ b/checks/cloud/aws/cloudfront/enforce_https.yaml @@ -1,3 +1,38 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + WebACLId: waf_id + Type: AWS::CloudFront::Distribution + bad: + - | + Resources: + BadExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: allow-all + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + WebACLId: waf_id + Type: AWS::CloudFront::Distribution terraform: good: - |- 
@@ -13,38 +48,3 @@ terraform: viewer_protocol_policy = "allow-all" } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - WebACLId: waf_id - Type: AWS::CloudFront::Distribution - bad: - - |- - Resources: - BadExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: allow-all - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - WebACLId: waf_id - Type: AWS::CloudFront::Distribution diff --git a/checks/cloud/aws/cloudfront/use_secure_tls_policy.yaml b/checks/cloud/aws/cloudfront/use_secure_tls_policy.yaml index ea62609c..0f66ef5b 100644 --- a/checks/cloud/aws/cloudfront/use_secure_tls_policy.yaml +++ b/checks/cloud/aws/cloudfront/use_secure_tls_policy.yaml @@ -1,3 +1,40 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + ViewerCertificate: + MinimumProtocolVersion: TLSv1.2_2021 + Type: AWS::CloudFront::Distribution + bad: + - | + Resources: + BadExample: + Properties: + DistributionConfig: + DefaultCacheBehavior: + TargetOriginId: target + ViewerProtocolPolicy: https-only + Enabled: true + Logging: + Bucket: logging-bucket + Origins: + - DomainName: https://some.domain + Id: somedomain1 + ViewerCertificate: + MinimumProtocolVersion: TLSv1.0 + Type: AWS::CloudFront::Distribution terraform: good: - |- 
@@ -15,40 +52,3 @@ terraform: minimum_protocol_version = "TLSv1.0" } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - ViewerCertificate: - MinimumProtocolVersion: TLSv1.2_2021 - Type: AWS::CloudFront::Distribution - bad: - - |- - Resources: - BadExample: - Properties: - DistributionConfig: - DefaultCacheBehavior: - TargetOriginId: target - ViewerProtocolPolicy: https-only - Enabled: true - Logging: - Bucket: logging-bucket - Origins: - - DomainName: https://some.domain - Id: somedomain1 - ViewerCertificate: - MinimumProtocolVersion: TLSv1.0 - Type: AWS::CloudFront::Distribution diff --git a/checks/cloud/aws/cloudtrail/enable_all_regions.yaml b/checks/cloud/aws/cloudtrail/enable_all_regions.yaml index 39cdb925..8e6aa37d 100644 --- a/checks/cloud/aws/cloudtrail/enable_all_regions.yaml +++ b/checks/cloud/aws/cloudtrail/enable_all_regions.yaml @@ -1,3 +1,26 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + IsLogging: true + IsMultiRegionTrail: true + S3BucketName: CloudtrailBucket + S3KeyPrefix: /trailing + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail + bad: + - | + Resources: + BadExample: + Properties: + IsLogging: true + IsMultiRegionTrail: false + S3BucketName: CloudtrailBucket + S3KeyPrefix: /trailing + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail terraform: good: - |- 
@@ -27,26 +50,3 @@ terraform: } } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - IsLogging: true - IsMultiRegionTrail: true - S3BucketName: CloudtrailBucket - S3KeyPrefix: /trailing - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail - bad: - - |- - Resources: - BadExample: - Properties: - IsLogging: true - IsMultiRegionTrail: false - S3BucketName: CloudtrailBucket - S3KeyPrefix: /trailing - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail diff --git a/checks/cloud/aws/cloudtrail/enable_log_validation.yaml b/checks/cloud/aws/cloudtrail/enable_log_validation.yaml index c04207b6..61599047 100644 --- a/checks/cloud/aws/cloudtrail/enable_log_validation.yaml +++ b/checks/cloud/aws/cloudtrail/enable_log_validation.yaml @@ -1,3 +1,27 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + EnableLogFileValidation: true + IsLogging: true + IsMultiRegionTrail: true + S3BucketName: CloudtrailBucket + S3KeyPrefix: /trailing + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail + bad: + - | + Resources: + BadExample: + Properties: + IsLogging: true + IsMultiRegionTrail: false + S3BucketName: CloudtrailBucket + S3KeyPrefix: /trailing + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail terraform: good: - |- @@ -30,27 +54,3 @@ terraform: } } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - EnableLogFileValidation: true - IsLogging: true - IsMultiRegionTrail: true - S3BucketName: CloudtrailBucket - S3KeyPrefix: /trailing - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail - bad: - - |- - Resources: - BadExample: - Properties: - IsLogging: true - IsMultiRegionTrail: false - S3BucketName: CloudtrailBucket - S3KeyPrefix: /trailing - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail diff --git a/checks/cloud/aws/cloudtrail/encryption_customer_key.yaml b/checks/cloud/aws/cloudtrail/encryption_customer_key.yaml index bc3827a8..58eb3e17 100644 
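Review bot: The `bad` example added at the top of enable_log_validation.yaml differs from its `good` counterpart in two properties, dropping `EnableLogFileValidation` and also flipping `IsMultiRegionTrail` to `false`, so it does not isolate the condition this check is about; the same pattern appears in the encryption_customer_key.yaml hunk that follows, where the bad trail lacks `KmsKeyId` and also has `IsMultiRegionTrail: false`. Keeping `IsMultiRegionTrail: true` in both bad fixtures leaves only the property under test missing, so the rendered docs and anything that asserts on these examples show exactly why the example fails rather than tripping a second rule as well.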
--- a/checks/cloud/aws/cloudtrail/encryption_customer_key.yaml +++ b/checks/cloud/aws/cloudtrail/encryption_customer_key.yaml @@ -1,3 +1,27 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + IsLogging: true + IsMultiRegionTrail: true + KmsKeyId: alias/CloudtrailKey + S3BucketName: CloudtrailBucket + S3KeyPrefix: /trailing + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail + bad: + - | + Resources: + BadExample: + Properties: + IsLogging: true + IsMultiRegionTrail: false + S3BucketName: CloudtrailBucket + S3KeyPrefix: /trailing + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail terraform: good: - |- @@ -31,27 +55,3 @@ terraform: } } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - IsLogging: true - IsMultiRegionTrail: true - KmsKeyId: alias/CloudtrailKey - S3BucketName: CloudtrailBucket - S3KeyPrefix: /trailing - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail - bad: - - |- - Resources: - BadExample: - Properties: - IsLogging: true - IsMultiRegionTrail: false - S3BucketName: CloudtrailBucket - S3KeyPrefix: /trailing - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail diff --git a/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.yaml b/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.yaml index e1f9b0b0..6c267a69 100644 --- a/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.yaml +++ b/checks/cloud/aws/cloudtrail/ensure_cloudwatch_integration.yaml @@ -1,3 +1,19 @@ +cloudformation: + good: + - | + Resources: + GoodExampleTrail: + Properties: + CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:* + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail + bad: + - | + Resources: + BadExampleTrail: + Properties: + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail terraform: good: - |- 
@@ -33,19 +49,3 @@ terraform: } } } -cloudformation: - good: - - |- - Resources: - GoodExampleTrail: - Properties: - CloudWatchLogsLogGroupArn: arn:aws:logs:us-east-1:123456789012:log-group:CloudTrail/DefaultLogGroup:* - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail - bad: - - |- - Resources: - BadExampleTrail: - Properties: - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail diff --git a/checks/cloud/aws/cloudtrail/no_public_log_access.yaml b/checks/cloud/aws/cloudtrail/no_public_log_access.yaml index d6f3cc34..9835ae82 100644 --- a/checks/cloud/aws/cloudtrail/no_public_log_access.yaml +++ b/checks/cloud/aws/cloudtrail/no_public_log_access.yaml @@ -1,3 +1,32 @@ +cloudformation: + good: + - | + Resources: + GoodExampleBucket: + Properties: + AccessControl: Private + BucketName: my-bucket + Type: AWS::S3::Bucket + GoodExampleTrail: + Properties: + IsLogging: true + S3BucketName: my-bucket + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail + bad: + - | + Resources: + BadExampleBucket: + Properties: + AccessControl: AuthenticatedRead + BucketName: my-bucket + Type: AWS::S3::Bucket + BadExampleTrail: + Properties: + IsLogging: true + S3BucketName: my-bucket + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail terraform: good: - |- @@ -39,32 +68,3 @@ terraform: bucket = "abcdefgh" acl = "public-read" } -cloudformation: - good: - - |- - Resources: - GoodExampleBucket: - Properties: - AccessControl: Private - BucketName: my-bucket - Type: AWS::S3::Bucket - GoodExampleTrail: - Properties: - IsLogging: true - S3BucketName: my-bucket - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail - bad: - - |- - Resources: - BadExampleBucket: - Properties: - AccessControl: AuthenticatedRead - BucketName: my-bucket - Type: AWS::S3::Bucket - BadExampleTrail: - Properties: - IsLogging: true - S3BucketName: my-bucket - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail 
diff --git a/checks/cloud/aws/cloudtrail/require_bucket_access_logging.yaml b/checks/cloud/aws/cloudtrail/require_bucket_access_logging.yaml index 3ccbccd5..63583d68 100644 --- a/checks/cloud/aws/cloudtrail/require_bucket_access_logging.yaml +++ b/checks/cloud/aws/cloudtrail/require_bucket_access_logging.yaml @@ -1,3 +1,33 @@ +cloudformation: + good: + - | + Resources: + GoodExampleBucket: + Properties: + BucketName: my-bucket + LoggingConfiguration: + DestinationBucketName: logging-bucket + LogFilePrefix: accesslogs/ + Type: AWS::S3::Bucket + GoodExampleTrail: + Properties: + IsLogging: true + S3BucketName: my-bucket + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail + bad: + - | + Resources: + BadExampleBucket: + Properties: + BucketName: my-bucket + Type: AWS::S3::Bucket + BadExampleTrail: + Properties: + IsLogging: true + S3BucketName: my-bucket + TrailName: Cloudtrail + Type: AWS::CloudTrail::Trail terraform: good: - |- @@ -41,33 +71,3 @@ terraform: bucket = "abcdefgh" } -cloudformation: - good: - - |- - Resources: - GoodExampleBucket: - Properties: - BucketName: my-bucket - LoggingConfiguration: - DestinationBucketName: logging-bucket - LogFilePrefix: accesslogs/ - Type: AWS::S3::Bucket - GoodExampleTrail: - Properties: - IsLogging: true - S3BucketName: my-bucket - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail - bad: - - |- - Resources: - BadExampleBucket: - Properties: - BucketName: my-bucket - Type: AWS::S3::Bucket - BadExampleTrail: - Properties: - IsLogging: true - S3BucketName: my-bucket - TrailName: Cloudtrail - Type: AWS::CloudTrail::Trail diff --git a/checks/cloud/aws/cloudwatch/log_group_customer_key.yaml b/checks/cloud/aws/cloudwatch/log_group_customer_key.yaml index 395583b0..5e376009 100644 --- a/checks/cloud/aws/cloudwatch/log_group_customer_key.yaml +++ b/checks/cloud/aws/cloudwatch/log_group_customer_key.yaml 
@@ -1,3 +1,22 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/lambdalogging + LogGroupName: aws/lambda/goodExample + RetentionInDays: 30 + Type: AWS::Logs::LogGroup + bad: + - | + Resources: + BadExample: + Properties: + KmsKeyId: "" + LogGroupName: aws/lambda/badExample + RetentionInDays: 30 + Type: AWS::Logs::LogGroup terraform: good: - |- @@ -12,22 +31,3 @@ terraform: name = "bad_example" } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - KmsKeyId: arn:aws:kms:us-west-2:111122223333:key/lambdalogging - LogGroupName: aws/lambda/goodExample - RetentionInDays: 30 - Type: AWS::Logs::LogGroup - bad: - - |- - Resources: - BadExample: - Properties: - KmsKeyId: "" - LogGroupName: aws/lambda/badExample - RetentionInDays: 30 - Type: AWS::Logs::LogGroup diff --git a/checks/cloud/aws/codebuild/enable_encryption.yaml b/checks/cloud/aws/codebuild/enable_encryption.yaml index ab72051f..420b8299 100644 --- a/checks/cloud/aws/codebuild/enable_encryption.yaml +++ b/checks/cloud/aws/codebuild/enable_encryption.yaml 
@@ -1,3 +1,81 @@ +cloudformation: + good: + - | + Resources: + GoodProject: + Properties: + Artifacts: + ArtifactIdentifier: String + EncryptionDisabled: false + Location: String + Name: String + NamespaceType: String + OverrideArtifactName: false + Packaging: String + Path: String + Type: String + SecondaryArtifacts: + - ArtifactIdentifier: String + EncryptionDisabled: false + Location: String + Name: String + NamespaceType: String + OverrideArtifactName: false + Packaging: String + Path: String + Type: String + Type: AWS::CodeBuild::Project + bad: + - | + Resources: + GoodProject: + Properties: + Artifacts: + ArtifactIdentifier: String + EncryptionDisabled: true + Location: String + Name: String + NamespaceType: String + OverrideArtifactName: false + Packaging: String + Path: String + Type: String + SecondaryArtifacts: + - ArtifactIdentifier: String + EncryptionDisabled: false + Location: String + Name: String + NamespaceType: String + OverrideArtifactName: false + Packaging: String + Path: String + Type: String + Type: AWS::CodeBuild::Project + - | + Resources: + GoodProject: + Properties: + Artifacts: + ArtifactIdentifier: String + EncryptionDisabled: false + Location: String + Name: String + NamespaceType: String + OverrideArtifactName: false + Packaging: String + Path: String + Type: String + SecondaryArtifacts: + - ArtifactIdentifier: String + EncryptionDisabled: true + Location: String + Name: String + NamespaceType: String + OverrideArtifactName: false + Packaging: String + Path: String + Type: String + Type: AWS::CodeBuild::Project terraform: good: - |- 
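Review bot: Both `bad` examples in the added cloudformation block name their resource `GoodProject`, which reads as a passing fixture when the point of each is a single `EncryptionDisabled: true` artifact; rename the logical IDs to `BadProject` so they follow the `BadExample` convention the other fixtures in this change use. Because these examples are now also the source for the generated docs, the misleading name would be reproduced on the public page.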
@@ -59,81 +137,3 @@ terraform: encryption_disabled = true } } -cloudformation: - good: - - |- - Resources: - GoodProject: - Properties: - Artifacts: - ArtifactIdentifier: String - EncryptionDisabled: false - Location: String - Name: String - NamespaceType: String - OverrideArtifactName: false - Packaging: String - Path: String - Type: String - SecondaryArtifacts: - - ArtifactIdentifier: String - EncryptionDisabled: false - Location: String - Name: String - NamespaceType: String - OverrideArtifactName: false - Packaging: String - Path: String - Type: String - Type: AWS::CodeBuild::Project - bad: - - |- - Resources: - GoodProject: - Properties: - Artifacts: - ArtifactIdentifier: String - EncryptionDisabled: true - Location: String - Name: String - NamespaceType: String - OverrideArtifactName: false - Packaging: String - Path: String - Type: String - SecondaryArtifacts: - - ArtifactIdentifier: String - EncryptionDisabled: false - Location: String - Name: String - NamespaceType: String - OverrideArtifactName: false - Packaging: String - Path: String - Type: String - Type: AWS::CodeBuild::Project - - |- - Resources: - GoodProject: - Properties: - Artifacts: - ArtifactIdentifier: String - EncryptionDisabled: false - Location: String - Name: String - NamespaceType: String - OverrideArtifactName: false - Packaging: String - Path: String - Type: String - SecondaryArtifacts: - - ArtifactIdentifier: String - EncryptionDisabled: true - Location: String - Name: String - NamespaceType: String - OverrideArtifactName: false - Packaging: String - Path: String - Type: String - Type: AWS::CodeBuild::Project diff --git a/checks/cloud/aws/config/aggregate_all_regions.yaml b/checks/cloud/aws/config/aggregate_all_regions.yaml index 291da591..8108d934 100644 --- a/checks/cloud/aws/config/aggregate_all_regions.yaml +++ b/checks/cloud/aws/config/aggregate_all_regions.yaml 
@@ -1,3 +1,28 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + AccountAggregationSources: + - AllAwsRegions: true + ConfigurationAggregatorName: GoodAccountLevelAggregation + Type: AWS::Config::ConfigurationAggregator + - | + Resources: + GoodExample: + Properties: + ConfigurationAggregatorName: GoodAccountLevelAggregation + OrganizationAggregationSource: + AllAwsRegions: true + Type: AWS::Config::ConfigurationAggregator + bad: + - | + Resources: + BadExample: + Properties: + ConfigurationAggregatorName: BadAccountLevelAggregation + Type: AWS::Config::ConfigurationAggregator terraform: good: - |- @@ -19,28 +44,3 @@ terraform: regions = ["us-west-2", "eu-west-1"] } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - AccountAggregationSources: - - AllAwsRegions: true - ConfigurationAggregatorName: GoodAccountLevelAggregation - Type: AWS::Config::ConfigurationAggregator - - |- - Resources: - GoodExample: - Properties: - ConfigurationAggregatorName: GoodAccountLevelAggregation - OrganizationAggregationSource: - AllAwsRegions: true - Type: AWS::Config::ConfigurationAggregator - bad: - - |- - Resources: - BadExample: - Properties: - ConfigurationAggregatorName: BadAccountLevelAggregation - Type: AWS::Config::ConfigurationAggregator diff --git a/checks/cloud/aws/documentdb/enable_log_export.yaml b/checks/cloud/aws/documentdb/enable_log_export.yaml index 9f91de80..07e65c5f 100644 --- a/checks/cloud/aws/documentdb/enable_log_export.yaml +++ b/checks/cloud/aws/documentdb/enable_log_export.yaml 
@@ -1,3 +1,44 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: sample-cluster + DBClusterParameterGroupName: default.docdb3.6 + EnableCloudwatchLogsExports: + - audit + - profiler + KmsKeyId: your-kms-key-id + Type: AWS::DocDB::DBCluster + InstanceInstanceExample: + Properties: + AutoMinorVersionUpgrade: true + AvailabilityZone: us-east-1c + DBClusterIdentifier: sample-cluster + DBInstanceClass: db.r5.large + DBInstanceIdentifier: sample-cluster-instance-0 + PreferredMaintenanceWindow: sat:06:54-sat:07:24 + Type: AWS::DocDB::DBInstance + bad: + - | + Resources: + BadExample: + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: sample-cluster + DBClusterParameterGroupName: default.docdb3.6 + Type: AWS::DocDB::DBCluster + BadInstanceExample: + Properties: + AutoMinorVersionUpgrade: true + AvailabilityZone: us-east-1c + DBClusterIdentifier: sample-cluster + DBInstanceClass: db.r5.large + DBInstanceIdentifier: sample-cluster-instance-0 + PreferredMaintenanceWindow: sat:06:54-sat:07:24 + Type: AWS::DocDB::DBInstance terraform: good: - |- 
@@ -23,44 +64,3 @@ terraform: skip_final_snapshot = true enabled_cloudwatch_logs_exports = "something" } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - BackupRetentionPeriod: 8 - DBClusterIdentifier: sample-cluster - DBClusterParameterGroupName: default.docdb3.6 - EnableCloudwatchLogsExports: - - audit - - profiler - KmsKeyId: your-kms-key-id - Type: AWS::DocDB::DBCluster - InstanceInstanceExample: - Properties: - AutoMinorVersionUpgrade: true - AvailabilityZone: us-east-1c - DBClusterIdentifier: sample-cluster - DBInstanceClass: db.r5.large - DBInstanceIdentifier: sample-cluster-instance-0 - PreferredMaintenanceWindow: sat:06:54-sat:07:24 - Type: AWS::DocDB::DBInstance - bad: - - |- - Resources: - BadExample: - Properties: - BackupRetentionPeriod: 8 - DBClusterIdentifier: sample-cluster - DBClusterParameterGroupName: default.docdb3.6 - Type: AWS::DocDB::DBCluster - BadInstanceExample: - Properties: - AutoMinorVersionUpgrade: true - AvailabilityZone: us-east-1c - DBClusterIdentifier: sample-cluster - DBInstanceClass: db.r5.large - DBInstanceIdentifier: sample-cluster-instance-0 - PreferredMaintenanceWindow: sat:06:54-sat:07:24 - Type: AWS::DocDB::DBInstance diff --git a/checks/cloud/aws/documentdb/enable_storage_encryption.yaml b/checks/cloud/aws/documentdb/enable_storage_encryption.yaml index 696ec0e5..17b91dea 100644 --- a/checks/cloud/aws/documentdb/enable_storage_encryption.yaml +++ b/checks/cloud/aws/documentdb/enable_storage_encryption.yaml 
@@ -1,3 +1,45 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: sample-cluster + DBClusterParameterGroupName: default.docdb3.6 + EnableCloudwatchLogsExports: + - audit + - profiler + KmsKeyId: your-kms-key-id + StorageEncrypted: true + Type: AWS::DocDB::DBCluster + InstanceInstanceExample: + Properties: + AutoMinorVersionUpgrade: true + AvailabilityZone: us-east-1c + DBClusterIdentifier: sample-cluster + DBInstanceClass: db.r5.large + DBInstanceIdentifier: sample-cluster-instance-0 + PreferredMaintenanceWindow: sat:06:54-sat:07:24 + Type: AWS::DocDB::DBInstance + bad: + - | + Resources: + BadExample: + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: sample-cluster + DBClusterParameterGroupName: default.docdb3.6 + Type: AWS::DocDB::DBCluster + BadInstanceExample: + Properties: + AutoMinorVersionUpgrade: true + AvailabilityZone: us-east-1c + DBClusterIdentifier: sample-cluster + DBInstanceClass: db.r5.large + DBInstanceIdentifier: sample-cluster-instance-0 + PreferredMaintenanceWindow: sat:06:54-sat:07:24 + Type: AWS::DocDB::DBInstance terraform: good: - |- 
@@ -23,45 +65,3 @@ terraform: skip_final_snapshot = true storage_encrypted = false } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - BackupRetentionPeriod: 8 - DBClusterIdentifier: sample-cluster - DBClusterParameterGroupName: default.docdb3.6 - EnableCloudwatchLogsExports: - - audit - - profiler - KmsKeyId: your-kms-key-id - StorageEncrypted: true - Type: AWS::DocDB::DBCluster - InstanceInstanceExample: - Properties: - AutoMinorVersionUpgrade: true - AvailabilityZone: us-east-1c - DBClusterIdentifier: sample-cluster - DBInstanceClass: db.r5.large - DBInstanceIdentifier: sample-cluster-instance-0 - PreferredMaintenanceWindow: sat:06:54-sat:07:24 - Type: AWS::DocDB::DBInstance - bad: - - |- - Resources: - BadExample: - Properties: - BackupRetentionPeriod: 8 - DBClusterIdentifier: sample-cluster - DBClusterParameterGroupName: default.docdb3.6 - Type: AWS::DocDB::DBCluster - BadInstanceExample: - Properties: - AutoMinorVersionUpgrade: true - AvailabilityZone: us-east-1c - DBClusterIdentifier: sample-cluster - DBInstanceClass: db.r5.large - DBInstanceIdentifier: sample-cluster-instance-0 - PreferredMaintenanceWindow: sat:06:54-sat:07:24 - Type: AWS::DocDB::DBInstance diff --git a/checks/cloud/aws/documentdb/encryption_customer_key.yaml b/checks/cloud/aws/documentdb/encryption_customer_key.yaml index a1a37d8c..549e8099 100644 --- a/checks/cloud/aws/documentdb/encryption_customer_key.yaml +++ b/checks/cloud/aws/documentdb/encryption_customer_key.yaml 
@@ -1,3 +1,44 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: sample-cluster + DBClusterParameterGroupName: default.docdb3.6 + EnableCloudwatchLogsExports: + - audit + - profiler + KmsKeyId: your-kms-key-id + Type: AWS::DocDB::DBCluster + InstanceInstanceExample: + Properties: + AutoMinorVersionUpgrade: true + AvailabilityZone: us-east-1c + DBClusterIdentifier: sample-cluster + DBInstanceClass: db.r5.large + DBInstanceIdentifier: sample-cluster-instance-0 + PreferredMaintenanceWindow: sat:06:54-sat:07:24 + Type: AWS::DocDB::DBInstance + bad: + - | + Resources: + BadExample: + Properties: + BackupRetentionPeriod: 8 + DBClusterIdentifier: sample-cluster + DBClusterParameterGroupName: default.docdb3.6 + Type: AWS::DocDB::DBCluster + BadInstanceExample: + Properties: + AutoMinorVersionUpgrade: true + AvailabilityZone: us-east-1c + DBClusterIdentifier: sample-cluster + DBInstanceClass: db.r5.large + DBInstanceIdentifier: sample-cluster-instance-0 + PreferredMaintenanceWindow: sat:06:54-sat:07:24 + Type: AWS::DocDB::DBInstance terraform: good: - |- 
@@ -26,44 +67,3 @@ terraform: preferred_backup_window = "07:00-09:00" skip_final_snapshot = true } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - BackupRetentionPeriod: 8 - DBClusterIdentifier: sample-cluster - DBClusterParameterGroupName: default.docdb3.6 - EnableCloudwatchLogsExports: - - audit - - profiler - KmsKeyId: your-kms-key-id - Type: AWS::DocDB::DBCluster - InstanceInstanceExample: - Properties: - AutoMinorVersionUpgrade: true - AvailabilityZone: us-east-1c - DBClusterIdentifier: sample-cluster - DBInstanceClass: db.r5.large - DBInstanceIdentifier: sample-cluster-instance-0 - PreferredMaintenanceWindow: sat:06:54-sat:07:24 - Type: AWS::DocDB::DBInstance - bad: - - |- - Resources: - BadExample: - Properties: - BackupRetentionPeriod: 8 - DBClusterIdentifier: sample-cluster - DBClusterParameterGroupName: default.docdb3.6 - Type: AWS::DocDB::DBCluster - BadInstanceExample: - Properties: - AutoMinorVersionUpgrade: true - AvailabilityZone: us-east-1c - DBClusterIdentifier: sample-cluster - DBInstanceClass: db.r5.large - DBInstanceIdentifier: sample-cluster-instance-0 - PreferredMaintenanceWindow: sat:06:54-sat:07:24 - Type: AWS::DocDB::DBInstance diff --git a/checks/cloud/aws/dynamodb/enable_at_rest_encryption.yaml b/checks/cloud/aws/dynamodb/enable_at_rest_encryption.yaml index d6be396a..57f4f5b0 100644 --- a/checks/cloud/aws/dynamodb/enable_at_rest_encryption.yaml +++ b/checks/cloud/aws/dynamodb/enable_at_rest_encryption.yaml 
@@ -1,3 +1,29 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + ClusterName: MyDAXCluster + Description: DAX cluster with encryption at rest + IAMRoleARN: arn:aws:iam::111122223333:role/DaxAccess + NodeType: dax.r3.large + ReplicationFactor: 1 + SSESpecification: + SSEEnabled: true + Type: AWS::DAX::Cluster + bad: + - | + Resources: + BadExample: + Properties: + ClusterName: MyDAXCluster + Description: DAX cluster without encryption at rest + IAMRoleARN: arn:aws:iam::111122223333:role/DaxAccess + NodeType: dax.r3.large + ReplicationFactor: 1 + SubnetGroupName: subnetGroupClu + Type: AWS::DAX::Cluster terraform: good: - |- @@ -29,29 +55,3 @@ terraform: enabled = false // disabled server side encryption } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - ClusterName: MyDAXCluster - Description: DAX cluster with encryption at rest - IAMRoleARN: arn:aws:iam::111122223333:role/DaxAccess - NodeType: dax.r3.large - ReplicationFactor: 1 - SSESpecification: - SSEEnabled: true - Type: AWS::DAX::Cluster - bad: - - |- - Resources: - BadExample: - Properties: - ClusterName: MyDAXCluster - Description: DAX cluster without encryption at rest - IAMRoleARN: arn:aws:iam::111122223333:role/DaxAccess - NodeType: dax.r3.large - ReplicationFactor: 1 - SubnetGroupName: subnetGroupClu - Type: AWS::DAX::Cluster diff --git a/checks/cloud/aws/ec2/add_description_to_security_group.yaml b/checks/cloud/aws/ec2/add_description_to_security_group.yaml index 2b05913a..755e119a 100644 --- a/checks/cloud/aws/ec2/add_description_to_security_group.yaml +++ b/checks/cloud/aws/ec2/add_description_to_security_group.yaml 
@@ -1,3 +1,23 @@ +cloudformation: + good: + - | + Resources: + GoodSecurityGroup: + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + IpProtocol: "-1" + Type: AWS::EC2::SecurityGroup + bad: + - | + Resources: + BadSecurityGroup: + Properties: + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + IpProtocol: "-1" + Type: AWS::EC2::SecurityGroup terraform: good: - |- @@ -27,23 +47,3 @@ terraform: cidr_blocks = [aws_vpc.main.cidr_block] } } -cloudformation: - good: - - |- - Resources: - GoodSecurityGroup: - Properties: - GroupDescription: Limits security group egress traffic - SecurityGroupEgress: - - CidrIp: 127.0.0.1/32 - IpProtocol: "-1" - Type: AWS::EC2::SecurityGroup - bad: - - |- - Resources: - BadSecurityGroup: - Properties: - SecurityGroupEgress: - - CidrIp: 127.0.0.1/32 - IpProtocol: "-1" - Type: AWS::EC2::SecurityGroup diff --git a/checks/cloud/aws/ec2/add_description_to_security_group_rule.yaml b/checks/cloud/aws/ec2/add_description_to_security_group_rule.yaml index fade3a0f..43c85b55 100644 --- a/checks/cloud/aws/ec2/add_description_to_security_group_rule.yaml +++ b/checks/cloud/aws/ec2/add_description_to_security_group_rule.yaml @@ -1,3 +1,25 @@ +cloudformation: + good: + - | + Resources: + GoodSecurityGroup: + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + Description: Can connect to loopback + IpProtocol: "-1" + Type: AWS::EC2::SecurityGroup + bad: + - | + Resources: + BadSecurityGroup: + Properties: + GroupDescription: Limits security group egress traffic + SecurityGroupEgress: + - CidrIp: 127.0.0.1/32 + IpProtocol: "-1" + Type: AWS::EC2::SecurityGroup terraform: good: - |- 
@@ -25,25 +47,3 @@ terraform: cidr_blocks = [aws_vpc.main.cidr_block] } } -cloudformation: - good: - - |- - Resources: - GoodSecurityGroup: - Properties: - GroupDescription: Limits security group egress traffic - SecurityGroupEgress: - - CidrIp: 127.0.0.1/32 - Description: Can connect to loopback - IpProtocol: "-1" - Type: AWS::EC2::SecurityGroup - bad: - - |- - Resources: - BadSecurityGroup: - Properties: - GroupDescription: Limits security group egress traffic - SecurityGroupEgress: - - CidrIp: 127.0.0.1/32 - IpProtocol: "-1" - Type: AWS::EC2::SecurityGroup diff --git a/checks/cloud/aws/ec2/as_enable_at_rest_encryption.yaml b/checks/cloud/aws/ec2/as_enable_at_rest_encryption.yaml index c25aac43..549435a4 100644 --- a/checks/cloud/aws/ec2/as_enable_at_rest_encryption.yaml +++ b/checks/cloud/aws/ec2/as_enable_at_rest_encryption.yaml @@ -1,3 +1,31 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + BlockDeviceMappings: + - DeviceName: root + Ebs: + Encrypted: true + ImageId: ami-123456 + InstanceType: t2.small + Type: AWS::AutoScaling::LaunchConfiguration + bad: + - | + Resources: + BadExample: + Properties: + BlockDeviceMappings: + - DeviceName: root + Ebs: + Encrypted: true + - DeviceName: data + Ebs: + Encrypted: false + ImageId: ami-123456 + InstanceType: t2.small + Type: AWS::AutoScaling::LaunchConfiguration terraform: good: - |- @@ -13,31 +41,3 @@ terraform: encrypted = false } } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - BlockDeviceMappings: - - DeviceName: root - Ebs: - Encrypted: true - ImageId: ami-123456 - InstanceType: t2.small - Type: AWS::AutoScaling::LaunchConfiguration - bad: - - |- - Resources: - BadExample: - Properties: - BlockDeviceMappings: - - DeviceName: root - Ebs: - Encrypted: true - - DeviceName: data - Ebs: - Encrypted: false - ImageId: ami-123456 - InstanceType: t2.small - Type: AWS::AutoScaling::LaunchConfiguration 
diff --git a/checks/cloud/aws/ec2/as_enforce_http_token_imds.yaml b/checks/cloud/aws/ec2/as_enforce_http_token_imds.yaml index 7f58efeb..266e95dc 100644 --- a/checks/cloud/aws/ec2/as_enforce_http_token_imds.yaml +++ b/checks/cloud/aws/ec2/as_enforce_http_token_imds.yaml @@ -1,3 +1,22 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + MetadataOptions: + HttpEndpoint: enabled + HttpTokens: required + Type: AWS::AutoScaling::LaunchConfiguration + bad: + - | + Resources: + BadExample: + Properties: + MetadataOptions: + HttpEndpoint: enabled + HttpTokens: optional + Type: AWS::AutoScaling::LaunchConfiguration terraform: good: - |- @@ -14,22 +33,3 @@ terraform: image_id = "ami-005e54dee72cc1d00" instance_type = "t2.micro" } -cloudformation: - good: - - |- - Resources: - GoodExample: - Properties: - MetadataOptions: - HttpEndpoint: enabled - HttpTokens: required - Type: AWS::AutoScaling::LaunchConfiguration - bad: - - |- - Resources: - BadExample: - Properties: - MetadataOptions: - HttpEndpoint: enabled - HttpTokens: optional - Type: AWS::AutoScaling::LaunchConfiguration diff --git a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.yaml b/checks/cloud/aws/ec2/as_no_secrets_in_user_data.yaml index 9dd1a836..46627ea7 100644 --- a/checks/cloud/aws/ec2/as_no_secrets_in_user_data.yaml +++ b/checks/cloud/aws/ec2/as_no_secrets_in_user_data.yaml 
@@ -1,3 +1,58 @@ +cloudformation: + good: + - | + Resources: + GoodExample: + Properties: + LaunchTemplateData: + DisableApiTermination: true + IamInstanceProfile: + Arn: + - MyIamInstanceProfile + - Arn + ImageId: ami-04d5cc9b88example + InstanceType: t2.micro + KeyName: MyKeyPair + MetadataOptions: + - HttpTokens: required + SecurityGroupIds: + - sg-083cd3bfb8example + UserData: export SSM_PATH=/database/creds + LaunchTemplateName: MyLaunchTemplate + Type: AWS::EC2::LaunchTemplate + InstanceProfile: + Properties: + InstanceProfileName: MyIamInstanceProfile + Path: / + Roles: + - MyAdminRole + Type: AWS::IAM::InstanceProfile + bad: + - | + Resources: + BadExample: + Properties: + LaunchTemplateData: + DisableApiTermination: true + IamInstanceProfile: + Arn: + - MyIamInstanceProfile + - Arn + ImageId: ami-04d5cc9b88example + InstanceType: t2.micro + KeyName: MyKeyPair + SecurityGroupIds: + - sg-083cd3bfb8example + UserData: export DATABASE_PASSWORD=password1234 + LaunchTemplateName: MyLaunchTemplate + Type: AWS::EC2::LaunchTemplate + InstanceProfile: + Properties: + InstanceProfileName: MyIamInstanceProfile + Path: / + Roles: + - MyAdminRole + Type: AWS::IAM::InstanceProfile terraform: good: - |- @@ -17,70 +72,4 @@ terraform: EOF } bad: - - |- - resource "aws_launch_template" "bad_example" { - image_id = "ami-12345667" - instance_type = "t2.small" - - user_data = <= 6.0.1 resource "google_sql_database_instance" "postgres" { @@ -39,7 +38,6 @@ terraform: } } } - bad: - |- resource "google_sql_database_instance" "postgres" { diff --git a/checks/cloud/google/sql/no_public_access.yaml b/checks/cloud/google/sql/no_public_access.yaml index 2d9ca2a9..d3e0dd35 100644 --- a/checks/cloud/google/sql/no_public_access.yaml +++ b/checks/cloud/google/sql/no_public_access.yaml 
@@ -22,20 +22,20 @@ terraform: resource "google_sql_database_instance" "postgres" { name = "postgres-instance-a" database_version = "POSTGRES_11" - + settings { tier = "db-f1-micro" - + ip_configuration { ipv4_enabled = false authorized_networks { - value = "108.12.12.0/24" - name = "internal" + value = "108.12.12.0/24" + name = "internal" } - + authorized_networks { - value = "0.0.0.0/0" - name = "internet" + value = "0.0.0.0/0" + name = "internet" } } } diff --git a/checks/cloud/google/sql/pg_log_lock_waits.yaml b/checks/cloud/google/sql/pg_log_lock_waits.yaml index 4fc084a1..8e19bd57 100644 --- a/checks/cloud/google/sql/pg_log_lock_waits.yaml +++ b/checks/cloud/google/sql/pg_log_lock_waits.yaml @@ -12,7 +12,6 @@ terraform: } } } - bad: - |- resource "google_sql_database_instance" "db" { diff --git a/checks/cloud/google/storage/no_public_access.yaml b/checks/cloud/google/storage/no_public_access.yaml index 7321c37d..f80cfcf4 100644 --- a/checks/cloud/google/storage/no_public_access.yaml +++ b/checks/cloud/google/storage/no_public_access.yaml @@ -12,7 +12,7 @@ terraform: - |- resource "google_storage_bucket_iam_binding" "binding" { bucket = google_storage_bucket.default.name - role = "roles/storage.admin" + role = "roles/storage.admin" members = [ "allAuthenticatedUsers", ] diff --git a/cmd/avd_generator/main.go b/cmd/avd_generator/main.go index c243a1f9..d5ecb715 100644 --- a/cmd/avd_generator/main.go +++ b/cmd/avd_generator/main.go @@ -7,12 +7,12 @@ import ( "strings" "text/template" + "github.com/aquasecurity/trivy-checks/internal/examples" "github.com/aquasecurity/trivy/pkg/iac/framework" "github.com/aquasecurity/trivy/pkg/iac/rego" "github.com/aquasecurity/trivy/pkg/iac/rules" "github.com/aquasecurity/trivy/pkg/iac/scan" types "github.com/aquasecurity/trivy/pkg/iac/types/rules" - "gopkg.in/yaml.v3" ) func main() { 
@@ -62,59 +62,41 @@ func writeDocsFile(meta types.RegisteredRule, path string) { } if err := tmpl.Execute(file, rule); err != nil { - fail("error occurred generating the document %v", err) + fail("error occurred generating the document %s", err.Error()) } fmt.Printf("Generating docs file for policy %s\n", rule.AVDID) - if err := generateExamplesForEngine(rule, rule.Terraform, docpath, terraformMarkdownTemplate, "Terraform"); err != nil { + exmpls, path, err := examples.GetCheckExamples(rule) + if err != nil { + fail("failed to get check examples: %s", err.Error()) + } + + if path == "" { + return + } + + if err := generateExamplesForEngine(rule, rule.Terraform, exmpls, docpath, terraformMarkdownTemplate, "Terraform"); err != nil { fail("error generating examples for terraform: %v\n", err) } - if err := generateExamplesForEngine(rule, rule.CloudFormation, docpath, cloudformationMarkdownTemplate, "CloudFormation"); err != nil { + if err := generateExamplesForEngine(rule, rule.CloudFormation, exmpls, docpath, cloudformationMarkdownTemplate, "CloudFormation"); err != nil { fail("error generating examples for cloudformation: %v\n", err) } } -type checkExamples struct { - Terraform providerExamples `yaml:"terraform,omitempty"` - CloudFormation providerExamples `yaml:"cloudformation,omitempty"` -} - -type providerExamples struct { - Good []string `yaml:"good,omitempty"` - Bad []string `yaml:"bad,omitempty"` -} +func generateExamplesForEngine(rule scan.Rule, engine *scan.EngineMetadata, exmpls examples.CheckExamples, docpath, tpl, provider string) error { -func generateExamplesForEngine(rule scan.Rule, engine *scan.EngineMetadata, docpath, tpl, provider string) error { - if engine == nil { - return nil - } + providerExampls := exmpls[strings.ToLower(provider)] - if len(engine.GoodExamples) == 0 { + if providerExampls.IsEmpty() { return nil } - b, err := os.ReadFile(engine.GoodExamples[0]) - if err != nil { - return err - } - - var exmpls checkExamples - if err := 
yaml.Unmarshal(b, &exmpls); err != nil { - return err - } - - switch provider { - case "Terraform": - engine.GoodExamples = exmpls.Terraform.Good - case "CloudFormation": - engine.GoodExamples = exmpls.CloudFormation.Good - } + engine.GoodExamples = providerExampls.Good.ToStrigns() for i := range engine.GoodExamples { engine.GoodExamples[i] = "\n" + engine.GoodExamples[i] } - tmpl, err := template.New(strings.ToLower(provider)).Parse(tpl) if err != nil { fail("error occurred creating the template %v\n", err) diff --git a/cmd/avd_generator/main_test.go b/cmd/avd_generator/main_test.go index bab1b772..d27e1c38 100644 --- a/cmd/avd_generator/main_test.go +++ b/cmd/avd_generator/main_test.go 
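Review bot: The `if engine == nil { return nil }` guard that the old generateExamplesForEngine started with is gone, and the new body dereferences `engine` unconditionally at `engine.GoodExamples = providerExampls.Good.ToStrigns()`; GetCheckExamples resolves the examples file from whichever of Terraform/CloudFormation metadata names one, so a rule with only `rule.Terraform` set but a `cloudformation:` section in its examples file would nil-pointer panic here (whether any rule is currently in that state I can't tell from the hunk). The new early return also differs from the old `len(engine.GoodExamples) == 0` check: `IsEmpty()` is false when only `bad` blocks exist, so such a provider now renders a docs page with zero examples. Both are covered by replacing the `IsEmpty()` check with `if engine == nil || len(providerExampls.Good) == 0 { return nil }`. The `providerExampls` / `ToStrigns` spellings are worth fixing while here; generateExamplesForEngine continues past the end of the hunk.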
@@ -21,43 +21,40 @@ func Test_AVDPageGeneration(t *testing.T) { b, err := os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "Terraform.md")) require.NoError(t, err) assert.Contains(t, string(b), `hcl - resource "aws_rds_cluster" "good_example" { - cluster_identifier = "aurora-cluster-demo" - engine = "aurora-mysql" - engine_version = "5.7.mysql_aurora.2.03.2" - availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] - database_name = "mydb" - master_username = "foo" - master_password = "bar" - backup_retention_period = 5 - preferred_backup_window = "07:00-09:00" - }`) +resource "aws_rds_cluster" "good_example" { + cluster_identifier = "aurora-cluster-demo" + engine = "aurora-mysql" + engine_version = "5.7.mysql_aurora.2.03.2" + availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"] + database_name = "mydb" + master_username = "foo" + master_password = "bar" + backup_retention_period = 5 + preferred_backup_window = "07:00-09:00" +}`) b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0077", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `--- -Resources: + assert.Contains(t, string(b), `Resources: GoodExample: - Type: AWS::RDS::DBInstance Properties: BackupRetentionPeriod: 30 + Type: AWS::RDS::DBInstance `) // check rego policies b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "Terraform.md")) require.NoError(t, err) assert.Contains(t, string(b), `hcl - resource "aws_db_instance" "good_example" { - publicly_accessible = false - }`) +resource "aws_db_instance" "good_example" { + publicly_accessible = false +}`) b, err = os.ReadFile(filepath.Join(tmpDir, "aws/rds/AVD-AWS-0180", "CloudFormation.md")) require.NoError(t, err) - assert.Contains(t, string(b), `--- -Resources: + assert.Contains(t, string(b), `Resources: GoodExample: - Type: AWS::RDS::DBInstance Properties: PubliclyAccessible: false -`) + Type: AWS::RDS::DBInstance`) } 
diff --git a/cmd/fmt-examples/main.go b/cmd/fmt-examples/main.go new file mode 100644 index 00000000..7f07b21f --- /dev/null +++ b/cmd/fmt-examples/main.go @@ -0,0 +1,55 @@ +package main + +import ( + "fmt" + "os" + + "gopkg.in/yaml.v3" + + "github.com/aquasecurity/trivy-checks/internal/examples" + "github.com/aquasecurity/trivy/pkg/iac/framework" + "github.com/aquasecurity/trivy/pkg/iac/rego" + "github.com/aquasecurity/trivy/pkg/iac/rules" +) + +func main() { + if err := run(); err != nil { + fmt.Println(err.Error()) + os.Exit(1) + } +} + +func run() error { + // Clean up all Go checks + rules.Reset() + + // Load Rego checks + rego.LoadAndRegister() + + for _, r := range rules.GetRegistered(framework.ALL) { + exmpls, path, err := examples.GetCheckExamples(r.Rule) + if err != nil { + return err + } + + if path == "" { + continue + } + + exmpls.Format() + f, err := os.Create(path) + if err != nil { + return err + } + + enc := yaml.NewEncoder(f) + enc.SetIndent(2) + if err := enc.Encode(&exmpls); err != nil { + f.Close() + return err + } + f.Close() + } + + return nil +} diff --git a/go.mod b/go.mod index f8f869ae..bc724055 100644 --- a/go.mod +++ b/go.mod @@ -6,6 +6,7 @@ toolchain go1.22.2 require ( github.com/aquasecurity/trivy v0.55.1-0.20240920045012-1f9fc13da4a1 + github.com/hashicorp/hcl/v2 v2.22.0 github.com/liamg/iamgo v0.0.9 github.com/liamg/memoryfs v1.6.0 github.com/open-policy-agent/opa v0.67.1 
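Review bot: `os.Create(path)` truncates the check's examples file before anything has been encoded, so if `enc.Encode` fails the tracked fixture under checks/ is left empty or partial; both `f.Close()` calls also discard their error, so a write error surfacing on close is lost, and `enc.Close()` is never called, which for yaml.v3 is the documented way to flush remaining data. Because this tool rewrites repository fixtures in place, I'd encode into a buffer first and only then replace the file, returning errors that name the path so a failing example can be located. `bytes` would need importing; the surrounding iteration is unchanged.
```go
		// … unchanged: rule iteration, GetCheckExamples and the path == "" check …
		exmpls.Format()

		// Encode in memory first so a failure never leaves a truncated fixture on disk.
		var buf bytes.Buffer
		enc := yaml.NewEncoder(&buf)
		enc.SetIndent(2)
		if err := enc.Encode(&exmpls); err != nil {
			return fmt.Errorf("encoding examples for %s: %w", path, err)
		}
		if err := enc.Close(); err != nil {
			return fmt.Errorf("flushing examples for %s: %w", path, err)
		}
		if err := os.WriteFile(path, buf.Bytes(), 0o644); err != nil {
			return fmt.Errorf("writing %s: %w", path, err)
		}
```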
@@ -61,11 +62,11 @@ require (
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/golang/snappy v0.0.4 // indirect
 github.com/google/flatbuffers v2.0.8+incompatible // indirect
+ github.com/google/go-cmp v0.6.0 // indirect
 github.com/google/uuid v1.6.0 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 github.com/hashicorp/hcl v1.0.1-vault-5 // indirect
- github.com/hashicorp/hcl/v2 v2.22.0 // indirect
 github.com/inconshreveable/mousetrap v1.1.0 // indirect
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
diff --git a/internal/examples/examples.go b/internal/examples/examples.go
new file mode 100644
index 00000000..7cddff52
--- /dev/null
+++ b/internal/examples/examples.go
@@ -0,0 +1,121 @@
+package examples
+
+import (
+ "bytes"
+ "strings"
+
+ trivy_checks "github.com/aquasecurity/trivy-checks"
+ "github.com/aquasecurity/trivy/pkg/iac/scan"
+ "github.com/hashicorp/hcl/v2/hclwrite"
+ "gopkg.in/yaml.v3"
+)
+
+func GetCheckExamples(r scan.Rule) (CheckExamples, string, error) {
+ path := getCheckExamplesPath(r)
+ if path == "" {
+ return CheckExamples{}, "", nil
+ }
+
+ b, err := trivy_checks.EmbeddedPolicyFileSystem.ReadFile(path)
+ if err != nil {
+ return CheckExamples{}, "", err
+ }
+
+ var exmpls CheckExamples
+ if err := yaml.Unmarshal(b, &exmpls); err != nil {
+ return CheckExamples{}, "", err
+ }
+
+ return exmpls, path, nil
+}
+
+// TODO: use `examples` field after adding
+func getCheckExamplesPath(r scan.Rule) string {
+ for _, eng := range []*scan.EngineMetadata{r.Terraform, r.CloudFormation} {
+ if eng == nil {
+ continue
+ }
+
+ paths := append(eng.BadExamples, eng.GoodExamples...)
+ for _, path := range paths {
+ if path != "" {
+ return path
+ }
+ }
+
+ }
+
+ return ""
+}
+
+type CheckExamples map[string]ProviderExamples
+
+type blockString string
+
+type blocks []blockString
+
+func (b blocks) ToStrigns() []string {
+ res := make([]string, 0, len(b))
+ for _, bs := range b {
+ res = append(res, string(bs))
+ }
+ return res
+}
+
+func (b blocks) format(fn func(blockString) blockString) {
+ for i, block := range b {
+ b[i] = fn(block)
+ }
+}
+
+type ProviderExamples struct {
+ Good blocks `yaml:"good,omitempty"`
+ Bad blocks `yaml:"bad,omitempty"`
+}
+
+func (e ProviderExamples) IsEmpty() bool {
+ return len(e.Good) == 0 && len(e.Bad) == 0
+}
+
+func (b blockString) MarshalYAML() (interface{}, error) {
+ return &yaml.Node{
+ Kind: yaml.ScalarNode,
+ Style: yaml.LiteralStyle,
+ Value: string(b),
+ }, nil
+}
+
+func (e CheckExamples) Format() {
+ for providerName, examples := range e {
+ if formatFunc, ok := formatterMap[providerName]; ok {
+ examples.Good.format(formatFunc)
+ examples.Bad.format(formatFunc)
+ }
+ e[providerName] = examples
+ }
+}
+
+var formatterMap = map[string]func(blockString) blockString{
+ "terraform": formatHCL,
+ "cloudformation": formatYaml,
+}
+
+func formatHCL(b blockString) blockString {
+ return blockString(hclwrite.Format([]byte(strings.Trim(string(b), " \n"))))
+}
+
+func formatYaml(b blockString) blockString {
+ var d any
+ if err := yaml.Unmarshal([]byte(b), &d); err != nil {
+ panic(err)
+ }
+
+ var buf bytes.Buffer
+ enc := yaml.NewEncoder(&buf)
+ enc.SetIndent(2)
+
+ if err := enc.Encode(d); err != nil {
+ panic(err)
+ }
+ return blockString(buf.String())
+}
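Review bot: formatYaml decodes each CloudFormation example into `any` and re-encodes it, which in yaml.v3 sorts mapping keys alphabetically and drops comments - visible in this same commit, where the avd_generator test expectations have `Type: AWS::RDS::DBInstance` move below `Properties:`; that is a quiet rewrite of fixture content rather than a reformat. Decoding into a node keeps key order, comments and scalar styles while still honouring `SetIndent(2)`: `var d yaml.Node` and `enc.Encode(&d)`. Both formatters also `panic` on bad input, which aborts the whole fmt-examples run with a stack trace for a single malformed block; returning an error that quotes the offending block would be friendlier, though it means threading an error through `format`/`Format`. Minor: `append(eng.BadExamples, eng.GoodExamples...)` in getCheckExamplesPath can write into BadExamples' spare capacity and so mutate the registered rule's metadata - iterate the two slices separately instead - and `ToStrigns` is presumably meant to be `ToStrings`.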