diff --git a/CHANGELOG.md b/CHANGELOG.md index 56c4041e2..6a5190843 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,26 +1,31 @@ # Changelog ## 1.0.0 (UNRELEASED) -Major updates to Terrascan and the underlying architecture. +Major updates to Terrascan and the underlying architecture including: + +- Pluggable architecture written in Golang. We updated the architecture to be easier to extend Terrascan with additional IaC languages and support policies for different cloud providers and cloud native tooling. +- Server mode. This allows Terrascan to be executed as a server and use it's API to perform static code analysis +- Notifications hooks. Will be able to integrate for notifications to external systems (e.g. email, slack, etc.) +- Uses OPA policy engine and policies written in Rego. ## 0.2.3 (2020-07-23) -* Introduces the '-f' flag for passing a list of ".tf" files for linting and the '--version' flag. +- Introduces the '-f' flag for passing a list of ".tf" files for linting and the '--version' flag. ## 0.2.2 (2020-07-21) -* Adds Docker image and pipeline to push to DockerHub +- Adds Docker image and pipeline to push to DockerHub ## 0.2.1 (2020-06-19) -* Bugfix: The pyhcl hard dependency in the requirements.txt file caused issues if a higher version was installed. This was fixed by using the ">=" operator. +- Bugfix: The pyhcl hard dependency in the requirements.txt file caused issues if a higher version was installed. This was fixed by using the ">=" operator. ## 0.2.0 (2020-01-11) -* Adds support for terraform 0.12+ +- Adds support for terraform 0.12+ ## 0.1.2 (2020-01-05) -* Adds ability to setup terrascan as a pre-commit hook +- Adds ability to setup terrascan as a pre-commit hook ## 0.1.1 (2020-01-01) -* Updates dependent packages to latest versions -* Migrates CI to GitHub Actions from travis +- Updates dependent packages to latest versions +- Migrates CI to GitHub Actions from travis ## 0.1.0 (2017-11-26) -* First release on PyPI. +- First release on PyPI. 
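Review bot: the new 1.0.0 bullets need a copy pass before the release is cut. "use it's API" should be "use its API", and "Notifications hooks. Will be able to integrate for notifications to external systems (e.g. email, slack, etc.)" has no subject; suggest "Notification hooks: scan results can be pushed to external systems (e.g. email, Slack) via webhooks", which also matches the webhook notifier described in docs/architecture.md in this same patch. The "Pluggable architecture" bullet would be clearer if it named what is pluggable (IaC providers and the policy engine) instead of "additional IaC languages and support policies".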
diff --git a/README.md b/README.md index eb3bcd45a..efd1ecb4f 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ![CI](https://github.com/accurics/terrascan/workflows/build/badge.svg) [![codecov](https://codecov.io/gh/accurics/terrascan/branch/master/graph/badge.svg)](https://codecov.io/gh/accurics/terrascan) [![community](https://img.shields.io/discourse/status?server=https%3A%2F%2Fcommunity.accurics.com)](https://community.accurics.com) -[![Documentation](https://readthedocs.org/projects/terrascan/badge/?version=latest)](https://terrascan.readthedocs.io/en/latest/?badge=latest) +[![Documentation Status](https://readthedocs.com/projects/accurics-terrascan/badge/?version=latest)](https://docs.accurics.com/projects/accurics-terrascan/en/latest/?badge=latest) [![downloads](https://img.shields.io/github/downloads/accurics/terrascan/total)](https://github.com/accurics/terrascan/releases) @@ -30,13 +30,6 @@ $ install terrascan /usr/local/bin $ terrascan --help ``` -### Homebrew -Terrascan can be installed using Homebrew on macOS: - -``` -brew install terrascan -``` - ### Docker Terrascan is also available as a Docker image and can be used as follows 
@@ -49,49 +42,42 @@ $ docker run accurics/terrascan To scan your code for security issues you can run the following ``` -$ terrascan --iac terraform --iac-version v12 --cloud aws -d pkg/iac-providers/terraform/v12/testdata/moduleconfigs +$ terrascan scan -t aws ``` -The following flags are available: +The following commands are available: ``` -$ terrascan -h - +$ terrascan Terrascan -Scan IaC files for security violations - -Usage - - terrascan -cloud [aws|azure|gcp] [options...] - -Options - -Cloud - -cloud Required. Cloud provider (supported values: aws, azure, gcp) +An advanced IaC (Infrastructure-as-Code) file scanner written in Go. +Secure your cloud deployments at design time. +For more information, please visit https://www.accurics.com -IaC (Infrastructure as Code) - -d IaC directory path (default: current working directory) - -f IaC file path - -iac IaC provider (supported values: terraform, default: terraform) - -iac-version IaC version (supported values: 'v12' for Terraform, default: v12) - -p Policy directory path +Usage: + terrascan [command] -Mode - -server Run Terrascan in server mode +Available Commands: + help Help about any command + init Initialize Terrascan + scan Scan IaC (Infrastructure-as-Code) files for vulnerabilities. 
+ server Run Terrascan as an API server -Logging - -log-level Logging level (supported values: debug, info, warn, error, panic, fatal) - -log-type Logging type (supported values: json, yaml, console, default: console) +Flags: + -c, --config-path string config file path + -h, --help help for terrascan + -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") + -x, --log-type string log output type (console, json) (default "console") + -o, --output-type string output type (json, yaml, xml) (default "yaml") + -v, --version version for terrascan -Miscellaneous - -config Configuration file path - -version Print the Terrascan version +Use "terrascan [command] --help" for more information about a command. ``` ## Documentation -To learn more about Terrascan check out the documentation https://docs.accurics.com where we include a getting started guide, Terrascan's architecture, a break down of it's commands, and how to write your own policies. +To learn more about Terrascan check out the documentation https://docs.accurics.com where we include a getting started guide, Terrascan's architecture, a break down of it's commands, and a deep dive into policies. ## Developing Terrascan To learn more about developing and contributing to Terrascan refer to our [contributing guide](CONTRIBUTING.md). diff --git a/build/Dockerfile b/build/Dockerfile index 7dae7cb2d..55f8f1151 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -28,9 +28,9 @@ RUN addgroup --gid 101 terrascan && \ USER terrascan # copy terrascan binary from build -COPY --from=builder /go/bin/terrascan /go/bin/terrascan +COPY --from=builder /go/bin/terrascan /go/bin/terrascan EXPOSE 9010 -ENTRYPOINT ["/go/bin/terrascan", "--server"] +ENTRYPOINT ["/go/bin/terrascan", "server"] CMD ["--log-type", "json"] diff --git a/docs/architecture.diagrams.py b/docs/architecture.diagrams.py new file mode 100644 index 000000000..cfeb7a001 --- /dev/null +++ b/docs/architecture.diagrams.py 
@@ -0,0 +1,39 @@ +from diagrams import Cluster, Diagram +from diagrams.aws.compute import ECS +from diagrams.aws.management import Cloudformation +from diagrams.aws.integration import ConsoleMobileApplication +from diagrams.azure.compute import VM +from diagrams.gcp.compute import GCE +from diagrams.programming.language import Bash +from diagrams.onprem import iac +from diagrams.onprem.compute import Server + + +with Diagram("Terrascan architecture", show=False): + cli = Bash("CLI") + server = Server("API server") + notifier = ConsoleMobileApplication("Notifier (Webhook)") + writer = Bash("Writer (JSON, YAML, XML)") + + with Cluster("Runtime"): + ECS("Input Validate") + output = ECS("Output") + ECS("Process") + + with Cluster("IaC Providers"): + tf = iac.Terraform("Terraform") + ansible = iac.Ansible("Ansible") + cft = Cloudformation("CloudFormation") + + + with Cluster("Policy Engine"): + policy = [ + VM("Azure"), + GCE("GCP"), + ECS("AWS") + ] + + server >> output >> tf >> policy >> notifier + cli >> output >> ansible >> policy >> writer + output >> cft >> policy + diff --git a/docs/architecture.md b/docs/architecture.md index 886527ed5..f97828dcd 100644 --- a/docs/architecture.md +++ b/docs/architecture.md 
@@ -1,7 +1,15 @@ # Architecture -## Runtime +Terrascan's architecture is built to be modular to facilitate adding IaC languages and policies. At a high level Terrascan is composed of the following architectural components: a command line interface, API server, runtime, pluggable IaC proviers, pluggable policy engine, notifier, and writter. + +* Command Line Interface = Provides CLI input to Terrascan. +* API Server = Provider input to Terrascan through an API. +* Runtime = Performs input validation and process inputs +* IaC Providers = Converts IaC language into normalized JSON +* Policy Engine = Applies policies against normalized JSON +* Notifier = Providers webhooks for results of Terrascan scans. +* Writter = Writes results into various formats like JSON, YAML, or XML. + +![Terrascan architecture](terrascan_architecture.png) -## IaC Language Providers -## Policy Engine diff --git a/docs/getting-started.md b/docs/getting-started.md index a94306683..4566dfbe9 100644 --- a/docs/getting-started.md +++ b/docs/getting-started.md @@ -4,7 +4,7 @@ Terrascan is a static code analyzer for Infrastructure as Code tooling. It can e ## Installation Terrascan's binary can be found on the package for each [release](https://github.com/accurics/terrascan/releases). Here's an example of how to install it: -``` Bash linenums="1" +``` Bash $ curl --location https://github.com/accurics/terrascan/releases/download/v1.0.0/terrascan_darwin_amd64.zip --output terrascan_darwin_amd64.zip $ unzip terrascan_darwin_amd64.zip Archive: terrascan_darwin_amd64.zip 
@@ -13,87 +13,208 @@ $ install terrascan /usr/local/bin $ terrascan --help ``` -### Installing on macOS -For Mac users, Terrascan can be installed using Homebrew: - -``` Bash linenums="1" -brew install terrascan -``` - ### Using Docker -Terrascan is also available as a Docker image and can used as follows: +Terrascan is available as a Docker image and can used as follows: -``` Bash linenums="1" +``` Bash $ docker run accurics/terrascan ``` ### Building Terrascan Terrascan can be built locally. This is helpful if you want to be on the latest version or when developing Terrascan. -``` Bash linenums="1" +``` Bash $ git clone git@github.com:accurics/terrascan.git $ cd terrascan $ make build $ ./bin/terrascan ``` -## Scanning +## Terrascan Commands +Terrascan's interface is divided into subcommands as follows: -By typing `terrascan` without flags or other arguments, you can display the usage information. +* init = Will initialize Terrascan by downloading the latest Rego policies into ~/.terrascan. Note that the scan command will implicitly call this if it detects that there are no policies found. +* scan = Will scan IaC files based on the policies contained within the .terrascan directory +* server = Will start Terrascan's API server +* help = You can obtain the usage menu by typing `help` or using the `-h` flag on any subcommand (e.g. `terrascan init -h`) -``` Bash linenums="1" -$ terrascan -h +By typing `terrascan` without flags or other arguments, you can display the usage information. +``` Bash +$ terrascan Terrascan -Scan IaC files for security violations - -Usage +Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure. +For more information, please visit https://docs.accurics.com - terrascan -cloud [aws|azure|gcp] [options...] 
+Usage: + terrascan [command] -Options +Available Commands: + help Help about any command + init Initialize Terrascan + scan Detect compliance and security violations across Infrastructure as Code. + server Run Terrascan as an API server -Cloud - -cloud Required. Cloud provider (supported values: aws, azure, gcp) +Flags: + -c, --config-path string config file path + -h, --help help for terrascan + -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") + -x, --log-type string log output type (console, json) (default "console") + -o, --output string output type (json, yaml, xml) (default "yaml") + -v, --version version for terrascan -IaC (Infrastructure as Code) - -d IaC directory path (default: current working directory) - -f IaC file path - -iac IaC provider (supported values: terraform, default: terraform) - -iac-version IaC version (supported values: 'v12' for Terraform, default: v12) - -p Policy directory path +Use "terrascan [command] --help" for more information about a command. +``` -Mode - -server Run Terrascan in server mode +### Initializing +The initialization process downloads the latest policies from the [repository](https://github.com/accurics/terrascan) into `~/.terrascan`. The policies are located at `~/.terrascan/pkg/policies/opa/rego` and are fetched when scanning the IaC. This command is implicitly executed if the `scan` command doesn't found policies while executing. -Logging - -log-level Logging level (supported values: debug, info, warn, error, panic, fatal) - -log-type Logging type (supported values: json, yaml, console, default: console) +### Scanning +The CLI will default to the `scan` command if no other subcommands are used. 
For example, the below two commands will scan the current directory containing Terraform HCL2 files for AWS resources: -Miscellaneous - -config Configuration file path - -version Print the Terrascan version +``` Bash +$ terrascan -t aws +$ terrascan scan -t aws ``` +The `scan` command support flags to configure: the directory being scanned, scanning of a specific file, IaC provier type, path to policies, and policy type. The full list of flags can be found by typing `terrascan scan -h` + +``` Bash +$ terrascan scan -h +Terrascan -``` Bash linenums="1" -$ terrascan -cloud aws -iac terraform -iac-version v12 -p $REGO_POLICIES -d . --output json +Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure. + +Usage: + terrascan scan [flags] + +Flags: + -h, --help help for scan + -d, --iac-dir string path to a directory containing one or more IaC files (default ".") + -f, --iac-file string path to a single IaC file + -i, --iac-type string iac type (terraform) (default "terraform") + --iac-version string iac version (v12) (default "v12") + -p, --policy-path string policy path directory + -t, --policy-type string policy type (aws, azure, gcp) + +Global Flags: + -c, --config-path string config file path + -l, --log-level string log level (debug, info, warn, error, panic, fatal) (default "info") + -x, --log-type string log output type (console, json) (default "console") + -o, --output string output type (json, yaml, xml) (default "yaml") ``` -### Example scanning Terraform (HCL2) +By default Terrascan will output YAML. This can be changed to JSON or XML by using the `-o` flag. + +### Server mode +Server mode will execute Terrascan's API server. This is useful when using Terrascan to enforce policies in a centralized way. 
By default the server will be started listening in port 9010 and supports the following routes: + +* GET /health = Returns the health status of the server +* POST /v1/{iacType}/{iacVersion}/{policyType}/local/file/scan} = The payload for this request should include a `file` parameter with the value being the contents of the file. + +You can launch server mode by executing the Terrascan CLI or with the Docker container: -Here's an example of scanning Terraform HCL2 files containing AWS resources: +``` Bash +$ terrascan server +``` +You can also launch Terrascan using Docker: -``` Bash linenums="1" -terrascan -cloud aws -d ~/iac_folder +``` Bash +$ docker run --rm --name terrascan -p 9010:9010 accurics/terrascan ``` -In the example above, the `-cloud` flag is used to specify AWS as the cloud provider and the `-d` flag is used to specify the directory to scan. -### Launch Terrascan in server mode +Here's an example of how to send a request to the Terrascan server using curl: + +``` Bash +$ curl -i -F "file=@aws_cloudfront_distribution.tf" localhost:9010/v1/terraform/v12/aws/local/file/scan +HTTP/1.1 100 Continue + +HTTP/1.1 200 OK +Date: Sun, 16 Aug 2020 02:45:35 GMT +Content-Type: text/plain; charset=utf-8 +Transfer-Encoding: chunked + +{ + "results": { + "violations": [ + { + "rule_name": "cloudfrontNoGeoRestriction", + "description": "Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.", + "rule_id": "AWS.CloudFront.Network Security.Low.0568", + "severity": "LOW", + "category": "Network Security", + "resource_name": "s3-distribution-TLS-v1", + "resource_type": "aws_cloudfront_distribution", + "file": "terrascan-492583054.tf", + "line": 7 + }, + { + "rule_name": "cloudfrontNoHTTPSTraffic", + "description": "Use encrypted connection between CloudFront and origin server", + "rule_id": 
"AWS.CloudFront.EncryptionandKeyManagement.High.0407", + "severity": "HIGH", + "category": "Encryption and Key Management", + "resource_name": "s3-distribution-TLS-v1", + "resource_type": "aws_cloudfront_distribution", + "file": "terrascan-492583054.tf", + "line": 7 + }, + { + "rule_name": "cloudfrontNoHTTPSTraffic", + "description": "Use encrypted connection between CloudFront and origin server", + "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407", + "severity": "HIGH", + "category": "Encryption and Key Management", + "resource_name": "s3-distribution-TLS-v1", + "resource_type": "aws_cloudfront_distribution", + "file": "terrascan-492583054.tf", + "line": 7 + }, + { + "rule_name": "cloudfrontNoLogging", + "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).", + "rule_id": "AWS.CloudFront.Logging.Medium.0567", + "severity": "MEDIUM", + "category": "Logging", + "resource_name": "s3-distribution-TLS-v1", + "resource_type": "aws_cloudfront_distribution", + "file": "terrascan-492583054.tf", + "line": 7 + }, + { + "rule_name": "cloudfrontNoSecureCiphers", + "description": "Secure ciphers are not used in CloudFront distribution", + "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408", + "severity": "HIGH", + "category": "Encryption and Key Management", + "resource_name": "s3-distribution-TLS-v1", + "resource_type": "aws_cloudfront_distribution", + "file": "terrascan-492583054.tf", + "line": 7 + } + ], + "count": { + "low": 1, + "medium": 1, + "high": 3, + "total": 5 + } + } +} +``` -To launch Terrascan in server mode you can execute the following: +### Config File +The `-c` or `--config-path` global variable allows you to provide a TOML configuration file for Terrascan. This file can be use to configure the webhook notifications. 
Here's an example configuration: -``` Bash linenums="1" -terrascan -server +``` TOML +[notifications] + [notifications.webhook] + url = "https://httpbin.org/post" + token = "my_auth_token" ``` + +### Logging +Logging can be configured by using the `-l` or `--log-level` flags with possible values being: debug, info, warn, error, panic, or fatal. This defaults to "info". + +In addition to the default "console" logs, the logs can be configured to be output in JSON by using the `-x` or `--log-type` flag with the value of `json`. diff --git a/docs/index.md b/docs/index.md index 3efae1a5c..b50a19465 100644 --- a/docs/index.md +++ b/docs/index.md @@ -6,7 +6,5 @@ Terrascan documentation is composed of the following major sections: * [Getting Started](getting-started.md): Tutorial on how to install and quickly get started with Terrascan. * [Architecture](architecture.md): Explains the pluggable architecture powering Terrascan. -* [Provider Reference](providers.md): References the different IaC providers (e.g. Terraform HCL2, Kubernetes YAML, etc.). * [Policies](policies.md): Explains policies, how to write them, and reference for all policies/rules included by default. -* [Educational Resources](learning.md): Additional resources and tutorials. diff --git a/docs/javascripts/tables.js b/docs/javascripts/tables.js new file mode 100644 index 000000000..c84ad7981 --- /dev/null +++ b/docs/javascripts/tables.js @@ -0,0 +1,6 @@ +app.location$.subscribe(function () { + var tables = document.querySelectorAll("article table") + tables.forEach(function (table) { + new Tablesort(table) + }) +}) diff --git a/docs/overrides/header.html b/docs/overrides/header.html new file mode 100644 index 000000000..e98859ef5 --- /dev/null +++ b/docs/overrides/header.html @@ -0,0 +1,83 @@ + + + + + +
+ + + +
diff --git a/docs/overrides/integrations/analytics.html b/docs/overrides/integrations/analytics.html new file mode 100644 index 000000000..5426d9722 --- /dev/null +++ b/docs/overrides/integrations/analytics.html @@ -0,0 +1,12 @@ + + + diff --git a/docs/policies.md b/docs/policies.md index ee21d817e..8b7a314a4 100644 --- a/docs/policies.md +++ b/docs/policies.md 
@@ -4,37 +4,38 @@ Terrascan policies are written using the [Rego policy language](https://www.open ## Rule JSON file -The rule files follow this naming convention: `....json` +The rule files follow this naming convention: `.....json` Here's an example of the contents of a rule file: -``` json linenums="1" +``` json { - "ruleName": "unrestrictedIngressAccess", - "rule": "unrestrictedIngressAccess.rego", - "ruleTemplate": "unrestrictedIngressAccess", - "ruleArgument": { - "prefix": "" + "name": "unrestrictedIngressAccess", + "file": "unrestrictedIngressAccess.rego", + "template_args": { + "prefix": "" }, "severity": "HIGH", - "description": "Ensure no security groups allow ingress from 0.0.0.0/0 to ALL ports and protocols", - "ruleReferenceId": "AWS.SecurityGroup.NetworkPortsSecurity.High.0094", + "description": " It is recommended that no security group allows unrestricted ingress access", + "reference_id": "AWS.SecurityGroup.NetworkSecurity.High.0094", "category": "Network Ports Security", - "version" : "1" + "version": 2 } ``` -| Key | Value | -| ------------------- | --------------------------------------------- | -| ruleName | Short name for the rule | -| rule | File name of the rego policy | -| ruleTemplate | Rego policy template Used for the rule | -| ruleArgument | Argument passed to the template | -| ruleArgument.prefix | Used for making rego policies unique | -| severity | Likelihood x impact of issue | -| description | Description of the issue found with this rule | -| ruleReferenceId | Unique ID of the rule in the format `...` | +| Key | Value | +| -------------------- | --------------------------------------------- | +| name | Short name for the rule | +| file | File name of the Rego policy | +| template_args.prefix | Used for making rego policies unique | +| severity | Likelihood * impact of issue | +| description | Description of the issue found with this rule | +| ruleReferenceId | Unique ID of the rule in the format `....` | | category | Descriptive 
category for this rule | | version | Version number for the rule/rego | -## AWS +--8<-- "docs/policies/aws.md" + +--8<-- "docs/policies/azure.md" + +--8<-- "docs/policies/gcp.md" diff --git a/docs/policies/aws.md b/docs/policies/aws.md new file mode 100644 index 000000000..71ffa7082 --- /dev/null +++ b/docs/policies/aws.md 
@@ -0,0 +1,370 @@ + +### aws_iam_role_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | IamPolicy | HIGH | It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 | + + +### aws_route53_record +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| DNS Management | Route53HostedZone | HIGH | Route53HostedZone should have recordSets. | AWS.Route53HostedZone.DNSManagement.High.0422 | + + +### aws_api_gateway_method_settings +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | API Gateway | MEDIUM | Enable Detailed CloudWatch Metrics for APIs | AWS.API Gateway.Logging.Medium.0569 | + + +### aws_vpc +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | VPC | MEDIUM | Avoid creating resources in default VPC | AWS.VPC.Logging.Medium.0471 | +| Logging | VPC | MEDIUM | Ensure VPC flow logging is enabled in all VPCs | AWS.VPC.Logging.Medium.0470 | + + +### aws_ec2 +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption & KeyManagement | EC2 | MEDIUM | Enable AWS AMI Encryption | AWS.EC2.Encryption&KeyManagement.Medium.0688 | + + +### aws_iam_account_password_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | 
-------- | -------- | ----------- | ------------ | +| IAM | Iam | MEDIUM | Lower case alphabet not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack | AWS.Iam.IAM.Medium.0454 | +| IAM | Iam | MEDIUM | Setting a lengthy password increases account resiliency against brute force login attempts | AWS.Iam.IAM.Medium.0458 | +| IAM | Iam | LOW | It is recommended that the password policy prevent the reuse of passwords.Preventing password reuse increases account resiliency against brute force login attempts | AWS.Iam.IAM.Low.0539 | +| IAM | Iam | MEDIUM | Number not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack | AWS.Iam.IAM.Medium.0455 | +| IAM | Iam | MEDIUM | Setting a lengthy password increases account resiliency against brute force login attempts | AWS.Iam.IAM.Medium.0495 | +| IAM | Iam | MEDIUM | Special symbols not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack | AWS.Iam.IAM.Medium.0456 | +| IAM | Iam | MEDIUM | Upper case alphabet not present in the Password, Password Complexity is not high. Increased Password complexity increases resiliency against brute force attack | AWS.Iam.IAM.Medium.0457 | +| IAM | Iam | LOW | Reducing the password lifetime increases account resiliency against brute force login attempts | AWS.Iam.IAM.Low.0540 | + + +### aws_db_instance +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | AWS RDS | HIGH | RDS Instance publicly_accessible flag is true | AWS.AWS RDS.NS.High.0101 | +| Data Security | RDS | HIGH | Ensure Certificate used in RDS instance is updated | AWS.RDS.DS.High.1042 | +| Data Security | RDS | HIGH | Ensure that your RDS database has IAM Authentication enabled. 
| AWS.RDS.DataSecurity.High.0577 | +| Data Security | RDS | HIGH | RDS Instance Auto Minor Version Upgrade flag disabled | AWS.RDS.DS.High.1041 | +| Data Security | RDS | HIGH | Ensure that your RDS database instances have automated backups enabled for point-in-time recovery. To back up your database instances, AWS RDS take automatically a full daily snapshot of your data (with transactions logs) during the specified backup window and keeps the backups for a limited period of time (known as retention period) defined by the instance owner. | AWS.RDS.DataSecurity.High.0414 | + + +### aws_ebs_volume +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | EcsCluster | HIGH | Ensure that AWS EBS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS EBS clusters and associated cache storage systems. | AWS.EcsCluster.EncryptionandKeyManagement.High.0413 | + + +### aws_api_gateway_rest_api +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| | APIGateway | MEDIUM | Enable Content Encoding | AWS.APIGateway.Medium.0568 | +| Network Security | APIGateway | MEDIUM | API Gateway Private Endpoints | AWS.APIGateway.Network Security.Medium.0570 | + + +### aws_iam_role +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | IamPolicy | HIGH | It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. 
Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 | + + +### aws_ebs_encryption_by_default +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Data Security | EBS | HIGH | Ensure that the AWS EBS that hold sensitive and critical data is encrypted by default to fulfill compliance requirements for data-at-rest encryption. | AWS.EBS.DataSecurity.High.0580 | + + +### aws_sns_topic +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | SNS | MEDIUM | Ensure SNS Topic is Publicly Accessible For Subscription | AWS.SNS.NS.Medium.1044 | + + +### aws_efs_file_system +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | EFS | HIGH | Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. | AWS.EFS.EncryptionandKeyManagement.High.0409 | +| Encryption and Key Management | EFS | HIGH | Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization. | AWS.EFS.EncryptionandKeyManagement.High.0410 | + + +### aws_sqs_queue +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | SQS | HIGH | Identify any publicly accessible SQS queues available in your AWS account and update their permissions in order to protect against unauthorized users. 
| AWS.SQS.NetworkSecurity.High.0569 | +| Network Security | SQS | HIGH | Ensure that your Amazon Simple Queue Service (SQS) queues are protecting the contents of their messages using Server-Side Encryption (SSE). The SQS service uses an AWS KMS Customer Master Key (CMK) to generate data keys required for the encryption/decryption process of SQS messages. There is no additional charge for using SQS Server-Side Encryption, however, there is a charge for using AWS KMS | AWS.SQS.NetworkSecurity.High.0570 | + + +### aws_instance +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | Instance | MEDIUM | Instance should be configured in vpc. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. | AWS.Instance.NetworkSecurity.Medium.0506 | + + +### aws_config +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption & Key Management | Config | MEDIUM | AWS Config Rule for Web-Tier Encrypted Volumes | AWS.Config.Encryption&KeyManagement.Medium.0660 | + + +### aws_cloudformation_stack +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| | CloudFormation | MEDIUM | AWS CloudFormation Not In Use | AWS.CloudFormation.Medium.0599 | +| | CloudFormation | MEDIUM | AWS CloudFormation Stack Policy | AWS.CloudFormation.Medium.0604 | +| | CloudFormation | MEDIUM | Enable AWS CloudFormation Stack Termination Protection | AWS.CloudFormation.Medium.0605 | +| | CloudFormation | MEDIUM | Enable AWS CloudFormation Stack Notifications | AWS.CloudFormation.Medium.0603 | +| | CloudFormation | MEDIUM | AWS CloudFormation Has Been Drifted. 
| AWS.CloudFormation.Medium.0601 | + + +### aws_iam_user_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | IamPolicy | HIGH | It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 | +| Identity and Access Management | IamUser | HIGH | Ensure Hardware MFA device is enabled for the "root" account | AWS.IamUser.IAM.High.0387 | +| Identity and Access Management | IamUser | HIGH | Ensure Virtual MFA device is enabled for the "root" account | AWS.IamUser.IAM.High.0388 | +| Identity and Access Management | IamUser | HIGH | It is recommended that MFA be enabled for all accounts that have a console password. Enabling MFA provides increased security for console access as it requires the authenticating principal to possess a device that emits a time-sensitive key and have knowledge of a credential | AWS.IamUser.IAM.High.0389 | + + +### aws_ecs_task_definition +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | EcsCluster | HIGH | Like any other EC2 instance it is recommended to place ECS instance within a VPC. 
AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations | AWS.EcsCluster.NetworkSecurity.High.0104 | +| Data Security | LaunchConfiguration | HIGH | Sensitive Information Disclosure | AWS.LaunchConfiguration.DataSecurity.High.0101 | + + +### aws_ecr_repository_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Data Security | ECR | HIGH | Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud. | AWS.ECR.DataSecurity.High.0579 | + + +### aws_iam_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | IamPolicy | HIGH | It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. 
| AWS.IamPolicy.IAM.High.0392 | + + +### aws_ecr_repository +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Data Security | ECR | MEDIUM | Unscanned images may contain vulnerabilities | AWS.ECR.DataSecurity.High.0578 | + + +### aws_cloudfront_distribution +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | CloudFront | HIGH | Secure ciphers are not used in CloudFront distribution | AWS.CloudFront.EncryptionandKeyManagement.High.0408 | +| Network Security | CloudFront | LOW | Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content. | AWS.CloudFront.Network Security.Low.0568 | +| Encryption and Key Management | CloudFront | HIGH | Use encrypted connection between CloudFront and origin server | AWS.CloudFront.EncryptionandKeyManagement.High.0407 | +| Logging | CloudFront | MEDIUM | Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN). 
| AWS.CloudFront.Logging.Medium.0567 | + + +### aws_mq +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | ElasticSearch | MEDIUM | Publicly Accessible MQ Brokers | AWS.ElasticSearch.NetworkSecurity.Medium.0887 | +| Logging | ElasticSearch | MEDIUM | Enable AWS MQ Log Exports | AWS.ElasticSearch.Logging.Medium.0885 | + + +### aws_cloudwatch +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | CloudWatch | MEDIUM | App-Tier CloudWatch Log Group Retention Period | AWS.CloudWatch.Logging.Medium.0631 | + + +### aws_ami_launch_permission +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | AMI | MEDIUM | Limit access to AWS AMIs | AWS.AMI.NS.Medium.1040 | + + +### aws_launch_configuration +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | EcsCluster | HIGH | Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems. 
| AWS.EcsCluster.EncryptionandKeyManagement.High.0413 | +| Data Security | LaunchConfiguration | HIGH | Avoid using base64 encoded private keys as part of config | AWS.LaunchConfiguration.DataSecurity.High.0102 | +| Data Security | LaunchConfiguration | HIGH | Avoid using base64 encoded shell script as part of config | AWS.LaunchConfiguration.DataSecurity.High.0101 | + + +### aws_api_gateway_stage +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | API Gateway | MEDIUM | Enable SSL Client Certificate | AWS.API Gateway.Network Security.Medium.0565 | +| Logging | API Gateway | MEDIUM | Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level. | AWS.API Gateway.Logging.Medium.0572 | +| Logging | API Gateway | MEDIUM | Enable Active Tracing | AWS.API Gateway.Logging.Medium.0571 | +| Logging | API Gateway | MEDIUM | Enable AWS CloudWatch Logs for APIs | AWS.API Gateway.Logging.Medium.0567 | + + +### aws_elasticsearch_domain +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | Elasticsearch | MEDIUM | Ensure that your AWS Elasticsearch clusters have enabled the support for publishing slow logs to AWS CloudWatch Logs. This feature enables you to publish slow logs from the indexing and search operations performed on your ES clusters and gain full insight into the performance of these operations. 
| AWS.Elasticsearch.Logging.Medium.0573 | +| Encryption & Key Management | ElasticSearch | MEDIUM | ElasticSearch Domain Encrypted with KMS CMKs | AWS.ElasticSearch.Encryption&KeyManagement.Medium.0768 | +| Encryption & Key Management | ElasticSearch | MEDIUM | Enable AWS ElasticSearch Encryption At Rest | AWS.ElasticSearch.Encryption&KeyManagement.Medium.0778 | + + +### aws_iam_user_login_profile +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | Iam | HIGH | Password policies are, in part, used to enforce password complexity requirements. IAM password policies can be used to ensure password are comprised of different character sets, have minimal length, rotation and history restrictions | AWS.Iam.IAM.High.0391 | + + +### aws_iam_group_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | IamPolicy | HIGH | It is recommended and considered a standard security advice to grant least privileges that is, granting only the permissions required to perform a task. IAM policies are the means by which privileges are granted to users, groups, or roles. Determine what users need to do and then craft policies for them that let the users perform only those tasks, instead of granting full administrative privileges. | AWS.IamPolicy.IAM.High.0392 | + + +### aws_load_balancer_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | ELB | HIGH | Using insecure ciphers for your ELB Predefined or Custom Security Policy, could make the SSL connection between the client and the load balancer vulnerable to exploits. 
TLS 1.0 was recommended to be disabled by PCI Council after June 30, 2016 | AWS.ELB.EncryptionandKeyManagement.High.0401 | +| Encryption and Key Management | ELB | HIGH | Remove insecure ciphers for your ELB Predefined or Custom Security Policy, to reduce the risk of the SSL connection between the client and the load balancer being exploited. | AWS.ELB.EncryptionandKeyManagement.High.0403 | + + +### aws_s3_bucket +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0377 | +| Network Security | S3Bucket | HIGH | Ensure that there are not any static websites being hosted on buckets you aren't aware of | AWS.S3Bucket.NetworkSecurity.High.0417 | +| IAM | S3Bucket | HIGH | Enabling S3 versioning will enable easy recovery from both unintended user actions, like deletes and overwrites | AWS.S3Bucket.IAM.High.0370 | +| S3 | S3Bucket | HIGH | S3 bucket Access is allowed to all AWS Account Users. | AWS.S3Bucket.DS.High.1043 | +| IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0379 | +| Encryption and Key Management | S3Bucket | HIGH | Ensure that S3 Buckets have server side encryption at rest enabled with KMS key to protect sensitive data. 
| AWS.S3Bucket.EncryptionandKeyManagement.High.0405 | +| IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0378 | +| IAM | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0381 | + + +### aws_elb +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Ports Security | ELB | LOW | AWS ELB incoming traffic not encrypted | AWS.ELB.NetworkPortsSecurity.Low.0563 | + + +### aws_redshift_cluster +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | Redshift | HIGH | Ensure Redshift clusters are not publicly accessible to minimise security risks. | AWS.Redshift.NetworkSecurity.HIGH.0564 | +| Logging | Redshift | MEDIUM | Ensure audit logging is enabled for Redshift clusters for security and troubleshooting purposes. | AWS.Redshift.Logging.Medium.0565 | +| Encryption and Key Management | Redshift | HIGH | Use customer-managed KMS keys instead of AWS-managed keys, to have granular control over encrypting and encrypting data. Encrypt Redshift clusters with a Customer-managed KMS key. This is a recommended best practice. 
| AWS.Redshift.EncryptionandKeyManagement.High.0415 | + + +### aws_kinesis_stream +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | Kinesis | HIGH | Kinesis Streams and metadata are not protected | AWS.Kinesis.EncryptionandKeyManagement.High.0412 | + + +### aws_config_configuration_aggregator +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | Config | HIGH | Ensure AWS Config is enabled in all regions | AWS.Config.Logging.HIGH.0590 | + + +### aws_organizations_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| IAM | Organizations | MEDIUM | Ensure that All Features is enabled within your Amazon Organizations to achieve full control over the use of AWS services and actions across multiple AWS accounts using Service Control Policies (SCPs). | AWS.Organizations.IAM.MEDIUM.0590 | + + +### aws_route53_query_log +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | Route53 query logs | MEDIUM | Ensure CloudWatch logging is enabled for Route53 hosted zones. | AWS.Route53 query logs.Logging.Medium.0574 | + + +### aws_iam_access_key +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | IamUser | HIGH | The root account is the most privileged user in an AWS account. AWS Access Keys provide programmatic access to a given AWS account. It is recommended that all access keys associated with the root account be removed. Removing access keys associated with the root account limits vectors by which the account can be compromised. 
Additionally, removing the root access keys encourages the creation and use of role based accounts that are least privileged. | AWS.IamUser.IAM.High.0390 | +| Identity and Access Management | IamUser | MEDIUM | Ensure that there are no exposed Amazon IAM access keys in order to protect your AWS resources against unapproved access | AWS.IamUser.IAM.High.0391 | + + +### aws_guardduty_detector +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | GuardDuty Enabled | MEDIUM | Ensure that Amazon GuardDuty service is currently enabled in all regions in order to protect your AWS environment and infrastructure (AWS accounts and resources, IAM credentials, guest operating systems, applications, etc) against security threats. AWS GuardDuty is a managed threat detection service that continuously monitors your VPC flow logs, AWS CloudTrail event logs and DNS logs for malicious or unauthorized behavior. The service monitors for activity such as unusual API calls, potentially compromised EC2 instances or potentially unauthorized deployments that indicate a possible AWS account compromise. AWS GuardDuty operates entirely on Amazon Web Services infrastructure and does not affect the performance or reliability of your applications. The service does not require any software agents, sensors or network appliances. | AWS.GuardDuty Enabled.Security.Medium.0575 | + + +### aws_db_security_group +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | RDS | HIGH | RDS should not be defined with public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment. | AWS.RDS.NetworkSecurity.High.0101 | +| Network Security | RDS | HIGH | RDS should not be open to a large scope. 
Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment. | AWS.RDS.NetworkSecurity.High.0103 | +| Network Security | RDS | HIGH | RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment. | AWS.RDS.NetworkSecurity.High.0102 | + + +### aws_s3_bucket_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0371 | +| Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0376 | +| Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0375 | +| Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0374 | +| Identity and Access Management | S3Bucket | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.S3Bucket.IAM.High.0372 | +| Identity and Access Management | IamPolicy | HIGH | Misconfigured S3 buckets can leak private information to the entire internet or allow unauthorized data tampering / deletion | AWS.IamPolicy.IAM.High.0373 | + + +### aws_elasticache_cluster +| Category | Resource | Severity | Description | Reference ID | +| -------- | 
-------- | -------- | ----------- | ------------ | +| Data Security | ElastiCache | HIGH | ElastiCache for Redis version is not compliant with AWS PCI DSS requirements | AWS.ElastiCache.DataSecurity.High.0425 | +| Data Security | ElastiCache | HIGH | ElastiCache for Memcached is not in use in AWS PCI DSS environments | AWS.ElastiCache.DataSecurity.High.0424 | +| High Availability | ElastiCache | MEDIUM | AWS ElastiCache Multi-AZ | AWS.ElastiCache.HighAvailability.Medium.0757 | + + +### aws_kinesis_firehose_delivery_stream +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | Kinesis | HIGH | AWS Kinesis Server data at rest has server side encryption (SSE) | AWS.Kinesis.EncryptionandKeyManagement.High.0411 | + + +### aws_rds_cluster +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | RDS | HIGH | Encrypt Amazon RDS instances and snapshots at rest, by enabling the encryption option for your Amazon RDS DB instance | AWS.RDS.EncryptionandKeyManagement.High.0414 | + + +### aws_lambda +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | ElasticSearch | MEDIUM | Lambda Functions with Admin Privileges | AWS.ElasticSearch.IAM.Medium.0878 | + + +### aws_cloudtrail +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | CloudTrail | HIGH | Cloud Trail Log Not Enabled | AWS.CloudTrail.Logging.High.0399 | +| Logging | CloudTrail | MEDIUM | Cloud Trail Multi Region not enabled | AWS.CloudTrail.Logging.Medium.0460 | +| Logging | CloudTrail | MEDIUM | Ensure appropriate subscribers to each SNS topic | AWS.CloudTrail.Logging.Low.0559 | + + +### aws_lambda_function 
+| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | VPC | LOW | Lambda tracing is not enabled. | AWS.VPC.Logging.Medium.0470 | + + +### aws_kms_key +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | KMS | HIGH | Ensure rotation for customer created CMKs is enabled | AWS.KMS.Logging.High.0400 | +| Network Security | KMS | HIGH | Identify any publicly accessible AWS Key Management Service master keys and update their access policy in order to stop any unsigned requests made to these resources. | AWS.KMS.NetworkSecurity.High.0566 | + + +### aws_security_group +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Ports Security | SecurityGroup | HIGH | It is recommended that no security group allows unrestricted ingress access | AWS.SecurityGroup.NetworkSecurity.High.0094 | + + +### aws_ecs_service +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Data Security | ECS | HIGH | Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud. | AWS.ECS.High.0436 | + + diff --git a/docs/policies/azure.md b/docs/policies/azure.md new file mode 100644 index 000000000..570e79b41 --- /dev/null +++ b/docs/policies/azure.md 
@@ -0,0 +1,161 @@ + +### azurerm_virtual_machine +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | HIGH | Ensure that at least one Network Security Group is attached to all VMs and subnets that are public | accurics.azure.NS.18 | + + +### azurerm_storage_container +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | azure | HIGH | Anonymous, public read access to a container and its blobs can be enabled in Azure Blob storage. This is only recommended if absolutely necessary. | accurics.azure.IAM.368 | + + +### azurerm_sql_firewall_rule +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | MEDIUM | Restrict Azure SQL Server accessibility to a minimal address range | accurics.azure.NS.169 | +| Network Security | azure | HIGH | Ensure entire Azure infrastructure doesn't have access to Azure SQL ServerEnsure entire Azure infrastructure doesn't have access to Azure SQL Server | accurics.azure.NS.5 | +| Network Security | azure | HIGH | Ensure that no SQL Server allows ingress from 0.0.0.0/0 (ANY IP) | accurics.azure.NS.21 | + + +### azurerm_key_vault +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | azure | MEDIUM | Ensure the key vault is recoverable - enable "Soft Delete" setting for a Key Vault | accurics.azure.EKM.164 | +| Encryption and Key Management | azure | HIGH | Ensure that logging for Azure KeyVault is 'Enabled' | accurics.azure.EKM.20 | + + +### azurerm_resource_group +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | 
azure | LOW | Ensure that Azure Resource Group has resource lock enabled | accurics.azure.NS.272 | + + +### azurerm_storage_account +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | HIGH | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | accurics.azure.NS.2 | +| Network Security | azure | HIGH | Ensure default network access rule for Storage Accounts is not open to public | accurics.azure.NS.4 | +| Encryption and Key Management | azure | HIGH | Ensure that 'Secure transfer required' is enabled for Storage Accounts | accurics.azure.EKM.7 | + + +### azurerm_sql_server +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Monitoring | azure | MEDIUM | Ensure that 'Auditing' is set to 'On' for SQL servers | accurics.azure.MON.354 | +| Identity and Access Management | azure | HIGH | Ensure that Azure Active Directory Admin is configured for SQL Server | accurics.azure.IAM.10 | +| Identity and Access Management | azure | MEDIUM | Avoid using names like 'Admin' for an Azure SQL Server admin account login | accurics.azure.IAM.138 | +| Logging | azure | MEDIUM | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers. | accurics.azure.LOG.356 | + + +### azurerm_sql_database +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Monitoring | azure | MEDIUM | Ensure that 'Threat Detection' is enabled for Azure SQL Database | accurics.azure.MON.157 | + + +### azurerm_redis_cache +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | HIGH | Ensure that Redis is updated regularly with security and operational updates. 
+ +Note this feature is only available to Premium tier Redis Caches. | accurics.azure.NS.13 | +| Encryption and Key Management | azure | MEDIUM | Ensure that the Redis Cache accepts only SSL connections | accurics.azure.EKM.23 | +| Network Security | azure | HIGH | Ensure there are no firewall rules allowing unrestricted access to Redis from other Azure sources | accurics.azure.NS.31 | +| Network Security | azure | HIGH | Ensure there are no firewall rules allowing unrestricted access to Redis from the Internet | accurics.azure.NS.30 | +| Network Security | azure | MEDIUM | Ensure there are no firewall rules allowing Redis Cache access for a large number of source IPs | accurics.azure.NS.166 | + + +### azurerm_kubernetes_cluster +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | MEDIUM | Ensure Kube Dashboard is disabled | accurics.azure.NS.383 | +| Network Security | azure | MEDIUM | Ensure AKS cluster has Network Policy configured. | accurics.azure.NS.382 | + + +### azurerm_managed_disk +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | azure | MEDIUM | Ensure that 'OS disk' are encrypted | accurics.azure.EKM.156 | + + +### azurerm_network_watcher_flow_log +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | MEDIUM | Network Security Group Flow Logs should be enabled and the retention period is set to greater than or equal to 90 days. Flow logs enable capturing information about IP traffic flowing in and out of network security groups. Logs can be used to check for anomalies and give insight into suspected breaches. | accurics.azure.NS.342 | +| Network Security | azure | HIGH | Enable Network Watcher for Azure subscriptions. 
Network diagnostic and visualization tools available with Network Watcher help users understand, diagnose, and gain insights to the network in Azure. | accurics.azure.NS.11 | + + +### azurerm_key_vault_secret +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Key Management | azure | HIGH | Ensure that the expiration date is set on all secrets | accurics.azure.EKM.26 | + + +### azurerm_key_vault_key +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Key Management | azure | HIGH | Ensure that the expiration date is set on all keys | accurics.azure.EKM.25 | + + +### azurerm_network_security_rule +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Ports Security | azure | HIGH | SSH (TCP:22) is exposed to the wide public internet | accurics.azure.NPS.37 | +| Network Ports Security | azure | HIGH | Remote Desktop (TCP:3389) is exposed to the wide public internet | accurics.azure.NPS.36 | +| Network Ports Security | azure | HIGH | SSH (TCP:22) is exposed to the entire public internet | accurics.azure.NPS.172 | +| Network Ports Security | azure | HIGH | Remote Desktop (TCP:3389) is exposed to the entire public internet | accurics.azure.NPS.171 | +| Network Ports Security | azure | HIGH | CiscoSecure, WebSM (TCP:9090) is exposed to the wide public internet | accurics.azure.NPS.35 | + + +### azurerm_cosmosdb_account +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Cloud Assets Management | azure | MEDIUM | Ensure that Cosmos DB Account has an associated tag | accurics.azure.CAM.162 | + + +### azurerm_security_center_subscription_pricing +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | 
----------- | ------------ | +| Operational Efficiency | azure | MEDIUM | Ensure that standard pricing tiers are selected | accurics.azure.OPS.349 | + + +### azurerm_sql_active_directory_administrator +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | azure | MEDIUM | Avoid using names like 'Admin' for an Azure SQL Server Active Directory Administrator account | accurics.azure.IAM.137 | + + +### azurerm_container_registry +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key Management | azure | MEDIUM | Ensure that admin user is disabled for Container Registry | accurics.azure.EKM.164 | +| Azure Container Services | azure | HIGH | Ensure Container Registry has locks | accurics.azure.AKS.3 | + + +### azurerm_virtual_network +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | MEDIUM | Ensure that Azure Virtual Network subnet is configured with a Network Security Group | accurics.azure.NS.161 | + + +### azurerm_role_assignment +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity and Access Management | azure | HIGH | Ensure that there are no guest users | accurics.azure.IAM.388 | + + +### azurerm_application_gateway +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | azure | MEDIUM | Ensure Azure Application Gateway Web application firewall (WAF) is enabled | accurics.azure.NS.147 | + + +### azurerm_postgresql_server +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption and Key 
Management | azure | HIGH | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | accurics.azure.EKM.1 | +| Backup and Disaster Recovery | azure | HIGH | Ensure that Geo Redundant Backups is enabled on PostgreSQL | accurics.azure.BDR.163 | + + diff --git a/docs/policies/document_policies.py b/docs/policies/document_policies.py new file mode 100644 index 000000000..c824d3cc6 --- /dev/null +++ b/docs/policies/document_policies.py @@ -0,0 +1,27 @@ +import os +import json + +def dir_size(dir): + for policy_type in os.listdir(dir): + with open(f"docs/policies/{policy_type}.md", "w") as f: + f.write(f"\n") + for resource_type in os.listdir(os.path.join(dir,policy_type)): + f.write(f"### {resource_type}\n") + f.write("| Category | Resource | Severity | Description | Reference ID |\n") + f.write("| -------- | -------- | -------- | ----------- | ------------ |\n") + for (dirpath, dirs, files) in os.walk(os.path.join(dir, policy_type, resource_type)): + for filename in files: + if '.json' in filename: + with open(os.path.join(dirpath,filename)) as p: + policy = json.load(p) + category = policy['category'] + resource = filename.split('.')[1] + severity = policy['severity'] + description = policy['description'] + reference_id = policy['reference_id'] + f.write(f"| {category} | {resource} | {severity} | {description} | {reference_id} |\n") + f.write("\n\n") + +if __name__ == '__main__': + policy_dir = os.path.join(os.getcwd(), "pkg", "policies", "opa", "rego") + dir_size(policy_dir) diff --git a/docs/policies/gcp.md b/docs/policies/gcp.md new file mode 100644 index 000000000..b6c89b9e0 --- /dev/null +++ b/docs/policies/gcp.md 
@@ -0,0 +1,148 @@ + +### google_container_node_pool +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Operational Efficiency | gcp | HIGH | Ensure 'Automatic node upgrade' is enabled for Kubernetes Clusters. | accurics.gcp.OPS.101 | +| Operational Efficiency | gcp | HIGH | Ensure Container-Optimized OS (cos) is used for Kubernetes Engine Clusters Node image. | accurics.gcp.OPS.114 | +| Operational Efficiency | gcp | MEDIUM | Ensure 'Automatic node repair' is enabled for Kubernetes Clusters. | accurics.gcp.OPS.144 | + + +### github_repository +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity & Access Management | gcp | MEDIUM | Repository is Not Private. | accurics.gcp.IAM.145 | + + +### google_bigquery_dataset +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity & Access Management | gcp | HIGH | BigQuery datasets may be anonymously or publicly accessible. | accurics.gcp.IAM.106 | + + +### google_compute_project_metadata +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Access Control | gcp | HIGH | Ensure oslogin is enabled for a Project | accurics.gcp.IAM.127 | + + +### google_compute_subnetwork +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | gcp | MEDIUM | Ensure that VPC Flow Logs is enabled for every subnet in a VPC Network. 
| accurics.gcp.LOG.118 | + + +### google_project_iam_audit_config +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | gcp | HIGH | Ensure that Cloud Audit Logging is configured properly across all services and all users from a project. | accurics.gcp.LOG.010 | + + +### google_sql_database_instance +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Backup & Disaster Recovery | gcp | HIGH | Ensure all Cloud SQL database instance have backup configuration enabled. | accurics.gcp.BDR.105 | +| Network Security | gcp | HIGH | Ensure that Cloud SQL database Instances are not open to the world. | accurics.gcp.NS.102 | +| Encryption & Key Management | gcp | HIGH | Ensure that Cloud SQL database instance requires all incoming connections to use SSL | accurics.gcp.EKM.141 | + + +### google_compute_instance +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | gcp | MEDIUM | Ensure IP forwarding is not enabled on Instances. | accurics.gcp.NS.130 | +| Encryption & Key Management | gcp | MEDIUM | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) . | accurics.gcp.EKM.132 | +| Identity & Access Management | gcp | MEDIUM | Instances may have been configured to use the default service account with full access to all Cloud APIs | accurics.gcp.IAM.124 | +| Network Security | gcp | MEDIUM | Ensure Compute instances are launched with Shielded VM enabled. 
| accurics.gcp.NS.133 | +| Access Control | gcp | HIGH | Instances may have been configured to use the default service account with full access to all Cloud APIs | accurics.gcp.NS.125 | + + +### google_storage_bucket_iam_binding +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity & Access Management | gcp | MEDIUM | Ensure that Cloud Storage bucket is not anonymously or publicly accessible. | accurics.gcp.IAM.121 | + + +### google_container_cluster +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Monitoring | gcp | HIGH | Ensure Stackdriver Monitoring is enabled on Kubernetes Engine Clusters. | accurics.gcp.MON.143 | +| Network Security | gcp | HIGH | Ensure Kubernetes Cluster is created with Private cluster enabled. | accurics.gcp.NS.117 | +| Operational Efficiency | gcp | HIGH | Ensure PodSecurityPolicy controller is enabled on the Kubernetes Engine Clusters. | accurics.gcp.OPS.116 | +| Identity & Access Management | gcp | HIGH | Ensure GKE basic auth is disabled. | accurics.gcp.IAM.110 | +| Network Security | gcp | HIGH | Ensure Master Authentication is set to enabled on Kubernetes Engine Clusters. | accurics.gcp.NS.112 | +| Operational Efficiency | gcp | HIGH | Ensure Kubernetes Cluster is created with Alias IP ranges enabled | accurics.gcp.OPS.115 | +| Network Security | gcp | HIGH | Ensure GKE Control Plane is not public. | accurics.gcp.NS.109 | +| Identity & Access Management | gcp | HIGH | Ensure Kubernetes Cluster is created with Client Certificate enabled. | accurics.gcp.IAM.104 | +| Operational Efficiency | gcp | HIGH | Ensure Kubernetes Clusters are configured with Labels. | accurics.gcp.OPS.113 | +| Identity & Access Management | gcp | HIGH | Ensure Legacy Authorization is set to disabled on Kubernetes Engine Clusters. 
| accurics.gcp.IAM.142 | +| Logging | gcp | HIGH | Ensure Stackdriver Logging is enabled on Kubernetes Engine Clusters. | accurics.gcp.LOG.100 | +| Network Security | gcp | HIGH | Ensure Network policy is enabled on Kubernetes Engine Clusters. | accurics.gcp.NS.103 | + + +### google_project +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | gcp | MEDIUM | Ensure that the default network does not exist in a project. | accurics.gcp.NS.119 | + + +### google_compute_firewall +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Network Security | gcp | MEDIUM | Ensure that SSH access is restricted from the internet | accurics.gcp.NS.149 | +| Network Security | gcp | MEDIUM | Ensure that SSH access is restricted from the internet | accurics.gcp.NS.148 | +| Network Security | gcp | MEDIUM | Ensure Google compute firewall ingress does not allow unrestricted rdp access. | accurics.gcp.NS.123 | + + +### google_dns_managed_zone +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption & Key Management | gcp | HIGH | Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC. | accurics.gcp.EKM.108 | +| Network Security | gcp | HIGH | Ensure that DNSSEC is enabled for Cloud DNS. | accurics.gcp.NS.107 | + + +### google_compute_disk +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption & Key Management | gcp | MEDIUM | Ensure VM disks for critical VMs are encrypted with Customer Supplied Encryption Keys (CSEK) . 
| accurics.gcp.EKM.131 | + + +### google_project_iam_member +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity & Access Management | gcp | MEDIUM | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level. | accurics.gcp.IAM.137 | +| Identity & Access Management | gcp | MEDIUM | Ensure that Service Account has no Admin privileges. | accurics.gcp.IAM.138 | + + +### google_storage_bucket_iam_member +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity & Access Management | gcp | HIGH | Ensure that Cloud Storage bucket is not anonymously or publicly Accessible. | accurics.gcp.IAM.120 | + + +### google_compute_ssl_policy +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption & Key Management | gcp | MEDIUM | Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suites. | accurics.gcp.EKM.134 | + + +### google_storage_bucket +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Logging | gcp | HIGH | Ensure that logging is enabled for Cloud storage buckets. | accurics.gcp.LOG.147 | +| Logging | gcp | HIGH | Ensure that object versioning is enabled on log-buckets. | accurics.gcp.LOG.146 | +| Identity & Access Management | gcp | MEDIUM | Ensure that Cloud Storage buckets have uniform bucket-level access enabled. | accurics.gcp.IAM.122 | + + +### google_kms_crypto_key +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Encryption & Key Management | gcp | MEDIUM | Ensure Encryption keys are rotated within a period of 90 days. 
| accurics.gcp.EKM.139 | +| Encryption & Key Management | gcp | HIGH | Ensure Encryption keys are rotated within a period of 365 days. | accurics.gcp.EKM.007 | + + +### google_project_iam_binding +| Category | Resource | Severity | Description | Reference ID | +| -------- | -------- | -------- | ----------- | ------------ | +| Identity & Access Management | gcp | MEDIUM | Ensure that IAM users are not assigned the Service Account User or Service Account Token Creator roles at project level. | accurics.gcp.IAM.136 | +| Identity and Access Management | gcp | HIGH | Ensure that corporate login credentials are used instead of Gmail accounts. | accurics.gcp.IAM.150 | + + diff --git a/docs/providers.md b/docs/providers.md deleted file mode 100644 index 8f4fe3c58..000000000 --- a/docs/providers.md +++ /dev/null @@ -1,3 +0,0 @@ -# Provider Reference - -## Terraform (HCL2) diff --git a/docs/requirements.txt b/docs/requirements.txt index 3883dfad2..51260e82f 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,2 +1,3 @@ mkdocs==1.1.2 mkdocs-material==5.5.6 +mkdocs-diagrams==0.0.2 diff --git a/mkdocs.yml b/mkdocs.yml index 74e8a49a9..cea7b3d11 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -40,13 +40,17 @@ nav: - Home: index.md - Getting Started: getting-started.md - Architecture: architecture.md - - Provider Reference: providers.md - - Policies: policies.md - - Educational Resources: learning.md + - Policies: + - Policy Reference: policies.md + - AWS: policies/aws.md + - GCP: policies/gcp.md + - Azure: policies/azure.md + # - Educational Resources: learning.md - Contributing: contributing.md - Changelog: changelog.md - About: about.md +# Extensions markdown_extensions: - pymdownx.highlight - pymdownx.inlinehilite 
@@ -54,3 +58,16 @@ markdown_extensions: - pymdownx.snippets - toc: permalink: true + +google_analytics: + - UA-XXXXXXXX-X + - auto + +# Plugins +plugins: + - diagrams + - search + +extra_javascript: + - https://cdnjs.cloudflare.com/ajax/libs/tablesort/5.2.1/tablesort.min.js + - javascripts/tables.js
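Review bot: In docs/policies/document_policies.py, the name `dir_size` does not describe what the function does (it writes the per-provider policy Markdown), and the file filter `if '.json' in filename` plus `resource = filename.split('.')[1]` are looser than the data they depend on; rename to something like `write_policy_docs`, use `filename.endswith('.json')`, and guard the `os.listdir(dir)` / `os.listdir(os.path.join(dir,policy_type))` loops with `os.path.isdir` so a stray file at either level does not raise. Two more points in the same block: `description` is written into a Markdown table unescaped, so any `|` in a policy description splits the row, and the output path `docs/policies/{policy_type}.md` is relative to the working directory while `policy_dir` is built from `os.getcwd()`, so the script only works from the repository root; a one-line docstring stating that would help.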
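Review bot: The generated docs/policies/gcp.md exposes metadata defects that should be fixed in the source policy JSON rather than in this file: under `google_compute_firewall` the description "Ensure that SSH access is restricted from the internet" is listed for both accurics.gcp.NS.149 and accurics.gcp.NS.148, under `google_compute_instance` the description "Instances may have been configured to use the default service account with full access to all Cloud APIs" appears for both accurics.gcp.IAM.124 (MEDIUM, Identity & Access Management) and accurics.gcp.NS.125 (HIGH, Access Control), and the category for accurics.gcp.IAM.150 is "Identity and Access Management" while every other GCP IAM row uses "Identity & Access Management". Since users grep these tables by description to map a finding to a reference ID, the duplicates and the mixed category spelling should be resolved in the rego policy metadata before this is regenerated.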
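Review bot: In the first mkdocs.yml hunk, `- Educational Resources: learning.md` is commented out rather than removed, with no note on why; either delete the line (as was done for `providers.md`, whose file is deleted in this same patch) or add a short comment explaining that the page is being kept for later, so the next reader does not have to guess whether the nav entry is dead or pending.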
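Review bot: In the second mkdocs.yml hunk, `google_analytics` is committed with the placeholder `UA-XXXXXXXX-X`; either fill in the real property ID or drop the key, since a placeholder ships a non-functional tracking configuration that someone will later copy as if it were real. The `extra_javascript` entry `https://cdnjs.cloudflare.com/ajax/libs/tablesort/5.2.1/tablesort.min.js` loads third-party code into every docs page with no integrity check (the mkdocs version pinned in docs/requirements.txt emits a bare `<script src>` for this list), so consider vendoring `tablesort.min.js` under `docs/javascripts/` next to `tables.js`; note also that `javascripts/tables.js` is referenced here but does not appear as an added file in the visible hunks.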