From c06c1ed55c0aa3616309bef4a925a68abd97e44e Mon Sep 17 00:00:00 2001
From: Thereal SomeEODDude <46727149+jonrau1@users.noreply.github.com>
Date: Sat, 10 Feb 2024 15:47:25 -0500
Subject: [PATCH] CIS AWS BM v3 storage controls
---
 .../aws/AWS_Security_Services_Auditor.py | 6 ++--
 eeauditor/auditors/aws/Amazon_EBS_Auditor.py | 6 ++--
 eeauditor/auditors/aws/Amazon_EFS_Auditor.py | 6 ++--
 eeauditor/auditors/aws/Amazon_RDS_Auditor.py | 18 +++++++++---
 eeauditor/auditors/aws/Amazon_S3_Auditor.py | 28 +++++++++++++------
 5 files changed, 46 insertions(+), 18 deletions(-)
diff --git a/eeauditor/auditors/aws/AWS_Security_Services_Auditor.py b/eeauditor/auditors/aws/AWS_Security_Services_Auditor.py
index 291c1386..580e54aa 100644
--- a/eeauditor/auditors/aws/AWS_Security_Services_Auditor.py
+++ b/eeauditor/auditors/aws/AWS_Security_Services_Auditor.py
@@ -271,7 +271,8 @@ def macie_in_use_check(cache: dict, session, awsAccountId: str, awsRegion: str,
 "ISO 27001:2013 A.16.1.1",
 "ISO 27001:2013 A.16.1.4",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.4",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.3"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.3",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.3"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
@@ -368,7 +369,8 @@ def macie_in_use_check(cache: dict, session, awsAccountId: str, awsRegion: str,
 "ISO 27001:2013 A.16.1.1",
 "ISO 27001:2013 A.16.1.4",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.4",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.3"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.3",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.3"
 ]
 },
 "Workflow": {"Status": "NEW"},
diff --git a/eeauditor/auditors/aws/Amazon_EBS_Auditor.py b/eeauditor/auditors/aws/Amazon_EBS_Auditor.py
index b886086e..23958fe4 100644
--- a/eeauditor/auditors/aws/Amazon_EBS_Auditor.py
+++ b/eeauditor/auditors/aws/Amazon_EBS_Auditor.py
@@ -1036,7 +1036,8 @@ def ebs_account_encryption_by_default_check(cache: dict, session, awsAccountId:
 "AICPA TSC CC6.1",
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.2.1",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.2.1"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.2.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.2.1"
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -1094,7 +1095,8 @@ def ebs_account_encryption_by_default_check(cache: dict, session, awsAccountId:
 "AICPA TSC CC6.1",
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.2.1",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.2.1"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.2.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.2.1"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
diff --git a/eeauditor/auditors/aws/Amazon_EFS_Auditor.py b/eeauditor/auditors/aws/Amazon_EFS_Auditor.py
index b52767d8..b199783b 100644
--- a/eeauditor/auditors/aws/Amazon_EFS_Auditor.py
+++ b/eeauditor/auditors/aws/Amazon_EFS_Auditor.py
@@ -101,7 +101,8 @@ def efs_filesys_encryption_check(cache: dict, session, awsAccountId: str, awsReg
 "AICPA TSC CC6.1",
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.4.1",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.4.1"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.4.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.4.1"
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -162,7 +163,8 @@ def efs_filesys_encryption_check(cache: dict, session, awsAccountId: str, awsReg
 "AICPA TSC CC6.1",
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.4.1",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.4.1"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.4.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.4.1"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
diff --git a/eeauditor/auditors/aws/Amazon_RDS_Auditor.py b/eeauditor/auditors/aws/Amazon_RDS_Auditor.py
index f640909f..b9e31bef 100644
--- a/eeauditor/auditors/aws/Amazon_RDS_Auditor.py
+++ b/eeauditor/auditors/aws/Amazon_RDS_Auditor.py
@@ -485,7 +485,8 @@ def rds_instance_public_access_check(cache: dict, session, awsAccountId: str, aw
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.3",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -602,7 +603,8 @@ def rds_instance_public_access_check(cache: dict, session, awsAccountId: str, aw
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.3",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
@@ -692,6 +694,7 @@ def rds_instance_storage_encryption_check(cache: dict, session, awsAccountId: st
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.1",
 "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.1",
 "CIS AWS Database Services Benchmark V1.0 3.5",
 "CIS AWS Database Services Benchmark V1.0 3.11"
 ]
@@ -764,6 +767,7 @@ def rds_instance_storage_encryption_check(cache: dict, session, awsAccountId: st
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.1",
 "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.1",
 "CIS AWS Database Services Benchmark V1.0 3.5",
 "CIS AWS Database Services Benchmark V1.0 3.11"
 ],
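Review bot: The V3.0 entry added to both rds_instance_public_access_check findings is `"CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",`, while the V1.5 and V2.0 entries kept directly above it are 2.3.3 and the neighbouring rds_instance_storage_encryption_check hunks carry 2.3.1 unchanged into V3.0, so section 2.3 appears to have kept its numbering and this looks like a typo for `"CIS Amazon Web Services Foundations Benchmark V3.0 2.3.3"`. Further down in this patch rds_instance_minor_version_upgrade_check is also mapped to V3.0 2.3.2, so as written two unrelated controls (public reachability and auto minor version upgrade) would report the same V3.0 requirement, a mapping error a compliance consumer cannot detect downstream; please confirm against the v3.0 benchmark text before merging. The added lines also end with a trailing comma where every other hunk in this patch omits it after the last list element, which is harmless but worth making consistent. The finding dicts these lists belong to start and end outside the hunks.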
@@ -2205,7 +2209,8 @@ def rds_snapshot_public_share_check(cache: dict, session, awsAccountId: str, aws
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.3",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -2314,7 +2319,8 @@ def rds_snapshot_public_share_check(cache: dict, session, awsAccountId: str, aws
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.3",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.3",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
@@ -2573,6 +2579,7 @@ def rds_aurora_cluster_encryption_check(cache: dict, session, awsAccountId: str,
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.1",
 "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.1",
 "CIS AWS Database Services Benchmark V1.0 2.3"
 ]
 },
@@ -2646,6 +2653,7 @@ def rds_aurora_cluster_encryption_check(cache: dict, session, awsAccountId: str,
 "ISO 27001:2013 A.8.2.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.1",
 "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.1",
 "CIS AWS Database Services Benchmark V1.0 2.3",
 ]
 },
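Review bot: The same `V3.0 2.3.2` value is added to both rds_snapshot_public_share_check findings here next to V1.5 and V2.0 entries that read 2.3.3, and the rds_aurora_cluster_encryption_check hunks on this line map 2.3.1 unchanged into V3.0, so the public-sharing control most likely stayed at 2.3.3 and I would change both added lines to `"CIS Amazon Web Services Foundations Benchmark V3.0 2.3.3",`. If 2.3.2 is intentional, a one-line comment above the list such as `# CIS AWS v3.0 renumbered public access from 2.3.3 to 2.3.2` would stop the next maintainer from "fixing" it back. The finding dicts these lists belong to start and end outside the hunks.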
@@ -4364,6 +4372,7 @@ def rds_instance_minor_version_upgrade_check(cache: dict, session, awsAccountId:
 "ISO 27001:2013 A.11.2.6",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.2",
 "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.2",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",
 "CIS AWS Database Services Benchmark V1.0 3.8",
 "CIS AWS Database Services Benchmark V1.0 3.11"
 ]
@@ -4436,6 +4445,7 @@ def rds_instance_minor_version_upgrade_check(cache: dict, session, awsAccountId:
 "ISO 27001:2013 A.11.2.6",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.3.2",
 "CIS Amazon Web Services Foundations Benchmark V2.0 2.3.2",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.3.2",
 "CIS AWS Database Services Benchmark V1.0 3.8",
 "CIS AWS Database Services Benchmark V1.0 3.11"
 ]
diff --git a/eeauditor/auditors/aws/Amazon_S3_Auditor.py b/eeauditor/auditors/aws/Amazon_S3_Auditor.py
index c9d02f84..75623a84 100644
--- a/eeauditor/auditors/aws/Amazon_S3_Auditor.py
+++ b/eeauditor/auditors/aws/Amazon_S3_Auditor.py
@@ -648,7 +648,8 @@ def aws_s3_bucket_policy_allows_public_access_check(cache: dict, session, awsAcc
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.4"
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -757,7 +758,8 @@ def aws_s3_bucket_policy_allows_public_access_check(cache: dict, session, awsAcc
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.4"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
@@ -882,7 +884,9 @@ def aws_s3_bucket_policy_check(cache: dict, session, awsAccountId: str, awsRegio
 "ISO 27001:2013 A.13.2.4",
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
- "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5"
+ "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5",
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.4"
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -987,7 +991,9 @@ def aws_s3_bucket_policy_check(cache: dict, session, awsAccountId: str, awsRegio
 "ISO 27001:2013 A.13.2.4",
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
- "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5"
+ "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5",
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.4"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
@@ -1332,7 +1338,9 @@ def s3_account_level_block(cache: dict, session, awsAccountId: str, awsRegion: s
 "ISO 27001:2013 A.13.2.4",
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
- "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5"
+ "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5",
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.4"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},
@@ -1438,7 +1446,9 @@ def s3_account_level_block(cache: dict, session, awsAccountId: str, awsRegion: s
 "ISO 27001:2013 A.13.2.4",
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
- "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5"
+ "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.5",
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.4",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.4"
 ]
 },
 "Workflow": {"Status": "NEW"},
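Review bot: The `V2.0 2.1.4` line added to aws_s3_bucket_policy_check and s3_account_level_block in these hunks is a back-fill — aws_s3_bucket_policy_allows_public_access_check already carried that entry before this patch — which shows how keeping a hard-coded RelatedRequirements list in the NEW branch and again in the RESOLVED branch of every check lets the mappings drift between functions and between the two branches. A module-level constant per control family, e.g. `S3_PUBLIC_ACCESS_REQUIREMENTS = [...]` referenced from both branches, would make a benchmark bump a one-line change per check and keep NEW and RESOLVED findings in lockstep. It is also worth confirming that s3_account_level_block and aws_s3_bucket_policy_check, which from their names evaluate different settings, both genuinely satisfy the single 2.1.4 requirement now asserted for each. The finding dicts these lists belong to start and end outside the hunks.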
@@ -1529,7 +1539,8 @@ def aws_s3_bucket_deny_http_access_check(cache: dict, session, awsAccountId: str
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.2",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.1"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.1"
 ]
 },
 "Workflow": {"Status": "NEW"},
@@ -1591,7 +1602,8 @@ def aws_s3_bucket_deny_http_access_check(cache: dict, session, awsAccountId: str
 "ISO 27001:2013 A.14.1.2",
 "ISO 27001:2013 A.14.1.3",
 "CIS Amazon Web Services Foundations Benchmark V1.5 2.1.2",
- "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.1"
+ "CIS Amazon Web Services Foundations Benchmark V2.0 2.1.1",
+ "CIS Amazon Web Services Foundations Benchmark V3.0 2.1.1"
 ]
 },
 "Workflow": {"Status": "RESOLVED"},