Skip to content

Commit

Permalink
Merge pull request #68 from jkufro/awsConfig
Browse files Browse the repository at this point in the history
  • Loading branch information
rx294 authored Mar 1, 2021
2 parents 8a0ba6d + ec7cf15 commit 1ddece6
Show file tree
Hide file tree
Showing 9 changed files with 461 additions and 2 deletions.
21 changes: 21 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ HeimdallTools supplies several methods to convert output from various tools to "
- **nikto_mapper** - open-source web server scanner
- **jfrog_xray_mapper** - package vulnerability scanner
- **dbprotect_mapper** - database vulnerability scanner
- **aws_config_mapper** - assess, audit, and evaluate AWS resources

Ruby 2.4 or higher (check using "ruby -v")

Expand Down Expand Up @@ -213,6 +214,26 @@ FLAGS:
example: heimdall_tools dbprotect_mapper -x check_results_details_report.xml -o db_protect_hdf.json
```

## aws_config_mapper

aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format json to be viewable in Heimdall

### AWS Config Rule Mapping:
The mapping of AWS Config Rules to 800-53 Controls was sourced from [this link](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html).

### Authentication with AWS:
[Developer Guide for configuring Ruby AWS SDK for authentication](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html)

```
USAGE: heimdall_tools aws_config_mapper [OPTIONS] -o <hdf-scan-results.json>
FLAGS:
-o --output <scan-results> : path to output scan-results json.
-V --verbose : verbose run [optional].
example: heimdall_tools aws_config_mapper -o aws_config_results_hdf.json
```

## version

Prints out the gem version
Expand Down
1 change: 1 addition & 0 deletions heimdall_tools.gemspec
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ Gem::Specification.new do |spec| # rubocop:disable Metrics/BlockLength
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
spec.require_paths = ['lib']

spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1'
spec.add_runtime_dependency 'nokogiri', '~> 1.10.9'
spec.add_runtime_dependency 'thor', '~> 0.19'
spec.add_runtime_dependency 'json', '~> 2.3'
Expand Down
107 changes: 107 additions & 0 deletions lib/data/aws-config-mapping.csv
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
AwsConfigRuleName,NIST-ID,Rev
secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
access-keys-rotated,AC-2(1)|AC-2(j),4
iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
restricted-ssh,AC-4|SC-7|SC-7(3),4
vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
ec2-imdsv2-check,AC-6,4
iam-no-inline-policy-check,AC-6,4
alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
cw-loggroup-retention-period-check,AU-11|SI-12,4
ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
rds-enhanced-monitoring-enabled,CA-7(a)(b),4
ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
ec2-stopped-instance,CM-2,4
ec2-volume-inuse-check,CM-2|SC-4,4
elb-deletion-protection-enabled,CM-2|CP-10,4
cloudtrail-security-trail-enabled,CM-2,4
ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
dynamodb-autoscaling-enabled,CP-10|SC-5,4
rds-multi-az-support,CP-10|SC-5|SC-36,4
s3-bucket-versioning-enabled,CP-10|SI-12,4
vpc-vpn-2-tunnels-up,CP-10,4
elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
root-account-hardware-mfa-enabled,IA-2(1)(11),4
mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
iam-user-mfa-enabled,IA-2(1)(2)(11),4
guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
codebuild-project-source-repo-url-check,SA-3(a),4
autoscaling-group-elb-healthcheck-required,SC-5,4
rds-instance-deletion-protection-enabled,SC-5,4
alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
cmk-backing-key-rotation-enabled,SC-12,4
kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
efs-encrypted-check,SC-13|SC-28,4
elasticsearch-encrypted-at-rest,SC-13|SC-28,4
encrypted-volumes,SC-13|SC-28,4
rds-storage-encrypted,SC-13|SC-28,4
s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
sns-encrypted-kms,SC-13|SC-28,4
dynamodb-table-encrypted-kms,SC-13,4
s3-bucket-default-lock-enabled,SC-28,4
ec2-ebs-encryption-by-default,SC-28,4
rds-snapshot-encrypted,SC-28,4
cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4
1 change: 1 addition & 0 deletions lib/heimdall_tools.rb
Original file line number Diff line number Diff line change
Expand Up @@ -14,4 +14,5 @@ module HeimdallTools
autoload :NiktoMapper, 'heimdall_tools/nikto_mapper'
autoload :JfrogXrayMapper, 'heimdall_tools/jfrog_xray_mapper'
autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper'
autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
end
Loading

0 comments on commit 1ddece6

Please sign in to comment.