"""
Security rules configuration for different IaC platforms.
"""
from typing import Dict, List
from models import SecurityRule
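def get_terraform_rules() -> List[SecurityRule]:
    """Return the Terraform (HCL) security rules.

    Every rule carries one or more regular expressions in ``patterns``. The
    scanner that applies them lives outside this module, so the patterns are
    written not to depend on ``re`` flags: block bodies are matched with
    ``[^}]`` (which spans newlines) instead of ``.`` (which needs DOTALL).

    Returns:
        A list of ``SecurityRule`` objects covering public S3 buckets,
        unencrypted EBS and RDS storage, open security groups and wildcard
        IAM policies.
    """
    return [
        SecurityRule(
            rule_id="TF001",
            title="Public S3 Bucket",
            severity="high",
            patterns=[
                r'acl\s*=\s*["\']public-read["\']',
                r'acl\s*=\s*["\']public-read-write["\']',
                # Any of the four public-access-block switches set to false
                # undoes the protection, so each one is a hit on its own.
                r'block_public_acls\s*=\s*false',
                r'ignore_public_acls\s*=\s*false',
                r'block_public_policy\s*=\s*false',
                r'restrict_public_buckets\s*=\s*false',
            ],
            description="S3 bucket is configured with public access, which may expose sensitive data to unauthorized users.",
            recommendation="Use private ACL and configure specific bucket policies. Enable S3 bucket public access block.",
            # NOTE(review): in the AWS provider the public access block is a
            # separate resource (aws_s3_bucket_public_access_block), not a
            # nested block of the bucket — confirm the example before relying
            # on it as copy-paste guidance.
            fix_example='acl = "private"\n\nbucket_public_access_block {\n block_public_acls = true\n block_public_policy = true\n ignore_public_acls = true\n restrict_public_buckets = true\n}',
            category="Data Protection",
            cwe_id="CWE-200",
            cvss_score=7.5,
        ),
        SecurityRule(
            rule_id="TF002",
            title="Unencrypted EBS Volume",
            severity="high",
            patterns=[
                # The negative lookahead is anchored right after the resource
                # type / opening brace and inspects the whole block body, so
                # the rule fires only when the body really lacks
                # ``encrypted = true``. The earlier form placed the lookahead
                # after a lazy ``[^}]*?``, which backtracking could move past
                # the attribute (or, without DOTALL, let ``.*`` stop at the
                # end of the first line), flagging every EBS volume.
                # ``[^}]`` stops at the first ``}``, so an attribute written
                # after a nested block such as ``tags = { ... }`` is not seen —
                # a known limit of this regex-based check.
                r'resource\s+["\']aws_ebs_volume["\'](?![^}]*encrypted\s*=\s*true)[^}]*}',
                r'ebs_block_device\s*{(?![^}]*encrypted\s*=\s*true)[^}]*}',
            ],
            description="EBS volumes are not encrypted, potentially exposing sensitive data at rest.",
            recommendation="Enable encryption for all EBS volumes using AWS KMS keys to protect data at rest.",
            fix_example='encrypted = true\nkms_key_id = aws_kms_key.ebs.arn',
            category="Encryption",
            cwe_id="CWE-311",
            cvss_score=6.5,
        ),
        SecurityRule(
            rule_id="TF003",
            title="Open Security Group - Inbound",
            severity="critical",
            patterns=[
                # Any ingress block whose cidr_blocks list contains 0.0.0.0/0.
                r'ingress\s*{[^}]*cidr_blocks\s*=\s*\[[^]]*["\']0\.0\.0\.0/0["\'][^]]*\]',
                # Full port range open to the world.
                r'from_port\s*=\s*0[^}]*to_port\s*=\s*65535[^}]*cidr_blocks\s*=\s*\[[^]]*["\']0\.0\.0\.0/0["\']',
                # SSH (tcp/22) open to the world.
                r'protocol\s*=\s*["\']tcp["\'][^}]*from_port\s*=\s*22[^}]*cidr_blocks\s*=\s*\[[^]]*["\']0\.0\.0\.0/0["\']',
            ],
            description="Security group allows unrestricted inbound access from the internet (0.0.0.0/0).",
            recommendation="Restrict inbound rules to specific IP ranges, security groups, or use AWS Systems Manager Session Manager for SSH access.",
            fix_example='cidr_blocks = ["10.0.0.0/8", "172.16.0.0/12"]\n# Or use security group references\nsecurity_groups = [aws_security_group.app.id]',
            category="Network Security",
            cwe_id="CWE-16",
            cvss_score=9.0,
        ),
        SecurityRule(
            rule_id="TF004",
            title="Unencrypted RDS Instance",
            severity="high",
            patterns=[
                # Same anchored-lookahead shape as TF002: match an
                # aws_db_instance block whose body has no
                # ``storage_encrypted = true``.
                r'resource\s+["\']aws_db_instance["\'](?![^}]*storage_encrypted\s*=\s*true)[^}]*}',
            ],
            description="RDS database instance is not encrypted, potentially exposing sensitive data.",
            recommendation="Enable encryption for RDS instances and consider encryption in transit.",
            fix_example='storage_encrypted = true\nkms_key_id = aws_kms_key.rds.arn',
            category="Database Security",
            cwe_id="CWE-311",
            cvss_score=7.0,
        ),
        SecurityRule(
            rule_id="TF005",
            title="IAM Policy with Wildcard Actions",
            severity="medium",
            patterns=[
                # Matches the scalar form ``"Action": "*"`` (JSON or HCL
                # ``=``); a wildcard inside a list (``["*"]``) is not covered.
                r'["\']Action["\']\s*[:=]\s*["\'][*]["\']',
                r'["\']Resource["\']\s*[:=]\s*["\'][*]["\']',
            ],
            description="IAM policy uses wildcard (*) for actions or resources, potentially granting excessive permissions.",
            recommendation="Follow the principle of least privilege by specifying exact actions and resources.",
            fix_example='"Action": ["s3:GetObject", "s3:PutObject"],\n"Resource": ["arn:aws:s3:::my-bucket/*"]',
            category="Access Control",
            cwe_id="CWE-269",
            cvss_score=5.5,
        ),
    ]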
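def get_cloudformation_rules() -> List[SecurityRule]:
    """Return the CloudFormation security rules.

    The patterns accept both JSON and YAML templates: property names may or
    may not be quoted, hence the optional ``["\\']?`` around each key.

    Returns:
        A list of ``SecurityRule`` objects covering public S3 buckets and
        open security groups.
    """
    return [
        SecurityRule(
            rule_id="CF001",
            title="Public S3 Bucket Access",
            severity="high",
            patterns=[
                r'AccessControl["\']?\s*:\s*["\']?PublicRead',
                r'AccessControl["\']?\s*:\s*["\']?PublicReadWrite',
                # A wildcard principal anywhere in the template; this is not
                # limited to bucket policies, so expect hits on other policy
                # documents too.
                r'Principal["\']?\s*:\s*["\']?\*["\']?',
            ],
            description="S3 bucket allows public access which may expose sensitive data.",
            # The public access block is the control that prevents public
            # exposure; the advice previously said to "disable" it, which is
            # the opposite of the fix shown in fix_example.
            recommendation="Configure proper bucket policies and enable public access blocks.",
            fix_example='"AccessControl": "Private",\n"PublicAccessBlockConfiguration": {\n "BlockPublicAcls": true,\n "BlockPublicPolicy": true\n}',
            category="Data Protection",
            cwe_id="CWE-200",
            cvss_score=7.5,
        ),
        SecurityRule(
            rule_id="CF002",
            title="Open Security Group",
            severity="critical",
            patterns=[
                # Ingress/egress from any IPv4 address.
                r'CidrIp["\']?\s*:\s*["\']?0\.0\.0\.0/0["\']?',
                # ``IpProtocol: -1`` means "all protocols".
                r'IpProtocol["\']?\s*:\s*["\']?-1["\']?',
            ],
            description="Security group allows traffic from any IP address or all protocols.",
            recommendation="Restrict access to specific IP ranges and required protocols only.",
            fix_example='"CidrIp": "10.0.0.0/8",\n"IpProtocol": "tcp",\n"FromPort": 80,\n"ToPort": 80',
            category="Network Security",
            cwe_id="CWE-16",
            cvss_score=9.0,
        ),
    ]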
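def get_kubernetes_rules() -> List[SecurityRule]:
    """Return the Kubernetes manifest security rules.

    Two patterns in the previous version were bare negative lookaheads
    (``(?!...)`` with nothing consumed). Such a pattern is zero-width and
    matches at offset 0 of almost any text, so every scanned manifest was
    flagged as running as root and as missing limits. They have been removed
    or anchored to a real token below.

    Returns:
        A list of ``SecurityRule`` objects covering root containers,
        privileged containers and missing resource limits.
    """
    return [
        SecurityRule(
            rule_id="K8S001",
            title="Container Running as Root",
            severity="high",
            patterns=[
                r'runAsUser\s*:\s*0',
                # NOTE(review): ``runAsRoot`` is not a securityContext field
                # in the Kubernetes API as far as I can tell; it is kept for
                # continuity but will likely never match — confirm or drop.
                r'runAsRoot\s*:\s*true',
                # The former third pattern ``(?!.*runAsNonRoot\s*:\s*true)``
                # consumed nothing and matched every manifest; absence of
                # ``runAsNonRoot: true`` cannot be expressed as a standalone
                # regex without a positive anchor, so it is dropped.
            ],
            description="Container is configured to run as root user, increasing attack surface.",
            recommendation="Configure containers to run as non-root user with minimal privileges.",
            fix_example='securityContext:\n runAsUser: 1000\n runAsNonRoot: true\n readOnlyRootFilesystem: true',
            category="Container Security",
            cwe_id="CWE-250",
            cvss_score=6.0,
        ),
        SecurityRule(
            rule_id="K8S002",
            title="Privileged Container",
            severity="critical",
            patterns=[
                r'privileged\s*:\s*true',
                r'allowPrivilegeEscalation\s*:\s*true',
            ],
            description="Container is running in privileged mode, which grants access to host resources.",
            recommendation="Avoid privileged containers unless absolutely necessary. Use specific capabilities instead.",
            fix_example='securityContext:\n privileged: false\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - ALL',
            category="Container Security",
            cwe_id="CWE-250",
            cvss_score=8.5,
        ),
        SecurityRule(
            rule_id="K8S003",
            title="Missing Resource Limits",
            severity="medium",
            patterns=[
                # A ``containers:`` key that is not followed anywhere in the
                # rest of the document by ``limits:``. ``[\s\S]`` spans lines
                # without relying on DOTALL; the old ``.*`` stopped at the end
                # of the ``containers:`` line and therefore always succeeded.
                # This is document-wide, so one container with limits hides a
                # sibling without them — a known limit of the regex approach.
                r'containers\s*:(?![\s\S]*limits\s*:)',
                # The former ``(?!.*resources\s*:.*limits)`` pattern was a
                # bare lookahead matching every file and has been removed.
            ],
            description="Container has no resource limits defined, which may lead to resource exhaustion.",
            recommendation="Set appropriate CPU and memory limits to prevent resource starvation.",
            fix_example='resources:\n limits:\n cpu: "500m"\n memory: "512Mi"\n requests:\n cpu: "250m"\n memory: "256Mi"',
            category="Resource Management",
            cwe_id="CWE-400",
            cvss_score=4.0,
        ),
    ]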
def get_all_security_rules() -> Dict[str, List[SecurityRule]]:
    """Collect the rule sets of every supported IaC platform.

    Returns:
        A mapping from platform key (``"terraform"``, ``"cloudformation"``,
        ``"kubernetes"``) to that platform's list of ``SecurityRule``
        objects, built by calling the per-platform loaders.
    """
    loaders = (
        ("terraform", get_terraform_rules),
        ("cloudformation", get_cloudformation_rules),
        ("kubernetes", get_kubernetes_rules),
    )
    return {platform: load_rules() for platform, load_rules in loaders}