Closed gpt-satyam closed 1 year ago
Hi, we have details of how to use the built guard rules located in our docs. What you will need to do is download the latest release archive file and access the built rule set from there.
We also have a generic docker build that contains all the releases which can be used with github actions or gitlab-ci (basically any CI solution that can use a container for its CI processes). Additionally, to make it easy to test out, we have a simplified GitHub Action called guard-action that can be added to your workflow for CI testing. The guard-action leverages the generic docker container that has the latest rule sets built into it.
Hi @grolston,
Thanks for your response. I understand and have gone through the user guide, but it is not so clear how to use the built-in guard rules.
For example, like I have mentioned, suppose I want to use the AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar, i.e. the wa-Security-Pillar ruleset. If I go through the mapping files I can see the following file in the repo, and in the json file there are many different "guardFilePath" entries for different guard rules based on services.
aws-guard-rules-registry/mappings/rule_set_wa-Security-Pillar.json
So how should we use the above json file with the cfn-guard command like below so that we can execute all the guards inside the json, or maybe I misunderstand something here?
cfn-guard validate --rules ./NIST800-53Rev4.guard --data myCloudFormation.yml --show-summary fail -p
Or do we have to take the individual guard rules from the "guardFilePath" entries of the json and use them against my environment?
We are not using Docker environment in our pipeline.
Also, if I look at some of the .guard files under rules/aws, they are empty. Does that mean those rules are still not published, or do we have to write them based on our use case?
For example
cat wafv2_logging_enabled.guard
## Config Rule Name : wafv2-logging-enabled
## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html"
Thanks again for looking and clarifying.
Yes, you are correct. Within the registry we have individual guard rules each created in its own file. This allows us to re-use these rules for compliance frameworks or take various rules you want to use and create your own rule set. The intent is to allow users to get started with guard and creating policy as code.
To leverage a compliance framework best practice (built rule set), you do exactly what you stated. You download the latest release, then leverage the built rule set file; for example, if you want the AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar, you would do something like the following:
cfn-guard validate --rules ./wa-Security-Pillar.guard --data myCloudFormation.yml --show-summary fail -p
The --rules parameter is the file path for the built rule set file from the release you want to run your compliance checks against.
The --data parameter is the file you want to run against (either json or yml). If you specify a file directory, it will look for any json or yml files in the directory. This works well if you are creating nested stacks which require multiple files.
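An added example, not the registry's own tooling, of what a mapping file such as rule_set_wa-Security-Pillar.json ties together: it assembles a rule set locally by concatenating the .guard files each "guardFilePath" entry points to, and reports stub files that contain only comment lines instead of silently including them. It assumes the mapping has a top-level "mappings" list with paths relative to the mapping file, and uses a constructed two-rule registry; the release archive already ships the built files, so this is for understanding the layout or for composing a custom rule set.

```python
# Added example, not the registry's own tooling. Assumed mapping layout: a
# top-level "mappings" list whose entries carry a "guardFilePath" relative
# to the mapping file. Stub .guard files with only '#' comment lines (like
# wafv2_logging_enabled.guard above) are reported, not silently included.
import json
import os
import tempfile

def is_stub(text):
    """True when a guard file has no rule clauses, only blank or '#' lines."""
    return all(not ln.strip() or ln.lstrip().startswith("#")
               for ln in text.splitlines())

def build_rule_set(mapping_path, out_path):
    """Concatenate the non-stub guard files a mapping references into one file
    usable as `cfn-guard validate --rules <out_path> ...`.
    Returns (included, stubs) as the paths are written in the mapping."""
    with open(mapping_path, encoding="utf-8") as fh:
        mapping = json.load(fh)
    base = os.path.dirname(os.path.abspath(mapping_path))
    included, stubs = [], []
    with open(out_path, "w", encoding="utf-8") as out:
        for entry in mapping["mappings"]:
            rel = entry["guardFilePath"]
            with open(os.path.normpath(os.path.join(base, rel)), encoding="utf-8") as fh:
                text = fh.read()
            if is_stub(text):
                stubs.append(rel)  # still needs a rule body before it checks anything
                continue
            out.write(f"# ---- {rel} ----\n{text.rstrip()}\n\n")
            included.append(rel)
    return included, stubs

def demo():
    """Constructed sample registry: one real rule plus one empty stub."""
    root = tempfile.mkdtemp()
    rules = os.path.join(root, "rules", "aws")
    os.makedirs(rules)
    with open(os.path.join(rules, "s3_bucket_versioning_enabled.guard"), "w") as fh:
        fh.write("let s3 = Resources.*[ Type == 'AWS::S3::Bucket' ]\n"
                 "rule s3_bucket_versioning_enabled when %s3 !empty {\n"
                 "  %s3.Properties.VersioningConfiguration.Status == 'Enabled'\n}\n")
    with open(os.path.join(rules, "wafv2_logging_enabled.guard"), "w") as fh:
        fh.write("## Config Rule Name : wafv2-logging-enabled\n")
    os.makedirs(os.path.join(root, "mappings"))
    mapping = os.path.join(root, "mappings", "rule_set_example.json")
    with open(mapping, "w") as fh:
        json.dump({"ruleSetName": "example", "mappings": [
            {"guardFilePath": "../rules/aws/s3_bucket_versioning_enabled.guard"},
            {"guardFilePath": "../rules/aws/wafv2_logging_enabled.guard"}]}, fh)
    return build_rule_set(mapping, os.path.join(root, "example.guard"))
```

The file written by demo() can be passed directly as the --rules argument to cfn-guard validate, while the returned stub list shows which mapped rules would contribute no checks.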
Thanks @grolston for your response.
I have observed that some of the rule files are empty inside rules/aws. Is there any reason, or will they be published soon?
Though I can create those rules for my project, I am just curious to know, as they seem to be important validations.
KMS = kms_cmk_not_scheduled_for_deletion.guard
APIGW = api_gw_associated_with_waf.guard
APIGW = api_gw_ssl_enabled.guard
DynamoDB = dynamodb_table_encrypted_kms.guard
ACM = acm_certificate_expiration_check.guard
ALB = alb_http_drop_invalid_header_enabled.guard
ALB = alb_http_to_https_redirection_check.guard
ALB = alb_waf_enabled.guard
ASG = autoscaling_launch_config_public_ip_disabled.guard
ECS = ecs_task_definition_user_for_host_mode_check.guard
EB = elastic_beanstalk_managed_updates_enabled.guard
ELB = elb_acm_certificate_required.guard
ELB = elb_logging_enabled.guard
ELB = elb_tls_https_listeners_only.guard
ELB = elbv2_acm_certificate_required.guard
EMR = emr_kerberos_enabled.guard
EMR = emr_master_no_public_ip.guard
Thanks again.
We are continuously working on adding rules and anyone can contribute. The staged files that are empty are rules that need to be created that correspond (best effort) to AWS Config managed rules. If you would like, feel free to develop and push your own rules here as well. A lot of the rules you listed above are being merged here shortly as well, so keep watch and we should get most of those done here over the next week if schedules align.
Thanks for your response and feedback.
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
General Issue: Checked
The Question
Hello,
I am trying to use the GitHub aws-guard-rules-registry. I understand we can consume Managed Rules sets based on sample AWS conformance packs.
For example, let’s say the AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar, wa-Security-Pillar.
I understand these rule sets are defined under mapping folders like below: aws-guard-rules-registry/mappings/rule_set_wa-Security-Pillar.json
However, it is not so clear how we can consume these rule set against our template. I have gone through Using Guard Rules Registry document, but not really sure how to use these json files in my environment.
In the guide it says, cfn-guard validate --rules ./NIST800-53Rev4.guard --data myCloudFormation.yml --show-summary fail -p
What does NIST800-53Rev4.guard indicate here?
It will be great if you can show some examples of how to use it.
Also, if I look at some of the .guard files under rules/aws, they are empty. Does that mean those rules are still not published, or do we have to write them based on our use case?
For example
cat wafv2_logging_enabled.guard
## Config Rule Name : wafv2-logging-enabled
I will appreciate your help here.
CloudFormation Guard Version: cfn-guard 2.1.0
OS: Ubuntu
OS Version: X-86
Other information: No response