aws-cloudformation / aws-guard-rules-registry

Rules Registry for Compliance Frameworks
Apache License 2.0

How to use Managed Rule Sets. #226

Closed gpt-satyam closed 1 year ago

gpt-satyam commented 1 year ago

General Issue

Checked

The Question

Hello,

I am trying to use the GitHub aws-guard-rules-registry. I understand we can consume Managed Rule Sets based on sample AWS conformance packs.

For example, let’s say AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar wa-Security-Pillar

I understand these rule sets are defined under mapping folders like below: aws-guard-rules-registry/mappings/rule_set_wa-Security-Pillar.json

However, it is not so clear how we can consume these rule sets against our template. I have gone through the Using Guard Rules Registry document, but I am not really sure how to use these JSON files in my environment.

In the guide it says, cfn-guard validate --rules ./NIST800-53Rev4.guard --data myCloudFormation.yml --show-summary fail -p

What does NIST800-53Rev4.guard indicate here?

It will be great if you can show some example of how to use it.

Also, if I look at some of the .guard files under rules/aws, they are empty. Does that mean those rules are still not published, or do we have to write them based on our use case?

For example:

cat wafv2_logging_enabled.guard
## Config Rule Name : wafv2-logging-enabled
## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html"

Will appreciate your help here.

CloudFormation Guard Version

cfn-guard 2.1.0

OS

Ubuntu

OS Version

X-86

Other information

No response

grolston commented 1 year ago

Hi, we have details of how to use the built guard rules located in our docs. What you will need to do is download the latest release archive file and access the built rule set from there.

We also have a generic Docker build that contains all the releases which can be used with GitHub Actions or GitLab CI (basically any CI solution that can use a container for its CI processes). Additionally, to make it easy to test out, we have a simplified GitHub Action called guard-action that can be added to your workflow for CI testing. The guard-action leverages the generic Docker container that has the latest rule sets built into it.

gpt-satyam commented 1 year ago

Hi @grolston ,

Thanks for your response. I understand and have gone through the User Guide. But it is not so clear how to use the built-in guard rules.

For example, as I have mentioned, suppose I want to use the AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar, i.e. the wa-Security-Pillar rule set. If I go through the mapping file I can see the following file in the repo, and in the JSON file there are many different "guardFilePath" entries for different guard rules based on services.

aws-guard-rules-registry/mappings/rule_set_wa-Security-Pillar.json

So how should we use the above JSON file with a cfn-guard command like the one below so that we can execute all the guards inside the JSON, or maybe I misunderstand something here?

cfn-guard validate --rules ./NIST800-53Rev4.guard --data myCloudFormation.yml --show-summary fail -p

Or do we have to take individual guard rules from the "guardFilePath" entries of the JSON and use them against my environment?

We are not using a Docker environment in our pipeline.

Also, if I look at some of the .guard files under rules/aws, they are empty. Does that mean those rules are still not published, or do we have to write them based on our use case?

For example:

cat wafv2_logging_enabled.guard
## Config Rule Name : wafv2-logging-enabled
## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html"

Thanks again for looking and clarifying.

grolston commented 1 year ago

Yes, you are correct. Within the registry we have individual guard rules, each created in its own file. This allows us to re-use these rules for compliance frameworks, or to take the various rules you want to use and create your own rule set. The intent is to allow users to get started with Guard and create policy as code.

To leverage a compliance framework best practice (built rule set), you do exactly what you stated. You download the latest release, then leverage the built rule set file. For example, if you want the AWS Guard rule set for Amazon Web Services' Well-Architected Framework Security Pillar, you would do something like the following:

cfn-guard validate --rules ./wa-Security-Pillar.guard --data myCloudFormation.yml --show-summary fail -p

The --rules parameter is the file path of the built rule set file from the release you want to run your compliance checks against.

The --data parameter is the file you want to run against (either JSON or YAML). If you specify a directory, it will look for any JSON or YAML files in the directory. This works well if you are creating nested stacks which require multiple files.

gpt-satyam commented 1 year ago

Thanks @grolston for your response.

I have observed that some of the rule files inside rules/aws are empty. Is there any reason, or will they be published soon?

Though I can create those rules for my project, I am just curious to know, as they seem to be important validations.

KMS = kms_cmk_not_scheduled_for_deletion.guard
APIGW = api_gw_associated_with_waf.guard
APIGW = api_gw_ssl_enabled.guard
DynamoDB = dynamodb_table_encrypted_kms.guard
ACM = acm_certificate_expiration_check.guard
ALB = alb_http_drop_invalid_header_enabled.guard
ALB = alb_http_to_https_redirection_check.guard
ALB = alb_waf_enabled.guard
ASG = autoscaling_launch_config_public_ip_disabled.guard
ECS = ecs_task_definition_user_for_host_mode_check.guard
EB = elastic_beanstalk_managed_updates_enabled.guard
ELB = elb_acm_certificate_required.guard
ELB = elb_logging_enabled.guard
ELB = elb_tls_https_listeners_only.guard
ELB = elbv2_acm_certificate_required.guard
EMR = emr_kerberos_enabled.guard
EMR = emr_master_no_public_ip.guard

Thanks again.

grolston commented 1 year ago

We are continuously working on adding rules, and anyone can contribute. The staged files that are empty are rules that need to be created and that correspond (best effort) to AWS Config managed rules. If you would like, feel free to develop and push your own rules here as well. A lot of the rules you listed above are being merged here shortly as well, so keep watch and we should get most of those done over the next week if schedules align.
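The two points the thread settles on, that a mapping JSON's "guardFilePath" entries are assembled into one built rule set file which is then passed to `cfn-guard validate --rules`, and that the empty staged files under rules/aws contain only header comments and no rule body, can be seen together in the following added example. It is not code from the aws-guard-rules-registry project. The exact layout of the real mapping files is not shown in the thread, so the example assumes a "mappings" list of objects carrying a "guardFilePath" key (only that key name is quoted above); the rule set name "example-Security-Pillar" and the three sample rule files, including the Guard rule bodies for the two ELB checks, are constructed for illustration.

```python
"""Build a cfn-guard rule set from a registry-style mapping file.

Added example, not code from aws-guard-rules-registry. A mapping JSON
lists "guardFilePath" entries; the build concatenates those individual
.guard files into one rule set file (the kind passed to
`cfn-guard validate --rules`). Empty "staged" files, which contain only
'##' header comments, are skipped and reported. The mapping shape and
the rule bodies below are constructed assumptions for this example.
"""
import json
import tempfile
from pathlib import Path

# Constructed sample rule files keyed by the path a mapping entry points at.
# The first two carry rule bodies; the third is an empty staged file.
SAMPLE_RULE_FILES = {
    "rules/aws/elb_logging_enabled.guard": """\
## Config Rule Name : elb-logging-enabled
let elbs = Resources.*[ Type == 'AWS::ElasticLoadBalancing::LoadBalancer' ]
rule elb_logging_enabled when %elbs !empty {
    %elbs.Properties.AccessLoggingPolicy.Enabled == true
}
""",
    "rules/aws/elb_tls_https_listeners_only.guard": """\
## Config Rule Name : elb-tls-https-listeners-only
let elbs = Resources.*[ Type == 'AWS::ElasticLoadBalancing::LoadBalancer' ]
rule elb_tls_https_listeners_only when %elbs !empty {
    %elbs.Properties.Listeners[*].Protocol IN ['HTTPS', 'SSL']
}
""",
    "rules/aws/wafv2_logging_enabled.guard": """\
## Config Rule Name : wafv2-logging-enabled
## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/wafv2-logging-enabled.html
""",
}

# Constructed mapping file; "guardFilePath" is the key quoted in the thread,
# the surrounding structure and rule set name are assumptions.
SAMPLE_MAPPING = {
    "ruleSetName": "example-Security-Pillar",
    "mappings": [
        {"guardFilePath": "rules/aws/elb_logging_enabled.guard"},
        {"guardFilePath": "rules/aws/elb_tls_https_listeners_only.guard"},
        {"guardFilePath": "rules/aws/wafv2_logging_enabled.guard"},
    ],
}


def has_rule_body(text: str) -> bool:
    """True if the .guard text has at least one non-comment, non-blank line.

    Staged registry files hold only '##' header comments, so they add
    nothing to a built rule set and should be flagged rather than silently
    included."""
    return any(line.strip() and not line.lstrip().startswith("#")
               for line in text.splitlines())


def build_rule_set(repo_root: Path, mapping_path: Path):
    """Concatenate every guardFilePath in the mapping into one rule set.

    Returns (rule_set_text, included_paths, empty_paths)."""
    mapping = json.loads(mapping_path.read_text())
    parts, included, empty = [], [], []
    for entry in mapping["mappings"]:
        rel = entry["guardFilePath"]
        text = (repo_root / rel).read_text()
        if not has_rule_body(text):
            empty.append(rel)  # staged/unpublished rule: skip but report
            continue
        parts.append(f"# ---- {rel} ----\n{text}")  # '#' starts a Guard comment
        included.append(rel)
    return "\n".join(parts), included, empty


def demo():
    """Write the constructed files to a temp dir and build the rule set."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, text in SAMPLE_RULE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        mapping_path = root / "mappings" / "rule_set_example-Security-Pillar.json"
        mapping_path.parent.mkdir(parents=True, exist_ok=True)
        mapping_path.write_text(json.dumps(SAMPLE_MAPPING))
        rule_set, included, empty = build_rule_set(root, mapping_path)
        # This built file is what you would pass to:
        #   cfn-guard validate --rules example-Security-Pillar.guard --data template.yml
        (root / "example-Security-Pillar.guard").write_text(rule_set)
        return rule_set, included, empty


if __name__ == "__main__":
    text, included, empty = demo()
    print(text)
    print("included:", included)
    print("empty (staged) rules skipped:", empty)
```

Reporting the skipped files is the part a practitioner would want in a real pipeline: a rule set silently assembled from staged, empty files passes every template for those controls, so the build step should fail or at least warn when a mapped rule has no body.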

gpt-satyam commented 1 year ago

Thanks for your response and feedback.

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.