Reimplement the GoC bucket guardrail test with CSPM configuration rule

[ActionAnalytics]

Describe the issue There was a large set of artisenal autotests from the Government of Canada over at https://github.com/canada-ca/cloud-guardrails-aws that were evaluated and discarded in favour initially of CloudCustodian bcgov/cloud-custodian-policies, but then eventually settled on CloudGuard CSPM (Cloud Security Posture Management).

Additional context

• There exists an SEA guardrail that should prevent the creation of any public writeable buckets.
• Use the existing CSPM until the real CSPM is up in Canada by June
• We are ignoring CloudCustodian with the hope that CSPM is easier to use and more powerful in that it tells us if something is misconfigured or insecure in our current cloud posture.

Definition of done

• Factor in a lot of learning debt into this ticket
• Do this in ECF AWS Prod
• Create and define a CSPM rule with Bruce to ensure across all our Workload Environments that we don't have any public writeable buckets.
• Create an auto-test similar to https://github.com/canada-ca/cloud-guardrails-aws/blob/master/tools/prowler/checks/check_extragc61 using our AWS CLI that tries to create a bucket in one of our AWS guardrailled Workload Environments -- after the test, check if CSPM can detect if anything is there
• Create an auto-test in the CLI same as above that tries to create a bucket in one of our AWS SandBox Workload Environments that are without guardrails -- after the test, check if CSPM can detect if anything is there

[crochcunill]

What is CSPM (Cloud Security Posture Management). https://www.techtarget.com/searchsecurity/definition/Cloud-Security-Posture-Management-CSPM

CloudGuard CSPM Posture Management Introduction (Jan 2021) https://www.youtube.com/watch?v=B1-lpObBZdA

CloudGuard CSPM Network Training Video https://www.youtube.com/watch?v=3tAX3_PtGZo

CloudGuard CSPM Training It includes CSPM for Kubernetes, threat hunting, Ali Baba... I have added this link here for completion https://www.youtube.com/playlist?list=PLMAKXIJBvfAjnkhEkg9RGj9hfkwUAwna1

Quick intro to Governance Specification Language (GSL) https://sc1.checkpoint.com/documents/CloudGuard_Dome9/Documentation/PostureManagement/GSL.htm?cshid=compliance_engine_gsl

CloudGuard Advanced Posture Management: Introduction to GSL "getResources()" Syntax (1.5 suggested Playback speed( https://www.youtube.com/watch?v=dhQOcyzRwjE

[ActionAnalytics]

Poke around CloudGuard CSPM and see if you can detect a misconfigured account that has an S3 bucket publicly writeable - now this could be hard to test because the guardrails won't let you open a bucket like that but you can still write the test and we can simulate it later. However, there may be an account still "misconfigured" on purpose from our hackathon.

[CRC] The ticket focus has shifted from reimplementing the GoC guardrails test to learning to work with CloudGuard and how implement the GSL rules to follow.

[crochcunill]

Created a suite a of rules (https://secure.dome9.com/v2/compliance-engine/policy/682703) to find possible security problems

Among other checks, I run the following GSL rule

SecurityGroup should not have inboundRules contain-any [ port=21 or port=22 ] and outboundRules contain-any [ port=21 or port=22 ]

The result is that all environments have the ports 21 and 22 blocked

Similarly, I checked if any S# bucket was publicly available with

S3Bucket should have( accountAccessPublicBlock.blockPublicAcls=true or accessPublicBlock.blockPublicAcls=true )