Closed chrisdlangton closed 3 years ago
@chrisdlangton Oh, this seems like a version issue. Regula is currently using v1.2.0 of the CIS Benchmarks, and the one you are referring to is v1.3.0, which came out very recently. It's very unfortunate and confusing that the numbering changed. I'll see if we can either add versioning, or move to the latest version.
As Jasper mentioned, Regula today includes CIS AWS 1.2 mappings. We're looking into adding the CIS AWS 1.3 mappings and will report back with an update there. Closing this issue.
Given 1.3.0 was versioned FINAL in 2018, you may be confusing the mid-2020 revision with the release date.
But you don't need to worry about version 1.3.0 any more (nearly 3 years late), because version 1.4.0 has been released this year.
Hello maintainers.
Please consider addressing CIS benchmarks 1.3.0 correctly. You are writing about 1.22 from AWS Foundations in the README and the rule defined here: https://github.com/fugue/regula/blob/master/rules/aws/iam_admin_policy.rego
It seems you have not checked what the CIS 1.22 intent should be, because you are looking for an "overly permissive" policy (which is great to have a rule for; it just is not CIS 1.22).
You can view this rule here: https://workbench.cisecurity.org/sections/43739/recommendations/939514
Here is a copy from the site if you have not registered for an account:
As you can see, the intent is for federation via an identity provider (like Okta, Auth0, AzureAD, JumpCloud, etc.), and I would suggest that AWS SSO or Cognito are also equally acceptable solutions to address this rule.
Happy to help you with any other CIS interpretations, but the rule basically speaks for itself. Do not hesitate to ask.
This overly permissive rule is actually CIS 1.16, which strangely you have:
You can renumber 1.22 as 1.16 to correct the first issue.
EBS is storage, and CIS is broken into 5 categories where Storage is category 2. So an EBS rule would start with a 2 (2.xx), not a 1.
Again, happy to help with CIS interpretations, but they are pretty straightforward; as far as security standards go, I'd say they are extremely simple and very well documented.
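The check the thread calls "overly permissive" (numbered 1.22 in CIS AWS Foundations v1.2.0 and 1.16 in v1.3.0) concerns IAM policies that grant full administrative privileges: an Allow statement whose Action and Resource both cover everything. The following is an added example of that detection in Python, written here to illustrate the rule's intent; it is not Regula's `iam_admin_policy.rego` and makes no claim about how that rule is implemented. The policy documents are constructed samples, and the treatment of `NotAction`/`NotResource` as out of scope is an assumption made for brevity.

```python
import json

# Constructed sample policy documents (not taken from the issue or from Regula).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Broad within one service and one bucket: permissive, but not full admin.
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        # Wildcard resource without a wildcard action.
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    # Same wildcards, but as a Deny: it grants nothing and must not be flagged.
    "Statement": {"Effect": "Deny", "Action": "*:*", "Resource": "*"},
}

# Policy documents often arrive as JSON strings (e.g. a Terraform aws_iam_policy
# resource's "policy" attribute), so the checker accepts both forms.
ADMIN_POLICY_JSON = json.dumps(ADMIN_POLICY)


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_action(action):
    # Both spellings grant every API action in every service.
    return isinstance(action, str) and action.strip() in ("*", "*:*")


def _wildcard_resource(resource):
    return isinstance(resource, str) and resource.strip() == "*"


def statement_is_full_admin(stmt):
    """True when a single statement allows every action on every resource.

    Statements that use NotAction/NotResource are deliberately not matched
    here (assumption for this example); they need a separate analysis.
    """
    if stmt.get("Effect") != "Allow":
        return False
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return any(_wildcard_action(a) for a in actions) and any(
        _wildcard_resource(r) for r in resources
    )


def full_admin_statement_indices(policy_doc):
    """Return the positions of the full-admin statements in a policy document.

    Accepts a dict or a JSON string; Statement may be one object or a list.
    """
    if isinstance(policy_doc, str):
        policy_doc = json.loads(policy_doc)
    statements = _as_list(policy_doc.get("Statement"))
    return [i for i, s in enumerate(statements) if statement_is_full_admin(s)]


def policy_is_full_admin(policy_doc):
    """Convenience wrapper: does any statement grant full administrative access?"""
    return bool(full_admin_statement_indices(policy_doc))


def main():
    for name, doc in [
        ("ADMIN_POLICY", ADMIN_POLICY),
        ("SCOPED_POLICY", SCOPED_POLICY),
        ("DENY_ALL_POLICY", DENY_ALL_POLICY),
    ]:
        hits = full_admin_statement_indices(doc)
        verdict = "FAIL" if hits else "PASS"
        print(f"{name}: {verdict} (offending statements: {hits})")


if __name__ == "__main__":
    main()
```

Note that this is the whole of what the "full administrative privileges" rule tests; it says nothing about whether the account's human users come through an identity provider, which is the separate federation recommendation the thread says 1.22 actually covers in v1.3.0.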