Open Ranybaug opened 6 years ago
Do any of those standards have specific rules for CloudFormation templates? If so, point me to them and I can evaluate adding a set of rules in a compliance profile.
Yeah , I got these from AWS site :
For CIS https://aws.amazon.com/quickstart/architecture/accelerator-cis-benchmark/
Hello,
Is it possible to add these checks inside the tool?
Sorry, I haven't had time to review these documents - there's quite a bit of information here to go over.
The one thing I can say is that cfn_nag is definitely better at finding things that are obviously wrong vs. proving compliance. For high-level compliance standards like this, there are probably going to be a number of ways to make that compliance, and using static analysis to prove that isn't likely a good approach. On the other hand, we might be able to extract a few decent rules from these standards.
I don't think the goal should be proving compliance. I see that as far more complicated than static code analysis can handle. There are so many variables to include stack drift or resources outside of CloudFormation such that "because cfn_nag says so" could unfortunately never stand on its own as proof of compliance.
Rather, I'd suggest the goal be education. I don't see anything wrong in suggesting that a cfn_nag check could be related to a check captured in another framework. For example, you could suggest that rule F1 might be related to NIST 800-53 r4 SC-28(1). That doesn't say that if you don't have F1 errors that you are meeting the NIST control, but nevertheless it provides helpful information for developers and security auditors alike.
https://github.com/stelligent/cfn_nag/issues/310 does contain the CWEs used in cfn-nag: https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/main/resources/cloudformation-rules.xml
CWE-311 - Missing Encryption of Sensitive Data
CWE-326 - Inadequate Encryption Strength
CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-257 - Storing Passwords in a Recoverable Format
CWE-778 - Insufficient Logging
CWE-272 - Least Privilege Violation
CWE-286 - Incorrect User Management
CWE-770 - Allocation of Resources Without Limits or Throttling
Some mapping of CWE -> NIST: https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv (not complete).
But I agree it cannot be used for compliance alone; still, "CWE-778 - Insufficient Logging" is connected to AU-12 Audit Generation.
CWE-311 Missing Encryption of Sensitive Data -> SC-8 Transmission Confidentiality and Integrity
https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/main/resources/cloudformation-rules.xml contains a mapping that groups the cfn-nag rules to NIST 800-53:
800-53-AC-4 AC-4 INFORMATION FLOW ENFORCEMENT https://nvd.nist.gov/800-53/Rev4/control/AC-4
800-53-AC-6 AC-6 LEAST PRIVILEGE https://nvd.nist.gov/800-53/Rev4/control/AC-6
800-53-AU-12 AU-12 AUDIT GENERATION https://nvd.nist.gov/800-53/Rev4/control/AU-12
800-53-IA-5 IA-5 AUTHENTICATOR MANAGEMENT https://nvd.nist.gov/800-53/Rev4/control/IA-5
800-53-SC-8 SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY https://nvd.nist.gov/800-53/Rev4/control/SC-8
800-53-SC-12 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://nvd.nist.gov/800-53/Rev4/control/SC-12
800-53-SC-13 SC-13 CRYPTOGRAPHIC PROTECTION https://nvd.nist.gov/800-53/Rev4/control/SC-13
800-53-CP-9 CP-9 INFORMATION SYSTEM BACKUP https://nvd.nist.gov/800-53/Rev4/control/CP-9
800-53-RA-5 RA-5 VULNERABILITY SCANNING https://nvd.nist.gov/800-53/Rev4/control/RA-5
800-53-AU-11 AU-11 AUDIT RECORD RETENTION https://nvd.nist.gov/800-53/Rev4/control/AU-11
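The "education, not proof" idea from the earlier comment (tag a cfn_nag rule such as F1 with a related control like SC-28(1)) and the CWE -> NIST pairs listed above can be wired into a pipeline as a post-processing step over cfn_nag's JSON report. The script below is an added example, not cfn_nag's or the sonar plugin's own code. It assumes the report layout that `cfn_nag_scan --output-format json` prints (a list of per-file entries with `file_results.violations`, each carrying `id`, `type`, `message` and `logical_resource_ids`); only F1 -> SC-28(1), CWE-778 -> AU-12 and CWE-311 -> SC-8 come from this thread, while the rule-id-to-CWE pairings and the `DEMO-LOG`/`W99` rule ids in the constructed sample are assumptions for illustration.

```python
"""Tag cfn_nag findings with related CWE / NIST 800-53 controls.

Added example, not cfn_nag's own code. Assumes the JSON layout that
`cfn_nag_scan --output-format json` prints: a list of per-file entries,
each with "file_results" holding "failure_count" and "violations", where
a violation has "id", "type" ("FAIL" or "WARN"), "message" and
"logical_resource_ids". The tags are informational only: a rule with no
finding says nothing about whether the control is actually met.
"""
import json
import sys

# Rule id -> related CWE -> related NIST 800-53 Rev4 controls.
# Only F1 -> SC-28(1), CWE-778 -> AU-12 and CWE-311 -> SC-8 come from the
# issue thread; the rule-id/CWE pairings are assumptions for this demo,
# and "DEMO-LOG" is a hypothetical rule id, not a real cfn_nag rule.
RULE_MAP = {
    "F1": {"cwe": "CWE-311", "nist": ["SC-28(1)", "SC-8"]},
    "DEMO-LOG": {"cwe": "CWE-778", "nist": ["AU-12"]},
}

# Constructed sample report, shaped like cfn_nag's JSON output.
SAMPLE_REPORT = json.dumps([
    {
        "filename": "templates/db.yaml",
        "file_results": {
            "failure_count": 1,
            "violations": [
                {"id": "F1", "type": "FAIL",
                 "message": "constructed finding",
                 "logical_resource_ids": ["Database"]},
                {"id": "DEMO-LOG", "type": "WARN",
                 "message": "constructed finding (hypothetical rule)",
                 "logical_resource_ids": ["Bucket"]},
                {"id": "W99", "type": "WARN",
                 "message": "constructed finding with no mapping",
                 "logical_resource_ids": ["Role"]},
            ],
        },
    }
])


def annotate(report_text):
    """Return one flat record per violated resource, with related tags."""
    records = []
    for entry in json.loads(report_text):
        for v in entry["file_results"]["violations"]:
            mapping = RULE_MAP.get(v["id"], {})
            for rid in v["logical_resource_ids"]:
                records.append({
                    "file": entry["filename"],
                    "resource": rid,
                    "rule": v["id"],
                    "severity": v["type"],
                    "related_cwe": mapping.get("cwe"),
                    "related_nist": list(mapping.get("nist", [])),
                })
    return records


def by_control(records):
    """Group findings under each NIST control for an auditor-facing view."""
    grouped = {}
    for r in records:
        for ctl in r["related_nist"]:
            grouped.setdefault(ctl, []).append(
                f'{r["file"]}:{r["resource"]} ({r["rule"]})')
    return grouped


def exit_code(records):
    """Pipeline gate: any FAIL finding blocks the deploy, WARN does not."""
    return 1 if any(r["severity"] == "FAIL" for r in records) else 0


if __name__ == "__main__":
    # Read a real report from stdin when piped, else use the sample.
    text = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    recs = annotate(text)
    for r in recs:
        tags = ", ".join(r["related_nist"]) or "no mapping"
        print(f'{r["severity"]} {r["rule"]} {r["file"]}:{r["resource"]} '
              f'related: {r["related_cwe"] or "-"} / {tags}')
    for ctl, items in sorted(by_control(recs).items()):
        print(f"{ctl}: {len(items)} finding(s)")
    sys.exit(exit_code(recs))
```

In a pipeline this would run as `cfn_nag_scan --input-path templates --output-format json | python tag_controls.py`; the per-control summary goes to the auditor, while the exit code is what actually gates the deploy. Note that an empty group for a control means only that none of the mapped rules fired, which is exactly the "not proof of compliance" caveat raised above.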
Hello,
Can we have policy compliance scanning using benchmarks such as HIPAA, CIS, NIST using this tool in a CI/CD pipeline before deployment (i.e. CloudFormation template as input to the tool)?
Thanks, Rany