stelligent / cfn_nag

Linting tool for CloudFormation templates
MIT License

Can we have policy compliance scanning such as HIPAA, CIS etc.? #130

Open Ranybaug opened 6 years ago

Ranybaug commented 6 years ago

Hello,

Can we have policy compliance scanning using benchmarks such as HIPAA, CIS, NIST using this tool in a CI/CD pipeline before deployment (i.e. CloudFormation template as input to the tool)?

Thanks, Rany

ghost commented 6 years ago

Do any of those standards have specific rules for CloudFormation templates? If so, point me to them and I can evaluate adding a set of rules in a compliance profile.

Ranybaug commented 6 years ago

Yeah, I got these from the AWS site:

For NIST https://aws.amazon.com/about-aws/whats-new/2016/01/nist-800-53-standardized-architecture-on-the-aws-cloud-quick-start-reference-deployment/

For HIPAA https://aws.amazon.com/blogs/security/how-to-automate-hipaa-compliance-part-1-use-the-cloud-to-protect-the-cloud/

For CIS https://aws.amazon.com/quickstart/architecture/accelerator-cis-benchmark/

Ranybaug commented 6 years ago

Hello,

Is it possible to add these checks inside the tool?

ghost commented 6 years ago

Sorry, I haven't had time to review these documents - there's quite a bit of information here to go over.

The one thing I can say is that cfn_nag is definitely better at finding things that are obviously wrong vs. proving compliance. For high-level compliance standards like this, there are probably going to be a number of ways to achieve that compliance, and using static analysis to prove it isn't likely a good approach. On the other hand, we might be able to extract a few decent rules from these standards.

atkinsonm commented 4 years ago

I don't think the goal should be proving compliance. I see that as far more complicated than static code analysis can handle. There are so many variables, including stack drift or resources outside of CloudFormation, such that "because cfn_nag says so" could unfortunately never stand on its own as proof of compliance.

Rather, I'd suggest the goal be education. I don't see anything wrong in suggesting that a cfn_nag check could be related to a check captured in another framework. For example, you could suggest that rule F1 might be related to NIST 800-53 r4 SC-28(1). That doesn't say that if you don't have F1 errors that you are meeting the NIST control, but nevertheless it provides helpful information for developers and security auditors alike.

pethers commented 4 years ago

https://github.com/stelligent/cfn_nag/issues/310 does contain the CWEs used in cfn-nag: https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/main/resources/cloudformation-rules.xml

CWE-311 - Missing Encryption of Sensitive Data
CWE-326 - Inadequate Encryption Strength
CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-257 - Storing Passwords in a Recoverable Format
CWE-778 - Insufficient Logging
CWE-272 - Least Privilege Violation
CWE-286 - Incorrect User Management
CWE-770 - Allocation of Resources Without Limits or Throttling

Some mapping of CWE -> NIST https://github.com/mitre/heimdall_tools/blob/master/lib/data/cwe-nist-mapping.csv (not complete) .

But I agree it cannot be used for compliance alone; still, "CWE-778 - Insufficient Logging" is connected to AU-12 Audit Generation.

CWE-311 Missing Encryption of Sensitive Data -> SC-8 Transmission Confidentiality and Integrity

pethers commented 3 years ago

https://github.com/Hack23/sonar-cloudformation-plugin/blob/master/src/main/resources/cloudformation-rules.xml contains a mapping that groups the cfn-nag rules to NIST 800-53 controls:

800-53-AC-4 AC-4 INFORMATION FLOW ENFORCEMENT https://nvd.nist.gov/800-53/Rev4/control/AC-4

800-53-AC-6 AC-6 LEAST PRIVILEGE https://nvd.nist.gov/800-53/Rev4/control/AC-6

800-53-AU-12 AU-12 AUDIT GENERATION https://nvd.nist.gov/800-53/Rev4/control/AU-12

800-53-IA-5 IA-5 AUTHENTICATOR MANAGEMENT https://nvd.nist.gov/800-53/Rev4/control/IA-5

800-53-SC-8 SC-8 TRANSMISSION CONFIDENTIALITY AND INTEGRITY https://nvd.nist.gov/800-53/Rev4/control/SC-8

800-53-SC-12 SC-12 CRYPTOGRAPHIC KEY ESTABLISHMENT AND MANAGEMENT https://nvd.nist.gov/800-53/Rev4/control/SC-12

800-53-SC-13 SC-13 CRYPTOGRAPHIC PROTECTION https://nvd.nist.gov/800-53/Rev4/control/SC-13

800-53-CP-9 CP-9 INFORMATION SYSTEM BACKUP https://nvd.nist.gov/800-53/Rev4/control/CP-9

800-53-RA-5 RA-5 VULNERABILITY SCANNING https://nvd.nist.gov/800-53/Rev4/control/RA-5

800-53-AU-11 AU-11 AUDIT RECORD RETENTION https://nvd.nist.gov/800-53/Rev4/control/AU-11