
Commit 1ddece6

authored
Merge pull request #68 from jkufro/awsConfig
2 parents 8a0ba6d + ec7cf15 commit 1ddece6

9 files changed

+461
-2
lines changed

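--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ HeimdallTools supplies several methods to convert output from various tools to "
 - **nikto_mapper** - open-source web server scanner
 - **jfrog_xray_mapper** - package vulnerability scanner
 - **dbprotect_mapper** - database vulnerability scanner
+- **aws_config_mapper** - assess, audit, and evaluate AWS resources
 
 Ruby 2.4 or higher (check using "ruby -v")
 
@@ -213,6 +214,26 @@ FLAGS:
 example: heimdall_tools dbprotect_mapper -x check_results_details_report.xml -o db_protect_hdf.json
 ```
 
+## aws_config_mapper
+
+aws_config_mapper pulls Ruby AWS SDK data to translate AWS Config Rule results into HDF format json to be viewable in Heimdall
+
+### AWS Config Rule Mapping:
+The mapping of AWS Config Rules to 800-53 Controls was sourced from [this link](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-nist-800-53_rev_4.html).
+
+### Authentication with AWS:
+[Developer Guide for configuring Ruby AWS SDK for authentication](https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html)
+
+```
+USAGE: heimdall_tools aws_config_mapper [OPTIONS] -o <hdf-scan-results.json>
+
+FLAGS:
+-o --output <scan-results> : path to output scan-results json.
+-V --verbose : verbose run [optional].
+
+example: heimdall_tools aws_config_mapper -o aws_config_results_hdf.json
+```
+
 ## version
 
 Prints out the gem version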

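--- a/heimdall_tools.gemspec
+++ b/heimdall_tools.gemspec
@@ -26,6 +26,7 @@ Gem::Specification.new do |spec| # rubocop:disable Metrics/BlockLength
 spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
 spec.require_paths = ['lib']
 
+spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1'
 spec.add_runtime_dependency 'nokogiri', '~> 1.10.9'
 spec.add_runtime_dependency 'thor', '~> 0.19'
 spec.add_runtime_dependency 'json', '~> 2.3'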
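Review bot: The constraint `'~> 1'` on the new `aws-sdk-configservice` line (new line 29) admits every 1.x release of the SDK, which is looser than the neighbouring pins (`'~> 1.10.9'` for nokogiri, `'~> 2.3'` for json) and means each fresh install may resolve a different SDK version than the one the mapper was developed against. Pinning at least the minor, `spec.add_runtime_dependency 'aws-sdk-configservice', '~> 1.<tested-minor>'`, keeps installs reproducible and turns an SDK upgrade into a reviewed change; if the broad range is deliberate because of the SDK's versioning policy, a short comment on the line saying so would spare the next reader the question. Whether a Gemfile.lock was updated alongside cannot be seen from the sections rendered here. The Gem::Specification block begins and ends outside the hunk.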

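--- a/lib/data/aws-config-mapping.csv
+++ b/lib/data/aws-config-mapping.csv
@@ -0,0 +1,107 @@
+AwsConfigRuleName,NIST-ID,Rev
+secretsmanager-scheduled-rotation-success-check,AC-2(1)|AC-2(j),4
+iam-user-group-membership-check,AC-2(1)|AC-2(j)|AC-3|AC-6,4
+iam-password-policy,AC-2(1)|AC-2(f)|AC-2(j)|IA-2|IA-5(1)(a)(d)(e)|IA-5(4),4
+access-keys-rotated,AC-2(1)|AC-2(j),4
+iam-user-unused-credentials-check,AC-2(1)|AC-2(3)|AC-2(f)|AC-3|AC-6,4
+securityhub-enabled,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|SA-10|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+guardduty-enabled-centralized,AC-2(1)|AC-2(4)|AC-2(12)(a)|AC-2(g)|AC-17(1)|AU-6(1)(3)|CA-7(a)(b)|RA-5|SA-10|SI-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(16)|SI-4(a)(b)(c),4
+cloud-trail-cloud-watch-logs-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-6(1)(3)|AU-7(1)|AU-12(a)(c)|CA-7(a)(b)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+cloudtrail-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+multi-region-cloudtrail-enabled,AC-2(4)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+rds-logging-enabled,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+cloudwatch-alarm-action-check,AC-2(4)|AU-6(1)(3)|AU-7(1)|CA-7(a)(b)|IR-4(1)|SI-4(2)|SI-4(4)|SI-4(5)|SI-4(a)(b)(c),4
+redshift-cluster-configuration-check,AC-2(4)|AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-13|SC-28,4
+iam-root-access-key-check,AC-2(f)|AC-2(j)|AC-3|AC-6|AC-6(10),4
+s3-bucket-logging-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+cloudtrail-s3-dataevents-enabled,AC-2(g)|AU-2(a)(d)|AU-3|AU-12(a)(c),4
+root-account-mfa-enabled,AC-2(j)|IA-2(1)(11),4
+emr-kerberos-enabled,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+iam-group-has-users-check,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+iam-policy-no-statements-with-admin-access,AC-2(j)|AC-3|AC-5(c)|AC-6|SC-2,4
+iam-user-no-policies-check,AC-2(j)|AC-3|AC-5(c)|AC-6,4
+s3-bucket-public-write-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+lambda-function-public-access-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+rds-snapshots-public-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+redshift-cluster-public-access-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+s3-bucket-policy-grantee-check,AC-3|AC-6|SC-7|SC-7(3),4
+s3-bucket-public-read-prohibited,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+s3-account-level-public-access-blocks,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+dms-replication-not-public,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+ebs-snapshot-public-restorable-check,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+sagemaker-notebook-no-direct-internet-access,AC-3|AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+rds-instance-public-access-check,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+lambda-inside-vpc,AC-4|SC-7|SC-7(3),4
+ec2-instances-in-vpc,AC-4|SC-7|SC-7(3),4
+restricted-common-ports,AC-4|CM-2|SC-7|SC-7(3),4
+restricted-ssh,AC-4|SC-7|SC-7(3),4
+vpc-default-security-group-closed,AC-4|SC-7|SC-7(3),4
+vpc-sg-open-only-to-authorized-ports,AC-4|SC-7|SC-7(3),4
+acm-certificate-expiration-check,AC-4|AC-17(2)|SC-12,4
+ec2-instance-no-public-ip,AC-4|AC-6|AC-21(b)|SC-7|SC-7(3),4
+elasticsearch-in-vpc-only,AC-4|SC-7|SC-7(3),4
+emr-master-no-public-ip,AC-4|AC-21(b)|SC-7|SC-7(3),4
+internet-gateway-authorized-vpc-only,AC-4|AC-17(3)|SC-7|SC-7(3),4
+codebuild-project-envvar-awscred-check,AC-6|IA-5(7)|SA-3(a),4
+ec2-imdsv2-check,AC-6,4
+iam-no-inline-policy-check,AC-6,4
+alb-http-to-https-redirection-check,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13|SC-23,4
+redshift-require-tls-ssl,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+s3-bucket-ssl-requests-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+elb-acm-certificate-required,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-13,4
+alb-http-drop-invalid-header-enabled,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+elb-tls-https-listeners-only,AC-17(2)|SC-7|SC-8|SC-8(1)|SC-23,4
+api-gw-execution-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+elb-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+vpc-flow-logs-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c),4
+wafv2-logging-enabled,AU-2(a)(d)|AU-3|AU-12(a)(c)|SC-7|SI-4(a)(b)(c),4
+cloud-trail-encryption-enabled,AU-9|SC-13|SC-28,4
+cloudwatch-log-group-encrypted,AU-9|SC-13|SC-28,4
+s3-bucket-replication-enabled,AU-9(2)|CP-9(b)|CP-10|SC-5|SC-36,4
+cw-loggroup-retention-period-check,AU-11|SI-12,4
+ec2-instance-detailed-monitoring-enabled,CA-7(a)(b)|SI-4(2)|SI-4(a)(b)(c),4
+rds-enhanced-monitoring-enabled,CA-7(a)(b),4
+ec2-instance-managed-by-systems-manager,CM-2|CM-7(a)|CM-8(1)|CM-8(3)(a)|SA-3(a)|SA-10|SI-2(2)|SI-7(1),4
+ec2-managedinstance-association-compliance-status-check,CM-2|CM-7(a)|CM-8(3)(a)|SI-2(2),4
+ec2-stopped-instance,CM-2,4
+ec2-volume-inuse-check,CM-2|SC-4,4
+elb-deletion-protection-enabled,CM-2|CP-10,4
+cloudtrail-security-trail-enabled,CM-2,4
+ec2-managedinstance-patch-compliance-status-check,CM-8(3)(a)|SI-2(2)|SI-7(1),4
+db-instance-backup-enabled,CP-9(b)|CP-10|SI-12,4
+dynamodb-pitr-enabled,CP-9(b)|CP-10|SI-12,4
+elasticache-redis-cluster-automatic-backup-check,CP-9(b)|CP-10|SI-12,4
+dynamodb-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+ebs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+efs-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+rds-in-backup-plan,CP-9(b)|CP-10|SI-12,4
+dynamodb-autoscaling-enabled,CP-10|SC-5,4
+rds-multi-az-support,CP-10|SC-5|SC-36,4
+s3-bucket-versioning-enabled,CP-10|SI-12,4
+vpc-vpn-2-tunnels-up,CP-10,4
+elb-cross-zone-load-balancing-enabled,CP-10|SC-5,4
+root-account-hardware-mfa-enabled,IA-2(1)(11),4
+mfa-enabled-for-iam-console-access,IA-2(1)(2)(11),4
+iam-user-mfa-enabled,IA-2(1)(2)(11),4
+guardduty-non-archived-findings,IR-4(1)|IR-6(1)|IR-7(1)|RA-5|SA-10|SI-4(a)(b)(c),4
+codebuild-project-source-repo-url-check,SA-3(a),4
+autoscaling-group-elb-healthcheck-required,SC-5,4
+rds-instance-deletion-protection-enabled,SC-5,4
+alb-waf-enabled,SC-7|SI-4(a)(b)(c),4
+elasticsearch-node-to-node-encryption-check,SC-7|SC-8|SC-8(1),4
+cmk-backing-key-rotation-enabled,SC-12,4
+kms-cmk-not-scheduled-for-deletion,SC-12|SC-28,4
+api-gw-cache-enabled-and-encrypted,SC-13|SC-28,4
+efs-encrypted-check,SC-13|SC-28,4
+elasticsearch-encrypted-at-rest,SC-13|SC-28,4
+encrypted-volumes,SC-13|SC-28,4
+rds-storage-encrypted,SC-13|SC-28,4
+s3-bucket-server-side-encryption-enabled,SC-13|SC-28,4
+sagemaker-endpoint-configuration-kms-key-configured,SC-13|SC-28,4
+sagemaker-notebook-instance-kms-key-configured,SC-13|SC-28,4
+sns-encrypted-kms,SC-13|SC-28,4
+dynamodb-table-encrypted-kms,SC-13,4
+s3-bucket-default-lock-enabled,SC-28,4
+ec2-ebs-encryption-by-default,SC-28,4
+rds-snapshot-encrypted,SC-28,4
+cloud-trail-log-file-validation-enabled,SI-7|SI-7(1),4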

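--- a/lib/heimdall_tools.rb
+++ b/lib/heimdall_tools.rb
@@ -14,4 +14,5 @@ module HeimdallTools
 autoload :NiktoMapper, 'heimdall_tools/nikto_mapper'
 autoload :JfrogXrayMapper, 'heimdall_tools/jfrog_xray_mapper'
 autoload :DBProtectMapper, 'heimdall_tools/dbprotect_mapper'
+autoload :AwsConfigMapper, 'heimdall_tools/aws_config_mapper'
 end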
