refactor(checks): migrate AWS ec2 to Rego

Signed-off-by: Nikita Pivkin <[email protected]>

avd_docs/aws/ec2/AVD-AWS-0008/docs.md

@@ -1,8 +1,9 @@
 
 Block devices should be encrypted to ensure sensitive data is held securely at rest.
 
+
 ### Impact
-The block device could be compromised and read from
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0009/docs.md

@@ -1,8 +1,9 @@
 
 You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.
 
+
 ### Impact
-The instance or configuration is publicly accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0026/docs.md

@@ -1,8 +1,9 @@
 
 By enabling encryption on EBS volumes you protect the volume, the disk I/O and any derived snapshots from compromise if intercepted.
 
+
 ### Impact
-Unencrypted sensitive data is vulnerable to compromise.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0027/docs.md

@@ -1,8 +1,9 @@
 
 Encryption using AWS keys provides protection for your EBS volume. To increase control of the encryption and manage factors like rotation use customer managed keys.
 
+
 ### Impact
-Using AWS managed keys does not allow for fine grained control
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0028/docs.md

@@ -1,12 +1,13 @@
 
-
 IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
-By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
+
+By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
+
 To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
 
 
 ### Impact
-Instance metadata service can be interacted with freely
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0029/docs.md

@@ -1,8 +1,9 @@
 
 EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.
 
+
 ### Impact
-User data is visible through the AWS Management console
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0099/docs.md

@@ -3,8 +3,9 @@ Security groups should include a description for auditing purposes.
 
 Simplifies auditing, debugging, and managing security groups.
 
+
 ### Impact
-Descriptions provide context for the firewall rule reasons
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0101/docs.md

@@ -1,8 +1,9 @@
 
 Default VPC does not have a lot of the critical security features that standard VPC comes with, new resources should not be created in the default VPC and it should not be present in the Terraform.
 
+
 ### Impact
-The default VPC does not have critical security features applied
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0102/docs.md

@@ -1,8 +1,9 @@
 
 Ensure access to specific required ports is allowed, and nothing else.
 
+
 ### Impact
-All ports exposed for ingressing/egressing data
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0104/docs.md

@@ -1,8 +1,9 @@
 
 Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.
 
+
 ### Impact
-Your port is egressing data to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0105/docs.md

@@ -1,8 +1,9 @@
 
 Opening up ACLs to the public internet is potentially dangerous. You should restrict access to IP addresses or ranges that explicitly require it where possible.
 
+
 ### Impact
-The ports are exposed for ingressing data to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0107/docs.md

@@ -1,8 +1,9 @@
 
 Opening up ports to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that explicitly require it where possible.
 
+
 ### Impact
-Your port exposed to the internet
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0122/docs.md

@@ -1,8 +1,9 @@
 
 When creating Launch Configurations, user data can be used for the initial configuration of the instance. User data must not contain any sensitive data.
 
+
 ### Impact
-Sensitive credentials in user data can be leaked
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0124/docs.md

@@ -3,8 +3,9 @@ Security group rules should include a description for auditing purposes.
 
 Simplifies auditing, debugging, and managing security groups.
 
+
 ### Impact
-Descriptions provide context for the firewall rule reasons
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0129/docs.md

@@ -1,8 +1,9 @@
 
 EC2 instance data is used to pass start up information into the EC2 instance. This userdata must not contain access key credentials. Instead use an IAM Instance Profile assigned to the instance to grant access to other AWS Services.
 
+
 ### Impact
-User data is visible through the AWS Management console
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0130/docs.md

@@ -1,12 +1,13 @@
 
-
 IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.
-By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional. 
+
+By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.
+
 To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.
 
 
 ### Impact
-Instance metadata service can be interacted with freely
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0131/docs.md

@@ -1,8 +1,9 @@
 
 Block devices should be encrypted to ensure sensitive data is held securely at rest.
 
+
 ### Impact
-The block device could be compromised and read from
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0164/docs.md

@@ -1,8 +1,9 @@
 
 You should limit the provision of public IP addresses for resources. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application.
 
+
 ### Impact
-The instance is publicly accessible
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0173/docs.md

@@ -1,12 +1,13 @@
 
-
 Configuring all VPC default security groups to restrict all traffic will encourage least
+
 privilege security group development and mindful placement of AWS resources into
+
 security groups which will in-turn reduce the exposure of those resources.
 
 
 ### Impact
-Easier to accidentally expose resources - goes against principle of least privilege
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

avd_docs/aws/ec2/AVD-AWS-0178/docs.md

@@ -1,8 +1,9 @@
 
 VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.
 
+
 ### Impact
-Without VPC flow logs, you risk not having enough information about network traffic flow to investigate incidents or identify security issues.
+<!-- Add Impact here -->
 
 <!-- DO NOT CHANGE -->
 {{ remediationActions }}

checks/cloud/aws/ec2/add_description_to_security_group.go

@@ -36,7 +36,8 @@ Simplifies auditing, debugging, and managing security groups.`,
 			Links:               cloudFormationAddDescriptionToSecurityGroupLinks,
 			RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, group := range s.AWS.EC2.SecurityGroups {

checks/cloud/aws/ec2/add_description_to_security_group.rego

@@ -0,0 +1,51 @@
+# METADATA
+# title: Missing description for security group.
+# description: |
+#   Security groups should include a description for auditing purposes.
+#
+#   Simplifies auditing, debugging, and managing security groups.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html
+# custom:
+#   id: AVD-AWS-0099
+#   avd_id: AVD-AWS-0099
+#   provider: aws
+#   service: ec2
+#   severity: LOW
+#   short_code: add-description-to-security-group
+#   recommended_action: Add descriptions for all security groups
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: ec2
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+#     good_examples: checks/cloud/aws/ec2/add_description_to_security_group.tf.go
+#     bad_examples: checks/cloud/aws/ec2/add_description_to_security_group.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/ec2/add_description_to_security_group.cf.go
+#     bad_examples: checks/cloud/aws/ec2/add_description_to_security_group.cf.go
+package builtin.aws.ec2.aws0099
+
+import rego.v1
+
+deny contains res if {
+	some sg in input.aws.ec2.securitygroups
+	sg.__defsec_metadata.managed
+	sg.description.value == ""
+	res := result.new("Security group does not have a description.", sg)
+}
+
+deny contains res if {
+	some sg in input.aws.ec2.securitygroups
+	sg.__defsec_metadata.managed
+	sg.description.value == "Managed by Terraform"
+	res := result.new("Security group explicitly uses the default description.", sg)
+}

checks/cloud/aws/ec2/add_description_to_security_group_rule.go

@@ -36,7 +36,8 @@ Simplifies auditing, debugging, and managing security groups.`,
 			Links:               cloudFormationAddDescriptionToSecurityGroupRuleLinks,
 			RemediationMarkdown: cloudFormationAddDescriptionToSecurityGroupRuleRemediationMarkdown,
 		},
-		Severity: severity.Low,
+		Severity:   severity.Low,
+		Deprecated: true,
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, group := range s.AWS.EC2.SecurityGroups {

checks/cloud/aws/ec2/add_description_to_security_group_rule.rego

@@ -0,0 +1,47 @@
+# METADATA
+# title: Missing description for security group rule.
+# description: |
+#   Security group rules should include a description for auditing purposes.
+#
+#   Simplifies auditing, debugging, and managing security groups.
+# scope: package
+# schemas:
+#   - input: schema["cloud"]
+# related_resources:
+#   - https://www.cloudconformity.com/knowledge-base/aws/EC2/security-group-rules-description.html
+# custom:
+#   id: AVD-AWS-0124
+#   avd_id: AVD-AWS-0124
+#   provider: aws
+#   service: ec2
+#   severity: LOW
+#   short_code: add-description-to-security-group-rule
+#   recommended_action: Add descriptions for all security groups rules
+#   input:
+#     selector:
+#       - type: cloud
+#         subtypes:
+#           - service: ec2
+#             provider: aws
+#   terraform:
+#     links:
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group
+#       - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule
+#     good_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.tf.go
+#     bad_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.tf.go
+#   cloudformation:
+#     good_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go
+#     bad_examples: checks/cloud/aws/ec2/add_description_to_security_group_rule.cf.go
+package builtin.aws.ec2.aws0124
+
+import rego.v1
+
+deny contains res if {
+	some group in input.aws.ec2.securitygroups
+	some rule in array.concat(
+		object.get(group, "egressrules", []),
+		object.get(group, "ingressrules", []),
+	)
+	rule.description.value == ""
+	res := result.new("Security group rule does not have a description.", rule.description)
+}