AWS new Categories (#581)

* aws category and rule_ids change * Fixing changes as requested after review * final changes
tenable · Mar 9, 2021 · cca6d2f · cca6d2f
1 parent dbb5a91
commit cca6d2f
Show file tree

Hide file tree

Showing 167 changed files with 371 additions and 401 deletions.
diff --git a/...Encryption&KeyManagement.Medium.0688.json → .../rego/aws/aws_ami/AC-AW-IS-AM-M-0005.json b/...Encryption&KeyManagement.Medium.0688.json → .../rego/aws/aws_ami/AC-AW-IS-AM-M-0005.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS AMI Encryption",
-    "reference_id": "AWS.EC2.Encryption\u0026KeyManagement.Medium.0688",
-    "category": "Encryption \u0026 KeyManagement",
+    "reference_id": "AC-AW-IS-AM-M-0005",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/...ch_permission/AWS.AMI.NS.Medium.1040.json → ...launch_permission/AC-AW-IS-PE-M-0006.json b/...ch_permission/AWS.AMI.NS.Medium.1040.json → ...launch_permission/AC-AW-IS-PE-M-0006.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Limit access to AWS AMIs",
-    "reference_id": "AWS.AMI.NS.Medium.1040",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-PE-M-0006",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/.../AWS.API Gateway.Logging.Medium.0569.json → ...y_method_settings/AC-AW-LM-AG-M-0007.json b/.../AWS.API Gateway.Logging.Medium.0569.json → ...y_method_settings/AC-AW-LM-AG-M-0007.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Detailed CloudWatch Metrics for APIs",
-    "reference_id": "AWS.API Gateway.Logging.Medium.0569",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-AG-M-0007",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/..._rest_api/AWS.APIGateway.Medium.0568.json → ..._gateway_rest_api/AC-AW-IS-AP-M-0010.json b/..._rest_api/AWS.APIGateway.Medium.0568.json → ..._gateway_rest_api/AC-AW-IS-AP-M-0010.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Content Encoding",
-    "reference_id": "AWS.APIGateway.Medium.0568",
-    "category": " ",
+    "reference_id": "AC-AW-IS-AP-M-0010",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/...Gateway.Network Security.Medium.0570.json → ..._gateway_rest_api/AC-AW-IS-AP-M-0011.json b/...Gateway.Network Security.Medium.0570.json → ..._gateway_rest_api/AC-AW-IS-AP-M-0011.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "API Gateway Private Endpoints",
-    "reference_id": "AWS.APIGateway.Network Security.Medium.0570",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-AP-M-0011",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/...Gateway.Network Security.Medium.0565.json → ...api_gateway_stage/AC-AW-IS-AS-M-0013.json b/...Gateway.Network Security.Medium.0565.json → ...api_gateway_stage/AC-AW-IS-AS-M-0013.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable SSL Client Certificate",
-    "reference_id": "AWS.API Gateway.Network Security.Medium.0565",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-AS-M-0013",
+    "category": "Infrastructure Security",
     "version": 1
 }
diff --git a/.../AWS.API Gateway.Logging.Medium.0572.json → ...api_gateway_stage/AC-AW-LM-AS-M-0012.json b/.../AWS.API Gateway.Logging.Medium.0572.json → ...api_gateway_stage/AC-AW-LM-AS-M-0012.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.",
-    "reference_id": "AWS.API Gateway.Logging.Medium.0572",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-AS-M-0012",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/.../AWS.API Gateway.Logging.Medium.0567.json → ...api_gateway_stage/AC-AW-LM-AS-M-0014.json b/.../AWS.API Gateway.Logging.Medium.0567.json → ...api_gateway_stage/AC-AW-LM-AS-M-0014.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS CloudWatch Logs for APIs",
-    "reference_id": "AWS.API Gateway.Logging.Medium.0567",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-AS-M-0014",
+    "category": "Logging and Monitoring",
     "version": 1
 }
diff --git a/.../AWS.API Gateway.Logging.Medium.0571.json → ...api_gateway_stage/AC-AW-LM-AS-M-0015.json b/.../AWS.API Gateway.Logging.Medium.0571.json → ...api_gateway_stage/AC-AW-LM-AS-M-0015.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable Active Tracing",
-    "reference_id": "AWS.API Gateway.Logging.Medium.0571",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-AS-M-0015",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...tewayV2Api.AccessControl.Medium.0630.json → ..._apigatewayv2_api/AC-AW-SP-AG-M-0368.json b/...tewayV2Api.AccessControl.Medium.0630.json → ..._apigatewayv2_api/AC-AW-SP-AG-M-0368.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "Medium",
     "description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
-    "reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
-    "category": "AccessControl",
+    "reference_id": "AC-AW-SP-AG-M-0368",
+    "category": "Security Best Practices",
     "version": 2
 }
diff --git a/...S.ApiGatewayV2Stage.Logging.Low.0630.json → ...pigatewayv2_stage/AC-AW-SP-S2-L-0369.json b/...S.ApiGatewayV2Stage.Logging.Low.0630.json → ...pigatewayv2_stage/AC-AW-SP-S2-L-0369.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "Low",
     "description": "AWS API Gateway V2 Stage is missing access logs",
-    "reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
-    "category": "Logging",
+    "reference_id": "AC-AW-SP-S2-L-0369",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...stack/AWS.CloudFormation.Medium.0599.json → ...udformation_stack/AC-AW-SP-CS-M-0019.json b/...stack/AWS.CloudFormation.Medium.0599.json → ...udformation_stack/AC-AW-SP-CS-M-0019.json
@@ -7,7 +7,7 @@
     },
     "severity": "MEDIUM",
     "description": "AWS CloudFormation Not In Use",
-    "reference_id": "AWS.CloudFormation.Medium.0599",
-    "category": " ",
+    "reference_id": "AC-AW-SP-CS-M-0019",
+    "category": "Security Best Practices",
     "version": 1
 }
diff --git a/...stack/AWS.CloudFormation.Medium.0603.json → ...udformation_stack/AC-AW-SP-CS-M-0021.json b/...stack/AWS.CloudFormation.Medium.0603.json → ...udformation_stack/AC-AW-SP-CS-M-0021.json
@@ -7,7 +7,7 @@
     },
     "severity": "MEDIUM",
     "description": "Enable AWS CloudFormation Stack Notifications",
-    "reference_id": "AWS.CloudFormation.Medium.0603",
-    "category": " ",
+    "reference_id": "AC-AW-SP-CS-M-0021",
+    "category": "Security Best Practices",
     "version": 1
 }
diff --git a/...stack/AWS.CloudFormation.Medium.0605.json → ...udformation_stack/AC-AW-SP-CS-M-0022.json b/...stack/AWS.CloudFormation.Medium.0605.json → ...udformation_stack/AC-AW-SP-CS-M-0022.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Enable AWS CloudFormation Stack Termination Protection",
-    "reference_id": "AWS.CloudFormation.Medium.0605",
-    "category": " ",
+    "reference_id": "AC-AW-SP-CS-M-0022",
+    "category": "Security Best Practices",
     "version": 1
 }
diff --git a/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0604.json b/pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0604.json
diff --git a/...EncryptionandKeyManagement.High.0408.json → ...ront_distribution/AC-AW-DP-CD-H-0023.json b/...EncryptionandKeyManagement.High.0408.json → ...ront_distribution/AC-AW-DP-CD-H-0023.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Secure ciphers are not used in CloudFront distribution",
-    "reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AW-DP-CD-H-0023",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...EncryptionandKeyManagement.High.0407.json → ...ront_distribution/AC-AW-DP-CD-H-0024.json b/...EncryptionandKeyManagement.High.0407.json → ...ront_distribution/AC-AW-DP-CD-H-0024.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Use encrypted connection between CloudFront and origin server",
-    "reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AW-DP-CD-H-0024",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...ront_distribution/AC-AW-IS-CD-M-0026.json → ...ront_distribution/AC-AW-IS-CD-L-0026.json b/...ront_distribution/AC-AW-IS-CD-M-0026.json → ...ront_distribution/AC-AW-IS-CD-L-0026.json
@@ -4,9 +4,9 @@
     "template_args": {
         "prefix": ""
     },
-    "severity": "Medium",
+    "severity": "LOW",
     "description": "Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.",
-    "reference_id": "AC-AW-IS-CD-M-0026",
+    "reference_id": "AC-AW-IS-CD-L-0026",
     "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...ront_distribution/AC-AW-IS-CD-M-1186.json → ...ront_distribution/AC-AW-IS-CD-M-0032.json b/...ront_distribution/AC-AW-IS-CD-M-1186.json → ...ront_distribution/AC-AW-IS-CD-M-0032.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "Medium",
     "description": "Ensure that cloud-front has web application firewall enabled",
-    "reference_id": "AC-AW-IS-CD-M-1186",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AW-IS-CD-M-0032",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...n/AWS.CloudFront.Logging.Medium.0567.json → ...ront_distribution/AC-AW-LM-CD-M-0025.json b/...n/AWS.CloudFront.Logging.Medium.0567.json → ...ront_distribution/AC-AW-LM-CD-M-0025.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
-    "reference_id": "AWS.CloudFront.Logging.Medium.0567",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-CD-M-0025",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...ail/AWS.CloudTrail.Logging.High.0399.json → ...ws/aws_cloudtrail/AC-AW-LM-CT-H-0033.json b/...ail/AWS.CloudTrail.Logging.High.0399.json → ...ws/aws_cloudtrail/AC-AW-LM-CT-H-0033.json
@@ -5,8 +5,8 @@
         "prefix": ""
     },
     "severity": "HIGH",
-    "description": "Cloud Trail Log Not Enabled",
-    "reference_id": "AWS.CloudTrail.Logging.High.0399",
-    "category": "Logging",
+    "description": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs",
+    "reference_id": "AC-AW-LM-CT-H-0033",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...l/AWS.CloudTrail.Logging.Medium.0460.json → ...ws/aws_cloudtrail/AC-AW-LM-CT-M-0034.json b/...l/AWS.CloudTrail.Logging.Medium.0460.json → ...ws/aws_cloudtrail/AC-AW-LM-CT-M-0034.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Cloud Trail Multi Region not enabled",
-    "reference_id": "AWS.CloudTrail.Logging.Medium.0460",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-CT-M-0034",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...rail/AWS.CloudTrail.Logging.Low.0559.json → ...ws/aws_cloudtrail/AC-AW-LM-CT-M-0035.json b/...rail/AWS.CloudTrail.Logging.Low.0559.json → ...ws/aws_cloudtrail/AC-AW-LM-CT-M-0035.json
@@ -6,7 +6,7 @@
     },
     "severity": "MEDIUM",
     "description": "Ensure appropriate subscribers to each SNS topic",
-    "reference_id": "AWS.CloudTrail.Logging.Low.0559",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-CT-M-0035",
+    "category": "Logging and Monitoring",
     "version": 1
 }
diff --git a/...EncryptionandKeyManagement.High.0632.json → ...ws/aws_cloudwatch/AC-AW-DP-CW-H-0370.json b/...EncryptionandKeyManagement.High.0632.json → ...ws/aws_cloudwatch/AC-AW-DP-CW-H-0370.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "HIGH",
     "description": "AWS CloudWatch log group is not encrypted with a KMS CMK",
-    "reference_id": "AWS.CloudWatch.EncryptionandKeyManagement.High.0632",
-    "category": "Encryption and Key Management",
+    "reference_id": "AC-AW-DP-CW-H-0370",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...h/AWS.CloudWatch.Logging.Medium.0631.json → ...ws/aws_cloudwatch/AC-AW-LM-CW-M-0041.json b/...h/AWS.CloudWatch.Logging.Medium.0631.json → ...ws/aws_cloudwatch/AC-AW-LM-CW-M-0041.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "App-Tier CloudWatch Log Group Retention Period",
-    "reference_id": "AWS.CloudWatch.Logging.Medium.0631",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-CW-M-0041",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...Encryption&KeyManagement.Medium.0660.json → ...go/aws/aws_config/AC-AW-DP-CO-M-0048.json b/...Encryption&KeyManagement.Medium.0660.json → ...go/aws/aws_config/AC-AW-DP-CO-M-0048.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "MEDIUM",
     "description": "Ensure AWS Config Rule is enabled for Encrypted Volumes",
-    "reference_id": "AWS.Config.Encryption\u0026KeyManagement.Medium.0660",
-    "category": "Encryption \u0026 Key Management",
+    "reference_id": "AC-AW-DP-CO-M-0048",
+    "category": "Data Protection",
     "version": 1
 }
diff --git a/...regator/AWS.Config.Logging.HIGH.0590.json → ...ration_aggregator/AC-AW-LM-CC-H-0049.json b/...regator/AWS.Config.Logging.HIGH.0590.json → ...ration_aggregator/AC-AW-LM-CC-H-0049.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure AWS Config is enabled in all regions",
-    "reference_id": "AWS.Config.Logging.HIGH.0590",
-    "category": "Logging",
+    "reference_id": "AC-AW-LM-CC-H-0049",
+    "category": "Logging and Monitoring",
     "version": 2
 }
diff --git a/...tance/AWS.RDS.DataSecurity.High.0577.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0053.json b/...tance/AWS.RDS.DataSecurity.High.0577.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0053.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure that your RDS database has IAM Authentication enabled.",
-    "reference_id": "AWS.RDS.DataSecurity.High.0577",
-    "category": "Data Security",
+    "reference_id": "AC-AW-DP-DI-H-0053",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...aws_db_instance/AWS.RDS.DS.High.1041.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0056.json b/...aws_db_instance/AWS.RDS.DS.High.1041.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0056.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "RDS Instance Auto Minor Version Upgrade flag disabled",
-    "reference_id": "AWS.RDS.DS.High.1041",
-    "category": "Data Security",
+    "reference_id": "AC-AW-DP-DI-H-0056",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...aws_db_instance/AWS.RDS.DS.High.1042.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0057.json b/...aws_db_instance/AWS.RDS.DS.High.1042.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0057.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "Ensure Certificate used in RDS instance is updated",
-    "reference_id": "AWS.RDS.DS.High.1042",
-    "category": "Data Security",
+    "reference_id": "AC-AW-DP-DI-H-0057",
+    "category": "Data Protection",
     "version": 2
 }
diff --git a/...tance/AWS.RDS.DataSecurity.High.0414.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0058.json b/...tance/AWS.RDS.DataSecurity.High.0414.json → ...s/aws_db_instance/AC-AW-DP-DI-H-0058.json
@@ -4,7 +4,7 @@
     "template_args": null,
     "severity": "HIGH",
     "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",
-    "reference_id": "AWS.RDS.DataSecurity.High.0414",
-    "category": "Data Security",
+    "reference_id": "AC-AW-DP-DI-H-0058",
+    "category": "Data Protection",
     "version": 1
 }
diff --git a/...db_instance/AWS.AWS RDS.NS.High.0101.json → ...s/aws_db_instance/AC-AW-IS-DI-H-0054.json b/...db_instance/AWS.AWS RDS.NS.High.0101.json → ...s/aws_db_instance/AC-AW-IS-DI-H-0054.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "RDS Instance publicly_accessible flag is true",
-    "reference_id": "AWS.AWS RDS.NS.High.0101",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-DI-H-0054",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...up/AWS.RDS.NetworkSecurity.High.0103.json → ...db_security_group/AC-AW-IS-DS-H-0065.json b/...up/AWS.RDS.NetworkSecurity.High.0103.json → ...db_security_group/AC-AW-IS-DS-H-0065.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "RDS should not be open to a large scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
-    "reference_id": "AWS.RDS.NetworkSecurity.High.0103",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-DS-H-0065",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...up/AWS.RDS.NetworkSecurity.High.0101.json → ...db_security_group/AC-AW-IS-DS-H-0066.json b/...up/AWS.RDS.NetworkSecurity.High.0101.json → ...db_security_group/AC-AW-IS-DS-H-0066.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "RDS should not be defined with public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
-    "reference_id": "AWS.RDS.NetworkSecurity.High.0101",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-DS-H-0066",
+    "category": "Infrastructure Security",
     "version": 2
 }
diff --git a/...up/AWS.RDS.NetworkSecurity.High.0102.json → ...db_security_group/AC-AW-IS-DS-H-0067.json b/...up/AWS.RDS.NetworkSecurity.High.0102.json → ...db_security_group/AC-AW-IS-DS-H-0067.json
@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
-    "reference_id": "AWS.RDS.NetworkSecurity.High.0102",
-    "category": "Network Security",
+    "reference_id": "AC-AW-IS-DS-H-0067",
+    "category": "Infrastructure Security",
     "version": 2
 }