AWS Risk Category Changes (#603)

* Risk Category Changes

* Reverting some changes

pkg/policies/opa/rego/aws/aws_ami/AWS.EC2.Encryption&KeyManagement.Medium.0688.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Enable AWS AMI Encryption",
     "reference_id": "AWS.EC2.Encryption\u0026KeyManagement.Medium.0688",
-    "category": "Encryption \u0026 KeyManagement",
+    "category": "Infrastructure Security",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_ami_launch_permission/AWS.AMI.NS.Medium.1040.json

@@ -7,6 +7,6 @@
     "severity": "MEDIUM",
     "description": "Limit access to AWS AMIs",
     "reference_id": "AWS.AMI.NS.Medium.1040",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_api_gateway_method_settings/AWS.API Gateway.Logging.Medium.0569.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Enable Detailed CloudWatch Metrics for APIs",
     "reference_id": "AWS.API Gateway.Logging.Medium.0569",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Medium.0568.json

@@ -1,10 +1,10 @@
 {
-    "name": "apiGatewayContentEncoding",
-    "file": "apiGatewayContentEncoding.rego",
-    "template_args": null,
-    "severity": "MEDIUM",
-    "description": "Enable Content Encoding",
-    "reference_id": "AWS.APIGateway.Medium.0568",
-    "category": " ",
-    "version": 1
-}
+  "name": "apiGatewayContentEncoding",
+  "file": "apiGatewayContentEncoding.rego",
+  "template_args": null,
+  "severity": "MEDIUM",
+  "description": "Enable Content Encoding",
+  "reference_id": "AWS.APIGateway.Medium.0568",
+  "category": "Infrastructure Security",
+  "version": 1
+}

pkg/policies/opa/rego/aws/aws_api_gateway_rest_api/AWS.APIGateway.Network Security.Medium.0570.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "API Gateway Private Endpoints",
     "reference_id": "AWS.APIGateway.Network Security.Medium.0570",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0567.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Enable AWS CloudWatch Logs for APIs",
     "reference_id": "AWS.API Gateway.Logging.Medium.0567",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0571.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Enable Active Tracing",
     "reference_id": "AWS.API Gateway.Logging.Medium.0571",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Logging.Medium.0572.json

@@ -7,6 +7,6 @@
     "severity": "MEDIUM",
     "description": "Ensure that AWS CloudWatch logs are enabled for all your APIs created with Amazon API Gateway service in order to track and analyze execution behavior at the API stage level.",
     "reference_id": "AWS.API Gateway.Logging.Medium.0572",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_api_gateway_stage/AWS.API Gateway.Network Security.Medium.0565.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Enable SSL Client Certificate",
     "reference_id": "AWS.API Gateway.Network Security.Medium.0565",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_apigatewayv2_api/AWS.ApiGatewayV2Api.AccessControl.Medium.0630.json

@@ -5,6 +5,6 @@
     "severity": "Medium",
     "description": "Insecure Cross-Origin Resource Sharing Configuration allowing all domains",
     "reference_id": "AWS.ApiGatewayV2Api.AccessControl.0630",
-    "category": "AccessControl",
+    "category": "Security Best Practices",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_apigatewayv2_stage/AWS.ApiGatewayV2Stage.Logging.Low.0630.json

@@ -5,6 +5,6 @@
     "severity": "Low",
     "description": "AWS API Gateway V2 Stage is missing access logs",
     "reference_id": "AWS.ApiGatewayV2Stage.Logging.0630",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0599.json

@@ -8,6 +8,6 @@
     "severity": "MEDIUM",
     "description": "AWS CloudFormation Not In Use",
     "reference_id": "AWS.CloudFormation.Medium.0599",
-    "category": " ",
+    "category": "Security Best Practices",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0603.json

@@ -8,6 +8,6 @@
     "severity": "MEDIUM",
     "description": "Enable AWS CloudFormation Stack Notifications",
     "reference_id": "AWS.CloudFormation.Medium.0603",
-    "category": " ",
+    "category": "Security Best Practices",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0604.json

@@ -8,6 +8,6 @@
     "severity": "MEDIUM",
     "description": "AWS CloudFormation Stack Policy",
     "reference_id": "AWS.CloudFormation.Medium.0604",
-    "category": " ",
+    "category": "Security Best Practices",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudformation_stack/AWS.CloudFormation.Medium.0605.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Enable AWS CloudFormation Stack Termination Protection",
     "reference_id": "AWS.CloudFormation.Medium.0605",
-    "category": " ",
+    "category": "Security Best Practices",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AC-AW-IS-CD-M-1186.json

@@ -5,6 +5,6 @@
     "severity": "Medium",
     "description": "Ensure that cloud-front has web application firewall enabled",
     "reference_id": "AC-AW-IS-CD-M-1186",
-    "category": "Encryption and Key Management",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0407.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Use encrypted connection between CloudFront and origin server",
     "reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.EncryptionandKeyManagement.High.0408.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Secure ciphers are not used in CloudFront distribution",
     "reference_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudfront_distribution/AWS.CloudFront.Logging.Medium.0567.json

@@ -7,6 +7,6 @@
     "severity": "MEDIUM",
     "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
     "reference_id": "AWS.CloudFront.Logging.Medium.0567",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.High.0399.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Cloud Trail Log Not Enabled",
     "reference_id": "AWS.CloudTrail.Logging.High.0399",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Low.0559.json

@@ -7,6 +7,6 @@
     "severity": "MEDIUM",
     "description": "Ensure appropriate subscribers to each SNS topic",
     "reference_id": "AWS.CloudTrail.Logging.Low.0559",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_cloudtrail/AWS.CloudTrail.Logging.Medium.0460.json

@@ -7,6 +7,6 @@
     "severity": "MEDIUM",
     "description": "Cloud Trail Multi Region not enabled",
     "reference_id": "AWS.CloudTrail.Logging.Medium.0460",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.EncryptionandKeyManagement.High.0632.json

@@ -5,6 +5,6 @@
     "severity": "HIGH",
     "description": "AWS CloudWatch log group is not encrypted with a KMS CMK",
     "reference_id": "AWS.CloudWatch.EncryptionandKeyManagement.High.0632",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_cloudwatch/AWS.CloudWatch.Logging.Medium.0631.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "App-Tier CloudWatch Log Group Retention Period",
     "reference_id": "AWS.CloudWatch.Logging.Medium.0631",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_config/AWS.Config.Encryption&KeyManagement.Medium.0660.json

@@ -5,6 +5,6 @@
     "severity": "MEDIUM",
     "description": "Ensure AWS Config Rule is enabled for Encrypted Volumes",
     "reference_id": "AWS.Config.Encryption\u0026KeyManagement.Medium.0660",
-    "category": "Encryption \u0026 Key Management",
+    "category": "Data Protection",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_config_configuration_aggregator/AWS.Config.Logging.HIGH.0590.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Ensure AWS Config is enabled in all regions",
     "reference_id": "AWS.Config.Logging.HIGH.0590",
-    "category": "Logging",
+    "category": "Logging and Monitoring",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DS.High.1041.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "RDS Instance Auto Minor Version Upgrade flag disabled",
     "reference_id": "AWS.RDS.DS.High.1041",
-    "category": "Data Security",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DS.High.1042.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Ensure Certificate used in RDS instance is updated",
     "reference_id": "AWS.RDS.DS.High.1042",
-    "category": "Data Security",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DataSecurity.High.0414.json

@@ -5,6 +5,6 @@
     "severity": "HIGH",
     "description": "Ensure that your RDS database instances encrypt the underlying storage. Encrypted RDS instances use the industry standard AES-256 encryption algorithm to encrypt data on the server that hosts RDS DB instances. After data is encrypted, RDS handles authentication of access and descryption of data transparently with minimal impact on performance.",
     "reference_id": "AWS.RDS.DataSecurity.High.0414",
-    "category": "Data Security",
+    "category": "Data Protection",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.DataSecurity.High.0577.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Ensure that your RDS database has IAM Authentication enabled.",
     "reference_id": "AWS.RDS.DataSecurity.High.0577",
-    "category": "Data Security",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_instance/AWS.AWS RDS.NS.High.0101.json → pkg/policies/opa/rego/aws/aws_db_instance/AWS.RDS.NS.High.0101.json

@@ -6,7 +6,7 @@
     },
     "severity": "HIGH",
     "description": "RDS Instance publicly_accessible flag is true",
-    "reference_id": "AWS.AWS RDS.NS.High.0101",
-    "category": "Network Security",
+    "reference_id": "AWS.RDS.NS.High.0101",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_security_group/AWS.RDS.NetworkSecurity.High.0101.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "RDS should not be defined with public interface. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
     "reference_id": "AWS.RDS.NetworkSecurity.High.0101",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_security_group/AWS.RDS.NetworkSecurity.High.0102.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "RDS should not be open to a public scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
     "reference_id": "AWS.RDS.NetworkSecurity.High.0102",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_db_security_group/AWS.RDS.NetworkSecurity.High.0103.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "RDS should not be open to a large scope. Firewall and router configurations should be used to restrict connections between untrusted networks and any system components in the cloud environment.",
     "reference_id": "AWS.RDS.NetworkSecurity.High.0103",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_ebs_encryption_by_default/AWS.EBS.DataSecurity.High.0580.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Ensure that the AWS EBS that hold sensitive and critical data is encrypted by default to fulfill compliance requirements for data-at-rest encryption.",
     "reference_id": "AWS.EBS.DataSecurity.High.0580",
-    "category": "Data Security",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EBS.EKM.Medium.0682.json

@@ -8,6 +8,6 @@
     "severity": "HIGH",
     "description": "Enable AWS EBS Snapshot Encryption",
     "reference_id": "AWS.EBS.EKM.Medium.0682",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_ebs_volume/AWS.EcsCluster.EncryptionandKeyManagement.High.0413.json

@@ -8,6 +8,6 @@
     "severity": "HIGH",
     "description": "Ensure that AWS EBS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS EBS clusters and associated cache storage systems.",
     "reference_id": "AWS.EcsCluster.EncryptionandKeyManagement.High.0413",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_ecr_repository/AWS.ECR.DataSecurity.High.0578.json

@@ -7,6 +7,6 @@
     "severity": "MEDIUM",
     "description": "Unscanned images may contain vulnerabilities",
     "reference_id": "AWS.ECR.DataSecurity.High.0578",
-    "category": "Data Security",
+    "category": "Configuration and Vulnerability Analysis",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_ecr_repository_policy/AWS.ECR.DataSecurity.High.0579.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Identify any exposed Amazon ECR image repositories available within your AWS account and update their permissions in order to protect against unauthorized access. Amazon Elastic Container Registry (ECR) is a managed Docker registry service that makes it easy for DevOps teams to store, manage and deploy Docker container images. An ECR repository is a collection of Docker images available on AWS cloud.",
     "reference_id": "AWS.ECR.DataSecurity.High.0579",
-    "category": "Data Security",
+    "category": "Identity and Access Management",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_ecs_task_definition/AWS.EcsCluster.NetworkSecurity.High.0104.json

@@ -7,6 +7,6 @@
     "severity": "HIGH",
     "description": "Like any other EC2 instance it is recommended to place ECS instance within a VPC. AWS VPCs provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations",
     "reference_id": "AWS.EcsCluster.NetworkSecurity.High.0104",
-    "category": "Network Security",
+    "category": "Infrastructure Security",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_ecs_task_definition/AWS.LaunchConfiguration.DataSecurity.High.0101.json

@@ -9,6 +9,6 @@
     "severity": "HIGH",
     "description": "Sensitive Information Disclosure",
     "reference_id": "AWS.LaunchConfiguration.DataSecurity.High.0101",
-    "category": "Data Security",
+    "category": "Data Protection",
     "version": 1
 }

pkg/policies/opa/rego/aws/aws_efs_file_system/AWS.EFS.EncryptionandKeyManagement.High.0409.json

@@ -8,6 +8,6 @@
     "severity": "HIGH",
     "description": "Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.",
     "reference_id": "AWS.EFS.EncryptionandKeyManagement.High.0409",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 2
 }

pkg/policies/opa/rego/aws/aws_efs_file_system/AWS.EFS.EncryptionandKeyManagement.High.0410.json

@@ -8,6 +8,6 @@
     "severity": "HIGH",
     "description": "Enable encryption of your EFS file systems in order to protect your data and metadata from breaches or unauthorized access and fulfill compliance requirements for data-at-rest encryption within your organization.",
     "reference_id": "AWS.EFS.EncryptionandKeyManagement.High.0410",
-    "category": "Encryption and Key Management",
+    "category": "Data Protection",
     "version": 2
 }