
KICS Auto Remediation: support for CloudFormation queries

Open rafaela-soares opened this issue 3 years ago • 0 comments

Description

At the moment, KICS provides auto remediation for simple replacements and simple additions in a single line in Terraform queries. It would be great if this feature was also implemented for CloudFormation queries.

Note that it will be necessary to create the remediation according to the extension (.yaml or .json).

Steps

  1. Add `remediation` and `remediation_type` in the following queries:

| Query name | Query ID | Remediation |
| --- | --- | --- |
| High Access Key Rotation Period | 800fa019-49dd-421b-9042-7331fdd83fa2 | Replacement, Addition |
| ALB Listening on HTTP | 275a3217-ca37-40c1-a6cf-bb57d245ab32 | Replacement |
| API Gateway With Invalid Compression | d6653eee-2d4d-4e6a-976f-6794a497999a | Replacement, Addition |
| API Gateway With Open Access | 1056dfbb-5802-4762-bf2b-8b9b9684b1b0 | Replacement |
| API Gateway Without Security Policy | 8275fab0-68ec-4705-bbf4-86975edb170e | Replacement, Addition |
| Cognito UserPool Without MFA | 74a18d1a-cf02-4a31-8791-ed0967ad7fdc | Replacement, Addition |
| Connection Between CloudFront Origin Not Encrypted | a5366a50-932f-4085-896b-41402714a388 | Replacement |
| ECR Image Tag Not Immutable | 33f41d31-86b1-46a4-81f7-9c9a671f59ac | Replacement, Addition |
| ECS Cluster Not Encrypted At Rest (NOTE: it will be necessary to add searchLine) | 6c131358-c54d-419b-9dd6-1f7dd41d180c | Replacement |
| ECS Task Definition Network Mode Not Recommended | 027a4b7a-8a59-4938-a04f-ed532512cf45 | Replacement, Addition |
| ElastiCache Nodes Not Created Across Multi AZ | cfdef2e5-1fe4-4ef4-bea8-c56e08963150 | Replacement, Addition |
| ElastiCache With Disabled at Rest Encryption | e4ee3903-9225-4b6a-bdfb-e62dbadef821 | Replacement, Addition |
| ElastiCache With Disabled Transit Encryption | 3b02569b-fc6f-4153-b3a3-ba91022fed68 | Replacement, Addition |
| ELB Using Insecure Protocols | 61a94903-3cd3-4780-88ec-fc918819b9c8 | Replacement, Addition |
| ELB Without Secure Protocol | 80908a75-586b-4c61-ab04-490f4f4525b8 | Replacement, Addition |
| Geo Restriction Disabled | 7f8843f0-9ea5-42b4-a02b-753055113195 | Replacement, Addition |
| GitHub Repository Set To Public | 5906092d-5f74-490d-9a03-78febe0f65e1 | Replacement, Addition |
| Lambda Functions Without X-Ray Tracing | 9488c451-074e-4cd3-aee3-7db6104f542c | Replacement, Addition |
| Lambda Permission Misconfigured | 9b83114b-b2a1-4534-990d-06da015e47aa | Replacement |
| Memcached Disabled | dd0971a6-09c3-4168-8474-a7ef8fbfd99d | Replacement |
| MSK Cluster Encryption Disabled | a976d63f-af0e-46e8-b714-8c1a9c4bf768 | Replacement |
| Low RDS Backup Retention Period | e649a218-d099-4550-86a4-1231e1fcb60d | Replacement, Addition |
| RDS With Backup Disabled | 8c415f6f-7b90-4a27-a44a-51047e1506f9 | Replacement |
| Redshift Not Encrypted | 3b316b05-564c-44a7-9c3f-405bb95e211e | Replacement, Addition |
| S3 Bucket Without Versioning | a227ec01-f97a-4084-91a4-47b350c1db54 | Replacement, Addition |
| SageMaker Enabling Internet Access | 88d55d94-315d-4564-beee-d2d725feab11 | Replacement, Addition |
| Secure Ciphers Disabled | be96849c-3df6-49c2-bc16-778a7be2519c | Replacement, Addition |
| Viewer Protocol Policy Allows HTTP | 31733ee2-fef0-4e87-9778-65da22a8ecf1 | Replacement, Addition |
| Permissive Web ACL Default Action | 6d64f311-3da6-45f3-80f1-14db9771ea40 | Replacement |
| API Gateway Cache Cluster Disabled | 52790cad-d60d-41d5-8483-146f9f21208d | Replacement, Addition |
| API Gateway Cache Encrypted Disabled | 37cca703-b74c-48ba-ac81-595b53398e9b | Replacement, Addition |
| API Gateway Method Does Not Contains An API Key | 3641d5b4-d339-4bc2-bfb9-208fe8d3477f | Replacement, Addition |
| API Gateway X-Ray Disabled | 4ab10c48-bedb-4deb-8f3b-ff12783b61de | Replacement, Addition |
| Automatic Minor Upgrades Disabled | f0104061-8bfc-4b45-8a7d-630eb502f281 | Replacement, Addition |
| Batch Job Definition With Privileged Container Properties | 76ddf32c-85b1-4808-8935-7eef8030ab36 | Replacement, Addition |
| CDN Configuration Is Missing | e4f54ff4-d352-40e8-a096-5141073c37a2 | Replacement, Addition |
| CloudFront Without Minimum Protocol TLS 1.2 | dc17ee4b-ddf2-4e23-96e8-7a36abad1303 | Replacement, Addition |
| CloudTrail Log File Validation Disabled | 2a3560fe-52ca-4443-b34f-bf0ed5eb74c8 | Replacement, Addition |
| CloudTrail Logging Disabled | 5c0b06d5-b7a4-484c-aeb0-75a836269ff0 | Replacement |
| CloudTrail Multi Region Disabled | 058ac855-989f-4378-ba4d-52d004020da7 | Replacement, Addition |
| CloudWatch Metrics Disabled | 5d3c1807-acb3-4bb0-be4e-0440230feeaf | Replacement, Addition |
| CMK Is Unusable | 2844c749-bd78-4cd1-90e8-b179df827602 | Replacement |
| CMK Rotation Disabled | 1c07bfaf-663c-4f6f-b22b-8e2d481e4df5 | Replacement |
| Configuration Aggregator to All Regions Disabled | 9f3cf08e-72a2-4eb1-8007-e3b1b0e10d4d | Replacement, Addition |
| EBS Volume Encryption Disabled | 80b7ac3f-d2b7-4577-9b10-df7913497162 | Replacement, Addition |
| EFS Not Encrypted | 2ff8e83c-90e1-4d68-a300-6d652112e622 | Replacement |
| ElasticSearch Not Encrypted At Rest | 86a248ab-0e01-4564-a82a-878303e253bb | Replacement, Addition |
| EMR Security Configuration Encryption Disabled | 5b033ec8-f079-4323-b5c8-99d4620433a9 | Replacement, Addition |
| GuardDuty Detector Disabled | a25cd877-375c-4121-a640-730929936fac | Replacement |
| KMS Key Rotation Disabled | 235ca980-eb71-48f4-9030-df0c371029eb | Replacement, Addition |
| MQ Broker Is Publicly Accessible | 68b6a789-82f8-4cfd-85de-e95332fe6a61 | Replacement |
| RDS Storage Encryption Disabled | 65844ba3-03a1-40a8-b3dd-919f122e8c95 | Replacement, Addition |
| IAM Database Auth Not Enabled | 9fcd0a0a-9b6f-4670-a215-d94e6bf3f184 | Replacement, Addition |
| RDS With Deletion Protection Disabled | 2c161e58-cb52-454f-abea-6470c37b5e6e | Replacement, Addition |
| RDS Multi-AZ Deployment Disabled | 2b1d4935-9acf-48a7-8466-10d18bf51a69 | Replacement, Addition |
| RDS Storage Not Encrypted | 5beacce3-4020-4a3d-9e1d-a36f953df630 | Replacement, Addition |
| Redshift Publicly Accessible | bdf8dcb4-75df-4370-92c4-606e4ae6c4d3 | Replacement, Addition |
| Stack Retention Disabled | fe974ae9-858e-4991-bbd5-e040a834679f | Replacement, Addition |
| Unscanned ECR Image | 9025b2b3-e554-4842-ba87-db7aeec36d35 | Replacement, Addition |
| IAM User Without Password Reset | a964d6e3-8e1e-4d93-8120-61fa640dd55a | Replacement, Addition |
| Workspace Without Encryption | 89827c57-5a8a-49eb-9731-976a606d70db | Replacement, Addition |
| DB Instance Publicly Accessible | de38e1d5-54cb-4111-a868-6f7722695007 | Replacement |
| DynamoDB With Aws Owned CMK (NOTE: searchKey should be fixed) | c8dee387-a2e6-4a73-a942-183c975549ac | Replacement, Addition |
| EC2 Instance Has Public IP | b3de4e4c-14be-4159-b99d-9ad194365e4c | Replacement |
| MSK Cluster Logging Disabled | fc7c2c15-f5d0-4b80-adb2-c89019f8f62b | Replacement |
| Neptune Cluster With IAM Database Authentication Disabled | a3aa0087-8228-4e7e-b202-dc9036972d02 | Replacement, Addition |
| Neptune Database Cluster Encryption Disabled | bf4473f1-c8a2-4b1b-8134-bd32efabab93 | Replacement |
| Vulnerable Default SSL Certificate | b4d9c12b-bfba-4aeb-9cb8-2358546d8041 | Replacement |
| Serverless API Cache Cluster Disabled | 60a05ede-0a68-4d0d-a58f-f538cf55ff79 | Replacement, Addition |
| Serverless API Endpoint Config Not Private | 6b5b0313-771b-4319-ad7a-122ee78700ef | Replacement, Addition |
| Serverless API Without Content Encoding | a2f2800e-614b-4bc8-89e6-fec8afd24800 | Replacement, Addition |
| Serverless API X-Ray Tracing Disabled | c757c6a3-ac87-4b9d-b28d-e5a5add6a315 | Replacement, Addition |
| Serverless Function Without X-Ray Tracing | dc1ab429-1481-4540-9b1d-280e3f15f1f8 | Replacement, Addition |
  2. Change `test/queries_test.go` (line 262) and `pkg/remediation/utils.go` (line 37)

  3. Test through `go test ./test --timeout 1500s -v`
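The extension dependence the description points out (a `.yaml` template and a `.json` template need different edits for the same fix) is easiest to see in code. The following is an added example written for this page, not KICS's own remediation code, and the function names `remediate`, `remediate_yaml` and `remediate_json` are assumptions, not project APIs. It walks through the two remediation kinds listed in the table, Replacement (rewrite an existing single-line property) and Addition (insert a missing single-line property), for the ECR Image Tag Not Immutable case (query 33f41d31-86b1-46a4-81f7-9c9a671f59ac) using the real CloudFormation property `ImageTagMutability` on `AWS::ECR::Repository`. The YAML path is patched line by line so layout and comments survive, which a parse-and-dump round trip would not guarantee; the JSON path goes through the parsed document, where a line-based edit would have to manage commas. The sample templates are constructed for the example.

```python
"""Extension-aware single-line remediation for CloudFormation templates.

Added example (not KICS code). Shows Replacement vs Addition and why the
.yaml / .json extension selects a different editing strategy.
"""
import json
from pathlib import PurePath

# Constructed sample: weak value present, so the fix is a Replacement.
SAMPLE_YAML_MUTABLE = """\
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  Repo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: example-repo
      ImageTagMutability: MUTABLE   # weak: pushed tags can be overwritten
  Bucket:
    Type: AWS::S3::Bucket
"""

# Constructed sample: property missing entirely, so the fix is an Addition.
SAMPLE_YAML_MISSING = """\
Resources:
  Repo:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: example-repo
"""

# Constructed JSON twin of the Replacement case.
SAMPLE_JSON_MUTABLE = json.dumps({"Resources": {"Repo": {
    "Type": "AWS::ECR::Repository",
    "Properties": {"RepositoryName": "example-repo",
                   "ImageTagMutability": "MUTABLE"}}}})


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def remediate_yaml(text, resource, key, value, remediation_type):
    """Patch one property line under Resources.<resource>.Properties,
    leaving every other line (including comments) untouched."""
    lines = text.splitlines()
    res_idx = next((i for i, l in enumerate(lines) if l.strip() == f"{resource}:"), None)
    if res_idx is None:
        raise KeyError(f"resource {resource} not found")
    res_indent = _indent(lines[res_idx])
    props_idx = None
    for i in range(res_idx + 1, len(lines)):
        if not lines[i].strip():
            continue
        if _indent(lines[i]) <= res_indent:
            break  # left the resource block without finding Properties
        if lines[i].strip() == "Properties:":
            props_idx = i
            break
    if props_idx is None:
        raise KeyError(f"{resource} has no Properties block")
    props_indent = _indent(lines[props_idx])
    key_idx, child_indent = None, None
    for i in range(props_idx + 1, len(lines)):
        if not lines[i].strip():
            continue
        ind = _indent(lines[i])
        if ind <= props_indent:
            break  # end of the Properties block
        child_indent = ind if child_indent is None else child_indent
        if ind == child_indent and lines[i].split(":", 1)[0].strip() == key:
            key_idx = i
    if child_indent is None:
        child_indent = props_indent + 2  # empty block: pick the usual step
    new_line = " " * child_indent + f"{key}: {value}"
    kind = remediation_type.lower()
    if kind == "replacement":
        if key_idx is None:
            raise KeyError(f"{key} absent; replacement needs an existing line")
        lines[key_idx] = new_line
    elif kind == "addition":
        if key_idx is not None:
            raise ValueError(f"{key} already present; use a replacement")
        lines.insert(props_idx + 1, new_line)
    else:
        raise ValueError(f"unknown remediation type {remediation_type!r}")
    return "\n".join(lines) + "\n"


def remediate_json(text, resource, key, value, remediation_type):
    """Patch the same property through the parsed JSON document."""
    doc = json.loads(text)
    props = doc["Resources"][resource].setdefault("Properties", {})
    kind = remediation_type.lower()
    if kind not in ("replacement", "addition"):
        raise ValueError(f"unknown remediation type {remediation_type!r}")
    if kind == "replacement" and key not in props:
        raise KeyError(f"{key} absent; replacement needs an existing value")
    if kind == "addition" and key in props:
        raise ValueError(f"{key} already present; use a replacement")
    props[key] = value
    return json.dumps(doc, indent=2) + "\n"


def remediate(filename, text, resource, key, value, remediation_type):
    """Select the editing strategy from the template's extension."""
    ext = PurePath(filename).suffix.lower()
    if ext in (".yaml", ".yml"):
        return remediate_yaml(text, resource, key, value, remediation_type)
    if ext == ".json":
        return remediate_json(text, resource, key, value, remediation_type)
    raise ValueError(f"unsupported template extension {ext!r}")


if __name__ == "__main__":
    args = ("Repo", "ImageTagMutability", "IMMUTABLE")
    print(remediate("repo.yaml", SAMPLE_YAML_MUTABLE, *args, "Replacement"))
    print(remediate("repo.yaml", SAMPLE_YAML_MISSING, *args, "Addition"))
    print(remediate("repo.json", SAMPLE_JSON_MUTABLE, *args, "Replacement"))
```

The strict checks matter for a remediation engine: a Replacement applied to a template where the line is absent, or an Addition applied where the property already exists, would either silently do nothing or produce a duplicate key, so both are refused rather than guessed.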

Documentation

KICS AR docs

PR KICS AR support

rafaela-soares, Oct 03 '22 15:10