diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
index 54a1b3e0dcb..d38726904c9 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/metadata.json
@@ -4,9 +4,9 @@
 "severity": "HIGH",
 "category": "Encryption",
 "descriptionText": "Ensure that AWS ECS clusters are encrypted. Data encryption at rest, prevents unauthorized users from accessing sensitive data on your AWS ECS clusters and associated cache storage systems.",
- "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecs-taskdefinition.html",
+ "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-ec2-instance.html#cfn-ec2-instance-blockdevicemappings",
 "platform": "CloudFormation",
 "descriptionID": "512ea20d",
 "cloudProvider": "aws",
- "cwe": "311"
+ "cwe": "312"
 }
\ No newline at end of file
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego
index 3b470ddccdd..9575c6b4335 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/query.rego
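Review bot: descriptionText is left saying "Ensure that AWS ECS clusters are encrypted ... and associated cache storage systems" while the new descriptionUrl in this hunk (and the rewritten query.rego in the same commit) are about Ebs.Encrypted on the BlockDeviceMappings of AWS::EC2::LaunchTemplate and AWS::EC2::Instance resources, so the text a user sees on a finding no longer describes what is actually checked. Suggest rewording it along the lines of `"descriptionText": "Ensure that EBS volumes declared in the BlockDeviceMappings of EC2 instances and launch templates (the ECS container-instance hosts) have Ebs.Encrypted set to true, so data at rest on the cluster hosts is encrypted."`. The descriptionUrl also points only at the AWS::EC2::Instance property reference although the query covers AWS::EC2::LaunchTemplate as well; queryName sits above line 4 and is outside this hunk, so I cannot tell whether it was brought in line too.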
@@ -3,70 +3,130 @@ package Cx import data.generic.common as common_lib import data.generic.cloudformation as cf_lib + CxPolicy[result] { + # Case of undefined field(s) during path checking - EC2::LaunchTemplate resource := input.document[i].Resources elem := resource[key] - elem.Type == "AWS::ECS::Service" - elem.Properties.Cluster - taskdefinitionkey := getTaskDefinitionName(elem) - taskDefinition := resource[taskdefinitionkey] + elem.Type == "AWS::EC2::LaunchTemplate" + template_data := elem.Properties.LaunchTemplateData + path := check_valid_path(template_data,key) + not path.value + + result := { + "documentId": input.document[i].id, + "resourceType": elem.Type, + "resourceName": cf_lib.get_resource_name(resource, key), + "searchKey": sprintf("Resources.%s.Properties.LaunchTemplateData%s", [key,path.path_tail]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("Resources.%s.Properties.LaunchTemplateData.BlockDeviceMappings.Ebs.Encrypted should be defined and true", [key]), + "keyActualValue": sprintf("%s is not defined.", [path.missing_resource]), + "searchLine": common_lib.build_search_line(path.searchLine,[]), + } +} - count(taskDefinition.Properties.ContainerDefinitions) > 0 - res := is_transit_encryption_disabled(taskDefinition, taskdefinitionkey) +CxPolicy[result] { + # Case of "encrypted" defined but set to false - EC2::LaunchTemplate + resource := input.document[i].Resources + elem := resource[key] + elem.Type == "AWS::EC2::LaunchTemplate" + template_data := elem.Properties.LaunchTemplateData + path := check_valid_path(template_data,key) + path.value + + cf_lib.isCloudFormationFalse(template_data.BlockDeviceMappings[path.index].Ebs.Encrypted) result := { "documentId": input.document[i].id, "resourceType": elem.Type, "resourceName": cf_lib.get_resource_name(resource, key), - "searchKey": sprintf("Resources.%s.Properties.Volumes", [taskdefinitionkey]), - "issueType": res["issueT"], - "keyExpectedValue": res["kev"], - "keyActualValue": 
res["kav"], + "searchKey": sprintf("Resources.%s.Properties.LaunchTemplateData.BlockDeviceMappings.Ebs.Encrypted", [key]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("Resources.%s.Properties.LaunchTemplateData.BlockDeviceMappings.Ebs.Encrypted should be defined and true", [key]), + "keyActualValue": "Encrypted is set to false.", + "searchLine": common_lib.build_search_line(path.searchLine,[]), } } -CxPolicy[result] { +CxPolicy[result] { + # Case of undefined field(s) during path checking - EC2::Instance resource := input.document[i].Resources elem := resource[key] - elem.Type == "AWS::ECS::Service" - elem.Properties.Cluster - taskdefinitionkey := getTaskDefinitionName(elem) - not common_lib.valid_key(resource, taskdefinitionkey) + elem.Type == "AWS::EC2::Instance" + template_data := elem.Properties + path := check_valid_path(template_data,key) + not path.value + + searchLine := [x | x := path.searchLine[_]; x != "LaunchTemplateData"] result := { "documentId": input.document[i].id, "resourceType": elem.Type, - "resourceName": cf_lib.get_resource_name(resource, key), - "searchKey": sprintf("Resources.%s", [taskdefinitionkey]), + "resourceName": cf_lib.get_resource_name(resource, key), + "searchKey": sprintf("Resources.%s.Properties%s", [key,path.path_tail]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s should be defined", [taskdefinitionkey]), - "keyActualValue": sprintf("Resources.%s is not defined.", [taskdefinitionkey]), + "keyExpectedValue": sprintf("Resources.%s.Properties.BlockDeviceMappings.Ebs.Encrypted should be defined and true", [key]), + "keyActualValue": sprintf("%s is not defined.", [path.missing_resource]), + "searchLine": common_lib.build_search_line(searchLine,[]), } } -is_transit_encryption_disabled(taskDefinition, taskdefinitionkey) = res { - volume := taskDefinition.Properties.Volumes[j] - common_lib.valid_key(volume.EFSVolumeConfiguration, "TransitEncryption") - 
volume.EFSVolumeConfiguration.TransitEncryption == "DISABLED" - res := { - "issueT": "IncorrectValue", - "kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be enabled", [taskdefinitionkey, j]), - "kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is disabled", [taskdefinitionkey, j]), - } -} else = res { - volume := taskDefinition.Properties.Volumes[j] - efsVolumeConfiguration := volume.EFSVolumeConfiguration - not common_lib.valid_key(efsVolumeConfiguration, "TransitEncryption") - res := { - "issueT": "MissingAttribute", - "kev": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption should be defined", [taskdefinitionkey, j]), - "kav": sprintf("Resources.%s.Properties.Volumes[%d].EFSVolumeConfiguration.TransitEncryption is not defined (set to DISABLED by default)", [taskdefinitionkey, j]), - } -} +CxPolicy[result] { + # Case of "encrypted" defined but set to false - EC2::Instance + resource := input.document[i].Resources + elem := resource[key] + elem.Type == "AWS::EC2::Instance" + template_data := elem.Properties + path := check_valid_path(template_data,key) + path.value -getTaskDefinitionName(resource) := name { - name := resource.Properties.TaskDefinition - not common_lib.valid_key(name, "Ref") -} else := name { - name := resource.Properties.TaskDefinition.Ref + cf_lib.isCloudFormationFalse(template_data.BlockDeviceMappings[path.index].Ebs.Encrypted) + + searchLine := [x | x := path.searchLine[_]; x != "LaunchTemplateData"] + + result := { + "documentId": input.document[i].id, + "resourceType": elem.Type, + "resourceName": cf_lib.get_resource_name(resource, key), + "searchKey": sprintf("Resources.%s.Properties.BlockDeviceMappings.Ebs.Encrypted", [key]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("Resources.%s.Properties.BlockDeviceMappings.Ebs.Encrypted should be defined and true", [key]), + "keyActualValue": "Encrypted 
is set to false.", + "searchLine": common_lib.build_search_line(searchLine,[]), + } } + +check_valid_path(template_data,key) = path { + common_lib.valid_key(template_data.BlockDeviceMappings[i].Ebs,"Encrypted") + path := { + "value": true, + "searchLine": ["Resources",key,"Properties","LaunchTemplateData","BlockDeviceMappings",i,"Ebs","Encrypted"], + "path_tail": sprintf(".BlockDeviceMappings[%d].Ebs.Encrypted",[i]), + "index": i + } +} else = path { + common_lib.valid_key(template_data.BlockDeviceMappings[i],"Ebs") + path := { + "value": false, + "searchLine": ["Resources",key,"Properties","LaunchTemplateData","BlockDeviceMappings",i,"Ebs"], + "path_tail": sprintf(".BlockDeviceMappings[%d].Ebs.Encrypted",[i]), + "missing_resource": "Encrypted" + } +} else = path { + common_lib.valid_key(template_data,"BlockDeviceMappings") + path := { + "value": false, + "searchLine": ["Resources",key,"Properties","LaunchTemplateData","BlockDeviceMappings"], + "path_tail": ".BlockDeviceMappings[x].Ebs", + "missing_resource": "Ebs" + } +} else = path { + path := { + "value": false, + "searchLine": ["Resources",key,"Properties","LaunchTemplateData"], + "path_tail": ".BlockDeviceMappings", + "missing_resource": "BlockDeviceMappings" + } +} + + diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative1.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative1.yaml index 2f22ea66562..5dbf41d6651 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative1.yaml +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative1.yaml 
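Review bot: check_valid_path iterates `template_data.BlockDeviceMappings[i]` inside a function, so a template with two or more block device mappings (a root volume plus a data volume is the common case) either makes the first clause produce two different outputs for the same arguments, which OPA rejects as a conflicting function result, or, when one mapping is compliant, lets the first clause succeed for that index and never reach an unencrypted sibling, which is then silently not reported. None of the fixtures added in this commit has more than one mapping, so the tests do not exercise this. I would bind the mapping index in each CxPolicy rule body and pass it into the helper, keeping the "BlockDeviceMappings missing" clause in a rule of its own that does not bind an index; the sketch below shows the first rule and the first two helper clauses, the other three rules change the same way. Separately, the two AWS::EC2::Instance rules flag an instance that has no inline BlockDeviceMappings at all, which for an instance that takes its volumes from a LaunchTemplate reference looks more like a false positive than a missing encryption setting; worth confirming that is intended.

```rego
CxPolicy[result] {
	# Case of undefined field(s) during path checking - EC2::LaunchTemplate
	resource := input.document[i].Resources
	elem := resource[key]
	elem.Type == "AWS::EC2::LaunchTemplate"
	template_data := elem.Properties.LaunchTemplateData
	# bind one mapping index per evaluation so every volume is inspected
	template_data.BlockDeviceMappings[idx]
	path := check_valid_path(template_data, key, idx)
	not path.value
	# … unchanged: result construction …
}

# … unchanged: the three sibling rules, each binding idx the same way …

check_valid_path(template_data, key, idx) = path {
	common_lib.valid_key(template_data.BlockDeviceMappings[idx].Ebs, "Encrypted")
	path := {
		"value": true,
		"searchLine": ["Resources", key, "Properties", "LaunchTemplateData", "BlockDeviceMappings", idx, "Ebs", "Encrypted"],
		"path_tail": sprintf(".BlockDeviceMappings[%d].Ebs.Encrypted", [idx]),
		"index": idx,
	}
} else = path {
	common_lib.valid_key(template_data.BlockDeviceMappings[idx], "Ebs")
	path := {
		"value": false,
		"searchLine": ["Resources", key, "Properties", "LaunchTemplateData", "BlockDeviceMappings", idx, "Ebs"],
		"path_tail": sprintf(".BlockDeviceMappings[%d].Ebs.Encrypted", [idx]),
		"missing_resource": "Encrypted",
	}
}
# … unchanged: "Ebs" missing clause now reports idx; the "BlockDeviceMappings" missing clause moves to a rule that binds no index …
```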
@@ -1,133 +1,19 @@ -AWSTemplateFormatVersion: 2010-09-09 -Description: Creating ECS service -Parameters: - AppName: - Type: String - Description: Name of app requiring ELB exposure - Default: simple-app - AppContainerPort: - Type: Number - Description: Container port of app requiring ELB exposure - Default: '80' - AppHostPort: - Type: Number - Description: Host port of app requiring ELB exposure - Default: '80' - ServiceName: - Type: String - LoadBalancerName: - Type: String - HealthCheckGracePeriodSeconds: - Type: String Resources: - cluster: - Type: AWS::ECS::Cluster - taskdefinition: - Type: AWS::ECS::TaskDefinition + ECSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate Properties: - ContainerDefinitions: - - Name: !Ref AppName - MountPoints: - - SourceVolume: my-vol - ContainerPath: /var/www/my-vol - Image: amazon/amazon-ecs-sample - Cpu: '10' - PortMappings: - - ContainerPort: !Ref AppContainerPort - HostPort: !Ref AppHostPort - EntryPoint: - - /usr/sbin/apache2 - - '-D' - - FOREGROUND - Memory: '500' - Essential: true - - Name: busybox - Image: busybox - Cpu: '10' - EntryPoint: - - sh - - '-c' - Memory: '500' - Command: - - >- - /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep - 1; done" - Essential: false - VolumesFrom: - - SourceContainer: !Ref AppName - Volumes: - - Host: - SourcePath: /var/lib/docker/vfs/dir/ - Name: my-vol - EFSVolumeConfiguration: - TransitEncryption: ENABLED - TransitEncryptionPort: 8080 + LaunchTemplateName: ECS-Encrypted-LT + LaunchTemplateData: + ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI + InstanceType: t3.micro + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeSize: 30 + VolumeType: gp2 + Encrypted: true + UserData: + Fn::Base64: !Sub | + #!/bin/bash + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config - service: - Type: AWS::ECS::Service - Properties: - Cluster: !Ref cluster - DeploymentConfiguration: - MaximumPercent: 200 - MinimumHealthyPercent: 100 - DesiredCount: 0 - 
HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds - LoadBalancers: - - ContainerName: !Ref AppName - ContainerPort: !Ref AppContainerPort - LoadBalancerName: !Ref elb - PlacementStrategies: - - Type: binpack - Field: memory - - Type: spread - Field: host - PlacementConstraints: - - Type: memberOf - Expression: 'attribute:ecs.availability-zone != us-east-1d' - - Type: distinctInstance - TaskDefinition: !Ref taskdefinition - ServiceName: !Ref ServiceName - Role: !Ref Role - elb: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Properties: - LoadBalancerName: !Ref LoadBalancerName - Listeners: - - InstancePort: !Ref AppHostPort - LoadBalancerPort: '80' - Protocol: HTTP - Subnets: - - !Ref Subnet1 - DependsOn: GatewayAttachment - VPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: 10.0.0.0/24 - Subnet1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - CidrBlock: 10.0.0.0/25 - InternetGateway: - Type: AWS::EC2::InternetGateway - GatewayAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref InternetGateway - VpcId: !Ref VPC - Role: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2008-10-17 - Statement: - - Sid: '' - Effect: Allow - Principal: - Service: ecs.amazonaws.com - Action: 'sts:AssumeRole' - ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' -Outputs: - Cluster: - Value: !Ref cluster \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.json deleted file mode 100644 index b1c7749fb18..00000000000 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.json +++ /dev/null 
@@ -1,204 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", - "Description": "Creating ECS service", - "Parameters": { - "HealthCheckGracePeriodSeconds": { - "Type": "String" - }, - "AppName": { - "Type": "String", - "Description": "Name of app requiring ELB exposure", - "Default": "simple-app" - }, - "AppContainerPort": { - "Type": "Number", - "Description": "Container port of app requiring ELB exposure", - "Default": "80" - }, - "AppHostPort": { - "Type": "Number", - "Description": "Host port of app requiring ELB exposure", - "Default": "80" - }, - "ServiceName": { - "Type": "String" - }, - "LoadBalancerName": { - "Type": "String" - } - }, - "Resources": { - "InternetGateway": { - "Type": "AWS::EC2::InternetGateway" - }, - "GatewayAttachment": { - "Type": "AWS::EC2::VPCGatewayAttachment", - "Properties": { - "InternetGatewayId": "InternetGateway", - "VpcId": "VPC" - } - }, - "Role": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2008-10-17T00:00:00Z", - "Statement": [ - { - "Action": "sts:AssumeRole", - "Sid": "", - "Effect": "Allow", - "Principal": { - "Service": "ecs.amazonaws.com" - } - } - ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" - ] - } - }, - "cluster": { - "Type": "AWS::ECS::Cluster" - }, - "service": { - "Type": "AWS::ECS::Service", - "Properties": { - "DeploymentConfiguration": { - "MaximumPercent": 200, - "MinimumHealthyPercent": 100 - }, - "TaskDefinition": "taskdefinition", - "Role": "Role", - "LoadBalancers": [ - { - "ContainerName": "AppName", - "ContainerPort": "AppContainerPort", - "LoadBalancerName": "elb" - } - ], - "PlacementStrategies": [ - { - "Type": "binpack", - "Field": "memory" - }, - { - "Type": "spread", - "Field": "host" - } - ], - "PlacementConstraints": [ - { - "Type": "memberOf", - "Expression": "attribute:ecs.availability-zone != us-east-1d" - }, - { - "Type": "distinctInstance" - } - ], - "ServiceName": 
"ServiceName", - "Cluster": "cluster", - "DesiredCount": 0, - "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds" - } - }, - "elb": { - "Type": "AWS::ElasticLoadBalancing::LoadBalancer", - "Properties": { - "Subnets": [ - "Subnet1" - ], - "LoadBalancerName": "LoadBalancerName", - "Listeners": [ - { - "LoadBalancerPort": "80", - "Protocol": "HTTP", - "InstancePort": "AppHostPort" - } - ] - }, - "DependsOn": "GatewayAttachment" - }, - "VPC": { - "Type": "AWS::EC2::VPC", - "Properties": { - "CidrBlock": "10.0.0.0/24" - } - }, - "Subnet1": { - "Type": "AWS::EC2::Subnet", - "Properties": { - "CidrBlock": "10.0.0.0/25", - "VpcId": "VPC" - } - }, - "taskdefinition": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Image": "amazon/amazon-ecs-sample", - "Cpu": "10", - "PortMappings": [ - { - "HostPort": "AppHostPort", - "ContainerPort": "AppContainerPort" - } - ], - "EntryPoint": [ - "/usr/sbin/apache2", - "-D", - "FOREGROUND" - ], - "Memory": "500", - "Essential": true, - "Name": "AppName", - "MountPoints": [ - { - "SourceVolume": "my-vol", - "ContainerPath": "/var/www/my-vol" - } - ] - }, - { - "Cpu": "10", - "EntryPoint": [ - "sh", - "-c" - ], - "Memory": "500", - "Command": [ - "/bin/sh -c \"while true; do /bin/date \u003e /var/www/my-vol/date; sleep 1; done\"" - ], - "Essential": false, - "VolumesFrom": [ - { - "SourceContainer": "AppName" - } - ], - "Name": "busybox", - "Image": "busybox" - } - ], - "Volumes": [ - { - "Host": { - "SourcePath": "/var/lib/docker/vfs/dir/" - }, - "Name": "my-vol", - "EFSVolumeConfiguration": { - "TransitEncryption": "ENABLED", - "TransitEncryptionPort": 8080 - } - } - ] - } - } - }, - "Outputs": { - "Cluster": { - "Value": "cluster" - } - } -} diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.yaml new file mode 100644 index 00000000000..cede35ba742 
--- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative2.yaml @@ -0,0 +1,19 @@ +Resources: + ECSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateName: ECS-Encrypted-LT + LaunchTemplateData: + ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI + InstanceType: t3.micro + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeSize: 30 + VolumeType: gp2 + Encrypted: "true" + UserData: + Fn::Base64: !Sub | + #!/bin/bash + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config + diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.json new file mode 100644 index 00000000000..f615b353a7c --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.json @@ -0,0 +1,29 @@ +{ + "Resources": { + "ECSLaunchTemplate": { + "Type": "AWS::EC2::LaunchTemplate", + "Properties": { + "LaunchTemplateName": "ECS-Encrypted-LT", + "LaunchTemplateData": { + "ImageId": "ami-xxxxxxxxxxxxxx", + "InstanceType": "t3.micro", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeSize": 30, + "VolumeType": "gp2", + "Encrypted": true + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config" + } + } + } + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.yaml deleted file mode 100755 index 825f0d8955b..00000000000 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative3.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -Resources: - TaskDef54694570: - Type: AWS::ECS::TaskDefinition - Properties: - ContainerDefinitions: - - Environment: - - Name: DEPLOYMENT_TIMESTAMP - Value: "2024-08-20T00:41:57.620Z" - Essential: true - HealthCheck: - Command: - - CMD-SHELL - - curl -f http://localhost:3000/health || exit - Interval: 30 - Retries: 3 - StartPeriod: 30 - Timeout: 5 - Image: - Fn::Join: - - "" - - - 123456789012.dkr.ecr.us-west-2. - - Ref: AWS::URLSuffix - - /example-nms:latest - ExecutionRoleArn: - Fn::GetAtt: - - TaskDefExecutionRoleB4775C97 - - Arn - RequiresCompatibilities: - - EC2 - Tags: - - Key: classification - Value: internal - - Key: component - Value: example-nms - - Key: env - Value: development - - Key: owner - Value: example@owner.com - - Key: product - Value: internal_tools - TaskRoleArn: - Fn::GetAtt: - - EcsTaskRole8DFA0181 - - Arn - ExampleNameMatchService0992A2E7: - Type: AWS::ECS::Service - Properties: - Cluster: example-ecs - SchedulingStrategy: REPLICA - Tags: - - Key: classification - Value: internal - - Key: component - Value: example-nms - - Key: env - Value: development - - Key: owner - Value: example@owner.com - - Key: product - Value: internal_tools - TaskDefinition: - Ref: TaskDef54694570 diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative4.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative4.json new file mode 100644 index 00000000000..48b5aebdf3e --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative4.json 
@@ -0,0 +1,29 @@ +{ + "Resources": { + "ECSLaunchTemplate": { + "Type": "AWS::EC2::LaunchTemplate", + "Properties": { + "LaunchTemplateName": "ECS-Encrypted-LT", + "LaunchTemplateData": { + "ImageId": "ami-xxxxxxxxxxxxxx", + "InstanceType": "t3.micro", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeSize": 30, + "VolumeType": "gp2", + "Encrypted": "true" + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config" + } + } + } + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative5.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative5.yaml new file mode 100644 index 00000000000..7fcae656c2f --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative5.yaml @@ -0,0 +1,18 @@ +Resources: + MyEC2Instance: + Type: AWS::EC2::Instance + Properties: + InstanceType: t2.micro + ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI + InstanceType: t3.micro + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeSize: 30 + VolumeType: gp2 + Encrypted: true + UserData: + Fn::Base64: !Sub | + #!/bin/bash + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config + diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative6.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative6.json new file mode 100644 index 00000000000..e04006e61cc --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/negative6.json 
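Review bot: negative5.yaml declares `InstanceType` twice under MyEC2Instance.Properties (`InstanceType: t2.micro` and then `InstanceType: t3.micro`), so what the fixture parses to depends on how the YAML loader treats duplicate keys, and a strict loader rejects it outright. Drop the first `InstanceType: t2.micro` line so the template is unambiguous and matches the JSON twin in negative6.json.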
@@ -0,0 +1,26 @@ +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.micro", + "ImageId": "ami-xxxxxxxxxxxxxx", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeSize": 30, + "VolumeType": "gp2", + "Encrypted": true + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config" + } + } + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive1.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive1.yaml index 3e8c7c2a75f..bf516bf55cc 100644 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive1.yaml +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive1.yaml 
@@ -1,108 +1,19 @@ Resources: - cluster: - Type: AWS::ECS::Cluster - taskdefinition: - Type: AWS::ECS::TaskDefinition + ECSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate Properties: - ContainerDefinitions: - - Name: !Ref AppName - MountPoints: - - SourceVolume: my-vol - ContainerPath: /var/www/my-vol - Image: amazon/amazon-ecs-sample - Cpu: '10' - PortMappings: - - ContainerPort: !Ref AppContainerPort - HostPort: !Ref AppHostPort - EntryPoint: - - /usr/sbin/apache2 - - '-D' - - FOREGROUND - Memory: '500' - Essential: true - - Name: busybox - Image: busybox - Cpu: '10' - EntryPoint: - - sh - - '-c' - Memory: '500' - Command: - - >- - /bin/sh -c "while true; do /bin/date > /var/www/my-vol/date; sleep - 1; done" - Essential: false - VolumesFrom: - - SourceContainer: !Ref AppName - Volumes: - - Host: - SourcePath: /var/lib/docker/vfs/dir/ - Name: my-vol - EFSVolumeConfiguration: - TransitEncryption: DISABLED - TransitEncryptionPort: 8080 - service: - Type: AWS::ECS::Service - Properties: - Cluster: !Ref cluster - DeploymentConfiguration: - MaximumPercent: 200 - MinimumHealthyPercent: 100 - DesiredCount: 0 - HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds - LoadBalancers: - - ContainerName: !Ref AppName - ContainerPort: !Ref AppContainerPort - LoadBalancerName: !Ref elb - PlacementStrategies: - - Type: binpack - Field: memory - - Type: spread - Field: host - PlacementConstraints: - - Type: memberOf - Expression: 'attribute:ecs.availability-zone != us-east-1d' - - Type: distinctInstance - TaskDefinition: !Ref taskdefinition - ServiceName: !Ref ServiceName - Role: !Ref Role - elb: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Properties: - LoadBalancerName: !Ref LoadBalancerName - Listeners: - - InstancePort: !Ref AppHostPort - LoadBalancerPort: '80' - Protocol: HTTP - Subnets: - - !Ref Subnet1 - DependsOn: GatewayAttachment - VPC: - Type: AWS::EC2::VPC - Properties: - CidrBlock: 10.0.0.0/24 - Subnet1: - Type: AWS::EC2::Subnet - Properties: - 
VpcId: !Ref VPC - CidrBlock: 10.0.0.0/25 - InternetGateway: - Type: AWS::EC2::InternetGateway - GatewayAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref InternetGateway - VpcId: !Ref VPC - Role: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2008-10-17 - Statement: - - Sid: '' - Effect: Allow - Principal: - Service: ecs.amazonaws.com - Action: 'sts:AssumeRole' - ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' + LaunchTemplateName: ECS-Encrypted-LT + LaunchTemplateData: + ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI + InstanceType: t3.micro + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeSize: 30 + VolumeType: gp2 + Encrypted: false + UserData: + Fn::Base64: !Sub | + #!/bin/bash + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config + diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive10.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive10.json new file mode 100644 index 00000000000..1d5c0bacb3b --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive10.json @@ -0,0 +1,26 @@ +{ + "Resources": { + "MyEC2Instance": { + "Type": "AWS::EC2::Instance", + "Properties": { + "InstanceType": "t3.micro", + "ImageId": "ami-xxxxxxxxxxxxxx", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeSize": 30, + "VolumeType": "gp2", + "Encrypted": false + } + } + ], + "UserData": { + "Fn::Base64": { + "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config" + } + } + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive2.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive2.yaml index 95f07d8e795..34d02c6fd63 100644 
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive2.yaml +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive2.yaml 
@@ -1,68 +1,19 @@ Resources: - cluster: - Type: AWS::ECS::Cluster - service: - Type: AWS::ECS::Service + ECSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate Properties: - Cluster: !Ref cluster - DeploymentConfiguration: - MaximumPercent: 200 - MinimumHealthyPercent: 100 - DesiredCount: 0 - HealthCheckGracePeriodSeconds: !Ref HealthCheckGracePeriodSeconds - LoadBalancers: - - ContainerName: !Ref AppName - ContainerPort: !Ref AppContainerPort - LoadBalancerName: !Ref elb - PlacementStrategies: - - Type: binpack - Field: memory - - Type: spread - Field: host - PlacementConstraints: - - Type: memberOf - Expression: 'attribute:ecs.availability-zone != us-east-1d' - - Type: distinctInstance - TaskDefinition: !Ref taskdefinition1 - ServiceName: !Ref ServiceName - Role: !Ref Role - elb: - Type: AWS::ElasticLoadBalancing::LoadBalancer - Properties: - LoadBalancerName: !Ref LoadBalancerName - Listeners: - - InstancePort: !Ref AppHostPort - LoadBalancerPort: '80' - Protocol: HTTP - Subnets: - - !Ref Subnet1 - DependsOn: GatewayAttachment - VPC2: - Type: AWS::EC2::VPC - Properties: - CidrBlock: 10.0.0.0/24 - Subnet1: - Type: AWS::EC2::Subnet - Properties: - VpcId: !Ref VPC - CidrBlock: 10.0.0.0/25 - InternetGateway: - Type: AWS::EC2::InternetGateway - GatewayAttachment: - Type: AWS::EC2::VPCGatewayAttachment - Properties: - InternetGatewayId: !Ref InternetGateway - VpcId: !Ref VPC - Role: - Type: AWS::IAM::Role - Properties: - AssumeRolePolicyDocument: - Version: 2008-10-17 - Statement: - - Sid: '' - Effect: Allow - Principal: - Service: ecs.amazonaws.com - Action: 'sts:AssumeRole' - ManagedPolicyArns: - - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole' + LaunchTemplateName: ECS-Encrypted-LT + LaunchTemplateData: + ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI + InstanceType: t3.micro + BlockDeviceMappings: + - DeviceName: /dev/xvda + Ebs: + VolumeSize: 30 + VolumeType: gp2 + UserData: + Fn::Base64: !Sub | + #!/bin/bash + echo ECS_CLUSTER=${ECSCluster} 
>> /etc/ecs/ecs.config + + diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive3.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive3.json deleted file mode 100644 index 8c091c8f59c..00000000000 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive3.json +++ /dev/null 
@@ -1,171 +0,0 @@ -{ - "Resources": { - "cluster": { - "Type": "AWS::ECS::Cluster" - }, - "service": { - "Type": "AWS::ECS::Service", - "Properties": { - "LoadBalancers": [ - { - "ContainerName": "AppName", - "ContainerPort": "AppContainerPort", - "LoadBalancerName": "elb" - } - ], - "PlacementStrategies": [ - { - "Type": "binpack", - "Field": "memory" - }, - { - "Type": "spread", - "Field": "host" - } - ], - "PlacementConstraints": [ - { - "Expression": "attribute:ecs.availability-zone != us-east-1d", - "Type": "memberOf" - }, - { - "Type": "distinctInstance" - } - ], - "Role": "Role", - "DeploymentConfiguration": { - "MaximumPercent": 200, - "MinimumHealthyPercent": 100 - }, - "DesiredCount": 0, - "TaskDefinition": "taskdefinition", - "ServiceName": "ServiceName", - "Cluster": "cluster", - "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds" - } - }, - "elb": { - "DependsOn": "GatewayAttachment", - "Type": "AWS::ElasticLoadBalancing::LoadBalancer", - "Properties": { - "LoadBalancerName": "LoadBalancerName", - "Listeners": [ - { - "LoadBalancerPort": "80", - "Protocol": "HTTP", - "InstancePort": "AppHostPort" - } - ], - "Subnets": [ - "Subnet1" - ] - } - }, - "InternetGateway": { - "Type": "AWS::EC2::InternetGateway" - }, - "GatewayAttachment": { - "Type": "AWS::EC2::VPCGatewayAttachment", - "Properties": { - "VpcId": "VPC", - "InternetGatewayId": "InternetGateway" - } - }, - "taskdefinition": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Essential": true, - "Name": "AppName", - "MountPoints": [ - { - "SourceVolume": "my-vol", - "ContainerPath": "/var/www/my-vol" - } - ], - "Image": "amazon/amazon-ecs-sample", - "Cpu": "10", - "PortMappings": [ - { - "ContainerPort": "AppContainerPort", - "HostPort": "AppHostPort" - } - ], - "EntryPoint": [ - "/usr/sbin/apache2", - "-D", - "FOREGROUND" - ], - "Memory": "500" - }, - { - "Memory": "500", - "Command": [ - "/bin/sh -c \"while true; do /bin/date \u003e 
/var/www/my-vol/date; sleep 1; done\"" - ], - "Essential": false, - "VolumesFrom": [ - { - "SourceContainer": "AppName" - } - ], - "Name": "busybox", - "Image": "busybox", - "Cpu": "10", - "EntryPoint": [ - "sh", - "-c" - ] - } - ], - "Volumes": [ - { - "Host": { - "SourcePath": "/var/lib/docker/vfs/dir/" - }, - "Name": "my-vol", - "EFSVolumeConfiguration": { - "TransitEncryption": "DISABLED", - "TransitEncryptionPort": 8080 - } - } - ] - } - }, - "VPC": { - "Type": "AWS::EC2::VPC", - "Properties": { - "CidrBlock": "10.0.0.0/24" - } - }, - "Subnet1": { - "Type": "AWS::EC2::Subnet", - "Properties": { - "VpcId": "VPC", - "CidrBlock": "10.0.0.0/25" - } - }, - "Role": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2008-10-17T00:00:00Z", - "Statement": [ - { - "Principal": { - "Service": "ecs.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Sid": "", - "Effect": "Allow" - } - ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" - ] - } - } - } -} diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive3.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive3.yaml new file mode 100644 index 00000000000..be4091aebda --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive3.yaml @@ -0,0 +1,15 @@ +Resources: + ECSLaunchTemplate: + Type: AWS::EC2::LaunchTemplate + Properties: + LaunchTemplateName: ECS-Encrypted-LT + LaunchTemplateData: + ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI + InstanceType: t3.micro + BlockDeviceMappings: + - DeviceName: /dev/xvda + UserData: + Fn::Base64: !Sub | + #!/bin/bash + echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config + 
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive4.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive4.json deleted file mode 100644 index fd72cd1b08d..00000000000 --- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive4.json +++ /dev/null 
@@ -1,109 +0,0 @@
-{
- "Resources": {
- "InternetGateway": {
- "Type": "AWS::EC2::InternetGateway"
- },
- "GatewayAttachment": {
- "Properties": {
- "InternetGatewayId": "InternetGateway",
- "VpcId": "VPC"
- },
- "Type": "AWS::EC2::VPCGatewayAttachment"
- },
- "Role": {
- "Type": "AWS::IAM::Role",
- "Properties": {
- "AssumeRolePolicyDocument": {
- "Statement": [
- {
- "Sid": "",
- "Effect": "Allow",
- "Principal": {
- "Service": "ecs.amazonaws.com"
- },
- "Action": "sts:AssumeRole"
- }
- ],
- "Version": "2008-10-17T00:00:00Z"
- },
- "ManagedPolicyArns": [
- "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole"
- ]
- }
- },
- "cluster": {
- "Type": "AWS::ECS::Cluster"
- },
- "service": {
- "Type": "AWS::ECS::Service",
- "Properties": {
- "PlacementConstraints": [
- {
- "Type": "memberOf",
- "Expression": "attribute:ecs.availability-zone != us-east-1d"
- },
- {
- "Type": "distinctInstance"
- }
- ],
- "ServiceName": "ServiceName",
- "Role": "Role",
- "Cluster": "cluster",
- "DesiredCount": 0,
- "HealthCheckGracePeriodSeconds": "HealthCheckGracePeriodSeconds",
- "TaskDefinition": "taskdefinition1",
- "DeploymentConfiguration": {
- "MaximumPercent": 200,
- "MinimumHealthyPercent": 100
- },
- "LoadBalancers": [
- {
- "ContainerName": "AppName",
- "ContainerPort": "AppContainerPort",
- "LoadBalancerName": "elb"
- }
- ],
- "PlacementStrategies": [
- {
- "Type": "binpack",
- "Field": "memory"
- },
- {
- "Type": "spread",
- "Field": "host"
- }
- ]
- }
- },
- "elb": {
- "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
- "Properties": {
- "LoadBalancerName": "LoadBalancerName",
- "Listeners": [
- {
- "LoadBalancerPort": "80",
- "Protocol": "HTTP",
- "InstancePort": "AppHostPort"
- }
- ],
- "Subnets": [
- "Subnet1"
- ]
- },
- "DependsOn": "GatewayAttachment"
- },
- "VPC2": {
- "Type": "AWS::EC2::VPC",
- "Properties": {
- "CidrBlock": "10.0.0.0/24"
- }
- },
- "Subnet1": {
- "Type": "AWS::EC2::Subnet",
- "Properties": {
- "VpcId": "VPC",
- "CidrBlock": "10.0.0.0/25"
- }
- }
- }
-}
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive4.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive4.yaml
new file mode 100644
index 00000000000..56168d493e3
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive4.yaml
@@ -0,0 +1,12 @@
+Resources:
+ ECSLaunchTemplate:
+ Type: AWS::EC2::LaunchTemplate
+ Properties:
+ LaunchTemplateName: ECS-Encrypted-LT
+ LaunchTemplateData:
+ ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI
+ InstanceType: t3.micro
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash
+ echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive5.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive5.json
index f4cd40c8513..e0f455d102c 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive5.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive5.json
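Review bot: positive4.yaml (and positive8.json, which has the same shape) declares no `BlockDeviceMappings` at all, and positive_expected_result.json pins the `LaunchTemplateData` line (6) as a HIGH finding; a launch template without block device mappings inherits the root volume from the AMI snapshot, and whether that volume ends up encrypted depends on the snapshot and on the account's EBS encryption-by-default setting, neither of which a template scanner can see. Reporting the absent property will therefore flag every launch template that relies on AMI defaults; if that is the intended policy, the fixture should say so, e.g. `# Positive: no BlockDeviceMappings, so encryption at rest cannot be asserted from the template`, so that a later maintainer does not read it as a bug in the test. As in the sibling fixtures, `ECS-Encrypted-LT` is a misleading name for an unencrypted sample.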
@@ -1,64 +1,28 @@ { "Resources": { - "cluster": { - "Type": "AWS::ECS::Cluster" - }, - "service": { - "Type": "AWS::ECS::Service", + "ECSLaunchTemplate": { + "Type": "AWS::EC2::LaunchTemplate", "Properties": { - "ServiceName": "ServiceName", - "Cluster": "cluster", - "TaskDefinition": "taskdefinition", - "DesiredCount": 1, - "Role": "Role" - } - }, - "taskdefinition": { - "Type": "AWS::ECS::TaskDefinition", - "Properties": { - "ContainerDefinitions": [ - { - "Name": "AppContainer", - "Image": "amazon/amazon-ecs-sample", - "Essential": true, - "Memory": 512, - "Cpu": 100, - "MountPoints": [ - { - "SourceVolume": "my-efs-vol", - "ContainerPath": "/mnt/efs" + "LaunchTemplateName": "ECS-Encrypted-LT", + "LaunchTemplateData": { + "ImageId": "ami-xxxxxxxxxxxxxx", + "InstanceType": "t3.micro", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "VolumeSize": 30, + "VolumeType": "gp2", + "Encrypted": false } - ] - } - ], - "Volumes": [ - { - "Name": "my-efs-vol", - "EFSVolumeConfiguration": { - "FilesystemId": "fs-12345678" } - } - ] - } - }, - "Role": { - "Type": "AWS::IAM::Role", - "Properties": { - "AssumeRolePolicyDocument": { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": "ecs.amazonaws.com" - }, - "Action": "sts:AssumeRole" + ], + "UserData": { + "Fn::Base64": { + "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config" } - ] - }, - "ManagedPolicyArns": [ - "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole" - ] + } + } } } } diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive6.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive6.json new file mode 100644 index 00000000000..f19720ee935 --- /dev/null +++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive6.json 
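Review bot: positive5.json exercises `"Encrypted": false` only as a JSON boolean (line 16), while CloudFormation also accepts the string form `"false"` for this property; a second positive with `"Encrypted": "false"` would confirm that the falsy check the query relies on handles both representations rather than only the boolean. The `LaunchTemplateName` value `ECS-Encrypted-LT` describes the opposite of what the fixture shows; `ECS-Unencrypted-LT` would keep the sample self-explanatory.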
@@ -0,0 +1,28 @@
+{
+ "Resources": {
+ "ECSLaunchTemplate": {
+ "Type": "AWS::EC2::LaunchTemplate",
+ "Properties": {
+ "LaunchTemplateName": "ECS-Encrypted-LT",
+ "LaunchTemplateData": {
+ "ImageId": "ami-xxxxxxxxxxxxxx",
+ "InstanceType": "t3.micro",
+ "BlockDeviceMappings": [
+ {
+ "DeviceName": "/dev/xvda",
+ "Ebs": {
+ "VolumeSize": 30,
+ "VolumeType": "gp2"
+ }
+ }
+ ],
+ "UserData": {
+ "Fn::Base64": {
+ "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive7.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive7.json
new file mode 100644
index 00000000000..ed87991f694
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive7.json
@@ -0,0 +1,24 @@
+{
+ "Resources": {
+ "ECSLaunchTemplate": {
+ "Type": "AWS::EC2::LaunchTemplate",
+ "Properties": {
+ "LaunchTemplateName": "ECS-Encrypted-LT",
+ "LaunchTemplateData": {
+ "ImageId": "ami-xxxxxxxxxxxxxx",
+ "InstanceType": "t3.micro",
+ "BlockDeviceMappings": [
+ {
+ "DeviceName": "/dev/xvda"
+ }
+ ],
+ "UserData": {
+ "Fn::Base64": {
+ "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive8.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive8.json
new file mode 100644
index 00000000000..aa8093a641a
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive8.json
@@ -0,0 +1,19 @@
+{
+ "Resources": {
+ "ECSLaunchTemplate": {
+ "Type": "AWS::EC2::LaunchTemplate",
+ "Properties": {
+ "LaunchTemplateName": "ECS-Encrypted-LT",
+ "LaunchTemplateData": {
+ "ImageId": "ami-xxxxxxxxxxxxxx",
+ "InstanceType": "t3.micro",
+ "UserData": {
+ "Fn::Base64": {
+ "Fn::Sub": "#!/bin/bash\necho ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive9.yaml b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive9.yaml
new file mode 100644
index 00000000000..cbb7ebf5cb9
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive9.yaml
@@ -0,0 +1,18 @@
+Resources:
+ MyEC2Instance:
+ Type: AWS::EC2::Instance
+ Properties:
+ InstanceType: t2.micro
+ ImageId: ami-xxxxxxxxxxxxxx # ECS-optimized AMI
+ InstanceType: t3.micro
+ BlockDeviceMappings:
+ - DeviceName: /dev/xvda
+ Ebs:
+ VolumeSize: 30
+ VolumeType: gp2
+ Encrypted: false
+ UserData:
+ Fn::Base64: !Sub |
+ #!/bin/bash
+ echo ECS_CLUSTER=${ECSCluster} >> /etc/ecs/ecs.config
+ 
diff --git a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
index b09dcb3ebf8..b03c6e487dc 100644
--- a/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
+++ b/assets/queries/cloudFormation/aws/ecs_cluster_not_encrypted_at_rest/test/positive_expected_result.json
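Review bot: positive9.yaml declares `InstanceType` twice (`t2.micro` on line 5 and `t3.micro` on line 7); duplicate mapping keys are not valid YAML, so depending on the parser the document is rejected outright or only the last value survives, and a rejected fixture would never reach the query. Drop the first `InstanceType: t2.micro` line; the `Encrypted: false` line this fixture is expected to report then moves from 13 to 12 and positive_expected_result.json needs the matching update. The trailing whitespace-only line can go as well.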
@@ -2,31 +2,61 @@
 {
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 37,
+ "line": 14,
 "fileName": "positive1.yaml"
 },
 {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 26,
- "fileName": "positive2.yaml",
- "queryName": "ECS Cluster Not Encrypted At Rest"
+ "line": 11,
+ "fileName": "positive2.yaml"
 },
 {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 122,
- "fileName": "positive3.json",
- "queryName": "ECS Cluster Not Encrypted At Rest"
+ "line": 9,
+ "fileName": "positive3.yaml"
 },
 {
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 54,
- "fileName": "positive4.json"
+ "line": 6,
+ "fileName": "positive4.yaml"
 },
 {
 "queryName": "ECS Cluster Not Encrypted At Rest",
 "severity": "HIGH",
- "line": 34,
+ "line": 16,
 "fileName": "positive5.json"
+ },
+ {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive6.json"
+ },
+ {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
+ "severity": "HIGH",
+ "line": 10,
+ "fileName": "positive7.json"
+ },
+ {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
+ "severity": "HIGH",
+ "line": 7,
+ "fileName": "positive8.json"
+ },
+ {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
+ "severity": "HIGH",
+ "line": 13,
+ "fileName": "positive9.yaml"
+ },
+ {
+ "queryName": "ECS Cluster Not Encrypted At Rest",
+ "severity": "HIGH",
+ "line": 14,
+ "fileName": "positive10.json"
 }
 ]