feat(compliance): add FedRAMP 20x KSI Low compliance frameworks (#9198)
Co-authored-by: pedrooot <pedromarting3@gmail.com>
@@ -82,9 +82,9 @@ prowler dashboard
|
||||
|
||||
| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
|
||||
|---|---|---|---|---|---|---|
|
||||
| AWS | 576 | 82 | 38 | 10 | Official | UI, API, CLI |
|
||||
| GCP | 79 | 13 | 12 | 3 | Official | UI, API, CLI |
|
||||
| Azure | 162 | 19 | 12 | 4 | Official | UI, API, CLI |
|
||||
| AWS | 576 | 82 | 39 | 10 | Official | UI, API, CLI |
|
||||
| GCP | 79 | 13 | 13 | 3 | Official | UI, API, CLI |
|
||||
| Azure | 162 | 19 | 13 | 4 | Official | UI, API, CLI |
|
||||
| Kubernetes | 83 | 7 | 5 | 7 | Official | UI, API, CLI |
|
||||
| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
|
||||
| M365 | 70 | 7 | 3 | 2 | Official | UI, API, CLI |
|
||||
|
||||
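--- /dev/null
+++ b/UNKNOWN_PATH_dashboard_compliance_file_1.py
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    # Shorten the long FedRAMP KSI descriptions for better display
+    ksi_short_names = {
+        "A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+        "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+        "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+        "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+        "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+        "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+        "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+        "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+        "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+        "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+    }
+
+    # Replace long descriptions with short names - use contains for partial matching
+    if not aux.empty:
+        for long_desc, short_name in ksi_short_names.items():
+            mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+                long_desc, na=False, regex=False
+            )
+            aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )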
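Review bot: The `ksi_short_names` map in `get_table` does not cover every requirement description this commit ships, so those rows keep their full text in the dashboard: the AWS and Azure JSON both describe KSI-INR as `A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies`, which matches none of the keys (the map only knows the "Incident Reporting" wording), and the KSI-IAM-07 / KSI-MLA-07 entries carry their own one-line descriptions that match no key either. The minimal fix is an extra entry such as `"A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies": "Incident Response",`, though keying the map on the stable `REQUIREMENTS_ID` values (`ksi-cmt`, `ksi-iam`, …) instead of substring-matching free text would stop this drifting whenever a description is reworded. The same body is repeated verbatim in the next two dashboard files in this commit; hoisting the map and the replacement loop into `dashboard.common_methods` next to `get_section_containers_cis` keeps the three providers in sync. `warnings.filterwarnings("ignore")` at import time silences every warning category for the whole dashboard process, so if that is deliberate a one-line comment naming the warnings it is meant to hide would help the next reader.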
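--- /dev/null
+++ b/UNKNOWN_PATH_dashboard_compliance_file_2.py
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    # Shorten the long FedRAMP KSI descriptions for better display
+    ksi_short_names = {
+        "A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+        "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+        "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+        "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+        "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+        "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+        "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+        "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+        "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+        "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+    }
+
+    # Replace long descriptions with short names - use contains for partial matching
+    if not aux.empty:
+        for long_desc, short_name in ksi_short_names.items():
+            mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+                long_desc, na=False, regex=False
+            )
+            aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )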
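--- /dev/null
+++ b/UNKNOWN_PATH_dashboard_compliance_file_3.py
@@ -0,0 +1,46 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_cis
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    # Shorten the long FedRAMP KSI descriptions for better display
+    ksi_short_names = {
+        "A secure cloud service offering will protect user data, control access, and apply zero trust principles": "Identity and Access Management",
+        "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system": "Cloud Native Architecture",
+        "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly": "Change Management",
+        "A secure cloud service provider will continuously educate their employees on cybersecurity measures, testing them regularly": "Cybersecurity Education",
+        "A secure cloud service offering will document, report, and analyze security incidents to ensure regulatory compliance and continuous security improvement": "Incident Reporting",
+        "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes": "Monitoring, Logging, and Auditing",
+        "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured": "Policy and Inventory",
+        "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss": "Recovery Planning",
+        "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources": "Service Configuration",
+        "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources": "Third-Party Information Resources",
+    }
+
+    # Replace long descriptions with short names - use contains for partial matching
+    if not aux.empty:
+        for long_desc, short_name in ksi_short_names.items():
+            mask = aux["REQUIREMENTS_DESCRIPTION"].str.contains(
+                long_desc, na=False, regex=False
+            )
+            aux.loc[mask, "REQUIREMENTS_DESCRIPTION"] = short_name
+
+    return get_section_containers_cis(
+        aux, "REQUIREMENTS_ID", "REQUIREMENTS_ATTRIBUTES_SECTION"
+    )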
@@ -19,6 +19,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
|
||||
- Add multiple compliance improvements [(#9145)](https://github.com/prowler-cloud/prowler/pull/9145)
|
||||
- Added validation for invalid checks, services, and categories in `load_checks_to_execute` function [(#8971)](https://github.com/prowler-cloud/prowler/pull/8971)
|
||||
- NIST CSF 2.0 compliance framework for the AWS provider [(#9185)](https://github.com/prowler-cloud/prowler/pull/9185)
|
||||
- Add FedRAMP 20x KSI Low for AWS, Azure and GCP [(#9198)](https://github.com/prowler-cloud/prowler/pull/9198)
|
||||
|
||||
### Changed
|
||||
- Update AWS Direct Connect service metadata to new format [(#8855)](https://github.com/prowler-cloud/prowler/pull/8855)
|
||||
|
||||
@@ -0,0 +1,347 @@
|
||||
{
|
||||
"Framework": "FedRAMP-20x-KSI-Low",
|
||||
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
|
||||
"Version": "25.05C",
|
||||
"Provider": "AWS",
|
||||
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
|
||||
"Requirements": [
|
||||
{
|
||||
"Id": "ksi-cmt",
|
||||
"Name": "KSI-CMT: Change Management",
|
||||
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-cmt",
|
||||
"Section": "Change Management",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"cloudtrail_multi_region_enabled",
|
||||
"cloudtrail_log_file_validation_enabled",
|
||||
"cloudtrail_s3_dataevents_read_enabled",
|
||||
"cloudtrail_s3_dataevents_write_enabled",
|
||||
"cloudwatch_changes_to_network_acls_alarm_configured",
|
||||
"cloudwatch_changes_to_network_gateways_alarm_configured",
|
||||
"cloudwatch_changes_to_network_route_tables_alarm_configured",
|
||||
"cloudwatch_changes_to_vpcs_alarm_configured",
|
||||
"cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled",
|
||||
"cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled",
|
||||
"cloudwatch_log_metric_filter_aws_organizations_changes",
|
||||
"cloudwatch_log_metric_filter_for_s3_bucket_policy_changes",
|
||||
"cloudwatch_log_metric_filter_policy_changes",
|
||||
"cloudwatch_log_metric_filter_security_group_changes",
|
||||
"config_recorder_all_regions_enabled",
|
||||
"ec2_instance_managed_by_ssm",
|
||||
"ec2_instance_older_than_specific_days",
|
||||
"ssm_managed_compliant_patching",
|
||||
"ssm_managed_instance_compliance_association_compliant",
|
||||
"ssm_managed_instance_compliance_patch_compliant"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-cna",
|
||||
"Name": "KSI-CNA: Cloud Native Architecture",
|
||||
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-cna",
|
||||
"Section": "Cloud Native Architecture",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"autoscaling_group_multiple_az",
|
||||
"autoscaling_group_multiple_instance_types",
|
||||
"autoscaling_group_capacity_rebalance_enabled",
|
||||
"dynamodb_tables_pitr_enabled",
|
||||
"dynamodb_tables_deletion_protection_enabled",
|
||||
"ec2_instance_imdsv2_enabled",
|
||||
"ec2_networkacl_allow_ingress_any_port",
|
||||
"ec2_securitygroup_default_restrict_traffic",
|
||||
"ec2_securitygroup_allow_ingress_from_internet_to_any_port",
|
||||
"eks_cluster_network_policy_enabled",
|
||||
"eks_cluster_not_publicly_accessible",
|
||||
"eks_cluster_private_nodes_enabled",
|
||||
"eks_cluster_uses_a_supported_version",
|
||||
"elb_cross_zone_load_balancing_enabled",
|
||||
"elbv2_alb_multi_az_scheme",
|
||||
"elbv2_waf_acl_attached",
|
||||
"rds_instance_multi_az",
|
||||
"rds_cluster_multi_az",
|
||||
"vpc_subnet_auto_assign_public_ip_disabled",
|
||||
"vpc_default_security_group_restricts_traffic",
|
||||
"vpc_peering_connection_routing_tables_with_least_privilege"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-iam",
|
||||
"Name": "KSI-IAM: Identity and Access Management",
|
||||
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-iam",
|
||||
"Section": "Identity and Access Management",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"iam_administrator_access_with_mfa",
|
||||
"iam_aws_attached_policy_no_administrative_privileges",
|
||||
"iam_customer_attached_policy_no_administrative_privileges",
|
||||
"iam_inline_policy_no_administrative_privileges",
|
||||
"iam_no_custom_policy_permissive_role_assumption",
|
||||
"iam_no_root_access_key",
|
||||
"iam_password_policy_expires_passwords_within_90_days_or_less",
|
||||
"iam_password_policy_lowercase",
|
||||
"iam_password_policy_minimum_length_14",
|
||||
"iam_password_policy_number",
|
||||
"iam_password_policy_reuse_24",
|
||||
"iam_password_policy_symbol",
|
||||
"iam_password_policy_uppercase",
|
||||
"iam_policy_attached_only_to_group_or_roles",
|
||||
"iam_policy_no_full_access_to_cloudtrail",
|
||||
"iam_policy_no_full_access_to_kms",
|
||||
"iam_root_hardware_mfa_enabled",
|
||||
"iam_root_mfa_enabled",
|
||||
"iam_rotate_access_key_90_days",
|
||||
"iam_user_accesskey_unused",
|
||||
"iam_user_console_access_unused",
|
||||
"iam_user_hardware_mfa_enabled",
|
||||
"iam_user_mfa_enabled_console_access",
|
||||
"iam_user_two_active_access_key",
|
||||
"organizations_scp_check_deny_regions",
|
||||
"organizations_opt_out_ai_services_policy"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-inr",
|
||||
"Name": "KSI-INR: Incident Response",
|
||||
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-inr",
|
||||
"Section": "Incident Response",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"guardduty_centrally_managed",
|
||||
"guardduty_ec2_malware_protection_enabled",
|
||||
"guardduty_eks_audit_log_enabled",
|
||||
"guardduty_eks_protection_enabled",
|
||||
"guardduty_eks_runtime_monitoring_enabled",
|
||||
"guardduty_is_enabled",
|
||||
"guardduty_lambda_protection_enabled",
|
||||
"guardduty_malware_protection_enabled",
|
||||
"guardduty_no_high_severity_findings",
|
||||
"guardduty_rds_protection_enabled",
|
||||
"guardduty_s3_protection_enabled",
|
||||
"inspector2_is_enabled",
|
||||
"inspector2_active_findings_exist",
|
||||
"securityhub_enabled",
|
||||
"sns_topics_kms_encryption_at_rest_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-mla",
|
||||
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
|
||||
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-mla",
|
||||
"Section": "Monitoring, Logging, and Auditing",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"apigateway_restapi_logging_enabled",
|
||||
"cloudtrail_cloudwatch_logging_enabled",
|
||||
"cloudtrail_kms_encryption_enabled",
|
||||
"cloudtrail_log_file_validation_enabled",
|
||||
"cloudtrail_multi_region_enabled",
|
||||
"cloudtrail_s3_dataevents_read_enabled",
|
||||
"cloudtrail_s3_dataevents_write_enabled",
|
||||
"cloudwatch_log_group_kms_encryption_enabled",
|
||||
"cloudwatch_log_group_retention_policy_specific_days_enabled",
|
||||
"ecs_cluster_container_insights_enabled",
|
||||
"eks_cluster_control_plane_audit_logging_enabled",
|
||||
"elb_logging_enabled",
|
||||
"elbv2_logging_enabled",
|
||||
"inspector2_is_enabled",
|
||||
"opensearch_service_domains_cloudwatch_logging_enabled",
|
||||
"rds_instance_enhanced_monitoring_enabled",
|
||||
"rds_instance_integration_cloudwatch_logs",
|
||||
"redshift_cluster_audit_logging",
|
||||
"s3_bucket_server_access_logging_enabled",
|
||||
"vpc_flow_logs_enabled",
|
||||
"wafv2_webacl_logging_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-piy",
|
||||
"Name": "KSI-PIY: Policy and Inventory",
|
||||
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-piy",
|
||||
"Section": "Policy and Inventory",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"config_recorder_all_regions_enabled",
|
||||
"config_recorder_using_aws_service_role",
|
||||
"ec2_instance_managed_by_ssm",
|
||||
"organizations_account_part_of_organizations",
|
||||
"organizations_delegated_administrators",
|
||||
"organizations_scp_check_deny_regions",
|
||||
"organizations_tags_policies_enabled_and_attached",
|
||||
"resourceexplorer_indexes_found",
|
||||
"ssm_managed_instance_compliance_association_compliant",
|
||||
"trustedadvisor_premium_support_plan_subscribed"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-rpl",
|
||||
"Name": "KSI-RPL: Recovery Planning",
|
||||
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-rpl",
|
||||
"Section": "Recovery Planning",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"backup_plans_exist",
|
||||
"backup_reportplans_exist",
|
||||
"backup_vaults_exist",
|
||||
"backup_vaults_encrypted",
|
||||
"backup_recovery_point_encrypted",
|
||||
"backup_recovery_point_manual_deletion_disabled",
|
||||
"backup_recovery_point_minimum_retention_days",
|
||||
"dlm_ebs_snapshot_lifecycle_policy_exists",
|
||||
"dynamodb_tables_pitr_enabled",
|
||||
"dynamodb_tables_deletion_protection_enabled",
|
||||
"efs_have_backup_enabled",
|
||||
"fsx_file_system_copy_tags_to_backups",
|
||||
"rds_instance_backup_enabled",
|
||||
"rds_instance_backup_retention_policy",
|
||||
"rds_instance_deletion_protection",
|
||||
"rds_cluster_deletion_protection",
|
||||
"rds_snapshots_encrypted",
|
||||
"redshift_cluster_automated_snapshot"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-svc",
|
||||
"Name": "KSI-SVC: Service Configuration",
|
||||
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-svc",
|
||||
"Section": "Service Configuration",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"acm_certificates_expiration_check",
|
||||
"apigateway_restapi_cache_encrypted",
|
||||
"cloudtrail_kms_encryption_enabled",
|
||||
"dax_cluster_encryption_enabled",
|
||||
"dynamodb_table_encryption_enabled",
|
||||
"dynamodb_table_encryption_uses_cmks",
|
||||
"ebs_volume_encryption_enabled",
|
||||
"ec2_ebs_default_encryption",
|
||||
"ec2_instance_ebs_optimized",
|
||||
"efs_encryption_at_rest_enabled",
|
||||
"eks_cluster_envelope_encryption_enabled",
|
||||
"elasticache_redis_cluster_encryption_at_rest_enabled",
|
||||
"elasticache_redis_cluster_encryption_at_transit_enabled",
|
||||
"elbv2_ssl_listeners",
|
||||
"fsx_file_system_encryption_at_rest_enabled",
|
||||
"kinesis_stream_encrypted_at_rest",
|
||||
"kms_cmk_rotation_enabled",
|
||||
"kms_cmk_not_scheduled_for_deletion",
|
||||
"kms_key_not_publicly_accessible",
|
||||
"rds_instance_storage_encrypted",
|
||||
"rds_instance_storage_encrypted_with_cmk",
|
||||
"rds_cluster_storage_encrypted",
|
||||
"redshift_cluster_encryption_at_rest",
|
||||
"redshift_cluster_encryption_in_transit",
|
||||
"s3_bucket_server_side_encryption_enabled",
|
||||
"s3_bucket_default_encryption",
|
||||
"s3_bucket_secure_transport_policy",
|
||||
"sagemaker_notebook_instance_encryption_enabled",
|
||||
"sns_topics_kms_encryption_at_rest_enabled",
|
||||
"sqs_queue_server_side_encryption_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-tpr",
|
||||
"Name": "KSI-TPR: Third-Party Information Resources",
|
||||
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-tpr",
|
||||
"Section": "Third-Party Information Resources",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"ecr_registry_scan_images_on_push_enabled",
|
||||
"ecr_repositories_lifecycle_policy_enabled",
|
||||
"ecr_repositories_not_publicly_accessible",
|
||||
"ecr_repositories_scan_on_push_enabled",
|
||||
"ecr_repositories_scan_vulnerabilities_in_latest_image",
|
||||
"ecr_repositories_tag_immutability",
|
||||
"inspector2_active_findings_exist",
|
||||
"inspector2_is_enabled",
|
||||
"awslambda_function_using_supported_runtimes",
|
||||
"ssm_managed_compliant_patching",
|
||||
"trustedadvisor_premium_support_plan_subscribed",
|
||||
"guardduty_no_high_severity_findings"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-iam-07",
|
||||
"Name": "KSI-IAM-07: Account Lifecycle Management",
|
||||
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-iam-07",
|
||||
"Section": "Identity and Access Management",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"iam_no_root_access_key",
|
||||
"iam_policy_attached_only_to_group_or_roles",
|
||||
"iam_rotate_access_key_90_days",
|
||||
"iam_user_accesskey_unused",
|
||||
"iam_user_console_access_unused",
|
||||
"organizations_delegated_administrators"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-mla-07",
|
||||
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
|
||||
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-mla-07",
|
||||
"Section": "Monitoring, Logging, and Auditing",
|
||||
"Service": "aws"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"cloudtrail_multi_region_enabled",
|
||||
"cloudwatch_log_group_retention_policy_specific_days_enabled",
|
||||
"config_recorder_all_regions_enabled",
|
||||
"inspector2_is_enabled",
|
||||
"resourceexplorer_indexes_found"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
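Review bot: The requirement list mixes two granularities: `ksi-iam-07` and `ksi-mla-07` are single sub-indicators, while the other eight entries are whole KSI families, so a check such as `iam_no_root_access_key` (listed under both `ksi-iam` and `ksi-iam-07`) or `cloudtrail_multi_region_enabled` (under `ksi-cmt`, `ksi-mla` and `ksi-mla-07`) will presumably be counted more than once in any per-section roll-up, and the sub-indicators reuse the family's `Section` value so the dashboard cannot tell them apart. Either fold the two sub-indicators into their families or give every family the same treatment, and state the chosen convention in the framework `Description` since JSON cannot carry a comment. A few check-to-indicator mappings also read as tangential to the indicator's stated scope and deserve a second pass: `sns_topics_kms_encryption_at_rest_enabled` under KSI-INR, `ec2_instance_ebs_optimized` under KSI-SVC (encryption and integrity), `ec2_instance_older_than_specific_days` under KSI-CMT and `fsx_file_system_copy_tags_to_backups` under KSI-RPL. The `Description` strings are what the new dashboard module keys its short-name map on, so any rewording here must be mirrored there.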
@@ -0,0 +1,358 @@
|
||||
{
|
||||
"Framework": "FedRAMP-20x-KSI-Low",
|
||||
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
|
||||
"Version": "25.05C",
|
||||
"Provider": "Azure",
|
||||
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
|
||||
"Requirements": [
|
||||
{
|
||||
"Id": "ksi-cmt",
|
||||
"Name": "KSI-CMT: Change Management",
|
||||
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-cmt",
|
||||
"Section": "Change Management",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"monitor_activity_log_alert_cmk_delete",
|
||||
"monitor_activity_log_alert_create_policy_assignment",
|
||||
"monitor_activity_log_alert_create_update_delete_network_sg",
|
||||
"monitor_activity_log_alert_create_update_delete_network_sg_rule",
|
||||
"monitor_activity_log_alert_create_update_delete_sql_server_fw_rule",
|
||||
"monitor_activity_log_alert_create_update_nsg",
|
||||
"monitor_activity_log_alert_create_update_public_ip_address",
|
||||
"monitor_activity_log_alert_create_update_security_solution",
|
||||
"monitor_activity_log_alert_delete_nsg",
|
||||
"monitor_activity_log_alert_delete_policy_assignment",
|
||||
"monitor_activity_log_alert_delete_public_ip_address",
|
||||
"monitor_activity_log_alert_delete_security_solution",
|
||||
"monitor_log_profile_all_categories",
|
||||
"monitor_log_profile_all_regions",
|
||||
"vm_agent_installed",
|
||||
"vm_antimalware_solution_installed",
|
||||
"vm_endpoint_protection_installed",
|
||||
"vm_guest_configuration_installed",
|
||||
"vm_guest_configuration_with_no_managed_identity",
|
||||
"vm_guest_configuration_with_user_identity"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-cna",
|
||||
"Name": "KSI-CNA: Cloud Native Architecture",
|
||||
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-cna",
|
||||
"Section": "Cloud Native Architecture",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"aks_clusters_created_with_private_nodes",
|
||||
"aks_clusters_public_access_disabled",
|
||||
"aks_network_policy_enabled",
|
||||
"app_function_vnet_integration_enabled",
|
||||
"app_function_not_publicly_accessible",
|
||||
"containerregistry_not_publicly_accessible",
|
||||
"containerregistry_uses_private_link",
|
||||
"cosmosdb_account_use_private_endpoints",
|
||||
"cosmosdb_account_firewall_use_selected_networks",
|
||||
"databricks_workspace_vnet_injection_enabled",
|
||||
"keyvault_access_only_through_private_endpoints",
|
||||
"keyvault_private_endpoints",
|
||||
"network_bastion_host_exists",
|
||||
"network_flow_logs_enabled",
|
||||
"network_security_group_not_empty",
|
||||
"network_sg_ssh_access_restricted",
|
||||
"network_sg_rdp_access_restricted",
|
||||
"network_sg_open_all_ports_to_any_source",
|
||||
"network_watcher_enabled",
|
||||
"postgresql_flexible_server_public_network_access_disabled",
|
||||
"sqlserver_public_network_access_disabled",
|
||||
"storage_default_network_access_rule_set_to_deny",
|
||||
"vm_availability_zones_enabled",
|
||||
"vm_availability_set_deployed"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-iam",
|
||||
"Name": "KSI-IAM: Identity and Access Management",
|
||||
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-iam",
|
||||
"Section": "Identity and Access Management",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"entra_conditional_access_policy_require_mfa_for_management_api",
|
||||
"entra_global_admin_in_less_than_five_users",
|
||||
"entra_non_privileged_user_has_mfa",
|
||||
"entra_policy_default_users_cannot_create_security_groups",
|
||||
"entra_policy_ensure_default_user_cannot_create_apps",
|
||||
"entra_policy_ensure_default_user_cannot_create_tenants",
|
||||
"entra_policy_guest_invite_only_for_admin_roles",
|
||||
"entra_policy_guest_users_access_restrictions",
|
||||
"entra_policy_restricts_user_consent_for_apps",
|
||||
"entra_policy_user_consent_for_verified_apps",
|
||||
"entra_privileged_user_has_mfa",
|
||||
"entra_security_defaults_enabled",
|
||||
"entra_trusted_named_locations_exists",
|
||||
"entra_user_with_vm_access_has_mfa",
|
||||
"entra_users_cannot_create_microsoft_365_groups",
|
||||
"iam_custom_role_has_permissions_to_administer_resource_locks",
|
||||
"iam_role_user_access_admin_restricted",
|
||||
"iam_subscription_roles_owner_custom_not_created",
|
||||
"keyvault_rbac_enabled",
|
||||
"app_function_identity_is_configured",
|
||||
"app_function_identity_without_admin_privileges",
|
||||
"app_ensure_auth_is_set_up",
|
||||
"app_register_with_identity",
|
||||
"vm_managed_identity_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-inr",
|
||||
"Name": "KSI-INR: Incident Response",
|
||||
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-inr",
|
||||
"Section": "Incident Response",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"defender_attack_path_notifications_properly_configured",
|
||||
"defender_ensure_notify_alerts_severity_is_high",
|
||||
"defender_ensure_notify_emails_to_owners",
|
||||
"defender_additional_email_configured_with_a_security_contact",
|
||||
"defender_container_images_resolved_vulnerabilities",
|
||||
"defender_container_images_scan_enabled",
|
||||
"defender_ensure_defender_for_app_services_is_on",
|
||||
"defender_ensure_defender_for_arm_is_on",
|
||||
"defender_ensure_defender_for_azure_sql_databases_is_on",
|
||||
"defender_ensure_defender_for_containers_is_on",
|
||||
"defender_ensure_defender_for_cosmosdb_is_on",
|
||||
"defender_ensure_defender_for_databases_is_on",
|
||||
"defender_ensure_defender_for_dns_is_on",
|
||||
"defender_ensure_defender_for_keyvault_is_on",
|
||||
"defender_ensure_defender_for_os_relational_databases_is_on",
|
||||
"defender_ensure_defender_for_server_is_on",
|
||||
"defender_ensure_defender_for_sql_servers_is_on",
|
||||
"defender_ensure_defender_for_storage_is_on",
|
||||
"defender_ensure_iot_hub_defender_is_on",
|
||||
"defender_ensure_wdatp_is_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-mla",
|
||||
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
|
||||
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-mla",
|
||||
"Section": "Monitoring, Logging, and Auditing",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"app_function_application_insights_enabled",
|
||||
"app_http_logs_enabled",
|
||||
"appinsights_ensure_is_configured",
|
||||
"defender_auto_provisioning_log_analytics_agent_vms_on",
|
||||
"defender_auto_provisioning_vulnerabilty_assessments_machines_on",
|
||||
"keyvault_logging_enabled",
|
||||
"monitor_activity_log_retention_policy_set",
|
||||
"monitor_diagnostic_logs_categories",
|
||||
"monitor_diagnostic_setting_deployed_for_all_resources",
|
||||
"monitor_diagnostic_settings_captures_proper_categories",
|
||||
"monitor_log_profile_all_categories",
|
||||
"monitor_log_profile_all_regions",
|
||||
"monitor_log_profile_captures_all_activities",
|
||||
"monitor_log_profile_retention_policy_at_least_365",
|
||||
"network_flow_logs_enabled",
|
||||
"network_flow_log_retention_policy_at_least_90",
|
||||
"network_watcher_enabled",
|
||||
"postgresql_flexible_server_audit_logs_enabled",
|
||||
"postgresql_flexible_server_log_checkpoints_enabled",
|
||||
"postgresql_flexible_server_log_connections_enabled",
|
||||
"postgresql_flexible_server_log_disconnections_enabled",
|
||||
"sqlserver_auditing_on",
|
||||
"sqlserver_auditing_retention_90_days",
|
||||
"storage_storage_account_logging_queue_read_write_delete_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-piy",
|
||||
"Name": "KSI-PIY: Policy and Inventory",
|
||||
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-piy",
|
||||
"Section": "Policy and Inventory",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"policy_ensure_asc_for_aks_is_enabled",
|
||||
"policy_ensure_asc_for_app_services_is_enabled",
|
||||
"policy_ensure_asc_for_azure_sql_is_enabled",
|
||||
"policy_ensure_asc_for_key_vault_is_enabled",
|
||||
"policy_ensure_asc_for_servers_is_enabled",
|
||||
"policy_ensure_asc_for_sql_servers_is_enabled",
|
||||
"policy_ensure_asc_for_storage_is_enabled",
|
||||
"policy_ensure_allowed_extensions_are_installed",
|
||||
"policy_ensure_allowed_locations_is_enabled",
|
||||
"policy_ensure_allowed_resource_types_is_enabled",
|
||||
"policy_ensure_audit_diagnostic_log_enabled_for_all_services",
|
||||
"policy_ensure_not_allowed_resource_types_is_enabled",
|
||||
"vm_guest_configuration_installed",
|
||||
"vm_guest_configuration_with_no_managed_identity",
|
||||
"vm_guest_configuration_with_user_identity"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-rpl",
|
||||
"Name": "KSI-RPL: Recovery Planning",
|
||||
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-rpl",
|
||||
"Section": "Recovery Planning",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"mysql_flexible_server_geo_redundant_backup_enabled",
|
||||
"mysql_flexible_server_retain_backup_35_days",
|
||||
"postgresql_flexible_server_geo_redundant_backup_enabled",
|
||||
"postgresql_flexible_server_backup_retention_period_35_days",
|
||||
"recovery_services_vault_uses_private_link",
|
||||
"recovery_services_vault_uses_private_link_for_backup",
|
||||
"sqlserver_database_long_term_geo_redundant_backup",
|
||||
"sqlserver_database_retention_policy_exceeds_90_days",
|
||||
"storage_default_storage_account_encrypted_with_cmk_not_stored_in_storage_account",
|
||||
"storage_geo_redundant_enabled",
|
||||
"storage_infrastructure_encryption_is_enabled",
|
||||
"storage_soft_delete_containers_enabled",
|
||||
"storage_soft_delete_enabled",
|
||||
"vm_backup_enabled",
|
||||
"vm_sufficient_daily_backup_retention_period"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-svc",
|
||||
"Name": "KSI-SVC: Service Configuration",
|
||||
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-svc",
|
||||
"Section": "Service Configuration",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"app_client_certificates_on",
|
||||
"app_ensure_http_is_redirected_to_https",
|
||||
"app_minimum_tls_version_12",
|
||||
"containerregistry_admin_user_disabled",
|
||||
"cosmosdb_account_use_aad_and_rbac",
|
||||
"databricks_workspace_cmk_encryption_enabled",
|
||||
"keyvault_key_expiration_set_in_non_rbac",
|
||||
"keyvault_key_rotation_enabled",
|
||||
"keyvault_non_rbac_secret_expiration_set",
|
||||
"mysql_flexible_server_encrypted_at_rest_using_cmk",
|
||||
"mysql_flexible_server_encrypted_in_transit",
|
||||
"mysql_flexible_server_minimum_tls_version_tls12",
|
||||
"postgresql_flexible_server_encrypted_at_rest_using_cmk",
|
||||
"postgresql_flexible_server_encrypted_in_transit",
|
||||
"postgresql_flexible_server_minimum_tls_version_tls12",
|
||||
"sqlserver_advanced_data_security_enabled",
|
||||
"sqlserver_database_encryption_with_cmk",
|
||||
"sqlserver_database_tde_encryption_enabled",
|
||||
"sqlserver_minimum_tls_version_12",
|
||||
"storage_secure_transfer_required_enabled",
|
||||
"storage_default_storage_account_encrypted_with_cmk",
|
||||
"storage_infrastructure_encryption_is_enabled",
|
||||
"storage_storage_account_encrypted_with_cmk",
|
||||
"storage_storage_account_minimum_tls_version_tls12",
|
||||
"vm_encrypted_at_host",
|
||||
"vm_data_disks_encrypted_with_cmk",
|
||||
"vm_managed_disks_encrypted_with_cmk",
|
||||
"vm_os_disk_are_encrypted_with_cmk",
|
||||
"vm_temporary_disks_and_cache_encrypted"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-tpr",
|
||||
"Name": "KSI-TPR: Third-Party Information Resources",
|
||||
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-tpr",
|
||||
"Section": "Third-Party Information Resources",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"app_ensure_java_version_is_latest",
|
||||
"app_ensure_php_version_is_latest",
|
||||
"app_ensure_python_version_is_latest",
|
||||
"app_function_latest_runtime_version",
|
||||
"defender_container_images_resolved_vulnerabilities",
|
||||
"defender_container_images_scan_enabled",
|
||||
"defender_ensure_system_updates_are_applied",
|
||||
"vm_agent_installed",
|
||||
"vm_antimalware_solution_installed",
|
||||
"vm_endpoint_protection_installed",
|
||||
"vm_os_update_system_updates",
|
||||
"vm_security_patch_assessment"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-iam-07",
|
||||
"Name": "KSI-IAM-07: Account Lifecycle Management",
|
||||
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-iam-07",
|
||||
"Section": "Identity and Access Management",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"entra_non_privileged_user_has_mfa",
|
||||
"entra_privileged_user_has_mfa",
|
||||
"entra_user_with_vm_access_has_mfa",
|
||||
"iam_custom_role_has_permissions_to_administer_resource_locks",
|
||||
"iam_role_user_access_admin_restricted",
|
||||
"app_function_identity_is_configured",
|
||||
"vm_managed_identity_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-mla-07",
|
||||
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
|
||||
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-mla-07",
|
||||
"Section": "Monitoring, Logging, and Auditing",
|
||||
"Service": "azure"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"monitor_log_profile_all_categories",
|
||||
"monitor_log_profile_all_regions",
|
||||
"monitor_log_profile_captures_all_activities",
|
||||
"monitor_diagnostic_setting_deployed_for_all_resources",
|
||||
"network_watcher_enabled"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
@@ -0,0 +1,293 @@
|
||||
{
|
||||
"Framework": "FedRAMP-20x-KSI-Low",
|
||||
"Name": "FedRAMP 20x Key Security Indicators (KSIs) - Low Impact Level v25.05C",
|
||||
"Version": "25.05C",
|
||||
"Provider": "GCP",
|
||||
"Description": "FedRAMP 20x Key Security Indicators (KSIs) Low Impact Level represent core security indicators for cloud service providers, focusing on automation, continuous monitoring, and cloud-native security principles per FedRAMP 20x Phase One pilot requirements for Low impact systems.",
|
||||
"Requirements": [
|
||||
{
|
||||
"Id": "ksi-cmt",
|
||||
"Name": "KSI-CMT: Change Management",
|
||||
"Description": "A secure cloud service provider will ensure that all system changes are properly documented and configuration baselines are updated accordingly",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-cmt",
|
||||
"Section": "Change Management",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"iam_audit_logs_enabled",
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
|
||||
"compute_instance_serial_ports_in_use",
|
||||
"compute_project_os_login_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-cna",
|
||||
"Name": "KSI-CNA: Cloud Native Architecture",
|
||||
"Description": "A secure cloud service offering will use cloud native architecture and design principles to enforce and enhance the Confidentiality, Integrity and Availability of the system",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-cna",
|
||||
"Section": "Cloud Native Architecture",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"cloudsql_instance_private_ip_assignment",
|
||||
"cloudsql_instance_public_access",
|
||||
"cloudsql_instance_public_ip",
|
||||
"cloudstorage_bucket_uniform_bucket_level_access",
|
||||
"compute_firewall_rdp_access_from_the_internet_allowed",
|
||||
"compute_firewall_ssh_access_from_the_internet_allowed",
|
||||
"compute_instance_block_project_wide_ssh_keys_disabled",
|
||||
"compute_instance_confidential_computing_enabled",
|
||||
"compute_instance_ip_forwarding_is_enabled",
|
||||
"compute_instance_public_ip",
|
||||
"compute_instance_shielded_vm_enabled",
|
||||
"compute_loadbalancer_logging_enabled",
|
||||
"compute_network_default_in_use",
|
||||
"compute_network_dns_logging_enabled",
|
||||
"compute_network_not_legacy",
|
||||
"compute_subnet_flow_logs_enabled",
|
||||
"gke_cluster_no_default_service_account"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-iam",
|
||||
"Name": "KSI-IAM: Identity and Access Management",
|
||||
"Description": "A secure cloud service offering will protect user data, control access, and apply zero trust principles",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-iam",
|
||||
"Section": "Identity and Access Management",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"apikeys_api_restrictions_configured",
|
||||
"apikeys_key_exists",
|
||||
"apikeys_key_rotated_in_90_days",
|
||||
"compute_instance_default_service_account_in_use",
|
||||
"compute_instance_default_service_account_in_use_with_full_api_access",
|
||||
"iam_no_service_roles_at_project_level",
|
||||
"iam_role_kms_enforce_separation_of_duties",
|
||||
"iam_role_sa_enforce_separation_of_duties",
|
||||
"iam_sa_no_administrative_privileges",
|
||||
"iam_sa_no_user_managed_keys",
|
||||
"iam_sa_user_managed_key_rotate_90_days",
|
||||
"iam_sa_user_managed_key_unused",
|
||||
"iam_service_account_unused"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-inr",
|
||||
"Name": "KSI-INR: Incident Response",
|
||||
"Description": "A secure cloud service offering will respond to incidents according to FedRAMP requirements and cloud service provider policies",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-inr",
|
||||
"Section": "Incident Response",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"iam_organization_essential_contacts_configured",
|
||||
"iam_account_access_approval_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-mla",
|
||||
"Name": "KSI-MLA: Monitoring, Logging, and Auditing",
|
||||
"Description": "A secure cloud service offering will monitor, log, and audit all important events, activity, and changes",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-mla",
|
||||
"Section": "Monitoring, Logging, and Auditing",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"cloudsql_instance_postgres_enable_pgaudit_flag",
|
||||
"cloudsql_instance_postgres_log_connections_flag",
|
||||
"cloudsql_instance_postgres_log_disconnections_flag",
|
||||
"cloudsql_instance_postgres_log_error_verbosity_flag",
|
||||
"cloudsql_instance_postgres_log_min_duration_statement_flag",
|
||||
"cloudsql_instance_postgres_log_min_error_statement_flag",
|
||||
"cloudsql_instance_postgres_log_min_messages_flag",
|
||||
"cloudsql_instance_postgres_log_statement_flag",
|
||||
"cloudsql_instance_sqlserver_trace_flag",
|
||||
"cloudstorage_bucket_log_retention_policy_lock",
|
||||
"compute_loadbalancer_logging_enabled",
|
||||
"compute_network_dns_logging_enabled",
|
||||
"compute_subnet_flow_logs_enabled",
|
||||
"iam_audit_logs_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_audit_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_custom_role_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_project_ownership_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_sql_instance_configuration_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_firewall_rule_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_changes_enabled",
|
||||
"logging_log_metric_filter_and_alert_for_vpc_network_route_changes_enabled",
|
||||
"logging_sink_created"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-piy",
|
||||
"Name": "KSI-PIY: Policy and Inventory",
|
||||
"Description": "A secure cloud service offering will have intentional, organized, universal guidance for how every information resource, including personnel, is secured",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-piy",
|
||||
"Section": "Policy and Inventory",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"iam_organization_essential_contacts_configured",
|
||||
"iam_audit_logs_enabled",
|
||||
"compute_project_os_login_enabled",
|
||||
"compute_instance_serial_ports_in_use",
|
||||
"compute_instance_block_project_wide_ssh_keys_disabled",
|
||||
"logging_sink_created"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-rpl",
|
||||
"Name": "KSI-RPL: Recovery Planning",
|
||||
"Description": "A secure cloud service offering will define, maintain, and test incident response plan(s) and recovery capabilities to ensure minimal service disruption and data loss",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-rpl",
|
||||
"Section": "Recovery Planning",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"cloudsql_instance_automated_backups",
|
||||
"cloudstorage_bucket_log_retention_policy_lock",
|
||||
"cloudstorage_bucket_versioning_enabled",
|
||||
"cloudstorage_bucket_lifecycle_management_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-svc",
|
||||
"Name": "KSI-SVC: Service Configuration",
|
||||
"Description": "A secure cloud service offering will follow FedRAMP encryption policies, continuously verify information resource integrity, and restrict access to third-party information resources",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-svc",
|
||||
"Section": "Service Configuration",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"bigquery_dataset_cmk_encryption",
|
||||
"bigquery_table_cmk_encryption",
|
||||
"cloudsql_instance_mysql_local_infile_flag",
|
||||
"cloudsql_instance_mysql_skip_show_database_flag",
|
||||
"cloudsql_instance_postgres_enable_pgaudit_flag",
|
||||
"cloudsql_instance_postgres_log_connections_flag",
|
||||
"cloudsql_instance_postgres_log_disconnections_flag",
|
||||
"cloudsql_instance_postgres_log_error_verbosity_flag",
|
||||
"cloudsql_instance_postgres_log_min_duration_statement_flag",
|
||||
"cloudsql_instance_postgres_log_min_error_statement_flag",
|
||||
"cloudsql_instance_postgres_log_min_messages_flag",
|
||||
"cloudsql_instance_postgres_log_statement_flag",
|
||||
"cloudsql_instance_sqlserver_contained_database_authentication_flag",
|
||||
"cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag",
|
||||
"cloudsql_instance_sqlserver_external_scripts_enabled_flag",
|
||||
"cloudsql_instance_sqlserver_remote_access_flag",
|
||||
"cloudsql_instance_sqlserver_trace_flag",
|
||||
"cloudsql_instance_sqlserver_user_connections_flag",
|
||||
"cloudsql_instance_sqlserver_user_options_flag",
|
||||
"cloudsql_instance_ssl_connections",
|
||||
"compute_instance_encryption_with_csek_enabled",
|
||||
"compute_instance_shielded_vm_enabled",
|
||||
"dataproc_encrypted_with_cmks_disabled",
|
||||
"dns_dnssec_disabled",
|
||||
"dns_rsasha1_in_use_to_key_sign_in_dnssec",
|
||||
"dns_rsasha1_in_use_to_zone_sign_in_dnssec",
|
||||
"kms_key_not_publicly_accessible",
|
||||
"kms_key_rotation_enabled"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-tpr",
|
||||
"Name": "KSI-TPR: Third-Party Information Resources",
|
||||
"Description": "A secure cloud service offering will understand, monitor, and manage supply chain risks from third-party information resources",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-tpr",
|
||||
"Section": "Third-Party Information Resources",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"artifacts_container_analysis_enabled",
|
||||
"gcr_container_scanning_enabled",
|
||||
"compute_public_address_shodan",
|
||||
"cloudsql_instance_automated_backups",
|
||||
"iam_sa_user_managed_key_rotate_90_days",
|
||||
"iam_service_account_unused"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-iam-07",
|
||||
"Name": "KSI-IAM-07: Account Lifecycle Management",
|
||||
"Description": "Securely manage the lifecycle and privileges of all accounts, roles, and groups",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-iam-07",
|
||||
"Section": "Identity and Access Management",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"apikeys_key_rotated_in_90_days",
|
||||
"iam_sa_user_managed_key_rotate_90_days",
|
||||
"iam_sa_user_managed_key_unused",
|
||||
"iam_service_account_unused",
|
||||
"compute_instance_default_service_account_in_use"
|
||||
]
|
||||
},
|
||||
{
|
||||
"Id": "ksi-mla-07",
|
||||
"Name": "KSI-MLA-07: Monitoring and Logging Inventory",
|
||||
"Description": "Maintain a list of information resources and event types that will be monitored, logged, and audited",
|
||||
"Attributes": [
|
||||
{
|
||||
"ItemId": "ksi-mla-07",
|
||||
"Section": "Monitoring, Logging, and Auditing",
|
||||
"Service": "gcp"
|
||||
}
|
||||
],
|
||||
"Checks": [
|
||||
"iam_audit_logs_enabled",
|
||||
"iam_cloud_asset_inventory_enabled",
|
||||
"logging_sink_created",
|
||||
"compute_subnet_flow_logs_enabled",
|
||||
"compute_network_dns_logging_enabled"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
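Review bot: In the GCP `ksi-tpr` requirement (third-party / supply-chain risk) the `Checks` list includes `cloudsql_instance_automated_backups`, which measures database backup configuration rather than anything about third-party information resources, and the same check is already mapped under `ksi-rpl` earlier in this file where it belongs; as written, a TPR pass/fail in the compliance report is partly driven by a recovery setting. I would drop that entry so the TPR list reads `"gcr_container_scanning_enabled", "compute_public_address_shodan", "iam_sa_user_managed_key_rotate_90_days",` followed by `"iam_service_account_unused"`. Separately, `ksi-iam-07` and `ksi-mla-07` are added as siblings of the family-level `ksi-iam` and `ksi-mla` requirements, and every check under `ksi-iam-07` is also listed under `ksi-iam` (most of `ksi-mla-07` likewise under `ksi-mla`), so those findings are counted twice in any per-requirement roll-up. If the intent is to model the v25.05C sub-indicators individually, it is presumably not only these two that apply at Low; otherwise a short note in the requirement `Description` explaining why only these two leaf items exist would save the next maintainer from "fixing" the duplication.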