The CloudGraph rules engine validates compliance checks for the various benchmarks we currently support. It is responsible for executing each rule using various operators that allow for the building of the required conditions necessary to validate. If you are interested in writing your own compliance checks (or any kind of. checks for that matter) then this section is for you.
Calculates how many days have passed by giving a specific date. Returns an integer that represents the number of days between the provided date and the current one.
In the following rule, you can see how to use the daysAgo operator. In this case, passwordLastUsed is a valid date that will be converted to days before comparing with another operator to match a result.
export default {
id: 'rule-id',
description:
'Password should have been used in the last 90 days',
gql: `{
queryawsIamUser {
id
__typename
passwordLastUsed
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'warning',
conditions: {
value: { daysAgo: {}, path: '@.passwordLastUsed' },
lessThanInclusive: 90,
},
}
Calculates the difference in days between a given date and today. Returns an integer that represents the number of days between the provided date and the current one.
In the following rule, you can see how to use the daysDiff operator. In this case, nextRotationTimeisa valid date that will be converted to days before comparing with another operator to match a result.
export default {
id: 'rule-id',
title: 'Ensure nextRotationTime is <= 90 days from current date',
gql: `{
querygcpKmsKeyRing {
id
__typename
kmsCryptoKeys {
nextRotationTime
}
}
}`,
resource: 'querygcpKmsKeyRing[*]',
severity: 'unknown',
conditions: {
path: '@.kmsCryptoKeys',
array_any: {
value: { daysDiff: {}, path: '[*].nextRotationTime' },
lessThanInclusive: 90,
},
},
}
Compares that two elements are equal. Returns a boolean that determines when the comparison matches or not.
The next rule shows how to use the equal operator. Notice that the mfaActive field is a boolean.
export default {
id: 'rule-id',
description: "Ensure MFA is enabled for the 'root' account",
gql: `{
queryawsIamUser(filter: { name: { eq: "root" } }) {
id
__typename
name
mfaActive
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'danger',
conditions: {
path: '@.mfaActive',
equal: true,
},
}
Compares that two elements aren't equal. Returns a boolean that determines when the comparison matches or not.
The next rule shows how to use the notEqual operator. Notice that the mfaActive field is a boolean.
export default {
id: 'rule-id',
description: "Ensure MFA is disabled for the 'root' account",
gql: `{
queryawsIamUser(filter: { name: { eq: "root" } }) {
id
__typename
name
mfaActive
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'danger',
conditions: {
path: '@.mfaActive',
notEqual: true,
},
}
Indicates when the provided data is less than the value to compare. Returns a boolean that represents when the condition matches or not.
The following rule indicates that the field maxPasswordAge should be less than 30.
export default {
id: 'rule-id',
description:
'Ensure IAM password policy expires passwords within 90 days or less',
gql: `{
queryawsIamPasswordPolicy {
id
__typename
maxPasswordAge
}
}`,
resource: 'queryawsIamPasswordPolicy[*]',
severity: 'warning',
conditions: {
path: '@.maxPasswordAge',
lessThan: 30,
},
}
Indicates when the provided data is equal or less than the value to compare. Returns a boolean that represents when the condition matches or not.
The following rule indicates that the field maxPasswordAge should be less than or equal to 90.
export default {
id: 'rule-id',
description:
'Ensure IAM password policy expires passwords within 90 days or less',
gql: `{
queryawsIamPasswordPolicy {
id
__typename
maxPasswordAge
}
}`,
resource: 'queryawsIamPasswordPolicy[*]',
severity: 'warning',
conditions: {
path: '@.maxPasswordAge',
lessThanInclusive: 90,
},
}
Indicates when the provided data is greater than the value to compare. Returns a boolean that represents when the condition matches or not.
The following rule indicates that the field minimumPasswordLength should be greater than 24.
export default {
id: 'rule-id',
description:
'Ensure IAM password policy prevents password reuse',
gql: `{
queryawsIamPasswordPolicy {
id
__typename
passwordReusePrevention
}
}`,
resource: 'queryawsIamPasswordPolicy[*]',
severity: 'warning',
conditions: {
path: '@.passwordReusePrevention',
greaterThan: 24,
},
}
Indicates when the provided data is equal or greater than the value to compare. Returns a boolean that represents when the condition matches or not.
The following rule indicates that the field minimumPasswordLength should be equal to or greater than 14.
export default {
id: 'rule-id',
description:
"Ensure IAM password policy requires minimum length of 14 or greater',
gql: `{
queryawsIamPasswordPolicy {
id
__typename
minimumPasswordLength
}
}`,
resource: 'queryawsIamPasswordPolicy[*]',
severity: 'warning',
conditions: {
path: '@.minimumPasswordLength',
greaterThanInclusive: 14,
},
}
Search for a group of elements is present in an Array. Returns a boolean that represents when the condition matches or not.
The next rule says that the field source should be between the range between 0.0.0.0/0 and::/0.
export default {
id: 'rule-id',
description:
'Ensure security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)',
gql: `{
queryawsSecurityGroup{
id
__typename
inboundRules{
source
toPort
fromPort
}
}
}`,
resource: 'queryawsSecurityGroup[*]',
severity: 'danger',
conditions: {
path: '@.inboundRules',
array_any: [
{
path: '[*].source',
in: ['0.0.0.0/0', '::/0'],
},
],
},
}
Search for a group of elements that isn't present in an Array. Returns a boolean that represents when the condition matches or not.
The next rule says that the field source shouldn't be between the range between 0.0.0.0/0 and::/0.
export default {
id: 'rule-id',
description:
'Ensure no security groups allow ingress from 0.0.0.0/0 to port 22 (Scored)',
gql: `{
queryawsSecurityGroup{
id
__typename
inboundRules{
source
toPort
fromPort
}
}
}`,
resource: 'queryawsSecurityGroup[*]',
severity: 'danger',
conditions: {
path: '@.inboundRules',
array_any: [
{
path: '[*].source',
notIn: ['0.0.0.0/0', '::/0'],
},
],
},
}
Verify that a specific Array is empty or not depending on the given parameter. Returns a boolean that represents when the condition matches or not.
The following rule demonstrates the use of the isEmpty operator. When isEmtpy is false it expects the field, in this case, flowLogs, to be a non-empty array. Conversely, if isEmpty was true, that indicates that the compared array should be empty.
export default {
id: 'rule-id',
description:
'Ensure VPC flow logging is enabled in all VPCs (Scored)',
gql: `{
queryawsVpc {
id
__typename
flowLogs {
resourceId
}
}
}`,
resource: 'queryawsVpc[*]',
severity: 'warning',
conditions: {
path: '@.flowLogs',
isEmpty: false,
},
}
Verifies that the field doesn't follow the given regular expression. Returns true when the condition matches and false when it doesn't.
The next condition validates when a user is using a valid email or not with the regular expression below
export default {
id: 'rule-id',
description:
"Ensure that the user has a valid email",
gql: `{
queryawsIamUser(filter: { name: { eq: "root" } }) {
id
__typename
email
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'danger',
conditions: {
path: '@.email',
match: /[\w\d.-]+@[\w\d.-]+\.[\w\d.-]+/,
},
}
Verifies that the field doesn't follow the given regular expression. Returns false when the condition matches and true when it doesn't.
The next condition validates when a user is using a valid email with the regular expression below
export default {
id: 'rule-id',
description:
"Ensure that the user has not a valid email",
gql: `{
queryawsIamUser(filter: { name: { eq: "root" } }) {
id
__typename
email
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'danger',
conditions: {
path: '@.email',
mismatch: /[\w\d.-]+@[\w\d.-]+\.[\w\d.-]+/,
},
}
Joins two or more conditions. When they are all true it returns true, if one of them is false the whole clause is false.
The rule will pass when both conditions inside the and array are true.
export default {
id: 'rule-id',
description:
"Avoid the use of 'root' account. Show used in last 30 days (Scored)",
gql: `{
queryawsIamUser(filter: { name: { eq: "root" } }) {
id
__typename
passwordLastUsed
passwordEnabled
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'danger',
conditions: {
and: [
{
path: '@.passwordEnabled',
equal: true,
},
{
value: { daysAgo: {}, path: '@.passwordLastUsed' },
greaterThan: 30,
},
],
},
}
Joins two or more conditions. When they are all false it returns false, if one of them is true the whole clause is true.
The rule should pass if at least one of the conditions within the or array is true.
export default {
id: 'rule-id',
description:
'Ensure rotation for customer created CMKs is enabled (Scored)',
gql: `{
queryawsKms {
id
__typename
keyManager
keyRotationEnabled
}
}`,
resource: 'queryawsKms[*]',
severity: 'warning',
conditions: {
or: [
{
and: [
{
path: '@.keyManager',
equal: 'AWS',
},
{
path: '@.keyRotationEnabled',
equal: 'Yes',
},
],
},
{
and: [
{
path: '@.keyManager',
equal: 'CUSTOMER',
},
{
path: '@.keyRotationEnabled',
equal: 'Yes',
},
],
},
],
},
}
This operator detects when at least one of the elements of the given array match one of the provided conditions. It can be combined with other nested operators like and/or
The following rule verifies that the access keys should satisfy the condition that all S3 buckets should have logging enabled.
export default {
id: 'rule-id',
description:
'Ensure S3 bucket access logging is enabled on the CloudTrail S3 bucket',
gql: `{
queryawsCloudtrail {
id
__typename
s3 {
logging
}
}
}`,
resource: 'queryawsCloudtrail[*]',
severity: 'warning',
conditions: {
path: '@.s3',
array_any: {
path: '[*].logging',
equal: 'Enabled',
},
},
}
This evaluator uses node-jq wrapper for jq. jq is a lightweight and flexible command-line JSON processor. You can slice, filter, map and transform structured data in a simple and powerful way.
The following rule verifies that IAM have hardware MFA enabled for the root account.
If any MFA Serial Number is queal to the following SerialNumber: arn:aws:iam::_<aws_account_number>_:mfa/root-account-mfa-device, it means the MFA is virtual, not hardware.
export default {
id: 'rule-id',
description:
'IAM should have hardware MFA enabled for the root account',
gql: `{
queryawsIamUser(filter: { name: { eq: "root" } }) {
id
arn
accountId
__typename
name
mfaActive
virtualMfaDevices {
serialNumber
}
}
}`,
resource: 'queryawsIamUser[*]',
severity: 'high',
conditions: {
and: [
{
path: '@.mfaActive',
equal: true,
},
{
jq: '[select("arn:aws:iam::" + .accountId + ":mfa/root-account-mfa-device" == .virtualMfaDevices[].serialNumber)] | { "mfaIsVirtual" : (length > 0) }',
path: '@',
and: [
{
path: '@.mfaIsVirtual',
notEqual: true,
},
],
},
],
},
}
The following rule verifies a log metric filter and alarm exist for unauthorized API calls
The jq query makes a join between cloudwatch and metricFilters by the metric name to get the metricFilters of each cloudwatch.
export default {
id: 'rule-id',
description:
'Ensure a log metric filter and alarm exist for unauthorized API calls',
gql: `{
queryawsAccount {
id
__typename
cloudtrail {
cloudwatchLog {
cloudwatch {
metric
}
metricFilters {
filterPattern
metricTransformations {
metricName
}
}
}
}
}
}`,
resource: 'queryawsAccount[*]',
severity: 'medium',
conditions: {
path: '@.cloudtrail',
array_any: {
and: [
{
path: '[*].cloudwatchLog',
jq: '[.[].metricFilters[] + .[].cloudwatch[] | select(.metricTransformations[].metricName == .metric)]',
array_any: {
and: [
{
path: '[*].filterPattern',
match: /(\$.errorCode)\s*=\s*"UnauthorizedOperation"/,
},
{
path: '[*].filterPattern',
match: /(\$.errorCode)\s*=\s*"AccessDenied"/,
},
],
},
},
],
},
},
}
