added ECS rules matching AWS SecurityHub

Author: ViktorLindstrm

ql/src/security/CloudFormation/ECS/ContainerInsights.ql

@@ -0,0 +1,18 @@
+/**
+ * @name ECS clusters should use Container Insights
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/container-insights
+ * @tags security
+ *       aws/ecs/12
+ *       NIST/800-53/AU-6(3)
+ *       NIST/800-53/AU-6(4)
+ *       NIST/800-53/CA-7
+ *       NIST/800-53/SI-2
+ */
+
+import iac
+
+from CloudFormation::ECSCluster cluster
+where not cluster.getContainerInsights().toString() = "'enabled'"
+select cluster, "ECS Cluster should have cluster settings enabled"

ql/src/security/CloudFormation/ECS/LatestVersion.ql

@@ -0,0 +1,33 @@
+/**
+ * @name ECS Fargate services should run on the latest Fargate platform version
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/latest-version
+ * @tags security
+ *       experimental
+ *       aws/ecs/10
+ *       NIST/800-53/SI-2
+ *       NIST/800-53/SI-2(2)
+ *       NIST/800-53/SI-2(4)
+ *       NIST/800-53/SI-2(5)
+ *       PCI-DSS/4.0.1
+ *       PCI-DSS/6.3.3
+ * 
+ */
+
+// need to figure out how to make !Ref to be recognized, then and this should be possible to be used properly, used as "Experimental for now
+import iac
+from CloudFormation::ECSService ecs, CloudFormation::TaskDefinition td
+//where ecs.getPlatformVersion().toString() = ["'LATEST'", "'1.4.0'"] or ecs.getPlatformVersion().toString() = ["'LATEST'", "'1.0.0'"]
+//where td.getRuntimePlatform().toString() = "'LINUX'" or td.getRuntimePlatform().toString() = "'WINDOWS'"
+where
+        ((ecs.getPlatformVersion().toString() = ["'LATEST'", "'1.4.0'"] or not exists(ecs.getPlatformVersion())) 
+        and 
+        (td.getRuntimePlatform().toString() ="'LINUX'" or not exists(td.getRuntimePlatform())) )
+        or 
+        ((ecs.getPlatformVersion().toString() = ["'LATEST'", "'1.0.0'"] or not exists(ecs.getPlatformVersion())) 
+        and 
+        (exists(td.getRuntimePlatform()) and td.getRuntimePlatform().toString() !="'LINUX'"))
+
+select td, "ContainerDefinitions must have a log configuration"
+

ql/src/security/CloudFormation/ECS/LogConfiguration.ql

@@ -0,0 +1,25 @@
+/**
+ * @name ECS task definitions should have a logging configuration
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/log-configuration
+ * @tags security
+ *       aws/ecs/9
+ *       NIST/800-53/AC-4(26)
+ *       NIST/800-53/AU-10
+ *       NIST/800-53/AU-12
+ *       NIST/800-53/AU-2
+ *       NIST/800-53/AU-3
+ *       NIST/800-53/AU-6(3)
+ *       NIST/800-53/AU-6(4)
+ *       NIST/800-53/CA-7
+ *       NIST/800-53/SC-7(9)
+ *       NIST/800-53/SI-7(8)
+ */
+
+import iac
+
+from CloudFormation::ContainerDefinition cd
+where not exists(cd.getLogConfiguration())
+select cd, "ContainerDefinitions must have a log configuration"
+

ql/src/security/CloudFormation/ECS/NetworkMode.ql

@@ -0,0 +1,25 @@
+/**
+ * @name Amazon ECS task definitions should have secure networking modes and user definitions.
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/networkmode
+ * @tags security
+ *       experimental
+ *       /aws/config/ecs/1
+ *       /NIST/800-53/AC-2(1)
+ *       /NIST/800-53/AC-3
+ *       /NIST/800-53/AC-3(15)
+ *       /NIST/800-53/AC-3(7)
+ *       /NIST/800-53/AC-5
+ *       /NIST/800-53/AC-6
+ */
+
+import iac
+
+//Check for NetworkMode to not be host in taskdefinition, this is very much experimental -> Experimental
+from CloudFormation::ContainerDefinition cd, CloudFormation::TaskDefinition td
+where
+  (cd.getUser().toString() = "'root'" or cd.getPrivileged() = "true") and
+  td.getNetworkMode().toString() = "'host'"
+select td,
+  "ContainerDefinitions must not run as root or be privileged when networkmode Host is used"

ql/src/security/CloudFormation/ECS/NonPriv.ql

@@ -0,0 +1,20 @@
+/**
+ * @name ECS containers should run as non-privileged
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/non-priv
+ * @tags security
+ *       aws/ecs/4
+ *       NIST/800-53/AC-2(1)
+ *       NIST/800-53/AC-3
+ *       NIST/800-53/AC-3(15)
+ *       NIST/800-53/AC-3(7)
+ *       NIST/800-53/AC-5
+ *       NIST/800-53/AC-6
+ */
+
+import iac
+
+from CloudFormation::ContainerDefinition cd
+where not cd.getPrivileged() = "false"
+select cd, "ContainerDefinitions must be explictly configured privileged mode to false"

ql/src/security/CloudFormation/ECS/PidMode.ql

@@ -0,0 +1,16 @@
+/**
+ * @name ECS task definitions should not share the host's process namespace
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/pidmode
+ * @tags security
+ *       aws/ecs/3
+ *       NIST/800-53/CA-9(1)
+ *       NIST/800-53/CM-2
+ */
+
+import iac
+
+from CloudFormation::TaskDefinition td
+where not td.getPidMode().toString() = "task"
+select td, "PidMode should be \"task\" for ECS tasks"

ql/src/security/CloudFormation/ECS/PublicIP.ql

@@ -0,0 +1,30 @@
+/**
+ * @name ECS task sets should not automatically assign public IP addresses
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/assignpublicip
+ * @tags security
+ *       aws/ecs/2
+ *       NIST/800-53/AC-21
+ *       NIST/800-53/AC-3
+ *       NIST/800-53/AC-3(7)
+ *       NIST/800-53/AC-4
+ *       NIST/800-53/AC-4(21)
+ *       NIST/800-53/AC-6
+ *       NIST/800-53/SC-7
+ *       NIST/800-53/SC-7(11)
+ *       NIST/800-53/SC-7(16)
+ *       NIST/800-53/SC-7(20)
+ *       NIST/800-53/SC-7(21)
+ *       NIST/800-53/SC-7(3)
+ *       NIST/800-53/SC-7(4)
+ *       NIST/800-53/SC-7(9)
+ *       PCI-DSS/4.0.1
+ *       PCI-DSS/1.4.4
+ */
+
+import iac
+
+from CloudFormation::ECSNetworkConfiguration ecsnetwork
+where not ecsnetwork.getAssignPublicIp().toString() = ["'DISABLED'","DISABLED"]
+select ecsnetwork.getAssignPublicIp(), "AssignPublicIp should be \"DISABLED\" for ECS tasks"

ql/src/security/CloudFormation/ECS/PublicIPTaskSet.ql

@@ -0,0 +1,17 @@
+/**
+ * @name ECS task sets should not automatically assign public IP addresses
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/assign-publicip-taskset
+ * @tags security
+ *       cloudformation
+ *       aws/ecs/16
+ *       PCI-DSS/4.0.1
+ *       PCI-DSS/1.4.4
+ */
+
+import iac
+
+from CloudFormation::ECSTaskSet ts
+//where not ts.getAssignPublicIp().toString() = ["'DISABLED'","DISABLED"]
+select ts, "AssignPublicIp must be \"DISABLED\" for ECS tasks"

ql/src/security/CloudFormation/ECS/ReadOnlyRootFileSystem.ql

@@ -0,0 +1,20 @@
+/**
+ * @name ECS containers should be limited to read-only access to root filesystems
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/read-only-root-filesystem
+ * @tags security
+ *       aws/ecs/5
+ *       NIST/800-53/AC-2(1)
+ *       NIST/800-53/AC-3
+ *       NIST/800-53/AC-3(15)
+ *       NIST/800-53/AC-3(7)
+ *       NIST/800-53/AC-5
+ *       NIST/800-53/AC-6
+ */
+
+import iac
+
+from CloudFormation::ContainerDefinition cd
+where not cd.getReadOnlyRootFilesystem() = "true"
+select cd, "Containers must have explictly only read only root filesystem"

ql/src/security/CloudFormation/ECS/Secrets.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Secrets should not be passed as container environment variables
+ * @kind problem
+ * @problem.severity warning
+ * @id iac/ecs/secrets
+ * @tags security
+ *       aws/ecs/8
+ *       NIST/800-53/AC-2(1)
+ *       NIST/800-53/AC-3
+ *       NIST/800-53/AC-3(15)
+ *       NIST/800-53/AC-3(7)
+ *       NIST/800-53/AC-5
+ *       NIST/800-53/AC-6
+ */
+
+import iac
+
+from CloudFormation::ContainerDefinition cd
+//where cd.getSecrets().getAChild().getAChild().toString() = ["'AWS_ACCESS_KEY_ID'", "'AWS_SECRET_ACCESS_KEY'", "'ECS_ENGINE_AUTH_DATA'"]
+select cd.getSecrets(), "Containers must not pass secret thorugh environment variables"