feat(HIPAA Security): CodeBuild checks (#340)
Closes #174
Closes #175 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
dontirun authored Sep 11, 2021
1 parent e6af24d commit e6cbc8d
Showing 8 changed files with 397 additions and 9 deletions.
4 changes: 3 additions & 1 deletion RULES.md
Expand Up @@ -145,6 +145,8 @@ There are currently no warnings for this rule pack.
| [HIPAA.Security-CloudTrailCloudWatchLogsEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-cloud-watch-logs-enabled.html) | The trail does not have CloudWatch logs enabled. | Use Amazon CloudWatch to centrally collect and manage log event activity. Inclusion of AWS CloudTrail data provides details of API call activity within your AWS account. | 164.308(a)(3)(ii)(A), 164.312(b) |
| [HIPAA.Security-CloudTrailEncryptionEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-encryption-enabled.html) | The trail does not have encryption enabled. | Because sensitive data may exist and to help protect data at rest, ensure encryption is enabled for your AWS CloudTrail trails. | 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| [HIPAA.Security-CloudTrailLogFileValidationEnabled](https://docs.aws.amazon.com/config/latest/developerguide/cloud-trail-log-file-validation-enabled.html) | The trail does not have log file validation enabled. | Utilize AWS CloudTrail log file validation to check the integrity of CloudTrail logs. Log file validation helps determine if a log file was modified or deleted or unchanged after CloudTrail delivered it. This feature is built using industry standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. | 164.312(c)(1), 164.312(c)(2) |
| [HIPAA.Security-CodeBuildProjectEnvVarAwsCred](https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html) | The Codebuild environment stores sensitive credentials (such as AWS_ACCESS_KEY_ID and/or AWS_SECRET_ACCESS_KEY) as plaintext environment variables. | Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1) |
| [HIPAA.Security-CodeBuildProjectSourceRepoUrl](https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html) | The Codebuild project which utilizes either a GitHub or BitBucket repository does not utilize OAUTH. | OAUTH is the most secure method of authenticating your Codebuild application. Use OAuth instead of personal access tokens or a user name and password to grant authorization for accessing GitHub or Bitbucket repositories. | 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1) |
| [HIPAA.Security-CloudWatchAlarmAction](https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html) | The CloudWatch alarm does not have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. | Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. | 164.312(b) |
| [HIPAA.Security-CloudWatchLogGroupEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html) | The CloudWatch Log Group is not encrypted with an AWS KMS key. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups. | 164.312(a)(2)(iv), 164.312(e)(2)(ii) |
| [HIPAA.Security-EC2InstanceDetailedMonitoringEnabled](https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-detailed-monitoring-enabled.html) | The EC2 instance does not have detailed monitoring enabled. | Enable this rule to help improve Amazon Elastic Compute Cloud (Amazon EC2) instance monitoring on the Amazon EC2 console, which displays monitoring graphs with a 1-minute period for the instance. | 164.312(b) |
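Review bot: the two new HIPAA.Security-CodeBuildProjectEnvVarAwsCred and HIPAA.Security-CodeBuildProjectSourceRepoUrl rows are inserted between the CloudTrail rows and the CloudWatch rows, which breaks the alphabetical order the rest of this table follows (CloudTrail, CloudWatch, then CodeBuild, then EC2); move them to directly after the HIPAA.Security-CloudWatchLogGroupEncrypted row. While touching them, the rows spell the service "Codebuild" and write "OAUTH" in one sentence and "OAuth" in the next; the code in hipaa-security.ts uses "CodeBuild", so align the table text with it.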
Expand Down Expand Up @@ -231,7 +233,7 @@ The [Operational Best Practices for NIST 800-53 rev 4](https://docs.aws.amazon.c
| [NIST.800.53-CloudWatchAlarmAction](https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-alarm-action-check.html) | The CloudWatch alarm does not have at least one alarm action, one INSUFFICIENT_DATA action, or one OK action enabled. | Amazon CloudWatch alarms alert when a metric breaches the threshold for a specified number of evaluation periods. The alarm performs one or more actions based on the value of the metric or expression relative to a threshold over a number of time periods. | AC-2(4), AU-6(1)(3), AU-7(1), CA-7(a)(b), IR-4(1), SI-4(2), SI-4(4), SI-4(5), SI-4(a)(b)(c) |
| [NIST.800.53-CloudWatchLogGroupEncrypted](https://docs.aws.amazon.com/config/latest/developerguide/cloudwatch-log-group-encrypted.html) | The CloudWatch Log Group is not encrypted with an AWS KMS key. | To help protect sensitive data at rest, ensure encryption is enabled for your Amazon CloudWatch Log Groups. | AU-9, SC-13, SC-28 |
| [NIST.800.53-CodeBuildCheckEnvVars](https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-envvar-awscred-check.html) | The Codebuild environment stores sensitive credentials (such as AWS_ACCESS_KEY_ID and/or AWS_SECRET_ACCESS_KEY) as plaintext environment variables. | Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access. | AC-6, IA-5(7), SA-3(a) |
| [NIST.800.53-CodeBuildURLCheck](https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html) | The Codebuild project which utilizes either a GitHub or BitBucket repository does not utilize OAUTH. | OAUTH is the most secure method of authenticating your Codebuild application. Use OAuth instead of personal access tokens or a user name and password to grant authorization for accessing GitHub or Bitbucket repositories. | SA-3(a |
| [NIST.800.53-CodeBuildURLCheck](https://docs.aws.amazon.com/config/latest/developerguide/codebuild-project-source-repo-url-check.html) | The Codebuild project which utilizes either a GitHub or BitBucket repository does not utilize OAUTH. | OAUTH is the most secure method of authenticating your Codebuild application. Use OAuth instead of personal access tokens or a user name and password to grant authorization for accessing GitHub or Bitbucket repositories. | SA-3(a) |
| [NIST.800.53-DMSReplicationNotPublic](https://docs.aws.amazon.com/config/latest/developerguide/dms-replication-not-public.html) | The DMS replication instance is public. | DMS replication instances can contain sensitive information and access control is required for such accounts. | AC-4 |
| [NIST.800.53-DynamoDBPITREnabled](https://docs.aws.amazon.com/config/latest/developerguide/dynamodb-pitr-enabled.html) | The DynamoDB table does not have Point-in-time Recovery enabled. | The recovery maintains continuous backups of your table for the last 35 days. | CP-9(b), CP-10, SI-12 |
| [NIST.800.53-EC2CheckCommonPortsRestricted](https://docs.aws.amazon.com/config/latest/developerguide/restricted-common-ports.html) | The EC2 instance allows unrestricted inbound IPv4 TCP traffic on one or more common ports (by default these ports include 20, 21, 3389, 3309, 3306, 4333). | Not restricting access to ports to trusted sources can lead to attacks against the availability, integrity and confidentiality of systems. By default, common ports which should be restricted include port numbers 20, 21, 3389, 3306, and 4333. | AC-4, CM-2, SC-7, SC-7(3) |
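Review bot: the fix of the unbalanced "SA-3(a" in the NIST.800.53-CodeBuildURLCheck row is correct, but the same row still reads "Codebuild" and "OAUTH" (the rest of the document uses "CodeBuild" and "OAuth"), and the NIST.800.53-CodeBuildCheckEnvVars row one line above has the same "Codebuild" spelling; since this row is being edited anyway, fix both here rather than in a follow-up.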
51 changes: 45 additions & 6 deletions src/HIPAA-Security/hipaa-security.ts
Expand Up @@ -24,6 +24,10 @@ import {
hipaaSecurityCloudWatchAlarmAction,
hipaaSecurityCloudWatchLogGroupEncrypted,
} from './rules/cloudwatch';
import {
hipaaSecurityCodeBuildProjectEnvVarAwsCred,
hipaaSecurityCodeBuildProjectSourceRepoUrl,
} from './rules/codebuild';
import {
hipaaSecurityEC2InstanceDetailedMonitoringEnabled,
hipaaSecurityEC2InstancesInVPC,
Expand All @@ -42,6 +46,8 @@ export class HIPAASecurityChecks extends NagPack {
this.checkAPIGW(node, ignores);
this.checkAutoScaling(node, ignores);
this.checkCloudTrail(node, ignores);
// this.checkCloudWatch(node, ignores);
this.checkCodeBuild(node, ignores);
this.checkCloudWatch(node, ignores);
// this.checkCodeBuild(node, ignores);
// this.checkDMS(node, ignores);
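Review bot: after this hunk the dispatcher carries both a live `this.checkCloudWatch(node, ignores);` and a commented-out `// this.checkCloudWatch(node, ignores);`, and likewise a live `this.checkCodeBuild(node, ignores);` next to `// this.checkCodeBuild(node, ignores);`. Both checks now exist, so the commented lines are dead and only invite someone to uncomment one and run a check twice; drop them so the list reads checkCloudTrail, checkCloudWatch, checkCodeBuild, then the still-pending `// this.checkDMS(node, ignores);`.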
Expand Down Expand Up @@ -259,12 +265,45 @@ export class HIPAASecurityChecks extends NagPack {
}
}

// /**
// * Check CodeBuild Resources
// * @param node the IConstruct to evaluate
// * @param ignores list of ignores for the resource
// */
// private checkCodeBuild(node: CfnResource, ignores: any): void {}
/**
* Check CodeBuild Resources
* @param node the IConstruct to evaluate
* @param ignores list of ignores for the resource
*/
private checkCodeBuild(node: CfnResource, ignores: any): void {
if (
!this.ignoreRule(
ignores,
'HIPAA.Security-CodeBuildProjectEnvVarAwsCred'
) &&
!hipaaSecurityCodeBuildProjectEnvVarAwsCred(node)
) {
const ruleId = 'HIPAA.Security-CodeBuildProjectEnvVarAwsCred';
const info =
'The CodeBuild environment stores sensitive credentials (such as AWS_ACCESS_KEY_ID and/or AWS_SECRET_ACCESS_KEY) as plaintext environment variables - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1)).';
const explanation =
'Do not store these variables in clear text. Storing these variables in clear text leads to unintended data exposure and unauthorized access.';
Annotations.of(node).addError(
this.createMessage(ruleId, info, explanation)
);
}
if (
!this.ignoreRule(
ignores,
'HIPAA.Security-CodeBuildProjectSourceRepoUrl'
) &&
!hipaaSecurityCodeBuildProjectSourceRepoUrl(node)
) {
const ruleId = 'HIPAA.Security-CodeBuildProjectSourceRepoUrl';
const info =
'The CodeBuild project which utilizes either a GitHub or BitBucket source repository does not utilize OAUTH - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1)).';
const explanation =
'OAUTH is the most secure method of authenticating your CodeBuild application. Use OAuth instead of personal access tokens or a user name and password to grant authorization for accessing GitHub or Bitbucket repositories.';
Annotations.of(node).addError(
this.createMessage(ruleId, info, explanation)
);
}
}

// /**
// * Check DMS Resources
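Review bot: in both branches of `checkCodeBuild` the rule ID is written twice, once as the string passed to `ignoreRule` and again as `const ruleId`; if the two copies ever drift, a user's suppression would stop matching while the error is still emitted under the other name. Declare `const ruleId = 'HIPAA.Security-CodeBuildProjectEnvVarAwsCred';` (and the SourceRepoUrl equivalent) before each `if` and pass `ruleId` to `ignoreRule`. Also, the doc comment says `@param node the IConstruct to evaluate` while the signature takes `node: CfnResource`; make the comment match the type. The `ignores: any` parameter follows the pattern of the other check methods in this file, so no change there.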
Expand Down
@@ -0,0 +1,40 @@
/*
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

import { CfnProject } from '@aws-cdk/aws-codebuild';
import { IConstruct, Stack } from '@aws-cdk/core';

/**
* CodeBuild projects do not store AWS credentials as plaintext environment variables - (Control IDs: 164.308(a)(3)(i), 164.308(a)(4)(ii)(A), 164.308(a)(4)(ii)(C), 164.312(a)(1))
* @param node the CfnResource to check
*/
export default function (node: IConstruct): boolean {
if (node instanceof CfnProject) {
//Check for the presence of OAUTH
const environment = Stack.of(node).resolve(node.environment);
const environmentVars = Stack.of(node).resolve(
environment.environmentVariables
);
if (environmentVars != undefined) {
//For each envvar, check if its a sensitive credential being stored
for (const envVar of environmentVars) {
const resolvedEnvVar = Stack.of(node).resolve(envVar);
if (
resolvedEnvVar.name == 'AWS_ACCESS_KEY_ID' ||
resolvedEnvVar.name == 'AWS_SECRET_ACCESS_KEY'
) {
//is this credential being stored as plaintext?
if (
resolvedEnvVar.type == undefined ||
resolvedEnvVar.type == 'PLAINTEXT'
) {
return false;
}
}
}
}
}
return true;
}
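Review bot: the comment `//Check for the presence of OAUTH` on the line after `if (node instanceof CfnProject) {` is copied from the source-repo-URL rule and does not describe this function, which looks for environment variables named AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY whose type is undefined or 'PLAINTEXT'; reword it, for example `//Check for AWS credentials stored as plaintext environment variables`. The logic itself is sound: CloudFormation defaults an environment variable's Type to PLAINTEXT, so treating an undefined type as plaintext is the right reading, and PARAMETER_STORE or SECRETS_MANAGER values pass as they should. One more mismatch: the doc comment says `@param node the CfnResource to check` but the parameter is typed `IConstruct`; align the two.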