
Merge pull request #56 from mdr-engineering/feature/ftd_MSOCI-1314_password_policy

Updates CIS Policies
Frederick Damstra 5 лет назад
Родитель
Сommit
68e0cf1101

+ 26 - 0
base/account_standards/iam_password_policy.tf

@@ -0,0 +1,26 @@
+resource "aws_iam_account_password_policy" "cis" {
+  # 1.5
+  require_uppercase_characters = true
+
+  # 1.6
+  require_lowercase_characters = true
+
+  # 1.7
+  require_symbols = true
+
+  # 1.8
+  require_numbers = true
+
+  # 1.9
+  minimum_password_length = 14
+
+  # 1.10
+  password_reuse_prevention = 24
+
+  # 1.11
+  max_password_age = 90
+
+  allow_users_to_change_password = true
+
+  hard_expiry = true
+}
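Review bot: Every value in the new `aws_iam_account_password_policy.cis` block is a literal, whereas the block deleted from section-1_5.tf below read the same settings from `var.iam_*` inputs; if those variables still exist elsewhere in the module they are now dead, and consumers can no longer tighten beyond the CIS floor without editing this file. Separately, `hard_expiry = true` together with `max_password_age = 90` means an IAM user whose password has lapsed cannot sign in to rotate it and needs an administrator reset, which is worth stating next to the setting, e.g. `# hard_expiry: an expired password blocks sign-in until an admin resets it (no self-service rotation)`. The `# 1.5` … `# 1.11` comments cite CIS control numbers without the benchmark edition; since those numbers shift between editions, a one-line file header naming the edition would keep the references auditable.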

+ 0 - 35
base/account_standards/to_be_reviewed/files/root_account_check.py

@@ -1,35 +0,0 @@
-import boto3
-
-
-def send_notifications(message):
-    # TODO
-    return True
-
-
-def lambda_handler(event, context):
-    iam = boto3.client('iam')
-    message_body = ""
-
-    account_summary = iam.get_account_summary()
-
-    if account_summary['SummaryMap']['AccountAccessKeysPresent'] != 0:
-        notification = "Root account has an access key. It should be removed\n"
-        print notification
-        message_body += notification
-
-    if account_summary['SummaryMap']['AccountMFAEnabled'] != 1:
-        notification = "Root account does not have MFA set up\n"
-
-    # TODO
-    # There will be check if the root account's MFA device is a hardware oneself.
-    # First, I need to have one that I can test while I develop
-
-    if message_body:
-        send_notifications(message_body)
-    else:
-        print 'Everything seems fine'
-
-# if __name__ == "__main__":
-#    event = 1
-#    context = 1
-#    lambda_handler(event, context)

+ 0 - 75
base/account_standards/to_be_reviewed/files/support_group_check.py

@@ -1,75 +0,0 @@
-import os
-import boto3
-
-iam = boto3.client('iam')
-
-
-def answer_no(x): return True if str(x).lower() in [
-    '0', 'no', 'false'] else False
-
-
-def answer_yes(x): return True if str(x).lower() in [
-    '1', 'yes', 'true'] else False
-
-
-def send_notifications(message):
-    # TODO:
-    return True
-
-
-def if_policy_attached_to_any_group(arn):
-    entities = iam.list_entities_for_policy(
-        PolicyArn=arn,
-        EntityFilter='Group',
-    )
-    return entities['PolicyGroups']
-
-
-def if_any_group_has_users(groups):
-    for group in groups:
-        group_detail = iam.get_group(
-            GroupName=group['GroupName'],
-            MaxItems=1,
-        )
-        if len(group_detail['Users']) > 0:
-            return True
-    return False
-
-
-def lambda_handler(event, context):
-    rc = 1
-    message = "Checking if the AWSSupportAccess policy attached to any group"
-    print message
-
-    paginator = iam.get_paginator('list_policies')
-    page_iterator = paginator.paginate()
-    # Filter with JMESPath and find out instances without an IAM Instance profile
-    filtered_iterator = page_iterator.search(
-        'Policies[?PolicyName == `AWSSupportAccess`].Arn')
-
-    for arn in filtered_iterator:
-        groups = if_policy_attached_to_any_group(arn)
-
-        if len(groups) > 0:
-            groups_has_user = if_any_group_has_users(groups)
-            if groups_has_user:
-                notification = 'Everthing is fine.'
-                print notification
-                message += notification
-                rc = 0
-            else:
-                notification = 'None of the groups have user attached'
-                print notification
-                message += notification
-        else:
-            notification = 'AWSSupportAccess is not attached to any group'
-            print notification
-            message += notification + "\n"
-    send_notifications(message)
-    exit(rc)
-
-
-# if __name__ == "__main__":
-#    event = 1
-#    context = 1
-#    lambda_handler(event, context)

+ 0 - 74
base/account_standards/to_be_reviewed/section-1_12.tf

@@ -1,74 +0,0 @@
-# Inactivity check and disable function
-## IAM Policy
-data "template_file" "root_account_check_policy" {
-  template = file("${path.module}/templates/lambda_root_account_check_policy.json.tpl")
-}
-
-resource "aws_iam_role" "root_account_check" {
-  name               = "${var.resource_name_prefix}-root-account-check"
-  path               = "/lambda/"
-  assume_role_policy = data.template_file.iam_lambda_assume_role_policy.rendered
-}
-
-resource "aws_iam_role_policy" "root_account_check" {
-  name   = "${var.resource_name_prefix}-lambda-root-account-check"
-  role   = aws_iam_role.root_account_check.id
-  policy = data.template_file.root_account_check_policy.rendered
-}
-
-## /IAM Policy
-
-## Create the function
-data "archive_file" "root_account_check" {
-  type        = "zip"
-  source_file = "${path.module}/files/root_account_check.py"
-  output_path = "${var.temp_artifacts_dir}/root_account_check.zip"
-}
-
-resource "aws_lambda_function" "root_account_check" {
-  filename         = "${var.temp_artifacts_dir}/root_account_check.zip"
-  function_name    = "${var.resource_name_prefix}-root-account-check"
-  role             = aws_iam_role.root_account_check.arn
-  handler          = "root_account_check.lambda_handler"
-  source_code_hash = data.archive_file.root_account_check.output_base64sha256
-  runtime          = "python2.7"
-  timeout          = var.lambda_timeout
-
-  environment {
-    variables = {
-      DRY_RUN                = var.lambda_dry_run
-      AGGRESSIVE             = var.lambda_aggressive
-      INACTIVITY_LIMIT       = var.lambda_user_inactivity_limit
-      IGNORE_IAM_USER_PREFIX = var.lambda_mfa_checker_user_prefix
-      IGNORE_IAM_USER_SUFFIX = var.lambda_mfa_checker_user_suffix
-    }
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-## /Create the function
-
-## Schedule the lambda function
-resource "aws_cloudwatch_event_rule" "root_account_check" {
-  name                = "${var.resource_name_prefix}-root-account-check"
-  description         = "disables inactive users"
-  schedule_expression = var.lambda_cron_schedule
-}
-
-resource "aws_cloudwatch_event_target" "root_account_check" {
-  rule      = aws_cloudwatch_event_rule.root_account_check.name
-  target_id = "${var.resource_name_prefix}-root-account-check"
-  arn       = aws_lambda_function.root_account_check.arn
-}
-
-resource "aws_lambda_permission" "root_account_check" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.root_account_check.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.root_account_check.arn
-}
-
-## /Schedule the lambda function
-# /MFA check and disable function

+ 0 - 17
base/account_standards/to_be_reviewed/section-1_17.tfskip

@@ -1,17 +0,0 @@
-data "aws_billing_service_account" "main" {}
-
-data "template_file" "billing-s3-bucket-name" {
-  template = "${file("${path.module}/templates/billing-s3-bucket-name.json.tpl")}"
-
-  vars {
-    bucket_name                     = "${lookup(local.workspace-dps-s3-cloudtrail-bucket,terraform.workspace,"")}"
-    aws_billing_service_account_arn = "${data.aws_billing_service_account.main.arn}"
-  }
-}
-
-resource "aws_s3_bucket" "billing_logs" {
-  bucket = "${lookup(local.workspace-dps-s3-cloudtrail-bucket,terraform.workspace,"")}"
-  acl    = "private"
-
-  policy = "${var.billing_s3_bucket_policy}"
-}

+ 0 - 65
base/account_standards/to_be_reviewed/section-1_22.tf

@@ -1,65 +0,0 @@
-# Support group check and delete function
-## IAM Policy
-data "template_file" "support_group_check_policy" {
-  template = file("${path.module}/templates/lambda_support_group_check_policy.json.tpl")
-}
-
-resource "aws_iam_role" "support_group_check" {
-  path               = "/lambda/"
-  name               = "${var.resource_name_prefix}-support-group-check"
-  assume_role_policy = data.template_file.iam_lambda_assume_role_policy.rendered
-}
-
-resource "aws_iam_role_policy" "support_group_check" {
-  name   = "${var.resource_name_prefix}-lambda-support-group-check"
-  role   = aws_iam_role.support_group_check.id
-  policy = data.template_file.support_group_check_policy.rendered
-}
-
-## /IAM Policy
-
-## Create the function
-data "archive_file" "support_group_check" {
-  type        = "zip"
-  source_file = "${path.module}/files/support_group_check.py"
-  output_path = "${var.temp_artifacts_dir}/support_group_check.zip"
-}
-
-resource "aws_lambda_function" "support_group_check" {
-  filename         = "${var.temp_artifacts_dir}/support_group_check.zip"
-  function_name    = "${var.resource_name_prefix}-support-group-check"
-  role             = aws_iam_role.support_group_check.arn
-  handler          = "support_group_check.lambda_handler"
-  source_code_hash = data.archive_file.support_group_check.output_base64sha256
-  runtime          = "python2.7"
-  timeout          = var.lambda_timeout
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-## /Create the function
-
-## Schedule the lambda function
-resource "aws_cloudwatch_event_rule" "support_group_check" {
-  name                = "${var.resource_name_prefix}-support-group-check"
-  description         = "remove expiring access keys"
-  schedule_expression = var.lambda_cron_schedule
-}
-
-resource "aws_cloudwatch_event_target" "support_group_check" {
-  rule      = aws_cloudwatch_event_rule.support_group_check.name
-  target_id = "${var.resource_name_prefix}-support-group-check"
-  arn       = aws_lambda_function.support_group_check.arn
-}
-
-resource "aws_lambda_permission" "support_group_check" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.support_group_check.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.support_group_check.arn
-}
-
-## /Schedule the lambda function
-# /Support group check and delete function
-

+ 0 - 105
base/account_standards/to_be_reviewed/section-1_5.tf

@@ -1,105 +0,0 @@
-resource "aws_iam_account_password_policy" "cis" {
-  # 1.5
-  require_uppercase_characters = var.iam_require_uppercase_characters
-
-  # 1.6
-  require_lowercase_characters = var.iam_require_lowercase_characters
-
-  # 1.7
-  require_symbols = var.iam_require_symbols
-
-  # 1.8
-  require_numbers = var.iam_require_numbers
-
-  # 1.9
-  minimum_password_length = var.iam_minimum_password_length
-
-  # 1.10
-  password_reuse_prevention = var.iam_password_reuse_prevention
-
-  # 1.11
-  max_password_age = var.iam_max_password_age
-
-  allow_users_to_change_password = var.iam_allow_users_to_change_password
-
-  hard_expiry = var.iam_hard_expiry
-}
-
-# Password policy check function
-## IAM Policy
-data "template_file" "password_policy_check_policy" {
-  template = file("${path.module}/templates/lambda_password_policy_check_policy.json.tpl")
-}
-
-resource "aws_iam_role" "password_policy_check" {
-  name               = "${var.resource_name_prefix}-password-policy-check"
-  path               = "/lambda/"
-  assume_role_policy = data.template_file.iam_lambda_assume_role_policy.rendered
-}
-
-resource "aws_iam_role_policy" "password_policy_check" {
-  name   = "${var.resource_name_prefix}-lambda-password-policy-check"
-  role   = aws_iam_role.password_policy_check.id
-  policy = data.template_file.password_policy_check_policy.rendered
-}
-
-## /IAM Policy
-
-## Create the function
-data "archive_file" "password_policy_check" {
-  type        = "zip"
-  source_file = "${path.module}/files/password_policy_check.py"
-  output_path = "${var.temp_artifacts_dir}/password_policy_check.zip"
-}
-
-resource "aws_lambda_function" "password_policy_check" {
-  filename         = "${var.temp_artifacts_dir}/password_policy_check.zip"
-  function_name    = "${var.resource_name_prefix}-password-policy-check"
-  role             = aws_iam_role.password_policy_check.arn
-  handler          = "password_policy_check.lambda_handler"
-  source_code_hash = data.archive_file.password_policy_check.output_base64sha256
-  runtime          = "python2.7"
-  timeout          = var.lambda_timeout
-
-  environment {
-    variables = {
-      REQUIRE_UPPERCASE_CHARACTERS   = var.iam_require_uppercase_characters
-      REQUIRE_LOWERCASE_CHARACTERS   = var.iam_require_lowercase_characters
-      REQUIRE_SYMBOLS                = var.iam_require_symbols
-      REQUIRE_NUMBERS                = var.iam_require_numbers
-      MINIMUM_PASSWORD_LENGTH        = var.iam_minimum_password_length
-      PASSWORD_REUSE_PREVENTION      = var.iam_password_reuse_prevention
-      MAX_PASSWORD_AGE               = var.iam_max_password_age
-      ALLOW_USERS_TO_CHANGE_PASSWORD = var.iam_allow_users_to_change_password
-      HARD_EXPIRY                    = var.iam_hard_expiry
-    }
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-## /Create the function
-
-## Schedule the lambda function
-resource "aws_cloudwatch_event_rule" "password_policy_check" {
-  name                = "${var.resource_name_prefix}-password-policy-check"
-  description         = "Check if password policy is in desired state"
-  schedule_expression = var.lambda_cron_schedule
-}
-
-resource "aws_cloudwatch_event_target" "password_policy_check" {
-  rule      = aws_cloudwatch_event_rule.password_policy_check.name
-  target_id = "${var.resource_name_prefix}-password-policy-check"
-  arn       = aws_lambda_function.password_policy_check.arn
-}
-
-resource "aws_lambda_permission" "password_policy_check" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.password_policy_check.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.password_policy_check.arn
-}
-
-## /Schedule the lambda function
-# /Password policy check function

+ 0 - 135
base/account_standards/to_be_reviewed/section-2_1.tf.TODO

@@ -1,135 +0,0 @@
-# TODO
-# this needs to be split into two modules:
-#   1) Set up the centralized key and s3 bucket
-#   2) Set up the logging from the client
-data "aws_caller_identity" "current" {}
-
-data "template_file" "cloudtrail_kms" {
-  template = file("${path.module}/templates/cloudtrail_kms_policy.json.tpl")
-
-  vars {
-    aws_account_id = data.aws_caller_identity.current.account_id
-  }
-}
-
-resource "aws_kms_key" "cloudtrail" {
-  description             = "Encrypt/Decrypt cloudtrail logs"
-  deletion_window_in_days = 30
-  is_enabled              = true
-  enable_key_rotation     = true
-
-  policy = var.cloudtrail_kms_policy != "" ? var.cloudtrail_kms_policy : data.template_file.cloudtrail_kms.rendered}
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-resource "aws_kms_alias" "cloudtrail" {
-  name          = "alias/${var.resource_name_prefix}-cloudtrail"
-  target_key_id = "${aws_kms_key.cloudtrail.key_id}"
-}
-
-resource "aws_s3_bucket" "dps-mdr-cloudtrail" {
-  bucket = "${lookup(local.workspace-dps-s3-cloudtrail-bucket,terraform.workspace,"")}"
-  acl    = "private"
-  region = "us-east-1"
-  policy = "${file("${path.module}/templates/${lookup(local.workspace-dps-s3-cloudtrail-bucket-policy,terraform.workspace,"")}")}" 
-
-  tags {
-    Billing = "MSSP - MSOC Infrastrucutre"
-  }
-
-}
-
-resource "aws_cloudtrail" "cloudtrail" {
-  name                          = "${var.resource_name_prefix}-trail"
-  s3_bucket_name                = "${lookup(local.workspace-dps-s3-cloudtrail-bucket,terraform.workspace,"")}"
-  is_multi_region_trail         = true
-  include_global_service_events = true
-  enable_log_file_validation    = true
-  kms_key_id                    = "${aws_kms_key.cloudtrail.arn}"
-  cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.aws-cis-logs.arn}"
-  cloud_watch_logs_role_arn     = "${aws_iam_role.cloudtrail_cloudwatchlogs_role.arn}"
-
-  event_selector {
-    read_write_type           = "${var.clodtrail_event_selector_type}"
-    include_management_events = true
-
-    data_resource {
-      type   = "AWS::S3::Object"
-      values = ["arn:aws:s3"]
-    }
-
-    data_resource {
-      type   = "AWS::Lambda::Function"
-      values = ["arn:aws:lambda"]
-    }
-  }
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-# CloudTrail check
-## IAM Policy
-data "template_file" "cloudtrail_status_check_policy" {
-  template = "${file("${path.module}/templates/lambda_cloudtrail_status_check_policy.json.tpl")}"
-}
-
-resource "aws_iam_role" "cloudtrail_status_check" {
-  provider           = "aws.iam_admin"
-  name               = "${var.resource_name_prefix}-cloudtrail-status-check"
-  assume_role_policy = "${data.template_file.iam_lambda_assume_role_policy.rendered}"
-}
-
-resource "aws_iam_role_policy" "cloudtrail_status_check" {
-  provider           = "aws.iam_admin"
-  name   = "${var.resource_name_prefix}-lambda-cloudtrail-status-check"
-  role   = "${aws_iam_role.cloudtrail_status_check.id}"
-  policy = "${data.template_file.cloudtrail_status_check_policy.rendered}"
-}
-
-## /IAM Policy
-
-## Create the function
-data "archive_file" "cloudtrail_status_check" {
-  type        = "zip"
-  source_file = "${path.module}/files/cloudtrail_status_check.py"
-  output_path = "${var.temp_artifacts_dir}/cloudtrail_status_check.zip"
-}
-
-resource "aws_lambda_function" "cloudtrail_status_check" {
-  filename         = "${var.temp_artifacts_dir}/cloudtrail_status_check.zip"
-  function_name    = "${var.resource_name_prefix}-cloudtrail-status-check"
-  role             = "${aws_iam_role.cloudtrail_status_check.arn}"
-  handler          = "cloudtrail_status_check.lambda_handler"
-  source_code_hash = "${data.archive_file.cloudtrail_status_check.output_base64sha256}"
-  runtime          = "python2.7"
-  timeout          = "${var.lambda_timeout}"
-
-  tags = merge(var.standard_tags, var.tags)
-}
-
-## /Create the function
-
-## Schedule the lambda function
-resource "aws_cloudwatch_event_rule" "cloudtrail_status_check" {
-  name                = "${var.resource_name_prefix}-cloudtrail-status-check"
-  description         = "remove expiring access keys"
-  schedule_expression = "${var.lambda_cron_schedule}"
-}
-
-resource "aws_cloudwatch_event_target" "cloudtrail_status_check" {
-  rule      = "${aws_cloudwatch_event_rule.cloudtrail_status_check.name}"
-  target_id = "${var.resource_name_prefix}-cloudtrail-status-check"
-  arn       = "${aws_lambda_function.cloudtrail_status_check.arn}"
-}
-
-resource "aws_lambda_permission" "cloudtrail_status_check" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = "${aws_lambda_function.cloudtrail_status_check.function_name}"
-  principal     = "events.amazonaws.com"
-  source_arn    = "${aws_cloudwatch_event_rule.cloudtrail_status_check.arn}"
-}
-
-## /Schedule the lambda function
-# /# CloudTrail check