def policy(resource):
    """Pass when the VPC's default network ACL carries no entries.

    The default ACL is resolved through ``resource_lookup`` using an ARN built
    from the VPC's ``Region``, ``AccountId`` and ``DefaultNetworkAclId``.

    Args:
        resource: VPC resource dict with ``Region``, ``AccountId`` and
            ``DefaultNetworkAclId`` keys.

    Returns:
        True if the VPC is outside PCI scope or its default ACL has an empty
        ``Entries`` list; False otherwise.
    """
    # Resources outside PCI scope are not evaluated by this policy.
    if not IN_PCI_SCOPE(resource):
        return True
    acl_arn = "arn:aws:ec2:{}:{}:network-acl/{}".format(
        resource["Region"], resource["AccountId"], resource["DefaultNetworkAclId"]
    )
    # NOTE(review): resource_lookup returning None would raise here — confirm it
    # always yields a dict for a known ACL id.
    entries = resource_lookup(acl_arn)["Entries"]
    return not entries
def policy(resource):
    """Pass when the DynamoDB table has Time To Live enabled.

    Args:
        resource: DynamoDB table resource dict with a ``TimeToLiveDescription``
            key.

    Returns:
        True if the table is outside PCI scope or its TTL status is
        ``ENABLED``; False when the description is empty or the status is
        anything else.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    ttl_description = resource["TimeToLiveDescription"]
    # An absent or empty description means TTL was never configured.
    if not ttl_description:
        return False
    status = deep_get(resource, "TimeToLiveDescription", "TimeToLiveStatus")
    return status == "ENABLED"
def policy(resource):
    """Pass when the VPC's default network ACL carries no entries.

    Walks the VPC's ``NetworkAcls`` and evaluates the first one flagged
    ``IsDefault``; a VPC with no default ACL listed fails.

    Args:
        resource: VPC resource dict with a ``NetworkAcls`` list whose items
            have ``IsDefault`` and ``Entries`` keys.

    Returns:
        True if the VPC is outside PCI scope or its default ACL has no
        entries; False if the default ACL has entries or is not listed.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    defaults = (acl for acl in resource["NetworkAcls"] if acl["IsDefault"])
    default_acl = next(defaults, None)
    # No default ACL in the snapshot is treated as a failure, not a pass.
    if default_acl is None:
        return False
    return not default_acl["Entries"]
def policy(resource):
    """Pass when the DynamoDB table has Time To Live enabled.

    Args:
        resource: DynamoDB table resource dict with a ``TimeToLiveDescription``
            key holding a ``TimeToLiveStatus``.

    Returns:
        True if the table is outside PCI scope or its TTL status is
        ``ENABLED``; False when the description is empty or the status is
        anything else.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    ttl_description = resource['TimeToLiveDescription']
    # An absent or empty description means TTL was never configured.
    if not ttl_description:
        return False
    return ttl_description['TimeToLiveStatus'] == 'ENABLED'
def policy(resource):
    """Fail when any ingress allow entry on the network ACL covers all ports.

    Args:
        resource: network ACL resource dict with an ``Entries`` list; each
            entry has ``RuleAction``, ``Egress`` and ``PortRange`` keys.

    Returns:
        True if the ACL is outside PCI scope or no ingress allow entry has a
        ``None`` port range; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    ingress_allows = (
        entry
        for entry in resource["Entries"]
        if entry["RuleAction"] == "allow" and not entry["Egress"]
    )
    # A missing port range means the entry matches every port ("All Ports").
    # NOTE(review): an all-protocol entry is only caught here when its
    # PortRange is None — confirm that holds for the resource snapshot.
    return all(entry["PortRange"] is not None for entry in ingress_allows)
def policy(resource):
    """Fail when any egress allow entry on the network ACL covers all ports.

    Args:
        resource: network ACL resource dict with an ``Entries`` list; each
            entry has ``RuleAction``, ``Egress`` and ``PortRange`` keys.

    Returns:
        True if the ACL is outside PCI scope or no egress allow entry has a
        ``None`` port range; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    egress_allows = (
        entry
        for entry in resource['Entries']
        if entry['RuleAction'] == 'allow' and entry['Egress']
    )
    # A missing port range means the entry matches every port ("All Ports").
    # NOTE(review): an all-protocol entry is only caught here when its
    # PortRange is None — confirm that holds for the resource snapshot.
    return all(entry['PortRange'] is not None for entry in egress_allows)
def policy(resource):
    """Pass when the WAF web ACL has a BLOCK rule with an XssMatch predicate.

    Args:
        resource: WAF web ACL resource dict whose ``Rules`` list (may be
            None) holds rules with ``Action.Type`` and ``Predicates``.

    Returns:
        True if the web ACL is outside PCI scope or at least one rule with
        ``Action.Type == 'BLOCK'`` carries a predicate of type ``XssMatch``;
        False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    # Only rules that actually block traffic count as XSS protection.
    blocking_rules = (
        rule for rule in resource['Rules'] or [] if rule['Action']['Type'] == 'BLOCK'
    )
    return any(
        predicate['Type'] == 'XssMatch'
        for rule in blocking_rules
        for predicate in rule['Predicates']
    )
def policy(resource):
    """Pass when the WAF web ACL has a BLOCK rule with an XssMatch predicate.

    Args:
        resource: WAF web ACL resource dict whose ``Rules`` list (may be
            None) holds rules with ``Action.Type`` and ``Predicates``.

    Returns:
        True if the web ACL is outside PCI scope or at least one rule whose
        action type is ``BLOCK`` carries a predicate of type ``XssMatch``;
        False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    # Only rules that actually block traffic count as XSS protection.
    blocking_rules = (
        rule
        for rule in resource["Rules"] or []
        if deep_get(rule, "Action", "Type") == "BLOCK"
    )
    return any(
        predicate["Type"] == "XssMatch"
        for rule in blocking_rules
        for predicate in rule["Predicates"]
    )
def policy(resource):
    """Fail when any ingress permission on the security group opens all ports.

    Args:
        resource: security group resource dict with an ``IpPermissions`` list
            (may be None) of permissions carrying ``FromPort``/``ToPort``.

    Returns:
        True if the group is outside PCI scope, has no permissions, or every
        permission is bounded to less than the full 0-65535 range; False if a
        permission has no port bounds or spans 0-65535.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    permissions = resource['IpPermissions']
    if permissions is None:
        return True

    def opens_all_ports(from_port, to_port):
        # No bounds at all ("All Ports"), or the full 0-65535 span
        # ("All TCP" / "All UDP").
        unbounded = from_port is None or to_port is None
        return unbounded or (from_port, to_port) == (0, 65535)

    for permission in permissions:
        if opens_all_ports(permission['FromPort'], permission['ToPort']):
            return False
    return True
def policy(resource):
    """Fail when any ingress permission on the security group admits public IP space.

    Args:
        resource: security group resource dict with an ``IpPermissions`` list
            (may be None) whose items carry ``IpRanges`` (``CidrIp``) and
            ``Ipv6Ranges`` (``CidrIpv6``) lists.

    Returns:
        True if the group is outside PCI scope or every CIDR in every ingress
        permission is a private network; False as soon as a CIDR is the
        unbounded ``0.0.0.0/0`` / ``::/0`` or any non-private network.
    """
    # Only apply this policy to security groups in scope for PCI
    if not IN_PCI_SCOPE(resource):
        return True

    def reaches_public_space(cidr, unbounded):
        # The catch-all CIDR is public by definition; anything else is judged
        # by ipaddress's is_private classification.
        return cidr == unbounded or not ip_network(cidr).is_private

    for permission in resource["IpPermissions"] or []:
        ipv4_cidrs = (ip_range["CidrIp"] for ip_range in permission["IpRanges"] or [])
        if any(reaches_public_space(cidr, "0.0.0.0/0") for cidr in ipv4_cidrs):
            return False
        ipv6_cidrs = (ip_range["CidrIpv6"] for ip_range in permission["Ipv6Ranges"] or [])
        if any(reaches_public_space(cidr, "::/0") for cidr in ipv6_cidrs):
            return False
    return True
def policy(resource):
    """Fail when any egress permission on the security group can reach public IP space.

    Args:
        resource: security group resource dict with an ``IpPermissionsEgress``
            list (may be None) whose items carry ``IpRanges`` (``CidrIp``) and
            ``Ipv6Ranges`` (``CidrIpv6``) lists.

    Returns:
        True if the group is outside PCI scope or every CIDR in every egress
        permission is a private network; False as soon as a CIDR is the
        unbounded ``0.0.0.0/0`` / ``::/0`` or any non-private network.
    """
    # Only apply this policy if the Security Group is in scope for PCI
    if not IN_PCI_SCOPE(resource):
        return True

    def reaches_public_space(cidr, unbounded):
        # The catch-all CIDR is public by definition; anything else is judged
        # by ipaddress's is_private classification.
        return cidr == unbounded or not ip_network(cidr).is_private

    for permission in resource['IpPermissionsEgress'] or []:
        ipv4_cidrs = (ip_range['CidrIp'] for ip_range in permission['IpRanges'] or [])
        if any(reaches_public_space(cidr, '0.0.0.0/0') for cidr in ipv4_cidrs):
            return False
        ipv6_cidrs = (ip_range['CidrIpv6'] for ip_range in permission['Ipv6Ranges'] or [])
        if any(reaches_public_space(cidr, '::/0') for cidr in ipv6_cidrs):
            return False
    return True
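def policy(resource):
    """Pass when the S3 bucket enforces a long enough COMPLIANCE-mode Object Lock.

    Args:
        resource: S3 bucket resource dict whose ``ObjectLockConfiguration``
            key holds the bucket's Object Lock settings (may be empty/None).

    Returns:
        True if the bucket is outside PCI scope, or if Object Lock is enabled
        with a rule whose default retention uses COMPLIANCE mode and spans at
        least ``RETENTION_PERIOD_DAYS``; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    object_lock = resource['ObjectLockConfiguration']
    # Object lock configuration is not enabled, or enabled without a rule
    if (
        not object_lock
        or object_lock['ObjectLockEnabled'] != 'Enabled'
        or not object_lock['Rule']
    ):
        return False
    # A rule without a DefaultRetention block cannot satisfy the checks below
    retention = object_lock['Rule'].get('DefaultRetention') or {}
    # Ensure ObjectLockConfiguration is in COMPLIANCE mode, not GOVERNANCE mode:
    # GOVERNANCE retention can be lifted by sufficiently privileged principals,
    # so it does not guarantee immutability
    if retention.get('Mode') != 'COMPLIANCE':
        return False
    # The default retention is expressed as either Days or Years; normalise to
    # days so a Years-based rule is not wrongly reported as too short
    total_days = (retention.get('Days') or 0) + 365 * (retention.get('Years') or 0)
    return total_days >= RETENTION_PERIOD_DAYS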
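def policy(resource):
    """Pass when the S3 bucket enforces a long enough COMPLIANCE-mode Object Lock.

    Args:
        resource: S3 bucket resource dict whose ``ObjectLockConfiguration``
            key holds the bucket's Object Lock settings (may be empty/None).

    Returns:
        True if the bucket is outside PCI scope, or if Object Lock is enabled
        with a rule whose default retention uses COMPLIANCE mode and spans at
        least ``RETENTION_PERIOD_DAYS``; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    object_lock = resource["ObjectLockConfiguration"]
    # Object lock configuration is not enabled, or enabled without a rule
    if (
        not object_lock
        or object_lock["ObjectLockEnabled"] != "Enabled"
        or not object_lock["Rule"]
    ):
        return False
    # Ensure ObjectLockConfiguration is in COMPLIANCE mode, not GOVERNANCE mode:
    # GOVERNANCE retention can be lifted by sufficiently privileged principals,
    # so it does not guarantee immutability
    if deep_get(object_lock, "Rule", "DefaultRetention", "Mode") != "COMPLIANCE":
        return False
    # The default retention is expressed as either Days or Years; normalise to
    # days so a Years-based rule is not wrongly reported as too short
    days = deep_get(object_lock, "Rule", "DefaultRetention", "Days", default=0) or 0
    years = deep_get(object_lock, "Rule", "DefaultRetention", "Years", default=0) or 0
    return days + 365 * years >= RETENTION_PERIOD_DAYS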
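def policy(resource):
    """Fail when an ingress allow entry on the network ACL opens an insecure port.

    Args:
        resource: network ACL resource dict with an ``Entries`` list; each
            entry carries ``Egress``, ``RuleAction``, ``Protocol`` and
            ``PortRange`` (``From``/``To``) keys.

    Returns:
        True if the ACL is outside PCI scope or no ingress allow entry covers
        a port in ``INSECURE_PORTS``; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    for entry in resource['Entries']:
        # Look for ingress rules from any IP.
        # This could be modified in the future to inspect the size
        # of the source network with the ipaddress.ip_network.num_addresses call.
        if entry['Egress']:
            continue
        # A deny entry (such as the catch-all deny every network ACL carries)
        # does not expose a port, so only allow entries are evaluated
        if entry['RuleAction'] != 'allow':
            continue
        # Protocol -1 means all protocols are allowed and the port range is ignored
        if entry['Protocol'] == '-1' or not entry['PortRange']:
            return False
        low, high = entry['PortRange']['From'], entry['PortRange']['To']
        if any(low <= port <= high for port in INSECURE_PORTS):
            return False
    return True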
def policy(resource):
    """Fail when a security-group-to-security-group ingress permission opens all ports.

    Args:
        resource: security group resource dict with an ``IpPermissions`` list
            (may be None) whose items carry ``UserIdGroupPairs``, ``FromPort``
            and ``ToPort``.

    Returns:
        True if the group is outside PCI scope, has no permissions, or every
        permission that references another security group is bounded to less
        than the full 0-65535 range; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    permissions = resource["IpPermissions"]
    if permissions is None:
        return True
    # Only Security Group -> Security Group permissions are in scope here.
    group_permissions = (perm for perm in permissions if perm["UserIdGroupPairs"])
    for permission in group_permissions:
        from_port, to_port = permission["FromPort"], permission["ToPort"]
        # No bounds at all ("All Ports"), or the full 0-65535 span
        # ("All TCP" / "All UDP").
        if from_port is None or to_port is None or (from_port, to_port) == (0, 65535):
            return False
    return True
def policy(resource):
    """Fail when an ingress permission is unbounded, too wide, or covers a restricted port.

    Args:
        resource: security group resource dict with an ``IpPermissions`` list
            (may be None) whose items carry ``FromPort`` and ``ToPort``.

    Returns:
        True if the group is outside PCI scope, has no permissions, or every
        permission is bounded, spans at most ``MAX_PORTS_PER_PERMISSION`` and
        touches none of ``RESTRICTED_PORTS``; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    permissions = resource["IpPermissions"]
    if permissions is None:
        return True
    for permission in permissions:
        low, high = permission["FromPort"], permission["ToPort"]
        # No bounds means "All Ports".
        if low is None or high is None:
            return False
        # Too many ports in a single permission. Alternatively, this can be
        # modified to sum open ports to have one running total.
        # NOTE(review): high - low is the span, not the count — an inclusive
        # range holds high - low + 1 ports; confirm how MAX_PORTS_PER_PERMISSION
        # is meant before changing this.
        if high - low > MAX_PORTS_PER_PERMISSION:
            return False
        if any(low <= port <= high for port in RESTRICTED_PORTS):
            return False
    return True
def policy(resource):
    """Pass when the EBS volume is encrypted.

    Args:
        resource: EBS volume resource dict with an ``Encrypted`` key.

    Returns:
        True if the volume is outside PCI scope or ``Encrypted`` is truthy;
        False otherwise (a None value counts as not encrypted).
    """
    # Only check the volumes that are in scope for PCI
    if not IN_PCI_SCOPE(resource):
        return True
    return True if resource["Encrypted"] else False
def policy(resource):
    """Pass when the RDS backup retention period falls within the allowed window.

    Args:
        resource: RDS resource dict with a numeric ``BackupRetentionPeriod``.

    Returns:
        True if the resource is outside PCI scope or the period is between
        ``MIN_RETENTION_DAYS`` and ``MAX_RETENTION_DAYS`` inclusive; False
        otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    period = resource["BackupRetentionPeriod"]
    return period >= MIN_RETENTION_DAYS and period <= MAX_RETENTION_DAYS
def policy(resource):
    """Pass when the Redshift automated snapshot retention falls within the allowed window.

    Args:
        resource: Redshift cluster resource dict with a numeric
            ``AutomatedSnapshotRetentionPeriod``.

    Returns:
        True if the cluster is outside PCI scope or the period is between
        ``MIN_RETENTION_DAYS`` and ``MAX_RETENTION_DAYS`` inclusive; False
        otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    period = resource['AutomatedSnapshotRetentionPeriod']
    return period >= MIN_RETENTION_DAYS and period <= MAX_RETENTION_DAYS
def policy(resource):
    """Pass when the load balancer has at least one SSL policy attached.

    Args:
        resource: load balancer resource dict with an ``SSLPolicies`` key
            (may be None or empty).

    Returns:
        True if the resource is outside PCI scope or ``SSLPolicies`` is
        non-empty; False otherwise.
    """
    if not IN_PCI_SCOPE(resource):
        return True
    # Coerce to a real bool: the value may be None and the policy engine
    # cannot accept a NoneType result.
    return True if resource["SSLPolicies"] else False