def policy(resource):
    """Pass when the VPC's default network ACL carries no entries.

    Resources outside PCI scope pass unconditionally. The default ACL is
    resolved by ARN through resource_lookup(); an empty 'Entries' value
    means the default ACL has no explicit allow/deny rules of its own.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    # pylint: disable=line-too-long
    default_id = f"arn:aws:ec2:{resource['Region']}:{resource['AccountId']}:network-acl/{resource['DefaultNetworkAclId']}"
    # NOTE(review): assumes resource_lookup() returns a dict carrying an 'Entries' key — confirm
    default_acl = resource_lookup(default_id)
    entries = default_acl['Entries']
    return not entries
def policy(resource):
    """Pass only when the resource's TTL status is "ENABLED".

    Out-of-scope resources pass. A missing or empty TimeToLiveDescription
    fails; otherwise the nested TimeToLiveStatus must equal "ENABLED".
    """
    if not IN_PCI_SCOPE(resource):
        return True

    ttl_description = resource["TimeToLiveDescription"]
    if not ttl_description:
        return False

    status = deep_get(resource, "TimeToLiveDescription", "TimeToLiveStatus")
    return status == "ENABLED"
def policy(resource):
    """Pass when the default ACL listed in 'NetworkAcls' has no entries.

    Out-of-scope resources pass. The first ACL flagged IsDefault decides the
    result; when no default ACL is present in the list the policy fails.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    default_acl = next(
        (acl for acl in resource['NetworkAcls'] if acl['IsDefault']), None)
    if default_acl is None:
        return False
    return not default_acl['Entries']
def policy(resource):
    """Pass only when the resource's TTL status is 'ENABLED'.

    Out-of-scope resources pass. A missing or empty TimeToLiveDescription
    fails outright; otherwise its TimeToLiveStatus must equal 'ENABLED'.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    ttl_description = resource['TimeToLiveDescription']
    # A falsy description short-circuits to False before the key lookup
    return bool(ttl_description) and ttl_description['TimeToLiveStatus'] == 'ENABLED'
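def policy(resource):
    """Fail when an ingress "allow" entry on the network ACL opens every port.

    Out-of-scope resources pass. An allow/ingress entry opens every port
    when it carries no PortRange at all, or when its range spans 0-65535;
    the explicit 0-65535 form was previously accepted even though it is
    "All Ports" spelled out (the security-group policies in this file already
    treat 0-65535 that way). Egress and deny entries are ignored.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    for entry in resource["Entries"]:
        # Only ingress rules that allow traffic can expose ports
        if entry["RuleAction"] != "allow" or entry["Egress"]:
            continue
        port_range = entry["PortRange"]
        # No PortRange means the entry is not scoped to any port
        if port_range is None:
            return False
        # An explicit 0-65535 range is "All Ports" spelled out
        if port_range.get("From") == 0 and port_range.get("To") == 65535:
            return False
    return True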
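def policy(resource):
    """Fail when an egress 'allow' entry on the network ACL opens every port.

    Out-of-scope resources pass. An allow/egress entry opens every port
    when it carries no PortRange at all, or when its range spans 0-65535;
    the explicit 0-65535 form was previously accepted even though it is
    "All Ports" spelled out (the security-group policies in this file already
    treat 0-65535 that way). Ingress and deny entries are ignored.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    for entry in resource['Entries']:
        # Only egress rules that allow traffic can expose ports
        if entry['RuleAction'] != 'allow' or not entry['Egress']:
            continue
        port_range = entry['PortRange']
        # No PortRange means the entry is not scoped to any port
        if port_range is None:
            return False
        # An explicit 0-65535 range is "All Ports" spelled out
        if port_range.get('From') == 0 and port_range.get('To') == 65535:
            return False
    return True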
def policy(resource):
    """Pass when at least one BLOCK rule carries an XssMatch predicate.

    Out-of-scope resources pass. Rules whose action type is anything other
    than BLOCK are skipped, so an XSS rule in another action mode does not
    satisfy the check. A missing 'Rules' value counts as no rules and fails.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    rules = resource['Rules'] or []
    for rule in rules:
        if rule['Action']['Type'] != 'BLOCK':
            continue
        # A blocking rule counts only if one of its predicates matches XSS
        if any(pred['Type'] == 'XssMatch' for pred in rule['Predicates']):
            return True

    return False
def policy(resource):
    """Pass when at least one BLOCK rule carries an XssMatch predicate.

    Out-of-scope resources pass. Rules whose action type is anything other
    than BLOCK are skipped, so an XSS rule in another action mode does not
    satisfy the check. A missing "Rules" value counts as no rules and fails.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    rules = resource["Rules"] or []
    for rule in rules:
        if deep_get(rule, "Action", "Type") != "BLOCK":
            continue
        # A blocking rule counts only if one of its predicates matches XSS
        if any(pred["Type"] == "XssMatch" for pred in rule["Predicates"]):
            return True

    return False
def policy(resource):
    """Fail when any IpPermissions entry opens every port.

    Out-of-scope resources pass, as does a resource with no IpPermissions
    (None). A permission opens every port when either bound is missing
    (None) or when it spans 0-65535.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    permissions = resource['IpPermissions']
    if permissions is None:
        return True

    for permission in permissions:
        low = permission['FromPort']
        # A missing bound means the rule is not port-scoped ("All Ports")
        if low is None:
            return False
        high = permission['ToPort']
        if high is None:
            return False
        # 0-65535 is "All TCP" / "All UDP": every port of that protocol
        if low == 0 and high == 65535:
            return False

    return True
def policy(resource):
    """Fail when any ingress permission admits traffic from public IP space.

    Out-of-scope resources pass. Every IPv4 and IPv6 CIDR on each
    permission is rejected if it is the wildcard ("0.0.0.0/0" / "::/0") or
    is not private according to ipaddress.ip_network(). The wildcard is
    tested explicitly because is_private alone does not necessarily reject
    it. NOTE(review): is_private accepts every range in ipaddress's private
    list (e.g. link-local), not only RFC 1918 space — confirm that is the
    intended bar.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    for permission in resource["IpPermissions"] or []:
        v4_ranges = permission["IpRanges"] or []
        for ip_range in v4_ranges:
            cidr = ip_range["CidrIp"]
            if cidr == "0.0.0.0/0":
                return False
            if not ip_network(cidr).is_private:
                return False
        v6_ranges = permission["Ipv6Ranges"] or []
        for ip_range in v6_ranges:
            cidr = ip_range["CidrIpv6"]
            if cidr == "::/0":
                return False
            if not ip_network(cidr).is_private:
                return False

    return True
def policy(resource):
    """Fail when any egress permission lets traffic reach public IP space.

    Out-of-scope resources pass. Every IPv4 and IPv6 CIDR on each
    egress permission is rejected if it is the wildcard ('0.0.0.0/0' /
    '::/0') or is not private according to ipaddress.ip_network(). The
    wildcard is tested explicitly because is_private alone does not
    necessarily reject it. NOTE(review): is_private accepts every range in
    ipaddress's private list (e.g. link-local), not only RFC 1918 space —
    confirm that is the intended bar.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    for permission in resource['IpPermissionsEgress'] or []:
        v4_ranges = permission['IpRanges'] or []
        for ip_range in v4_ranges:
            cidr = ip_range['CidrIp']
            if cidr == '0.0.0.0/0':
                return False
            if not ip_network(cidr).is_private:
                return False
        v6_ranges = permission['Ipv6Ranges'] or []
        for ip_range in v6_ranges:
            cidr = ip_range['CidrIpv6']
            if cidr == '::/0':
                return False
            if not ip_network(cidr).is_private:
                return False

    return True
def policy(resource):
    """Pass when Object Lock is enabled in COMPLIANCE mode for long enough.

    Out-of-scope resources pass. The policy fails when the configuration is
    missing, not 'Enabled', or has no Rule; when the default retention mode
    is anything but 'COMPLIANCE' (GOVERNANCE fails); and when the retention
    in days is below RETENTION_PERIOD_DAYS.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    object_lock = resource['ObjectLockConfiguration']

    # Not enabled at all, or enabled without a rule
    if not object_lock:
        return False
    if object_lock['ObjectLockEnabled'] != 'Enabled':
        return False
    if not object_lock['Rule']:
        return False

    retention = object_lock['Rule']['DefaultRetention']
    # Only COMPLIANCE mode satisfies the policy; GOVERNANCE mode is rejected
    if retention['Mode'] != 'COMPLIANCE':
        return False

    return retention['Days'] >= RETENTION_PERIOD_DAYS
def policy(resource):
    """Pass when Object Lock is enabled in COMPLIANCE mode for long enough.

    Out-of-scope resources pass. The policy fails when the configuration is
    missing, not "Enabled", or has no Rule; when the default retention mode
    is anything but "COMPLIANCE" (GOVERNANCE fails); and when the retention
    in days (0 if absent) is below RETENTION_PERIOD_DAYS.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    object_lock = resource["ObjectLockConfiguration"]

    # Not enabled at all, or enabled without a rule
    enabled = bool(object_lock) and object_lock["ObjectLockEnabled"] == "Enabled"
    if not enabled or not object_lock["Rule"]:
        return False

    # Only COMPLIANCE mode satisfies the policy; GOVERNANCE mode is rejected
    mode = deep_get(object_lock, "Rule", "DefaultRetention", "Mode")
    if mode != "COMPLIANCE":
        return False

    # A missing Days value is treated as zero days of retention
    days = deep_get(object_lock, "Rule", "DefaultRetention", "Days", default=0)
    return days >= RETENTION_PERIOD_DAYS
def policy(resource):
    """Fail when any ingress ACL entry covers a port in INSECURE_PORTS.

    Out-of-scope resources pass. Egress entries are skipped. An ingress
    entry fails outright when its Protocol is '-1' (all protocols, port
    range ignored) or it has no PortRange; otherwise it fails if any
    insecure port lies within From..To inclusive.
    NOTE(review): RuleAction is not consulted, so a 'deny' entry covering an
    insecure port also fails the policy — confirm that is intended.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    ingress_entries = (entry for entry in resource['Entries'] if not entry['Egress'])
    for entry in ingress_entries:
        # Protocol '-1' means all protocols; the port range is ignored in that case
        if entry['Protocol'] == '-1' or not entry['PortRange']:
            return False

        port_range = entry['PortRange']
        covered = any(port_range['From'] <= port <= port_range['To']
                      for port in INSECURE_PORTS)
        if covered:
            return False
    return True
def policy(resource):
    """Fail when a security-group-to-security-group permission opens every port.

    Out-of-scope resources pass, as does a resource with no IpPermissions
    (None). Only permissions with UserIdGroupPairs are examined; one fails
    when either port bound is missing (None) or the range spans 0-65535.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    permissions = resource["IpPermissions"]
    if permissions is None:
        return True

    # Only Security Group -> Security Group permissions are in scope here
    sg_permissions = (p for p in permissions if p["UserIdGroupPairs"])
    for permission in sg_permissions:
        low = permission["FromPort"]
        # A missing bound means the rule is not port-scoped ("All Ports")
        if low is None:
            return False
        high = permission["ToPort"]
        if high is None:
            return False
        # 0-65535 is "All TCP" / "All UDP": every port of that protocol
        if low == 0 and high == 65535:
            return False

    return True
def policy(resource):
    """Fail when any permission spans too many ports or a restricted port.

    Out-of-scope resources pass, as does a resource with no IpPermissions
    (None). A permission fails when either port bound is missing (None),
    when ToPort - FromPort exceeds MAX_PORTS_PER_PERMISSION, or when any
    port in RESTRICTED_PORTS lies within FromPort..ToPort inclusive.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    permissions = resource["IpPermissions"]
    if permissions is None:
        return True

    for permission in permissions:
        low = permission["FromPort"]
        # A missing bound means the rule is not port-scoped ("All Ports")
        if low is None:
            return False
        high = permission["ToPort"]
        if high is None:
            return False
        # Span is measured as To - From (a single-port rule scores 0); an
        # alternative would be to keep a running total across permissions
        if high - low > MAX_PORTS_PER_PERMISSION:
            return False
        if any(low <= port <= high for port in RESTRICTED_PORTS):
            return False

    return True
def policy(resource):
    """Pass when the volume's "Encrypted" flag is truthy.

    Volumes outside PCI scope pass unconditionally.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    encrypted = resource["Encrypted"]
    # bool() normalises a None flag to False so the policy never returns NoneType
    return bool(encrypted)
def policy(resource):
    """Pass when BackupRetentionPeriod lies within the configured bounds.

    Out-of-scope resources pass. The bounds MIN_RETENTION_DAYS and
    MAX_RETENTION_DAYS are inclusive.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    retention_days = resource["BackupRetentionPeriod"]
    return MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS
def policy(resource):
    """Pass when AutomatedSnapshotRetentionPeriod lies within the bounds.

    Out-of-scope resources pass. The bounds MIN_RETENTION_DAYS and
    MAX_RETENTION_DAYS are inclusive.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    retention_days = resource['AutomatedSnapshotRetentionPeriod']
    return MIN_RETENTION_DAYS <= retention_days <= MAX_RETENTION_DAYS
def policy(resource):
    """Pass when the resource has a truthy "SSLPolicies" value.

    Out-of-scope resources pass unconditionally.
    """
    if not IN_PCI_SCOPE(resource):
        return True

    ssl_policies = resource["SSLPolicies"]
    # The value may be None; bool() keeps the return type strictly boolean
    return bool(ssl_policies)