drudgesentinel/CIS-v1.4.0-sentinel-policies
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

let's not commit providers again pls

Browse source
This commit is contained in:
worm 2023-11-15 16:02:19 -08:00
parent b45c493781
commit d466d45961
7 changed files with 486 additions and 201 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1 +1 @@
terraform_v1.4.0/.terraform*
terraform_v1.4.0/*/.terraform*

1
terraform_v1.4.0/nohup.out
View file

@ -1 +0,0 @@
Opening in existing browser session.

2
v1.4.0/CloudTrail.1.sentinel
View file

@ -6,6 +6,8 @@
# By default, when no event filter is provided, read and write management events are captured:
# # Without an event selector specified, CloudTrail logs all read and write management events by default
# https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_EventSelector.html
#As such, this policy will look for the presence of a single trail without an event selector
import "tfplan/v2" as tfplan
param actions default [

57
v1.4.0/mocks/cloudtrail-multiregion-mock-tfconfig-v2.sentinel
View file

@ -66,11 +66,66 @@ resources = {
"provisioners": [],
"type": "aws_cloudtrail",
},
"aws_cloudtrail.example-with-event-selector": {
"address": "aws_cloudtrail.example-with-event-selector",
"config": {
"event_selector": [
{
"data_resource": [
{
"type": {
"constant_value": "AWS::S3::Object",
},
"values": {
"references": [
"var.s3_bucket_arn",
],
},
},
],
"include_management_events": {
"constant_value": true,
},
"read_write_type": {
"constant_value": "All",
},
},
],
"include_global_service_events": {
"constant_value": true,
},
"is_multi_region_trail": {
"constant_value": true,
},
"name": {
"constant_value": "example-with-event-selector",
},
"s3_bucket_name": {
"constant_value": "stm-cloudtrail-sentinel",
},
},
"count": {},
"depends_on": [],
"for_each": {},
"mode": "managed",
"module_address": "",
"name": "example-with-event-selector",
"provider_config_key": "aws",
"provisioners": [],
"type": "aws_cloudtrail",
},
}
provisioners = {}
variables = {}
variables = {
"s3_bucket_arn": {
"default": null,
"description": "The ARN of the CloudTrail bucket",
"module_address": "",
"name": "s3_bucket_arn",
},
}
outputs = {}

532
v1.4.0/mocks/cloudtrail-multiregion-mock-tfplan-v2.sentinel
View file

@ -15,26 +15,22 @@ planned_values = {
"tainted": false,
"type": "aws_cloudtrail",
"values": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"kms_key_id": null,
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
},
"aws_cloudtrail.example-multi-region": {
@ -67,63 +63,95 @@ planned_values = {
"tags": null,
},
},
"aws_cloudtrail.example-with-event-selector": {
"address": "aws_cloudtrail.example-with-event-selector",
"depends_on": [],
"deposed_key": "",
"index": null,
"mode": "managed",
"module_address": "",
"name": "example-with-event-selector",
"provider_name": "registry.terraform.io/hashicorp/aws",
"tainted": false,
"type": "aws_cloudtrail",
"values": {
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [
{
"data_resource": [
{
"type": "AWS::S3::Object",
"values": [
"arn:aws:s3:::s3-cloudtrail-cis/",
],
},
],
"exclude_management_event_sources": null,
"include_management_events": true,
"read_write_type": "All",
},
],
"include_global_service_events": true,
"insight_selector": [],
"is_multi_region_trail": true,
"is_organization_trail": false,
"kms_key_id": null,
"name": "example-with-event-selector",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
},
},
}
variables = {}
variables = {
"s3_bucket_arn": {
"name": "s3_bucket_arn",
"value": "arn:aws:s3:::s3-cloudtrail-cis",
},
}
resource_changes = {
"aws_cloudtrail.example": {
"address": "aws_cloudtrail.example",
"change": {
"actions": [
"no-op",
"create",
],
"after": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"kms_key_id": null,
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
"after_unknown": {},
"before": {
"after_unknown": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
"arn": true,
"event_selector": [],
"home_region": true,
"id": true,
"insight_selector": [],
"tags_all": true,
},
"before": null,
},
"deposed": "",
"index": null,
@ -176,6 +204,73 @@ resource_changes = {
"provider_name": "registry.terraform.io/hashicorp/aws",
"type": "aws_cloudtrail",
},
"aws_cloudtrail.example-with-event-selector": {
"address": "aws_cloudtrail.example-with-event-selector",
"change": {
"actions": [
"create",
],
"after": {
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [
{
"data_resource": [
{
"type": "AWS::S3::Object",
"values": [
"arn:aws:s3:::s3-cloudtrail-cis/",
],
},
],
"exclude_management_event_sources": null,
"include_management_events": true,
"read_write_type": "All",
},
],
"include_global_service_events": true,
"insight_selector": [],
"is_multi_region_trail": true,
"is_organization_trail": false,
"kms_key_id": null,
"name": "example-with-event-selector",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
"after_unknown": {
"advanced_event_selector": [],
"arn": true,
"event_selector": [
{
"data_resource": [
{
"values": [
false,
],
},
],
},
],
"home_region": true,
"id": true,
"insight_selector": [],
"tags_all": true,
},
"before": null,
},
"deposed": "",
"index": null,
"mode": "managed",
"module_address": "",
"name": "example-with-event-selector",
"provider_name": "registry.terraform.io/hashicorp/aws",
"type": "aws_cloudtrail",
},
}
output_changes = {}
@ -212,7 +307,7 @@ raw = {
"mode": "managed",
"name": "example",
"provider_config_key": "aws",
"schema_version": 0,
"schema_version": 1,
"type": "aws_cloudtrail",
},
{
@ -234,10 +329,59 @@ raw = {
"mode": "managed",
"name": "example-multi-region",
"provider_config_key": "aws",
"schema_version": 0,
"schema_version": 1,
"type": "aws_cloudtrail",
},
{
"address": "aws_cloudtrail.example-with-event-selector",
"expressions": {
"event_selector": [
{
"data_resource": [
{
"type": {
"constant_value": "AWS::S3::Object",
},
"values": {
"references": [
"var.s3_bucket_arn",
],
},
},
],
"include_management_events": {
"constant_value": true,
},
"read_write_type": {
"constant_value": "All",
},
},
],
"include_global_service_events": {
"constant_value": true,
},
"is_multi_region_trail": {
"constant_value": true,
},
"name": {
"constant_value": "example-with-event-selector",
},
"s3_bucket_name": {
"constant_value": "stm-cloudtrail-sentinel",
},
},
"mode": "managed",
"name": "example-with-event-selector",
"provider_config_key": "aws",
"schema_version": 1,
"type": "aws_cloudtrail",
},
],
"variables": {
"s3_bucket_arn": {
"description": "The ARN of the CloudTrail bucket",
},
},
},
},
"format_version": "1.2",
@ -249,36 +393,31 @@ raw = {
"mode": "managed",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"schema_version": 1,
"sensitive_values": {
"advanced_event_selector": [],
"event_selector": [],
"insight_selector": [],
"tags": {},
"tags_all": {},
},
"type": "aws_cloudtrail",
"values": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"kms_key_id": null,
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
},
{
@ -286,7 +425,7 @@ raw = {
"mode": "managed",
"name": "example-multi-region",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"schema_version": 1,
"sensitive_values": {
"advanced_event_selector": [],
"event_selector": [],
@ -313,54 +452,63 @@ raw = {
"tags": null,
},
},
],
},
},
"prior_state": {
"format_version": "1.0",
"terraform_version": "1.6.3",
"values": {
"root_module": {
"resources": [
{
"address": "aws_cloudtrail.example",
"mode": "managed",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"sensitive_values": {
"advanced_event_selector": [],
"event_selector": [],
"insight_selector": [],
"tags": {},
"tags_all": {},
},
"type": "aws_cloudtrail",
"values": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
},
{
"address": "aws_cloudtrail.example-with-event-selector",
"mode": "managed",
"name": "example-with-event-selector",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 1,
"sensitive_values": {
"advanced_event_selector": [],
"event_selector": [
{
"data_resource": [
{
"values": [
false,
],
},
],
},
],
"insight_selector": [],
"tags_all": {},
},
],
},
"type": "aws_cloudtrail",
"values": {
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [
{
"data_resource": [
{
"type": "AWS::S3::Object",
"values": [
"arn:aws:s3:::s3-cloudtrail-cis/",
],
},
],
"exclude_management_event_sources": null,
"include_management_events": true,
"read_write_type": "All",
},
],
"include_global_service_events": true,
"insight_selector": [],
"is_multi_region_trail": true,
"is_organization_trail": false,
"kms_key_id": null,
"name": "example-with-event-selector",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
},
],
},
},
"resource_changes": [
@ -368,67 +516,43 @@ raw = {
"address": "aws_cloudtrail.example",
"change": {
"actions": [
"no-op",
"create",
],
"after": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"kms_key_id": null,
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
"after_sensitive": {
"advanced_event_selector": [],
"event_selector": [],
"insight_selector": [],
"tags": {},
"tags_all": {},
},
"after_unknown": {},
"before": {
"after_unknown": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
},
"before_sensitive": {
"advanced_event_selector": [],
"event_selector": [],
"insight_selector": [],
"tags": {},
"tags_all": {},
"arn": true,
"event_selector": [],
"home_region": true,
"id": true,
"insight_selector": [],
"tags_all": true,
},
"before": null,
"before_sensitive": false,
},
"mode": "managed",
"name": "example",
@ -482,6 +606,92 @@ raw = {
"provider_name": "registry.terraform.io/hashicorp/aws",
"type": "aws_cloudtrail",
},
{
"address": "aws_cloudtrail.example-with-event-selector",
"change": {
"actions": [
"create",
],
"after": {
"advanced_event_selector": [],
"cloud_watch_logs_group_arn": null,
"cloud_watch_logs_role_arn": null,
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [
{
"data_resource": [
{
"type": "AWS::S3::Object",
"values": [
"arn:aws:s3:::s3-cloudtrail-cis/",
],
},
],
"exclude_management_event_sources": null,
"include_management_events": true,
"read_write_type": "All",
},
],
"include_global_service_events": true,
"insight_selector": [],
"is_multi_region_trail": true,
"is_organization_trail": false,
"kms_key_id": null,
"name": "example-with-event-selector",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": null,
"sns_topic_name": null,
"tags": null,
},
"after_sensitive": {
"advanced_event_selector": [],
"event_selector": [
{
"data_resource": [
{
"values": [
false,
],
},
],
},
],
"insight_selector": [],
"tags_all": {},
},
"after_unknown": {
"advanced_event_selector": [],
"arn": true,
"event_selector": [
{
"data_resource": [
{
"values": [
false,
],
},
],
},
],
"home_region": true,
"id": true,
"insight_selector": [],
"tags_all": true,
},
"before": null,
"before_sensitive": false,
},
"mode": "managed",
"name": "example-with-event-selector",
"provider_name": "registry.terraform.io/hashicorp/aws",
"type": "aws_cloudtrail",
},
],
"terraform_version": "1.6.3",
"variables": {
"s3_bucket_arn": {
"value": "arn:aws:s3:::s3-cloudtrail-cis",
},
},
}

39
v1.4.0/mocks/cloudtrail-multiregion-mock-tfstate-v2.sentinel
View file

@ -1,40 +1,5 @@
terraform_version = "1.6.3"
terraform_version = undefined
outputs = {}
resources = {
"aws_cloudtrail.example": {
"address": "aws_cloudtrail.example",
"depends_on": [],
"deposed_key": "",
"index": null,
"mode": "managed",
"module_address": "",
"name": "example",
"provider_name": "registry.terraform.io/hashicorp/aws",
"tainted": false,
"type": "aws_cloudtrail",
"values": {
"advanced_event_selector": [],
"arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example",
"cloud_watch_logs_group_arn": "",
"cloud_watch_logs_role_arn": "",
"enable_log_file_validation": false,
"enable_logging": true,
"event_selector": [],
"home_region": "us-west-2",
"id": "example",
"include_global_service_events": false,
"insight_selector": [],
"is_multi_region_trail": false,
"is_organization_trail": false,
"kms_key_id": "",
"name": "example",
"s3_bucket_name": "stm-cloudtrail-sentinel",
"s3_key_prefix": "",
"sns_topic_name": "",
"tags": {},
"tags_all": {},
},
},
}
resources = {}

54
v1.4.0/mocks/mock-tfrun.sentinel Normal file
View file

@ -0,0 +1,54 @@
id = "run-yQNb2wTQM8wgMZog"
created_at = "2023-11-15T23:32:29.814Z"
created_by = "seanmeininger"
message = "Triggered via CLI"
commit_sha = undefined
speculative = false
is_destroy = false
refresh = true
refresh_only = false
replace_addrs = null
target_addrs = null
project = {
"id": "prj-reb8RoikfSwzy97u",
"name": "Default Project",
}
variables = {
"AWS_ACCESS_KEY_ID": {
"category": "env",
"sensitive": false,
},
"AWS_SECRET_ACCESS_KEY": {
"category": "env",
"sensitive": true,
},
"AWS_SESSION_EXPIRATION": {
"category": "env",
"sensitive": false,
},
"AWS_SESSION_TOKEN": {
"category": "env",
"sensitive": true,
},
"s3_bucket_arn": {
"category": "terraform",
"sensitive": false,
},
}
organization = {
"name": "sean-env",
}
workspace = {
"auto_apply": false,
"created_at": "2023-11-06T23:57:08.689Z",
"description": "Work description:\nhttps://docs.google.com/document/d/1FSVcz_-AV2KnP6VOwmZleJsTH5ZbYudo8iO6s0qHkAw/edit",
"execution_mode": "default",
"id": "ws-SiAU345Ch3vMXGXA",
"name": "cis-sentinel-resources",
"tags": [],
"vcs_repo": null,
"working_directory": "",
}