From a8a1a006c4d06a5c3967635e7f32beb928420878 Mon Sep 17 00:00:00 2001
From: mat-williams-sysmech <61142642+mat-williams-sysmech@users.noreply.github.com>
Date: Wed, 28 Jun 2023 12:20:17 +0100
Subject: [PATCH 1/2] Update Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
Add Parameters for InternetGatewayAuthorizedVpcOnly and NoUnrestrictedRouteToIgw
---
...al-Best-Practices-for-NCSC-CloudSec-Principles.yaml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
index f4f6b58f..17f1f572 100644
--- a/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
+++ b/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
@@ -10,6 +10,12 @@
 ##################################################################################
 Parameters:
+ InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds:
+ Default: ''
+ Type: String
+ NoUnrestrictedRouteToIgwParamRouteTableIds:
+ Default: ''
+ Type: String
 AccessKeysRotatedParamMaxAccessKeyAge:
 Default: '90'
 Type: String
@@ -871,6 +877,8 @@ Resources:
 Source:
 Owner: AWS
 SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
+ InputParameters:
+ AuthorizedVpcIds: !Ref InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
 Type: AWS::Config::ConfigRule
 KinesisStreamEncrypted:
 Properties:
@@ -945,6 +953,8 @@ Resources:
 Source:
 Owner: AWS
 SourceIdentifier: NO_UNRESTRICTED_ROUTE_TO_IGW
+ InputParameters:
+ routeTableIds: !Ref NoUnrestrictedRouteToIgwParamRouteTableIds
 Type: AWS::Config::ConfigRule
 OpensearchEncryptedAtRest:
 Properties:
From a3d17156d61d0053b40d851054f389146a60d00c Mon Sep 17 00:00:00 2001
From: Mat Williams
Date: Fri, 3 Nov 2023 10:57:37 +0000
Subject: [PATCH 2/2] merge fixes
---
...ractices-for-NCSC-CloudSec-Principles.yaml | 42 +++++++++++++------
1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml b/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
index 17f1f572..d8873caf 100644
--- a/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
+++ b/aws-config-conformance-packs/Operational-Best-Practices-for-NCSC-CloudSec-Principles.yaml
@@ -23,13 +23,13 @@ Parameters:
 Default: '90'
 Type: String
 CloudwatchAlarmActionCheckParamAlarmActionRequired:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 CloudwatchAlarmActionCheckParamInsufficientDataActionRequired:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 CloudwatchAlarmActionCheckParamOkActionRequired:
- Default: 'FALSE'
+ Default: 'false'
 Type: String
 CwLoggroupRetentionPeriodCheckParamMinRetentionTime:
 Default: '365'
@@ -74,13 +74,13 @@ Parameters:
 Default: '90'
 Type: String
 RedshiftClusterConfigurationCheckParamClusterDbEncrypted:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 RedshiftClusterConfigurationCheckParamLoggingEnabled:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 RedshiftClusterMaintenancesettingsCheckParamAllowVersionUpgrade:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 RestrictedIncomingTrafficParamBlockedPort1:
 Default: '20'
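Review bot: The change of the boolean rule-parameter defaults from 'TRUE'/'FALSE' to 'true'/'false' in both Parameters hunks here (and in the S3AccountLevelPublicAccessBlocksPeriodic hunk of the next patch line) is not explained anywhere; the commit message "merge fixes" does not say whether the managed rules were rejecting or mis-evaluating the uppercase values or whether this only aligns the pack with another copy of the file. If the rules compare these string booleans case-sensitively, the previous defaults would have changed what the alarm-action, Redshift and S3 public-access checks actually enforced, so the reason deserves to be recorded and the rule evaluation results re-checked after deployment. A short comment above the first affected parameter, `# boolean rule parameters are passed as lowercase strings; see the managed-rule parameter documentation`, would stop a future edit from reintroducing the uppercase form.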
@@ -98,16 +98,16 @@ Parameters:
 Default: '4333'
 Type: String
 S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicAcls:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 S3AccountLevelPublicAccessBlocksPeriodicParamBlockPublicPolicy:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 S3AccountLevelPublicAccessBlocksPeriodicParamIgnorePublicAcls:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 S3AccountLevelPublicAccessBlocksPeriodicParamRestrictPublicBuckets:
- Default: 'TRUE'
+ Default: 'true'
 Type: String
 VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts:
 Default: '443'
@@ -878,7 +878,11 @@ Resources:
 Owner: AWS
 SourceIdentifier: INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY
 InputParameters:
- AuthorizedVpcIds: !Ref InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
+ AuthorizedVpcIds:
+ Fn::If:
+ - internetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
+ - Ref: InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
+ - Ref: AWS::NoValue
 Type: AWS::Config::ConfigRule
 KinesisStreamEncrypted:
 Properties:
@@ -954,7 +958,11 @@ Resources:
 Owner: AWS
 SourceIdentifier: NO_UNRESTRICTED_ROUTE_TO_IGW
 InputParameters:
- routeTableIds: !Ref NoUnrestrictedRouteToIgwParamRouteTableIds
+ routeTableIds:
+ Fn::If:
+ - noUnrestrictedRouteToIgwParamRouteTableIds
+ - Ref: NoUnrestrictedRouteToIgwParamRouteTableIds
+ - Ref: AWS::NoValue
 Type: AWS::Config::ConfigRule
 OpensearchEncryptedAtRest:
 Properties:
@@ -1596,3 +1604,13 @@ Conditions:
 - Fn::Equals:
 - ''
 - Ref: VpcSgOpenOnlyToAuthorizedPortsParamAuthorizedTcpPorts
+ internetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds:
+ Fn::Not:
+ - Fn::Equals:
+ - '' 
+ - Ref: InternetGatewayAuthorizedVpcOnlyParamAuthorizedVpcIds
+ noUnrestrictedRouteToIgwParamRouteTableIds:
+ Fn::Not:
+ - Fn::Equals:
+ - ''
+ - Ref: NoUnrestrictedRouteToIgwParamRouteTableIds
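Review bot: The two new Fn::If blocks (INTERNET_GATEWAY_AUTHORIZED_VPC_ONLY and NO_UNRESTRICTED_ROUTE_TO_IGW) and their Conditions leave the meaning of the empty-string default undocumented, and the two parameters do not behave the same way when populated. As far as the AWS Config documentation for these managed rules goes (confirm against the current docs): AuthorizedVpcIds is a comma-separated allow-list and omitting it makes every VPC with an attached internet gateway NON_COMPLIANT, whereas routeTableIds is a comma-separated list of route tables that are permitted to carry a 0.0.0.0/0 or ::/0 route to an IGW, so populating it exempts those tables and relaxes the check rather than scoping it. Both of these are worth stating next to the rule so an operator filling in the parameters understands the effect, for example `# comma-separated VPC IDs; empty = parameter omitted, every IGW-attached VPC is reported NON_COMPLIANT` above the first Fn::If and `# comma-separated route table IDs exempted from the unrestricted-IGW-route check; empty = no exemptions` above the second. The Fn::If / AWS::NoValue / Fn::Not-Fn::Equals-'' pattern itself matches the existing VpcSgOpenOnlyToAuthorizedPorts condition visible in the last hunk, so no structural change is needed.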