
This workflow helps you explore more scenarios that use advanced custom rule logic involving multiple conditions.

Multiple and/or nested conditions

The examples provided so far use very simple logic with only a single condition. You can combine several conditions to build more expressive custom rules.

AWS

S3 bucket has any encryption (single attribute)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 bucket has any Encryption",
		"description": "We want to make sure there is any encryption",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["security"],
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"attributes": [
			{
				"name": "bucketEncryption",
				"path": "data.Encryption",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketEncryption",
							"operator": "notEqual",
							"value": null
						}
					]
				},
				"description": "Bucket has encryption enabled"
			}
		]
	}
}
S3 bucket has server-side encryption with AES256 (single attribute, nested array)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 bucket has Server Side Encryption",
		"description": "We want to make sure there is correct encryption",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["security"],
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"attributes": [
			{
				"name": "encryptionAlgorithm",
				"path": "data.Encryption.Rules[*].ApplyServerSideEncryptionByDefault.SSEAlgorithm",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"fact": "encryptionAlgorithm",
							"operator": "contains",
							"value": "AES256"
						}
					]
				},
				"description": "has AES256 encryption"
			}
		]
	}
}
S3 bucket encryption enabled, bucket versioning enabled, and bucket lifecycle policy enabled (multiple attributes, multiple rules)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "S3 bucket has Encryption Enabled, Versioning Enabled, and Lifecycle Enabled",
		"description": "We want to make sure there is any encryption and versioning enabled",
		"resourceId": "conformity-audit-manager",
		"service": "S3",
		"resourceType": "s3-bucket",
		"riskLevel": "HIGH",
		"enabled": true,
		"provider": "aws",
		"categories": ["operational-excellence"],
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"attributes": [
			{
				"name": "bucketEncryption",
				"path": "data.Encryption",
				"required": true
			},
			{
				"name": "bucketVersioning",
				"path": "data.BucketVersioning",
				"required": true
			},
			{
				"name": "bucketLifecycle",
				"path": "data.Lifecycle",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketEncryption",
							"operator": "notEqual",
							"value": null
						}
					]
				},
				"description": "Bucket has encryption enabled"
			},
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketVersioning",
							"operator": "equal",
							"value": "Enabled",
							"path": "$.Status"
						}
					]
				},
				"description": "Bucket has versioning enabled"
			},
			{
				"conditions": {
					"all": [
						{
							"fact": "bucketLifecycle",
							"operator": "notEqual",
							"value": null
						},
						{
							"fact": "bucketLifecycle",
							"operator": "contains",
							"value": "Enabled",
							"path": "$.[*].Status"
						}
					]
				},
				"description": "Bucket has lifecycle enabled"
			}
		]
	}
}
EC2 security group uses port 22 (single attribute, not required, so a missing attribute is allowed)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "EC2 Security Group with Port 22",
		"description": "Check the IpPermissions From Port",
		"service": "EC2",
		"resourceType": "ec2-securitygroup",
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"riskLevel": "MEDIUM",
		"provider": "aws",
		"categories": ["performance-efficiency", "security"],
		"enabled": true,
		"attributes": [
			{
				"name": "securityGroupIpPermissionsFromPort",
				"path": "data.IpPermissions[*].FromPort",
				"required": false
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"value": 22,
							"operator": "contains",
							"fact": "securityGroupIpPermissionsFromPort"
						}
					]
				},
				"description": "securityGroupIpPermissionsFromPort"
			}
		]
	}
}
IAM role has the correct tag key, contains the deployment region in its name, and has a name shorter than 64 characters (multiple attributes and multiple conditions in a single rule)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "IAM Role with right tag key, region and name length",
		"description": "We want to make sure that IAM roles adhere to serverless format for multi-region deployment. Role should be tagged with Key 'Service' or 'service', role name should be less than 64, and contain the region in the name",
		"remediationNote": "If this is a failure, please contact the service owner and follow these steps:\n1. Step one \n2. Step two\n",
		"service": "IAM",
		"resourceType": "iam-role",
		"attributes": [
			{
				"name": "roleName",
				"path": "data.RoleName",
				"required": true
			},
			{
				"name": "serviceTag",
				"path": "data.Tags",
				"required": true
			}
		],
		"riskLevel": "HIGH",
		"provider": "aws",
		"categories": ["security"],
		"enabled": true,
		"eventRules": [
			{
				"conditions": {
					"any": [
						{
							"path": "$.length",
							"fact": "serviceTag",
							"value": 0,
							"operator": "equal"
						},
						{
							"all": [
								{
									"path": "$.[*].Key",
									"fact": "serviceTag",
									"value": "Service",
									"operator": "doesNotContain"
								},
								{
									"path": "$.[*].Key",
									"fact": "serviceTag",
									"value": "service",
									"operator": "doesNotContain"
								}
							]
						},
						{
							"all": [
								{
									"fact": "roleName",
									"operator": "pattern",
									"value": "^([a-zA-Z0-9_-]){1,64}$"
								},
								{
									"fact": "roleName",
									"operator": "pattern",
									"value": "(us-west-2|us-east-1|ap-southeast-2|eu-west-1)"
								}
							]
						}
					]
				},
				"description": "Is tagged service, name not longer than 64 chars and has region in name"
			}
		]
	}
}

Azure

Storage blob with public access (single attribute, single rule)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "Storage Blob with Public Access",
		"description": "Checking public access for storage account blob container",
		"service": "StorageAccounts",
		"resourceType": "storage-accounts-blob-containers",
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"riskLevel": "HIGH",
		"provider": "azure",
		"categories": ["security"],
		"enabled": true,
		"attributes": [
			{
				"name": "blobPublicAccess",
				"path": "data.publicAccess",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"value": "None",
							"operator": "notEqual",
							"fact": "blobPublicAccess"
						}
					]
				},
				"description": "Storage blob has public access."
			}
		]
	}
}
StorageAccounts environment tags (single attribute, single rule with a nested attribute)
{
	"accountId": "a0b1c2d3-e4f5-a6b7-c8d9-e0f1a2b3c4d5",
	"configuration": {
		"name": "StorageAccounts Environment Tags",
		"description": "Check for correct tag key and value for storage accounts",
		"service": "StorageAccounts",
		"resourceType": "storage-accounts",
		"remediationNote": "If this is broken, please follow these steps:\n1. Step one \n2. Step two\n",
		"riskLevel": "MEDIUM",
		"provider": "azure",
		"categories": ["security"],
		"enabled": true,
		"attributes": [
			{
				"name": "serviceTag",
				"path": "data.Tags",
				"required": true
			}
		],
		"eventRules": [
			{
				"conditions": {
					"all": [
						{
							"path": "$.[?(@.Key=='Environment'&& @.Value=='Sandbox')].Value",
							"fact": "serviceTag",
							"value": "Sandbox",
							"operator": "contains"
						}
					]
				},
				"description": "has tags Key: Environment and Value: Sandbox"
			}
		]
	}
}
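To see how nested `all`/`any` groups, a condition's optional `path`, and the operators used in the AWS examples above combine, here is a small evaluator added as an illustration (it is not the rule engine that evaluates these rules in production, and the pass/fail meaning of a matched eventRule is not modelled). SAMPLE_BUCKET and SAMPLE_RULE are constructed, condensed from the third AWS example; the JSONPath filter used in the Azure tag example is out of scope.

```python
import re
# Constructed sample "data" for an s3-bucket (not from the page), plus attributes and
# eventRules in the page's shape, condensed from the third AWS example above.
SAMPLE_BUCKET = {
    "BucketVersioning": {"Status": "Suspended"},
    "Lifecycle": [{"ID": "expire-logs", "Status": "Disabled"}, {"ID": "tier", "Status": "Enabled"}],
}
SAMPLE_RULE = {
    "attributes": [{"name": "bucketVersioning", "path": "data.BucketVersioning"},
                   {"name": "bucketLifecycle", "path": "data.Lifecycle"}],
    "eventRules": [
        {"description": "Bucket has versioning enabled", "conditions": {"all": [
            {"fact": "bucketVersioning", "operator": "equal", "value": "Enabled", "path": "$.Status"}]}},
        {"description": "Bucket has lifecycle enabled", "conditions": {"all": [
            {"fact": "bucketLifecycle", "operator": "notEqual", "value": None},
            {"fact": "bucketLifecycle", "operator": "contains", "value": "Enabled", "path": "$.[*].Status"}]}},
    ],
}

def get_path(obj, path):
    """Resolve 'data.X', '$.X', '[*]' wildcards (flattened to a list) and '$.length'; no filters."""
    nodes, many = [obj], False
    for tok in (t for t in path.split(".") if t not in ("", "$", "data")):
        if tok == "length":  # pseudo-field: size of each current node
            nodes = [len(n) if isinstance(n, (list, dict, str)) else 0 for n in nodes]
            continue
        key = tok[:-3] if tok.endswith("[*]") else tok
        nodes = [n.get(key) if isinstance(n, dict) else None for n in nodes] if key else nodes
        if tok.endswith("[*]"):  # wildcard: flatten every list node into its elements
            many, nodes = True, [e for n in nodes if isinstance(n, list) for e in n]
    return nodes if many else (nodes[0] if nodes else None)
OPERATORS = {  # the operators this page uses; 'pattern' is an unanchored regex search
    "equal": lambda a, v: a == v,
    "notEqual": lambda a, v: a != v,
    "contains": lambda a, v: isinstance(a, (list, str)) and v in a,
    "doesNotContain": lambda a, v: not (isinstance(a, (list, str)) and v in a),
    "pattern": lambda a, v: isinstance(a, str) and re.search(v, a) is not None,
}
def evaluate(cond, facts):
    """Recursively evaluate an all/any tree; a leaf may narrow its fact with a 'path'."""
    for key, combine in (("all", all), ("any", any)):
        if key in cond:
            return combine(evaluate(c, facts) for c in cond[key])
    value = facts.get(cond["fact"])
    value = get_path(value, cond["path"]) if cond.get("path") else value
    return OPERATORS[cond["operator"]](value, cond["value"])
def run_rule(rule, data):  # resolve attributes into facts, then test each eventRule's conditions
    facts = {a["name"]: get_path(data, a["path"]) for a in rule["attributes"]}
    return {r["description"]: evaluate(r["conditions"], facts) for r in rule["eventRules"]}
```

Running `run_rule(SAMPLE_RULE, SAMPLE_BUCKET)` reports versioning as False (the Status is Suspended) and lifecycle as True, because the wildcard path collects the Status of every lifecycle rule and `contains` then checks that list.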