
adding rule to check if waf is enabled at cloud front distribution
harkirat22 committed Jan 9, 2021
1 parent 5a19951 commit ab0ebc6
Showing 2 changed files with 27 additions and 0 deletions.
@@ -0,0 +1,10 @@
{
"name": "noWafEnabled",
"file": "noWafEnabled.rego",
"template_args": null,
"severity": "Medium",
"description": "Ensure that cloud-front has web application firewall enabled",
"reference_id": "AC-AW-IS-CD-M-1186",
"category": "Encryption and Key Management",
"version": 2
}
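Review bot: The `"category": "Encryption and Key Management"` value does not describe this control, which checks for a WAF web ACL association and touches nothing cryptographic; the `IS` segment of the reference id `AC-AW-IS-CD-M-1186` suggests an infrastructure-security category was intended, so it should be aligned with whatever category the sibling CloudFront rules in this repository use (those files are not visible on this page). The description would also read more precisely as `"Ensure that the CloudFront distribution has a WAF web ACL associated"`, since what the rule inspects is the `web_acl_id` attribute rather than a generic firewall toggle. The path of this metadata file is not shown here, so I cannot tell whether its name follows the reference id or the rule name.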
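--- /dev/null
+++ b/noWafEnabled.rego
@@ -0,0 +1,17 @@
+package accurics
+
+noWafEnabled[retVal] {
+cloudfront := input.aws_cloudfront_distribution[_]
+not cloudfront.config.web_acl_id
+
+traverse = "web_acl_id"
+retVal := { "Id": cloudfront.id, "ReplaceType": "add", "CodeType": "attribute", "Traverse": traverse, "Attribute": traverse, "AttributeDataType": "string", "Expected": "<arn-of-waf-acl>", "Actual": null }
+}
+
+noWafEnabled[retVal] {
+cloudfront := input.aws_cloudfront_distribution[_]
+cloudfront.config.web_acl_id == null
+
+traverse = "web_acl_id"
+retVal := { "Id": cloudfront.id, "ReplaceType": "add", "CodeType": "attribute", "Traverse": traverse, "Attribute": traverse, "AttributeDataType": "string", "Expected": "<arn-of-waf-acl>", "Actual": null }
+}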
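Review bot: A distribution declared with `web_acl_id = ""` is not reported, because the two bodies only match an absent key (`not cloudfront.config.web_acl_id`) and an explicit `null`; as far as I know an empty string is a common way to leave a CloudFront distribution with no WAF association in Terraform, so it leaves the same exposure this rule exists to catch. Folding the three conditions into a small helper that the main rule calls closes that gap and removes the duplicated `retVal` literal, which otherwise has to be kept in sync across bodies. The `traverse = "web_acl_id"` unification could use `:=` like the other assignments in the body, though that is stylistic. Whether empty-string values actually reach this policy depends on how the scanner normalises the config, which I cannot see here.
```rego
# Absent, null or empty web_acl_id all leave the distribution without a WAF.
noWaf(dist) { not dist.config.web_acl_id }
noWaf(dist) { dist.config.web_acl_id == null }
noWaf(dist) { dist.config.web_acl_id == "" }

noWafEnabled[retVal] {
	cloudfront := input.aws_cloudfront_distribution[_]
	noWaf(cloudfront)

	traverse := "web_acl_id"
	# … unchanged: retVal literal …
}
```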
