CIS AWS rule 2.1.5 can now handle missing public block config (#234)

elastic · May 15, 2023 · caa0435 · caa0435
1 parent 3a998e9
commit caa0435
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 11 deletions.
diff --git a/bundle/compliance/cis_aws/rules/cis_2_1_5/test.rego b/bundle/compliance/cis_aws/rules/cis_2_1_5/test.rego
@@ -12,26 +12,32 @@ test_violation {
 	eval_fail with input as rule_input(true, true, false, true, true, true, false, true)
 	eval_fail with input as rule_input(true, false, true, true, true, false, true, true)
 	eval_fail with input as rule_input(false, true, true, true, false, true, true, true)
+
+	# No public access block config
+	eval_fail with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, null)
+
+	# Only bucket-level public access block config
+	eval_fail with input as test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(true, false, true, true), null)
+
+	# Only account-level public access block config
+	eval_fail with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, test_data.generate_s3_public_access_block_configuration(true, true, false, true))
 }
 
 test_pass {
 	eval_pass with input as rule_input(true, true, true, true, false, false, false, false)
 	eval_pass with input as rule_input(false, false, false, false, true, true, true, true)
 	eval_pass with input as rule_input(true, false, true, false, false, true, false, true)
 	eval_pass with input as rule_input(false, true, false, true, true, false, true, false)
+
+	# Only bucket-level public access block config
+	eval_pass with input as test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(true, true, true, true), null)
+
+	# Only account-level public access block config
+	eval_pass with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, test_data.generate_s3_public_access_block_configuration(true, true, true, true))
 }
 
 test_not_evaluated {
 	not_eval with input as test_data.not_evaluated_s3_bucket
-
-	# A bucket without any public access block config
-	not_eval with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, null)
-
-	# A bucket without an account-level public access block config
-	not_eval with input as test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(true, true, true, true), null)
-
-	# A bucket without a bucket-level public access block config
-	not_eval with input as test_data.generate_s3_bucket("Bucket", "", null, null, null, test_data.generate_s3_public_access_block_configuration(true, true, true, true))
 }
 
 rule_input(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets, account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets) = test_data.generate_s3_bucket("Bucket", "", null, null, test_data.generate_s3_public_access_block_configuration(block_public_acls, block_public_policy, ignore_public_acls, restrict_public_buckets), test_data.generate_s3_public_access_block_configuration(account_block_public_acls, account_block_public_policy, account_ignore_public_acls, account_restrict_public_buckets))

diff --git a/bundle/compliance/policy/aws_s3/ensure_block_public_access.rego b/bundle/compliance/policy/aws_s3/ensure_block_public_access.rego
@@ -5,19 +5,41 @@ import data.compliance.lib.common as lib_common
 import data.compliance.policy.aws_s3.data_adapter
 import future.keywords.in
 
+public_access_block_config_is_blocked(config) {
+	config.BlockPublicAcls == true
+	config.BlockPublicPolicy == true
+	config.IgnorePublicAcls == true
+	config.RestrictPublicBuckets == true
+} else = false
+
 default rule_evaluation = false
 
+# If we got public access block config for both account and bucket
 rule_evaluation {
+	not data_adapter.public_access_block_configuration == null
+	not data_adapter.account_public_access_block_configuration == null
 	assert.some_true([data_adapter.public_access_block_configuration.BlockPublicAcls, data_adapter.account_public_access_block_configuration.BlockPublicAcls])
 	assert.some_true([data_adapter.public_access_block_configuration.BlockPublicPolicy, data_adapter.account_public_access_block_configuration.BlockPublicPolicy])
 	assert.some_true([data_adapter.public_access_block_configuration.IgnorePublicAcls, data_adapter.account_public_access_block_configuration.IgnorePublicAcls])
 	assert.some_true([data_adapter.public_access_block_configuration.RestrictPublicBuckets, data_adapter.account_public_access_block_configuration.RestrictPublicBuckets])
 }
 
+# If we got only account-level public access block config
+rule_evaluation {
+	not data_adapter.account_public_access_block_configuration == null
+	data_adapter.public_access_block_configuration == null
+	public_access_block_config_is_blocked(data_adapter.account_public_access_block_configuration)
+}
+
+# If we got only bucket-level public access block config
+rule_evaluation {
+	not data_adapter.public_access_block_configuration == null
+	data_adapter.account_public_access_block_configuration == null
+	public_access_block_config_is_blocked(data_adapter.public_access_block_configuration)
+}
+
 finding = result {
 	data_adapter.is_s3
-	not data_adapter.public_access_block_configuration == null
-	not data_adapter.account_public_access_block_configuration == null
 
 	result := lib_common.generate_result_without_expected(
 		lib_common.calculate_result(rule_evaluation),