GSL Examples - How to

    Security Group

    • These default security groups (that cannot be deleted) should contain no rules

      SecurityGroup where name='default' should have inboundRules.length=0 and outboundRules.length=0

    • Same for security groups discarding the default security groups (that cannot be deleted)

      SecurityGroup where not name='default' should have vpc

    • Will check if a security group has referencing security groups (rules whose scope is another security group)

      SecurityGroup should have inboundRules with [scope like '%sg%'] or outboundRules with [scope like '%sg%']

    • Will check if a security group is unused (no attached network assets) but still has referencing security groups

      SecurityGroup where name != 'default' should not have networkAssetsStats contain-all [ count = 0 ] and ( inboundRules with [scope like '%sg%'] or outboundRules with [scope like '%sg%'] )
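      The four security-group rules above, expressed as plain Python checks over the same fields (added example, not code from the original page or from the GSL engine; a record shape with name, vpc, inboundRules, outboundRules and networkAssetsStats is assumed from the rule text, and the three sample groups are constructed). Each check returns True when the group complies, False when it violates the rule, and None when the rule's `where` clause does not select the group.

```python
"""Security-group compliance checks mirroring the GSL rules on the page.

Assumed record shape (taken from the field names the rules use):
  name, vpc, inboundRules/outboundRules (lists of {port, scope}),
  networkAssetsStats (list of {type, count}).
"""


def rule_references_sg(rule):
    """GSL 'scope like %sg%': the rule's scope is another security group."""
    return "sg" in rule.get("scope", "")


def default_sg_has_no_rules(sg):
    """SecurityGroup where name='default' should have
    inboundRules.length=0 and outboundRules.length=0."""
    if sg["name"] != "default":
        return None  # rule does not apply
    return len(sg["inboundRules"]) == 0 and len(sg["outboundRules"]) == 0


def non_default_sg_has_vpc(sg):
    """SecurityGroup where not name='default' should have vpc."""
    if sg["name"] == "default":
        return None
    return bool(sg.get("vpc"))


def references_other_sgs(sg):
    """SecurityGroup should have inboundRules with [scope like '%sg%']
    or outboundRules with [scope like '%sg%']."""
    return any(rule_references_sg(r) for r in sg["inboundRules"] + sg["outboundRules"])


def unused_sg_not_referenced(sg):
    """SecurityGroup where name != 'default' should not have
    networkAssetsStats contain-all [count = 0] and (... scope like '%sg%' ...).
    'should not have X' passes when X is false, hence the negation."""
    if sg["name"] == "default":
        return None
    unused = all(s["count"] == 0 for s in sg["networkAssetsStats"])
    return not (unused and references_other_sgs(sg))


# Constructed sample records (not real AWS data).
SAMPLE_GROUPS = [
    {"name": "default", "vpc": "vpc-0a1b2c3d",
     "inboundRules": [], "outboundRules": [],
     "networkAssetsStats": [{"type": "Instance", "count": 3}]},
    {"name": "web", "vpc": "vpc-0a1b2c3d",
     "inboundRules": [{"port": 443, "scope": "0.0.0.0/0"}],
     "outboundRules": [{"port": 5432, "scope": "sg-0db11a7c"}],
     "networkAssetsStats": [{"type": "Instance", "count": 2}]},
    {"name": "orphan", "vpc": "vpc-0a1b2c3d",
     "inboundRules": [{"port": 22, "scope": "sg-0db11a7c"}], "outboundRules": [],
     "networkAssetsStats": [{"type": "Instance", "count": 0},
                            {"type": "Lambda", "count": 0}]},
]

CHECKS = [default_sg_has_no_rules, non_default_sg_has_vpc,
          references_other_sgs, unused_sg_not_referenced]


def evaluate(groups):
    """Run every check over every group: {group name: {check name: result}}."""
    return {g["name"]: {c.__name__: c(g) for c in CHECKS} for g in groups}


if __name__ == "__main__":
    for name, results in evaluate(SAMPLE_GROUPS).items():
        print(name, results)
```

The None result matters when you aggregate: a rule that does not select an entity is neither a pass nor a failure, and counting it as either skews compliance percentages.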


    Instance

    • Will make sure that all instances are running inside a VPC and not in EC2-Classic.
      Instance should have vpc

    • Run only in supported regions
      Instance should have region in ('us_west_2','us_east_1')

    • Query the length of arrays/collections

      Instance where nics.length>1 should have tags contain[key='router']

    • Here we test the existence of publicIpAddress property in any of the nics and then create a complex match against both port and scope of the inboundRules.

      Note that isPublic() is an internal function to determine if this scope is a public IP / CIDR.

      Instance where nics contains[publicIpAddress] should not have inboundRules with[port=22 and scope isPublic()]

    • Showing how to match a property against a list of approved values

      Instance where platform='linux' should have image in ('ami-05355a6c','ami-12345')

    • Similar but a bit more complex, here at least one of the tags should satisfy the condition

      Instance should have tags with [key in ('owner', 'Application', 'application', 'app', 'ApprovedBy')]

    • Note that the functions before() and after() should receive a negative number in order to specify a past event.

      Instance where launchTime before(-3,'months') should have tags with [key='ApprovedBy']
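      The Instance rules above as Python checks over one constructed instance record (added example, not code from the original page or from the GSL engine). isPublic() is a GSL-internal function; the is_public_scope() definition here is this example's own assumption: a scope is public unless it is a security-group reference or lies entirely inside a private, loopback or link-local range. The "3 months" in before(-3,'months') is approximated as 90 days, also an assumption; the evaluation time is passed in explicitly so the result is reproducible.

```python
"""Instance compliance checks mirroring the GSL rules on the page."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed definition of a non-public scope (the page does not define isPublic()).
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
APPROVED_REGIONS = ("us_west_2", "us_east_1")
APPROVED_IMAGES = ("ami-05355a6c", "ami-12345")
OWNER_TAG_KEYS = ("owner", "Application", "application", "app", "ApprovedBy")


def is_public_scope(scope):
    """Stand-in for GSL isPublic(): sg references and purely private CIDRs are not public."""
    if scope.startswith("sg-"):
        return False
    try:
        net = ipaddress.ip_network(scope, strict=False)
    except ValueError:
        return False
    return not any(net.subnet_of(p) for p in PRIVATE_RANGES if p.version == net.version)


def in_vpc(inst):
    """Instance should have vpc."""
    return bool(inst.get("vpc"))


def in_approved_region(inst):
    """Instance should have region in ('us_west_2','us_east_1')."""
    return inst["region"] in APPROVED_REGIONS


def multi_nic_is_tagged_router(inst):
    """Instance where nics.length>1 should have tags contain [key='router']."""
    if len(inst["nics"]) <= 1:
        return None
    return any(t["key"] == "router" for t in inst["tags"])


def no_public_ssh(inst):
    """Instance where nics contains [publicIpAddress]
    should not have inboundRules with [port=22 and scope isPublic()]."""
    if not any(n.get("publicIpAddress") for n in inst["nics"]):
        return None
    return not any(r["port"] == 22 and is_public_scope(r["scope"])
                   for r in inst["inboundRules"])


def linux_image_approved(inst):
    """Instance where platform='linux' should have image in (...)."""
    if inst["platform"] != "linux":
        return None
    return inst["image"] in APPROVED_IMAGES


def has_owner_tag(inst):
    """Instance should have tags with [key in ('owner', ...)]."""
    return any(t["key"] in OWNER_TAG_KEYS for t in inst["tags"])


def old_instance_is_approved(inst, now):
    """Instance where launchTime before(-3,'months') should have tags with [key='ApprovedBy'].
    Three months approximated as 90 days (assumption)."""
    if inst["launchTime"] >= now - timedelta(days=90):
        return None
    return any(t["key"] == "ApprovedBy" for t in inst["tags"])


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed evaluation time

# Constructed sample records (not real AWS data).
SAMPLE_INSTANCES = [
    {"name": "bastion", "vpc": "vpc-0a1b2c3d", "region": "us_east_1",
     "nics": [{"publicIpAddress": "203.0.113.10"}],
     "inboundRules": [{"port": 22, "scope": "0.0.0.0/0"}],
     "tags": [{"key": "owner", "value": "secops"}],
     "launchTime": NOW - timedelta(days=200),
     "platform": "linux", "image": "ami-05355a6c"},
    {"name": "app", "vpc": "vpc-0a1b2c3d", "region": "eu_west_1",
     "nics": [{"publicIpAddress": None}, {}],
     "inboundRules": [{"port": 22, "scope": "10.0.0.0/16"}],
     "tags": [{"key": "router", "value": "yes"}, {"key": "ApprovedBy", "value": "cab"}],
     "launchTime": NOW - timedelta(days=10),
     "platform": "windows", "image": "ami-12345"},
]

CHECKS = [in_vpc, in_approved_region, multi_nic_is_tagged_router,
          no_public_ssh, linux_image_approved, has_owner_tag]


def evaluate_instances(instances, now):
    """{instance name: {check name: True/False/None}}."""
    out = {}
    for inst in instances:
        res = {c.__name__: c(inst) for c in CHECKS}
        res["old_instance_is_approved"] = old_instance_is_approved(inst, now)
        out[inst["name"]] = res
    return out


if __name__ == "__main__":
    for name, res in evaluate_instances(SAMPLE_INSTANCES, NOW).items():
        print(name, res)
```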


    S3 Bucket

    • Shows if the bucket policy mandates that all uploads are server-side encrypted

      S3Bucket should have policy.Statement contain [Effect='Deny' and (Action='s3:PutObject' and Condition.Null.s3:x-amz-server-side-encryption='true')]

    • Make sure that the S3 bucket is not publicly accessible. It validates that there is no condition that allows specific source IPs.

      S3Bucket should not have (acl.grants contain [uri like ] or policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and not ])

    • Ensure that a certain IAM policy is applied. For example, make sure that an IAM policy enforcing SSL only access is applied on S3 Bucket.

      The IAM policy to enforce: { "Sid": "SSLOnlyAccess", "Effect": "Deny", "Principal": { "AWS": "*" }, "Action": "s3:*", "Condition": { "Bool": { "aws:SecureTransport": false } }, "Resource": "arn:aws:s3:::mys3/*" }
      S3Bucket should have policy.Statement contain [Sid = 'SSLOnlyAccess' and Effect='Deny' and Action = 's3:*' and Principal.AWS = '*' and = 'false']

    • Ensure that an S3 bucket is not publicly exposed, but allow access conditions for a particular source IP or VPC.
      S3Bucket should not have ( acl.grants contain [uri like] or policy.Statement contain [Effect='Allow' and (Principal='*' or Principal.AWS='*') and not ( = '<vpc-id>' or = '' ) ])

    • This rule will fail any S3 bucket that has a policy statement with Effect 'Allow' where the Principal's AWS ARN matches 's3:*' or the Principal is '*'.

      S3Bucket should not have policy.Statement contain [Effect='Allow' and (Principal.AWS contain [$ regexMatch /s3:\*/i] or Principal='*')]


    IAM and IAM related policies

    • Check if a specific IAM role has a specific IAM policy, effect, and at least one of the specified actions.

      Note the difference in the action clause - in this example the test checks for a list of actions, therefore uses "Action contain".

      IamRole should have combinedPolicies contain[id='arn:aws:iam::<ID>:policy/PowerUsers' and policyDocument.Statement contain [Effect='Deny' and Action contain ['iam:\*'] ] ]
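      The S3 bucket-policy rules above (server-side-encryption Deny, SSLOnlyAccess, public Allow) and the IAM role rule just shown, implemented as Python checks over policy documents (added example, not code from the original page or from the GSL engine). Two practical details the GSL text glosses over are handled explicitly: IAM JSON allows Statement, Action and Principal.AWS to be a single value or a list, so every check normalises them with as_list(); and the SSL policy on the page writes aws:SecureTransport as the JSON boolean false while the GSL rule compares it to the string 'false', so both spellings are accepted. The public-exposure check is a simplification (an assumption): it treats a wildcard-principal Allow with no Condition block as public and does not reproduce the page's source-IP/VPC exception, whose condition keys are not shown on the page. The bucket policy, role record and the placeholder account ID <ID> (copied from the page) are constructed sample data.

```python
"""Policy-document checks mirroring the S3 and IAM GSL rules on the page."""


def as_list(value):
    """IAM JSON permits scalar-or-list for Statement, Action, Principal.AWS, ..."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statements(policy):
    return as_list(policy.get("Statement"))


def is_false(value):
    """Accept JSON false and the string 'false' (the page uses both)."""
    return value is False or str(value).lower() == "false"


def requires_sse(policy):
    """policy.Statement contain [Effect='Deny' and Action='s3:PutObject'
    and Condition.Null.s3:x-amz-server-side-encryption='true']."""
    for st in statements(policy):
        null_cond = st.get("Condition", {}).get("Null", {})
        if (st.get("Effect") == "Deny"
                and "s3:PutObject" in as_list(st.get("Action"))
                and str(null_cond.get("s3:x-amz-server-side-encryption")).lower() == "true"):
            return True
    return False


def enforces_ssl_only(policy):
    """policy.Statement contain [Sid='SSLOnlyAccess' and Effect='Deny'
    and Action='s3:*' and Principal.AWS='*' and aws:SecureTransport = 'false']."""
    for st in statements(policy):
        principal = st.get("Principal", {})
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        secure = st.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if (st.get("Sid") == "SSLOnlyAccess" and st.get("Effect") == "Deny"
                and "s3:*" in as_list(st.get("Action")) and "*" in aws
                and is_false(secure)):
            return True
    return False


def has_public_allow(policy):
    """Simplified public check (assumption): Allow + Principal '*' or
    Principal.AWS '*' with no Condition narrowing the source."""
    for st in statements(policy):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in as_list(principal.get("AWS")))
        if wildcard and not st.get("Condition"):
            return True
    return False


def role_denies_action(role, policy_arn, action):
    """IamRole should have combinedPolicies contain [id=<arn> and
    policyDocument.Statement contain [Effect='Deny' and Action contain [<action>]]]."""
    for pol in role.get("combinedPolicies", []):
        if pol.get("id") != policy_arn:
            continue
        for st in statements(pol.get("policyDocument", {})):
            if st.get("Effect") == "Deny" and action in as_list(st.get("Action")):
                return True
    return False


# Constructed sample data (the SSLOnlyAccess statement is the one shown on the page).
SAMPLE_BUCKET_POLICY = {"Statement": [
    {"Sid": "SSLOnlyAccess", "Effect": "Deny", "Principal": {"AWS": "*"},
     "Action": "s3:*", "Condition": {"Bool": {"aws:SecureTransport": False}},
     "Resource": "arn:aws:s3:::mys3/*"},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:PutObject"],
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
     "Resource": "arn:aws:s3:::mys3/*"},
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::mys3/*"},
]}

SAMPLE_ROLE = {"name": "power-user-role", "combinedPolicies": [
    {"id": "arn:aws:iam::<ID>:policy/PowerUsers",
     "policyDocument": {"Statement": {"Effect": "Deny", "Action": ["iam:*"],
                                      "Resource": "*"}}},
]}

if __name__ == "__main__":
    print("requires SSE:", requires_sse(SAMPLE_BUCKET_POLICY))
    print("SSL only:", enforces_ssl_only(SAMPLE_BUCKET_POLICY))
    print("public allow:", has_public_allow(SAMPLE_BUCKET_POLICY))
    print("role denies iam:*:", role_denies_action(
        SAMPLE_ROLE, "arn:aws:iam::<ID>:policy/PowerUsers", "iam:*"))
```

Note that the page's IAM example wraps the action in a list (`Action contain ['iam:\*']`) while the S3 examples compare a scalar (`Action='s3:*'`): the normalisation in as_list() is what makes one check work for both shapes.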


    AWS Inspector

    • Check for specific CVEs (Meltdown and Spectre processor vulnerabilities)

      Instance should not have scanners.findings contain [ ruleId in ( 'CVE-2017-5754','CVE-2017-5753', 'CVE-2017-5715') ]

    • Make sure Inspector scans were completed on the last 7 days

      Instance should have scanners.scans contain [source = 'Inspector' and startTime after(-7, 'days') and state in ('COMPLETED', 'COMPLETED_WITH_ERRORS') ]

    • Make sure instances do not include high severity findings

      Instance should not have scanners.findings contain-any [ruleSeverity='High']
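      The three Inspector rules above as Python checks over the scanners sub-record (added example, not code from the original page or from the GSL engine). The record shape, with scanners.findings carrying ruleId and ruleSeverity and scanners.scans carrying source, startTime and state, is assumed from the rules' field names; timestamps are ISO 8601 strings as a scan export would carry them, and the evaluation time is passed in so that the 7-day window is reproducible. The two instances are constructed.

```python
"""AWS Inspector checks mirroring the GSL rules on the page."""
from datetime import datetime, timedelta, timezone

SPECTRE_MELTDOWN = ("CVE-2017-5754", "CVE-2017-5753", "CVE-2017-5715")
COMPLETED_STATES = ("COMPLETED", "COMPLETED_WITH_ERRORS")


def free_of_cves(inst, cve_ids=SPECTRE_MELTDOWN):
    """Instance should not have scanners.findings contain [ruleId in (...)]."""
    return not any(f["ruleId"] in cve_ids for f in inst["scanners"]["findings"])


def scanned_recently(inst, now, days=7):
    """Instance should have scanners.scans contain [source='Inspector' and
    startTime after(-7,'days') and state in ('COMPLETED','COMPLETED_WITH_ERRORS')]."""
    cutoff = now - timedelta(days=days)
    for scan in inst["scanners"]["scans"]:
        started = datetime.fromisoformat(scan["startTime"])
        if (scan["source"] == "Inspector" and started > cutoff
                and scan["state"] in COMPLETED_STATES):
            return True
    return False


def no_high_findings(inst):
    """Instance should not have scanners.findings contain-any [ruleSeverity='High']."""
    return not any(f["ruleSeverity"] == "High" for f in inst["scanners"]["findings"])


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed evaluation time

# Constructed sample records (not real Inspector output).
SAMPLE_INSTANCES = [
    {"name": "patched", "scanners": {
        "findings": [{"ruleId": "CVE-2023-0001", "ruleSeverity": "Medium"}],
        "scans": [{"source": "Inspector", "startTime": "2024-05-28T09:15:00+00:00",
                   "state": "COMPLETED"}]}},
    {"name": "stale", "scanners": {
        "findings": [{"ruleId": "CVE-2017-5715", "ruleSeverity": "High"}],
        "scans": [{"source": "Inspector", "startTime": "2024-05-10T09:15:00+00:00",
                   "state": "COMPLETED"},
                  {"source": "Inspector", "startTime": "2024-05-31T09:15:00+00:00",
                   "state": "FAILED"}]}},
]


def evaluate_inspector(instances, now):
    """{instance name: {check name: True/False}}."""
    return {i["name"]: {"free_of_cves": free_of_cves(i),
                        "scanned_recently": scanned_recently(i, now),
                        "no_high_findings": no_high_findings(i)}
            for i in instances}


if __name__ == "__main__":
    for name, res in evaluate_inspector(SAMPLE_INSTANCES, NOW).items():
        print(name, res)
```

The "stale" record shows why the state filter matters: it has a scan inside the 7-day window, but that scan failed, so only the older completed scan counts and the instance fails the freshness rule.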