### Copy Example Configuration File
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Copy the example configuration file to start customizing CloudSploit settings.

```bash
$ cp config_example.js config.js
```

--------------------------------

### Copy Example Config and Run with Config
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/upgrading.md

Copy the example configuration file, edit it, and then run CloudSploit specifying the new configuration file.

```bash
$ cp config_example.js config.js
# Edit your config.js file and pass either a path to a cloud credential file or the credentials themselves.
$ ./index.js --config=./config.js
```

--------------------------------

### Clone and Install CloudSploit (Generic)
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Clone the CloudSploit repository, change into the directory, install dependencies, and view the help output.

```bash
$ git clone https://github.com/aquasecurity/cloudsploit.git
$ cd cloudsploit
$ npm install
$ ./index.js -h
```

--------------------------------

### Azure Configuration Example
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example configuration for Azure, showing the two options for authentication: a credential file, or credentials read from environment variables. Uncomment the option you use.

```javascript
azure: {
    // OPTION 1: If using a credential JSON file, enter the path below
    // credential_file: '/path/to/file.json',
    // OPTION 2: If using hard-coded credentials, enter them below
    // application_id: process.env.AZURE_APPLICATION_ID || '',
    // key_value: process.env.AZURE_KEY_VALUE || '',
    // directory_id: process.env.AZURE_DIRECTORY_ID || '',
    // subscription_id: process.env.AZURE_SUBSCRIPTION_ID || ''
}
```

--------------------------------

### Install CloudSploit Dependencies
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Clone the CloudSploit scans repository and install its Node.js dependencies.
```bash
$ git clone git@github.com:cloudsploit/scans.git
$ npm install
```

--------------------------------

### Combine Console and CSV Output
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example of printing output to the console as a table while also saving it to a CSV file.

```bash
# Print a table to the console and save a CSV file
$ ./index.js --csv=file.csv --console=table
```

--------------------------------

### Combine Multiple Outputs and Ignore OK Results
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example of printing to the console as text and saving JSON and JUnit XML files, while ignoring passing results.

```bash
# Print text to the console and save a JSON and JUnit file while ignoring passing results
$ ./index.js --json=file.json --junit=file.xml --console=text --ignore-ok
```

--------------------------------

### AWS Credentials via Environment Variables
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example of how AWS credentials can be configured from environment variables in `config.js`. Ensure the relevant section in `config.js` is uncommented.

```javascript
{
    access_key: process.env.AWS_ACCESS_KEY_ID || '',
    secret_access_key: process.env.AWS_SECRET_ACCESS_KEY || '',
    session_token: process.env.AWS_SESSION_TOKEN || ''
}
```

--------------------------------

### Example API Response for getMembership
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/github.md

This JSON structure shows the response from the 'orgs:getMembership' API call for individual users, including each user's membership state and role.

```json
"getMembership": {
    "userone": {
        "data": {
            "url": "https://api.github.com/orgs/myorg/memberships/userone",
            "state": "active",
            "role": "admin",
            ...
        }
    },
    "usertwo": {
        "data": {
            "url": "https://api.github.com/orgs/myorg/memberships/usertwo",
            "state": "active",
            "role": "admin",
            ...
        }
    }
}
```

--------------------------------

### Suppress All Plugin Results
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example of suppressing all results for a specific plugin using wildcards for the region and resource fields.

```bash
# Suppress all results for the acmValidation plugin
$ ./index.js --suppress acmValidation:*:*
```

--------------------------------

### AWS Credential File Format
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example JSON format for an AWS credential file used with CloudSploit's `credential_file` option.

```json
{
    "accessKeyId": "YOURACCESSKEY",
    "secretAccessKey": "YOURSECRETKEY"
}
```

--------------------------------

### Run Multiple Compliance Scans Simultaneously
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Multiple compliance modes can be run concurrently by specifying the `--compliance` flag more than once. This example runs both CIS Level 1 and Level 2.

```bash
$ ./index.js --compliance=cis1 --compliance=cis2
```

--------------------------------

### Example API Response for listMembers
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/github.md

This JSON structure represents the response from the 'orgs:listMembers' API call, listing the members of an organization.

```json
"listMembers": {
    "data": [
        {
            "login": "userone",
            "id": 123456,
            ...
        },
        {
            "login": "usertwo",
            "id": 123576,
            ...
        }
    ]
}
```

--------------------------------

### Suppress All Results in a Region
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example of suppressing all results from a specific AWS region using wildcards for the plugin and resource fields.

```bash
# Suppress all us-east-1 region results
$ ./index.js --suppress *:us-east-1:*
```

--------------------------------

### Suppress Specific Results
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

The `--suppress` flag excludes specific findings by plugin ID, region, and resource ID, in that order.
```bash
--suppress pluginId:region:resourceId
```

--------------------------------

### Suppress Results Matching a Regex
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Example of suppressing results whose resource IDs match a regular expression, across all plugins and regions.

```bash
# Suppress all results matching the regex "certificate/*" in all regions for all plugins
$ ./index.js --suppress *:*:certificate/*
```

--------------------------------

### Declare Oracle Plugin API Calls
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Specifies the CloudSploit API calls that an Oracle plugin will use, such as VCN and subnet listing. This is declared at the start of the plugin file.

```javascript
apis: ['vcn:list','subnet:list']
```

--------------------------------

### Oracle Collection: Get Specific VCN
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines a post-call for CloudSploit's collection engine to retrieve detailed information about a specific Virtual Cloud Network. It relies on the output of the prior 'list' call, filtering on the `vcnId` taken from each listed VCN's `id`.

```javascript
vcn: {
    get: {
        api: "core",
        reliesOnService: ['vcn'],
        reliesOnCall: ['list'],
        filterKey: ['vcnId'],
        filterValue: ['id'],
    }
},
```

--------------------------------

### AWS Inline Policy - API Gateway Permissions
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/notes.md

This snippet defines an 'Allow' effect for API Gateway GET actions on various API Gateway resources. It is part of an AWS inline policy.

```json
{
    "Effect": "Allow",
    "Action": [
        "apigateway:GET"
    ],
    "Resource": [
        "arn:aws:apigateway:*::/apis",
        "arn:aws:apigateway:*::/apis/*/stages",
        "arn:aws:apigateway:*::/apis/*/stages/*",
        "arn:aws:apigateway:*::/apis/*/routes",
        "arn:aws:apigateway:*::/restapis",
        "arn:aws:apigateway:*::/restapis/*/authorizers",
        "arn:aws:apigateway:*::/restapis/*/authorizers/*",
        "arn:aws:apigateway:*::/restapis/*/documentation/versions",
        "arn:aws:apigateway:*::/restapis/*/resources",
        "arn:aws:apigateway:*::/restapis/*/resources/*",
        "arn:aws:apigateway:*::/restapis/*/resources/*/methods/*",
        "arn:aws:apigateway:*::/restapis/*/stages",
        "arn:aws:apigateway:*::/restapis/*/stages/*",
        "arn:aws:apigateway:*::/vpclinks"
    ]
}
```

--------------------------------

### AWS IAM Inline Policy for Cloudsploit
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/notes.md

This policy grants CloudSploit the permissions it needs to describe and list resources across numerous AWS services. It is provided as an example of a restrictive policy but is not recommended for production use, because the required permissions change over time. If a test returns 'UNKNOWN', a missing permission is the likely cause.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "acm:Describe*",
                "acm:List*",
                "application-autoscaling:Describe*",
                "appmesh:Describe*",
                "appmesh:List*",
                "appsync:List*",
                "athena:List*",
                "athena:GetWorkGroup",
                "autoscaling:Describe*",
                "batch:DescribeComputeEnvironments",
                "batch:DescribeJobDefinitions",
                "chime:List*",
                "cloud9:Describe*",
                "cloud9:ListEnvironments",
                "clouddirectory:ListDirectories",
                "cloudformation:DescribeStack*",
                "cloudformation:GetTemplate",
                "cloudformation:ListStack*",
                "cloudformation:GetStackPolicy",
                "cloudfront:Get*",
                "cloudfront:List*",
                "cloudhsm:ListHapgs",
                "cloudhsm:ListHsms",
                "cloudhsm:ListLunaClients",
                "cloudsearch:DescribeDomains",
                "cloudsearch:DescribeServiceAccessPolicies",
                "cloudtrail:DescribeTrails",
                "cloudtrail:GetEventSelectors",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:ListTags",
                "cloudtrail:LookupEvents",
                "cloudwatch:Describe*",
                "codebuild:ListProjects",
                "codecommit:BatchGetRepositories",
                "codecommit:GetBranch",
                "codecommit:GetObjectIdentifier",
                "codecommit:GetRepository",
                "codecommit:List*",
                "codedeploy:Batch*",
                "codedeploy:Get*",
                "codedeploy:List*",
                "codepipeline:ListPipelines",
                "codestar:Describe*",
                "codestar:List*",
                "cognito-identity:ListIdentityPools",
                "cognito-idp:ListUserPools",
                "cognito-sync:Describe*",
                "cognito-sync:List*",
                "comprehend:Describe*",
                "comprehend:List*",
                "config:BatchGetAggregateResourceConfig",
                "config:BatchGetResourceConfig",
                "config:Deliver*",
                "config:Describe*",
                "config:Get*",
                "config:List*",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:EvaluateExpression",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:QueryObjects",
                "datapipeline:ValidatePipelineDefinition",
                "datasync:Describe*",
                "datasync:List*",
                "dax:Describe*",
                "dax:ListTags",
                "directconnect:Describe*",
                "dms:Describe*",
                "dms:ListTagsForResource",
                "ds:DescribeDirectories",
                "dynamodb:DescribeContinuousBackups",
                "dynamodb:DescribeGlobalTable",
                "dynamodb:DescribeTable",
                "dynamodb:DescribeTimeToLive",
                "dynamodb:ListBackups",
                "dynamodb:ListGlobalTables",
                "dynamodb:ListStreams",
                "dynamodb:ListTables",
                "ec2:Describe*",
                "ecr:DescribeRepositories",
                "ecr:GetRepositoryPolicy",
                "ecs:Describe*",
                "ecs:List*",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "elasticache:Describe*",
                "elasticbeanstalk:Describe*",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargetSecurityGroups",
                "elasticfilesystem:DescribeMountTargets",
                "elasticloadbalancing:Describe*",
                "elasticmapreduce:Describe*",
                "elasticmapreduce:ListClusters",
                "elasticmapreduce:ListInstances",
                "elastictranscoder:ListPipelines",
                "es:Describe*",
                "es:ListDomainNames",
                "events:Describe*",
                "events:List*",
                "firehose:Describe*",
                "firehose:List*",
                "fms:ListComplianceStatus",
                "fms:ListPolicies",
                "fsx:Describe*",
                "fsx:List*"
            ]
        }
    ]
}
```

--------------------------------

### Build and Run CloudSploit with Docker
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Clone the repository, build a Docker image, and run it to view the help output or to perform scans with credentials passed as environment variables and a compliance mode selected.

```bash
$ git clone https://github.com/aquasecurity/cloudsploit.git
$ cd cloudsploit
$ docker build . -t cloudsploit:0.0.1
$ docker run cloudsploit:0.0.1 -h
$ docker run -e AWS_ACCESS_KEY_ID=XX -e AWS_SECRET_ACCESS_KEY=YY cloudsploit:0.0.1 --compliance=pci
```

--------------------------------

### Show All CLI Options
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Displays the full list of command-line options for CloudSploit. Use this to customize scan behavior and output.

```bash
$ ./index.js -h
```

--------------------------------

### Run a Single Plugin
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Command to execute only the specified plugin.
```bash
$ ./index.js --plugin acmValidation
```

--------------------------------

### Azure Virtual Machines Collection Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Configures the Compute Management Service to use the virtualMachines:listAll call. ARM is enabled for this call.

```javascript
virtualMachines: {
    listAll: {
        api: "ComputeManagementClient",
        arm: true
    }
},
```

--------------------------------

### Run CIS Benchmarks Compliance Scan
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Initiates a CloudSploit scan for CIS Benchmarks, supporting Level 1 and Level 2 controls. Passing `--compliance=cis` runs both levels.

```bash
$ ./index.js --compliance=cis
```

--------------------------------

### JUnit XML Output
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Command to save CloudSploit results in JUnit XML format.

```bash
$ ./index.js --junit=file.xml
```

--------------------------------

### Handle No VM Extensions Found
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Checks whether the VM extensions data returned is empty. If no extensions are found, it adds a result with status 0 (PASS) and a corresponding message.

```javascript
if (!virtualMachineExtensions.data.length) {
    helpers.addResult(results, 0, 'No VM Extensions found', location);
}
```

--------------------------------

### Run Remediation for Specified Plugins
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

The `--remediate` flag triggers remediation actions for the plugins named in its argument. It takes a list of plugin names.

--------------------------------

### Collection Output
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Command to save the collected cloud provider API data in JSON format.

```bash
$ ./index.js --collection=file.json
```

--------------------------------

### Define Azure VM ListAll API Call
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Specifies the URL and parameters for listing all Azure virtual machines. This is part of the data collection phase for a plugin.

```javascript
virtualMachines: {
    listAll: {
        url: 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2019-12-01'
    }
}
```

--------------------------------

### Revert to Raw Text Output
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/upgrading.md

Use the `--console=text` flag to revert to raw text output when the pretty-printed, colored tables are not usable.

```bash
$ ./index.js --console=text
```

--------------------------------

### Generate JSON Output File
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/upgrading.md

Use the `--json=file.json` flag to write results as a JSON structure, recommended when feeding results into other systems.

```bash
$ ./index.js --json=file.json
```

--------------------------------

### Azure Virtual Machine Extensions Post-Call Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines a post-call for virtualMachineExtensions:list that relies on multiple prior services and calls (resourceGroups:list and virtualMachines:listAll). ARM is enabled.

```javascript
virtualMachineExtensions: {
    list: {
        api: "ComputeManagementClient",
        reliesOnService: ['resourceGroups', 'virtualMachines'],
        reliesOnCall: ['list', 'listAll'],
        filterKey: ['resourceGroupName', 'name'],
        filterValue: ['resourceGroupName', 'name'],
        arm: true
    }
},
```

--------------------------------

### Run CloudSploit with Default AWS Credentials
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/upgrading.md

For AWS users, CloudSploit can now use the default credential handler, so it can be run without a config flag.
```bash
$ ./index.js
```

--------------------------------

### Basic CloudSploit GitHub Plugin Structure
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/github.md

This JavaScript code outlines the basic structure of a CloudSploit plugin. It includes the required metadata and the plugin's core 'run' function.

```javascript
var async = require('async');
var helpers = require('../../../helpers/github');

module.exports = {
    title: 'Org Excessive Admins',
    org: true,
    category: 'Orgs',
    description: 'Checks that the org does not have too many admins.',
    more_info: 'Having too many admins places the organization at risk.',
    link: 'https://developer.github.com/v3/orgs/#get-an-organization',
    recommended_action: 'Remove unused or unneeded admins.',
    apis: ['orgs:listMembers', 'orgs:getMembership'],

    run: function(cache, settings, callback) {
        // Plugin functionality
        callback(null, results, source);
    }
};
```

--------------------------------

### Specify Plugin API Calls
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Lists the Azure API calls that the plugin will use. This lets CloudSploit manage dependencies and data collection.

```javascript
apis: ['virtualMachines:listAll', 'virtualMachineExtensions:list']
```

--------------------------------

### Run GitHub Scans
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/github.md

Execute CloudSploit GitHub scans with the Node.js entry point. Have your GitHub organization name and personal access token ready to fill in the two environment variables.

```bash
GITHUB_ORG= GITHUB_TOKEN= node index.js
```

--------------------------------

### Azure Credentials Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Configuration object for Azure authentication. Replace the placeholder values with your Azure credentials.

```json
{
    "ApplicationID": "YOURAZUREAPPLICATIONID",
    "KeyValue": "YOURAZUREKEYVALUE",
    "DirectoryID": "YOURAZUREDIRECTORYID",
    "SubscriptionID": "YOURAZURESUBSCRIPTIONID"
}
```

--------------------------------

### Retrieve Virtual Machines Data
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Retrieves the collected virtual machine data for a location from the cache using the helper functions. This data is used in the plugin's run function.

```javascript
var virtualMachines = helpers.addSource(cache, source, ['virtualMachines', 'listAll', location]);
```

--------------------------------

### Retrieve Virtual Machine Extensions Data
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Fetches the extension data for a specific virtual machine using its ID. This is part of processing individual virtual machines within the plugin.

```javascript
var virtualMachineExtensions = helpers.addSource(cache, source, ['virtualMachineExtensions', 'list', location, virtualMachine.id]);
```

--------------------------------

### CI/CD Flags for CloudSploit
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/upgrading.md

Helpful flags for integrating CloudSploit into CI/CD pipelines, covering ignoring passing results, setting the exit code, and controlling console output.

```bash
# Ignore passing results
$ ./index.js --ignore-ok
# Exit with a non-zero code if non-passing results are found
$ ./index.js --exit-code
# Print raw text output instead of the pretty-print tables
$ ./index.js --console=text
# Suppress console output (only recommended if using a file output)
$ ./index.js --console=none
# Create a JUnit XML file
$ ./index.js --junit=file.xml
```

--------------------------------

### Create Cross-Account IAM Role Steps
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/notes.md

Follow these steps in the AWS IAM console to create a cross-account IAM role for secure access sharing.
This method is more secure than key-based access.

```text
1. Navigate to the [IAM console](https://console.aws.amazon.com/iam/home).
2. Log into your AWS account and navigate to the IAM console.
3. Create a new IAM role.
4. When prompted for a trusted entity select: "Another AWS account".
5. Enter "057012691312" for the account to trust (Account ID).
6. Check the box to "Require external ID" and enter the external ID displayed below.
7. Ensure that MFA token is not selected.
8. Select the "SecurityAudit" managed policy.
9. Enter a memorable role name and create the role.
10. Then click on the role name and copy the role ARN for use in the next step.
```

--------------------------------

### CSV Output
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Command to save CloudSploit results to a CSV file.

```bash
$ ./index.js --csv=file.csv
```

--------------------------------

### Run PCI Compliance Scan
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Initiates a CloudSploit scan for PCI DSS compliance. This maps plugins to the Payment Card Industry Data Security Standard.

```bash
$ ./index.js --compliance=pci
```

--------------------------------

### Generate API Key Fingerprint
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/oracle.md

Calculates the fingerprint of the API key, which identifies the key in OCI.

```bash
openssl rsa -pubout -outform DER -in ~/.oci/oci_api_key.pem | openssl md5 -c
```

--------------------------------

### Handle VM Extensions Error or Missing Data
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Checks whether the query for VM extensions returned an error or no data. If so, it adds an error result (status 3, UNKNOWN) and returns from the region callback.

```javascript
if (virtualMachineExtensions.err || !virtualMachineExtensions.data) {
    helpers.addResult(results, 3, 'Unable to query for VM Extensions: ' + helpers.addError(virtualMachineExtensions), location);
    return rcb();
}
```

--------------------------------

### Generate Public API Key
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/oracle.md

Derives the public key from the generated private key. This public key is uploaded for verification.

```bash
openssl rsa -pubout -in ~/.oci/oci_api_key.pem -out ~/.oci/oci_api_key_public.pem
```

--------------------------------

### Run HIPAA Compliance Scan
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Initiates a CloudSploit scan for HIPAA compliance. This maps plugins to the Health Insurance Portability and Accountability Act of 1996.

```bash
$ ./index.js --compliance=hipaa
```

--------------------------------

### GCP Service Account Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Configuration object for GCP service account authentication. This JSON file should be generated directly from the GCP console.

```json
{
    "type": "service_account",
    "project": "GCPPROJECTNAME",
    "client_email": "GCPCLIENTEMAIL",
    "private_key": "GCPPRIVATEKEY"
}
```

--------------------------------

### Declare GCP Plugin API Calls
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Specifies the CloudSploit API calls that a GCP plugin will use. This should be included at the beginning of the plugin file.

```javascript
apis: ['buckets:list', 'buckets:getIamPolicy']
```

--------------------------------

### Generate Private API Key
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/oracle.md

Generates an unencrypted private RSA key for API authentication. Ensure this key is stored securely.
```bash
openssl genrsa -out ~/.oci/oci_api_key.pem 2048
```

--------------------------------

### Declare Plugin API Calls
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Lists the AWS IAM API calls that the plugin will use: 'listGroups' and 'getGroup'.

```javascript
apis: ['IAM:listGroups', 'IAM:getGroup'],
```

--------------------------------

### Retrieve Oracle Subnet Data in Plugin
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Fetches the collected subnet data within a plugin's run function using the helpers.addSource utility. This data is the input for subnet-related checks.

```javascript
var subnets = helpers.addSource(cache, source, ['subnet', 'list', region]);
```

--------------------------------

### Oracle OCI Credentials Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Configuration object for Oracle Cloud Infrastructure (OCI) authentication. Replace all placeholder values with your OCI credentials.

```json
{
    "tenancyId": "YOURORACLETENANCYID",
    "compartmentId": "YOURORACLECOMPARTMENTID",
    "userId": "YOURORACLEUSERID",
    "keyFingerprint": "YOURORACLEKEYFINGERPRINT",
    "keyValue": "YOURORACLEKEYVALUE"
}
```

--------------------------------

### Create GCP IAM Role Command
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md

Command to create a custom IAM role in GCP from a YAML definition file. Use `--organization` for org-level roles or `--project` for project-level roles.

```bash
gcloud iam roles create AquaCSPMSecurityAudit --organization=YOUR_ORGANIZATION_ID --file=aqua-security-audit-role.yaml
```

--------------------------------

### GCP Storage Buckets Collection Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Configures the storage service to use the buckets:list call with the v1 API version. No location is specified.

```javascript
buckets: {
    list: {
        api: 'storage',
        version: 'v1',
        location: null,
    }
},
```

--------------------------------

### AWS CloudFront Collection Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Configures the CloudFront service to use the listDistributions API call. Results are saved from DistributionList.Items.

```javascript
CloudFront: {
    listDistributions: {
        property: 'DistributionList',
        secondProperty: 'Items'
    }
},
```

--------------------------------

### Retrieve Group Details in Plugin
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Fetches the details of a specific IAM group from the cache using its 'GroupName'.

```javascript
var getGroup = helpers.addSource(cache, source, ['iam', 'getGroup', region, group.GroupName]);
```

--------------------------------

### Define Azure VM Extensions List API Call
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines the API call to list extensions for a specific virtual machine, relying on the VM's ID from the earlier virtualMachines.listAll collection.

```javascript
virtualMachineExtensions: {
    list: {
        reliesOnPath: 'virtualMachines.listAll',
        properties: ['id'],
        url: 'https://management.azure.com/{id}/extensions?api-version=2019-12-01'
    }
}
```

--------------------------------

### Define GCP Storage Bucket List API Call
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Adds the API call to list storage buckets in the collect.js file. This is part of the data collection phase for GCP plugins.

```javascript
buckets: {
    list: {
        api: 'storage',
        version: 'v1',
        location: null,
    }
}
```

--------------------------------

### Define Oracle VCN List API Call
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Adds the API call to list Virtual Cloud Networks (VCNs) in the collect.js file for Oracle plugins.
This is the initial data collection step.

```javascript
vcn: {
    list: {
        api: "core",
        filterKey: ['compartmentId'],
        filterValue: ['compartmentId'],
    }
}
```

--------------------------------

### Define IAM getGroup API Call with Dependencies
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines the 'getGroup' API call for IAM, which relies on 'listGroups' and uses 'GroupName' for filtering.

```javascript
IAM: {
    getGroup: {
        reliesOnService: 'iam',
        reliesOnCall: 'listGroups',
        filterKey: 'GroupName',
        filterValue: 'GroupName'
    }
},
```

--------------------------------

### GCP Storage Buckets GetIamPolicy Post-Call Configuration
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines a post-call for buckets:getIamPolicy that relies on the buckets:list call. It filters on the bucket name.

```javascript
buckets: {
    getIamPolicy: {
        api: 'storage',
        version: 'v1',
        location: null,
        reliesOnService: ['buckets'],
        reliesOnCall: ['list'],
        filterKey: ['bucket'],
        filterValue: ['name'],
    }
},
```

--------------------------------

### Triggering Remediation Logic
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-remediation.md

This code block shows how remediation is initiated from user settings and scan results. It checks that remediation is enabled, that the current plugin is one of the targeted plugins, and that the result status is 2 (FAIL) before calling the plugin's remediate function.

```javascript
if (settings.remediate && settings.remediate.length) {
    if (settings.remediate.indexOf(key) > -1) {
        if (results[r].status === 2) {
            var resource = results[r].resource;
            var event = {};
            event['remediation_file'] = {};
            event['remediation_file'] = initializeFile(event['remediation_file'], 'execute', key, resource);
            plugin.remediate(cloudConfig, collection, event, resource, (err, result) => {
                if (err) return console.log(err);
                return console.log(result);
            });
        }
    }
}
```

--------------------------------

### Retrieve List of Groups in Plugin
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Retrieves the results of the 'IAM:listGroups' API call from the cache for a specific region.

```javascript
var listGroups = helpers.addSource(cache, source, ['iam', 'listGroups', region]);
```

--------------------------------

### AWS Inline Policy - Storage Gateway and Transfer Permissions
Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/notes.md

This snippet defines an 'Allow' effect for a set of Storage Gateway, Tagging, Transfer, Translate, Trusted Advisor, WAF, WorkSpaces, and X-Ray read permissions. It is part of an AWS inline policy.
```json { "Effect": "Allow", "Action": [ "storagegateway:DescribeBandwidthRateLimit", "storagegateway:DescribeCache", "storagegateway:DescribeCachediSCSIVolumes", "storagegateway:DescribeGatewayInformation", "storagegateway:DescribeMaintenanceStartTime", "storagegateway:DescribeNFSFileShares", "storagegateway:DescribeSnapshotSchedule", "storagegateway:DescribeStorediSCSIVolumes", "storagegateway:DescribeTapeArchives", "storagegateway:DescribeTapeRecoveryPoints", "storagegateway:DescribeTapes", "storagegateway:DescribeUploadBuffer", "storagegateway:DescribeVTLDevices", "storagegateway:DescribeWorkingStorage", "storagegateway:List*", "tag:GetResources", "tag:GetTagKeys", "transfer:Describe*", "transfer:List*", "translate:List*", "trustedadvisor:Describe*", "waf:ListWebACLs", "waf-regional:ListWebACLs", "workspaces:Describe*", "xray:Get*" ] } ``` -------------------------------- ### AWS Remediation Configuration Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-remediation.md Specifies the configuration for an AWS remediation, including description, minimum version, API calls for remediation and rollback, required permissions, and real-time triggers. ```javascript remediation_description: 'The impacted bucket will be configured to be have Versioning enabled.', remediation_min_version: '202010160030', apis_remediate: ['S3:listBuckets', 'S3:getBucketVersioning', 'S3:getBucketLocation'], actions: { remediate: ['S3:putBucketVersioning'], rollback: ['S3:putBucketVersioning'], }, permissions: { remediate: ['s3:PutBucketVersioning'], rollback: ['s3:PutBucketVersioning'] }, realtime_triggers: ['s3:CreateBucket'], ``` -------------------------------- ### Define GCP Storage Bucket IAM Policy API Call Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md Adds the API call to retrieve the IAM policy for storage buckets in collect.js. This call relies on the bucket list being previously collected. 
```javascript
buckets: {
    getIamPolicy: {
        api: 'storage',
        version: 'v1',
        location: null,
        reliesOnService: ['buckets'],
        reliesOnCall: ['list'],
        filterKey: ['bucket'],
        filterValue: ['name'],
    }
}
```

--------------------------------

### AWS IAM Post-Call Configuration

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines a post-call for IAM getGroup that relies on the IAM:listGroups call. It filters results based on GroupName.

```javascript
getGroup: {
    reliesOnService: 'iam',
    reliesOnCall: 'listGroups',
    filterKey: 'GroupName',
    filterValue: 'GroupName'
},
```

--------------------------------

### Handle IAM Group User Query Results

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Checks the results of the 'getGroup' API call to determine if the group is empty or if an error occurred. Adds appropriate results to the results array.

```javascript
if (!getGroup || getGroup.err || !getGroup.data || !getGroup.data.Users) {
    helpers.addResult(results, 3,
        'Unable to query for group: ' + group.GroupName, 'global', group.Arn);
} else if (!getGroup.data.Users.length) {
    helpers.addResult(results, 0,
        'Group: ' + group.GroupName + ' does not contain any users', 'global', group.Arn);
    return cb();
} else {
    helpers.addResult(results, 0,
        'Group: ' + group.GroupName + ' contains ' + getGroup.data.Users.length + ' user(s)',
        'global', group.Arn);
}
```

--------------------------------

### CloudSploit Supplemental IAM Policy

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/notes.md

This JSON policy grants read-only access to specific AWS services required by CloudSploit's CSPM scans, including services not covered by the SecurityAudit managed policy.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "athena:GetWorkGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "elastictranscoder:ListPipelines",
                "elasticfilesystem:DescribeFileSystems",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```

--------------------------------

### Retrieve GCP Bucket IAM Policy Data in Plugin

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Accesses the collected IAM policy data for storage buckets within a plugin's run function. It uses the helpers.addSource function to retrieve data from the cache.

```javascript
let bucketPolicyPolicies = helpers.addSource(cache, source, ['buckets', 'getIamPolicy', region]);
```

--------------------------------

### Handle GCP Bucket IAM Policy Collection Errors

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Checks for errors during the collection of bucket IAM policy data and adds an appropriate result if an error occurred or no data was found.

```javascript
if (bucketPolicyPolicies.err || !bucketPolicyPolicies.data) {
    helpers.addResult(results, 3,
        'Unable to query storage buckets: ' + helpers.addError(bucketPolicyPolicies), region);
    return rcb();
}

if (!bucketPolicyPolicies.data.length) {
    helpers.addResult(results, 0, 'No storage buckets found', region);
    return rcb();
}
```

--------------------------------

### CloudSploit Supplemental AWS IAM Policy

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/aws.md

This JSON policy grants CloudSploit the necessary permissions for various AWS services. It should be attached to the 'cloudsploit' IAM user in addition to the SecurityAudit policy.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:DescribeActiveReceiptRuleSet",
                "athena:GetWorkGroup",
                "logs:DescribeLogGroups",
                "logs:DescribeMetricFilters",
                "elastictranscoder:ListPipelines",
                "elasticfilesystem:DescribeFileSystems",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        }
    ]
}
```

--------------------------------

### CloudSploit addResult Function Signature

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Illustrates the parameters required by the 'addResult' function for reporting plugin outcomes, including score, message, region, and optional resource.

```javascript
(results array, score, message, region, resource)
```

--------------------------------

### Define Oracle Subnet List API Call

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Adds the API call to list subnets within VCNs in collect.js. This call depends on the VCN list being collected first and uses VCN IDs for filtering.

```javascript
subnet: {
    list: {
        api: "core",
        reliesOnService: ['vcn'],
        reliesOnCall: ['list'],
        filterKey: ['compartmentId', 'vcnId'],
        filterValue: ['compartmentId', 'id'],
        filterConfig: [true, false],
    }
}
```

--------------------------------

### Oracle Collection: List VCNs

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Defines a CloudSploit collection engine query for the Compute Management Service using the vcn:list API call. This is used to retrieve a list of Virtual Cloud Networks.

```javascript
vcn: {
    list: {
        api: "core",
        filterKey: ['compartmentId'],
        filterValue: ['compartmentId'],
    }
},
```

--------------------------------

### Suppress Console Output

Source: https://github.com/aquasecurity/cloudsploit/blob/master/README.md

Command to completely disable any output to the console.
```bash
$ ./index.js --console=none
```

--------------------------------

### Define IAM listGroups API Call

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Specifies the 'listGroups' API call for IAM, indicating the property 'Groups' to extract from the AWS response.

```javascript
IAM: {
    listGroups: {
        property: 'Groups'
    }
},
```

--------------------------------

### AWS S3 Bucket Encryption Remediation Parameters

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-remediation.md

This snippet defines the parameters for AWS S3 bucket encryption. It conditionally applies server-side encryption with KMS or AES256 based on whether a KMS Key ID is provided in the settings (the user-supplied remediation input, `settings.input`).

```javascript
if (settings.input && settings.input.kmsKeyId) {
    // A customer-managed KMS key was supplied: use SSE-KMS with that key
    params = {
        'Bucket': bucketName,
        'ServerSideEncryptionConfiguration': {
            'Rules': [{
                'ApplyServerSideEncryptionByDefault': {
                    'SSEAlgorithm': 'aws:kms',
                    'KMSMasterKeyID': settings.input.kmsKeyId
                }
            }]
        }
    };
} else {
    // No key supplied: fall back to S3-managed keys (SSE-S3, AES256)
    params = {
        'Bucket': bucketName,
        'ServerSideEncryptionConfiguration': {
            'Rules': [{
                'ApplyServerSideEncryptionByDefault': {
                    'SSEAlgorithm': 'AES256',
                }
            }]
        }
    };
}
```

--------------------------------

### Define Postcall for Dependent API Calls

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/github.md

This JavaScript object defines a 'postcall' that depends on the 'orgs:listMembers' API call. It iterates through members to fetch their specific membership details.

```javascript
var postcalls = [
    {
        orgs: {
            getMembership: {
                type: 'token',
                inject_org: true,
                reliesOnService: 'orgs',
                reliesOnCall: 'listMembers',
                filterKey: 'username',
                filterValue: 'login'
            }
        }
    }
];
```

--------------------------------

### GCP Security Audit Role Definition

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md

This YAML defines a custom IAM role for Aqua CSPM Security Audit, specifying the permissions required for security assessments.
Exclude 'resourcemanager' permissions if not using an organization.

```yaml
name: roles/AquaCSPMSecurityAudit
title: Aqua CSPM Security Audit
includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list
- deploymentmanager.deployments.list
- dataproc.clusters.list
- artifactregistry.repositories.list
- composer.environments.list
stage: GA
```

--------------------------------

### Handle Oracle Subnet Collection Errors

Source: https://github.com/aquasecurity/cloudsploit/blob/master/docs/writing-plugins.md

Validates the collected subnet data for errors or absence, reporting an appropriate message and score if issues are found during the collection phase.
```javascript
if ((subnets.err && subnets.err.length) || !subnets.data) {
    helpers.addResult(results, 3,
        'Unable to query for subnets: ' + helpers.addError(subnets), region);
    return rcb();
}

if (!subnets.data.length) {
    helpers.addResult(results, 0, 'No subnets found', region);
    return rcb();
}
```