prancer-io / prancer-compliance-test Goto Github PK

on the following rule (registrieswebhooks.rego) we have a empty body

acr_webhooks_miss_err = "Container registy webhook attribute service_uri missing in the resource" {
    
}

and because of that, we faced this error:
found empty body

Please look into the ARM template at https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/locks?tabs=json

this section should a child resource block of existing resource group's resources in the same template.

Rule is checking "microsoft.authorization/locks" 's id property with name 'resourcegroups' which is totally wrong instead it should check if there is a parent resource group resource exist or can use the scope property.

The title of the Policy should change to: Activity log alerts should be enabled and provide an accurate description
this policy is about enabling the activity log alerts:

Indicates whether this activity log alert is enabled. If an activity log alert is not enabled, then none of its actions will be activated.

Please look into file https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/securitycontacts.rego

the regular expression is currently matching only a single email address on resource.properties.emails but as per SecurityContactProperties -> emails at https://docs.microsoft.com/en-us/azure/templates/microsoft.security/securitycontacts?tabs=json emails can have multiple email address though its not defined what will be the separator for this, assuming semicolon (;) but need to confirm by researching.

The regular expression need to match multiple email address.

this can be handy for logic buildup (syntax may vary): https://stackoverflow.com/questions/9809357/regex-for-validating-multiple-e-mail-addresses

at first, according the conditions had written in this storageaccounts.rego file (id = PR-AZR-0092-ARM); we have multiple outputs and because of that we faced this error: complete rules must not produce multiple outputs

and we need two different variables for checking attribute supportsHttpsTrafficOnly because of API version

in latest API from 2019-04-01, supportsHttpsTrafficOnly is true by default if not exist
and
in older API before 2019-04-01, supportsHttpsTrafficOnly is false by default if not exist

As I try to add kubernetes type for post deployment in prancer, I found we are not able to get snapshots type from related function.
file master_snapshot.py line 104:
snapshot_data = mastersnapshot_fns[snapshot_type](mastersnapshot)
file snapshot.py line 86:
snapshot_data = snapshot_fns[snapshot_type](snapshot, container)
None of mastersnapshot,snapshot and container params include snapshot type which declared in snapshot configuration or master snapshot configuration file.
Actually should pass snapshot type as param too, So there is no need to find it from fields as it exist like below example in file snapshot_google.py line 408:
if 'masterSnapshotId' in node: snapshot_data[node['snapshotId']] = node['masterSnapshotId'] else: snapshot_data[node['snapshotId']] = False if error_str else True else: node['status'] = 'inactive' elif 'masterSnapshotId' in node: data = get_all_nodes
prancer version : 1.0.39

on blobservices.rego file (azure-iac) we need 2 different attribute for checking existence and the value
for example we can use azure_attribute_absence and azure_issue
we are doing that to can specify kind of the error

keys, secrets and certificates are optional in the ARM template:
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults?tabs=json

Other than the count test, we should also if they exist in the template.

master-compliance has duplicate test case PR-AWS-0151-CFR.

I was trying to run masterTestId: "TEST_DB_ADMINISTRATORS" from master-compliance-test.json.
in related rego file at azure\terraform\dbadministrators.rego under azure_issue rule
re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.server_name); is not matching the server name correctly between azurerm_sql_server and azurerm_sql_active_directory_administrator

Regular expression is not correct and it is always returning false event if there is a matching input as well as resource.name should be resource.properties.name

For example : i have azurerm_sql_server name in terraform as prancer-sql-server2 which should be the resource.properties.name and r.properties.server_name should have the same name if we need to do a successful match, otherwise match will fail.

So, if we do the OPA run console to a do a test quickly and put re_match(concat("", ["^.*\\.", "prancer-sql-server2", "\\..*$"]), "prancer-sql-server2") it is returning false but it should return true. which clearly demonstrate the regex is not correct.

There is a true == false at the end of the rule which is actually returning the output and by forcing we are making the rule to send false output which is a pass case scenario here.

on the following rego file:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/Redis.rego
we used these conditions:

default enableSslPort = null
# default is false
azure_attribute_absence ["enableSslPort"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.cache/redis"
    not resource.properties.enableNonSslPort
}

azure_issue ["enableSslPort"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.cache/redis"
    resource.properties.enableNonSslPort != false
}

enableSslPort {
    azure_attribute_absence["enableSslPort"]
}

enableSslPort {
    lower(input.resources[_].type) == "microsoft.cache/redis"
    not azure_issue["servenableSslPorterRole"]
}

enableSslPort = false {
    azure_issue["enableSslPort"]
}

enableSslPort_err = "Redis cache is currently allowing unsecure connection via a non ssl port opened" {
    azure_issue["enableSslPort"]
}

and we use this variable enableSslPort for that except this below part:

not azure_issue["servenableSslPorterRole"]

so servenableSslPorterRole should changes to enableSslPort

Prancer basic new version is released with an upgraded version of python-hcl2.
Update the terraform rego files based on the updated JSON structure of generated terraform snapshots.

There is one extra error variable for all of rego files
for example in below rego file:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/activitylogalerts.rego

alerts_err = "Send me emails about alerts is set to OFF in Security Center" {
      azure_issue["alerts"]
}

alerts_miss_err = "Activitylog alerts attribute enabled missing in the resource" {
     azure_attribute_absence["alerts"]
}
      

we have two variables for calling the errors but in our master compliance files, we just call the first one
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/master-compliance-test.json

{
    "evals": [
        {
             "id": "PR-AZR-0090-ARM",
             "eval": "data.rule.alerts",
             "message": "data.rule.alerts_err",
             "remediationDescription" : ""
             "remediationFunction": ""
        }
    ]
}

In my opinion we can use same variable for both errors
for example:

alerts_err = "Send me emails about alerts is set to OFF in Security Center" {
      azure_issue["alerts"]
}

alerts_err = "Activitylog alerts attribute enabled missing in the resource" {
     azure_attribute_absence["alerts"]
}
      

secrets.rego considering normal string as a secret. and failing the test case also title for the issue is wrong in rego file.

According to the document of the following arm template , it should first check for "publicNetworkAccess" and then the "publicNetworkAccess" value should be "disabled"
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers

so we need to use this condition as well:

azure_attribute_absence["sql_public_access"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.sql/servers"
    resource.properties.publicNetworkAccess
}

also sql-server.rego didn't exist on master-compliance-test

In this following arm template:
https://docs.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/keys

we should check existence of expiration of key vault keys and make sure the value of that is not empty

Rule PR-AWS-0067-CFR : AWS Elastic Load Balancer (ELB) has a security group with no inbound rules.

It should check whether securityGroup has INBOUND rules or not, but It only checks the availability or count of securityGroup.
Also rule Id is mismatch with master-complinace Id.

https://docs.microsoft.com/en-us/azure/templates/microsoft.databricks/workspaces?tabs=json

We should have policies for Azure Databricks, both the ARM template and Terraform

1. Azure Databricks should not use public IP address
2. Azure Databricks should have vnet integration

If the addonProfiles.httpApplicationRouting does not exist, it means it is disabled. the test should pass

File url: https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/terraform/appservice.rego

According to the document of the following arm template, it should first check for "state" and then the "state" value should be "disabled"
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies

so we need to use this condition as well:

azure_attribute_absence["sql_instance_security_alert_disabled"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.sql/managedinstances/securityalertpolicies"
    not resource.properties.state
}

also sql_alert_policy.rego didn't exist on master-compliance-test

The aws_acm_certificate resource in terraform can work in three modes:

a. Create an amazon issued certificate
b. Importing an existing certificate
c. Creating a private CA issued certificate

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate

for scenario a & c “domain name” is a required field on which the compliance test is based that:
https://github.com/prancer-io/prancer-compliance-test/blob/master/aws/terraform/master-compliance-test.json

The rego file should be changed to cover scenario b as well.
with the current configuration in the rego file, scenario b always fails for this test which is not correct.

s3.rego is checking for "s3:delete" action. But this action is not listed in AWS available Actions.

We faced an issue when we want to check the existence of a variable and check the value of that has been false
for example on the following policy, at first, we want to check the existence of "enableNonSslPort" and after that, check the value of enableNonSslPort is "false"
https://gsl.dome9.com/D9.AZU.CRY.05.html

so for this arm template https://docs.microsoft.com/en-us/azure/templates/microsoft.cache/redis, when we want to check existence of enableNonSslPort, we used this condition normally :

azure_attribute_absence["enableNonSslPort"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.cache/redis"
    resource.properties.enableNonSslPort
}

So according to rules of Open Policy Agent, in this case <resource.properties.enableNonSslPort> checkes

( resource.properties.enableNonSslPort exists ) and ( resource.properties.enableNonSslPort != False )
https://www.openpolicyagent.org/docs/latest/policy-reference/#objects

So the result of this test always failed and if we want to have a passed result, enableNonSslPort must be exists and the value of that must be True and this is opposite of the policy

PR-AWS-0144-CFR : AWS S3 CloudTrail buckets for which access logging is disabled.

As per the AWS documentation, there is no attribute "logging" available in the "statement"

I was trying to run masterTestId: "TEST_DB_AUDITING_DB_SETTINGS_1" from master-compliance-test.json.
in related rego file at azure\terraform\dbauditingdbsettings.rego under azure_issue rule
re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.database_id); is not matching the db name correctly between azurerm_mssql_database and azurerm_mssql_database_extended_auditing_policy

Regular expression is not correct and it is always returning false event if there is a matching input as well as resource.name should be resource.properties.name

For example : i have azurerm_mssql_database name in terraform as prancer-sql-db which should be the resource.properties.name and r.properties.database_id should have the sql db id with format "/subscriptions/{subscription_Id}/resourceGroups/{rg_name}/providers/Microsoft.Sql/servers/{sql_server_name}/databases/prancer-sql-db" . we can see it has the db name at the end. if we need to do a successful match we need to parse the db name out of the r.properties.database_id and match with resource.properties.name , otherwise match will fail.

So, if we do the OPA run console to a do a test quickly and put re_match(concat("", ["^.*\\.", "prancer-sql-db", "\\..*$"]), "/subscriptions/subscription_Id/resourceGroups/rg_name/providers/Microsoft.Sql/servers/sql_server_name/databases/prancer-sql-db") it is returning false but it should return true. which clearly demonstrate the regex is not correct.

There is a true == false at the end of the rule which is actually returning the output and by forcing we are making the rule to send false output which is a pass case scenario here.

In Azure->terraform->keyvaultsecrets.rego azurerm_key_vault_secret expiration is compared by count(resource.properties.expiration_date) = 0 which is clearly an assignment to 0,
this should be count(resource.properties.expiration_date) == 0

Also count function is only checking the length of characters in the variable expiration_date . other then null if some one type 'abcd' instead of valid date, this count will treat this as a valid date, which is invalid as well.

Ref file: https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/terraform/keyvaultsecrets.rego

we have duplicate test cases on master compliance on Azure-IaC

on master compliance test we have this test case:

{
                    "masterTestId": "TEST_SQL_SERVER_ALERT_1",
                    "masterSnapshotId": [
                        "ARM_TEMPLATE_SNAPSHOT"
                    ],
                    "type": "rego",
                    "rule": "file(sql_alert_policy.rego)",
                    "evals": [
                        {
                            "id": "PR-AZR-0102-ARM",
                            "eval": "data.rule.sql_logical_server_alert",
                            "message": "data.rule.sql_logical_server_alert_err",
                            "remediationDescription": "In Resource of type \"Microsoft.sql/servers/securityalertpolicies\" make sure properties.state exists and value is set to \"Enabled\" . \n Please visit https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies.",
                            "remediationFunction": "PR_AZR_0102_ARM.py"
                        }
                    ],
                    "severity": "Medium",
                    "title": "Ensure Security Alert is enabled on Azure SQL Logical Server",
                    "description": "Advanced data security should be enabled on your SQL servers.",
                    "tags": [
                        {
                            "cloud": "git",
                            "compliance": [],
                            "service": [
                                "arm"
                            ]
                        }
                    ]
                }

and

{
                    "masterTestId": "TEST_SQL_SERVER_ALERT",
                    "masterSnapshotId": [
                        "ARM_TEMPLATE_SNAPSHOT"
                    ],
                    "type": "rego",
                    "rule": "file(sql_alert_policy.rego)",
                    "evals": [
                        {
                            "id": "PR-AZR-0102-ARM",
                            "eval": "data.rule.sql_server_alert",
                            "message": "data.rule.sql_server_alert_err",
                            "remediationDescription": "Make sure you are following the ARM template guidelines for vpn gateway from this URL : https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/servers/securityalertpolicies",
                            "remediationFunction": "PR_AZR_0102_ARM.py"
                        }
                    ],
                    "severity": "Medium",
                    "title": "Advanced data security should be enabled on your SQL servers.",
                    "description": "Advanced data security should be enabled on your SQL servers.",
                    "tags": [
                        {
                            "cloud": "git",
                            "compliance": [
                                "NIST 800"
                            ],
                            "service": [
                                "arm"
                            ]
                        }
                    ]
                }

and

{
                    "masterTestId": "TEST_SQL_MANAGED_INSTANCE_ALERT",
                    "masterSnapshotId": [
                        "ARM_TEMPLATE_SNAPSHOT"
                    ],
                    "type": "rego",
                    "rule": "file(sql_alert_policy.rego)",
                    "evals": [
                        {
                            "id": "PR-AZR-0102-ARM",
                            "eval": "data.rule.sql_managed_instance_alert",
                            "message": "data.rule.sql_managed_instance_alert_err",
                            "remediationDescription": "Make sure you are following the ARM template guidelines for vpn gateway from this URL : https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/managedinstances/securityalertpolicies",
                            "remediationFunction": "PR_AZR_0102_ARM.py"
                        }
                    ],
                    "severity": "Medium",
                    "title": "Advanced data security should be enabled on your SQL servers.",
                    "description": "Advanced data security should be enabled on your SQL servers.",
                    "tags": [
                        {
                            "cloud": "git",
                            "compliance": [
                                "NIST 800"
                            ],
                            "service": [
                                "arm"
                            ]
                        }
                    ]
                }

as you can see we have 3 test cases with "id": "PR-AZR-0102-ARM" and except the first one, we have the other ones with different ID

and in a few test cases id and remediationFunction aren't match

Terraform rego rule not validating for boolean value defined in string

rule get passed if the value is a blank list

rule get passed if the value is defined as null

aws_redshift_parameter_group property name should be parameter not parameters

Master snapshot configuration file for the Azure cloud should be updated to include these two new resource types:

"type": "Microsoft.Sql/servers/administrators"
and
"type": "Microsoft.Sql/managedInstances/administrators"

These resource types are related to the Azure AD authentication for Azure SQL policies.

we need a master test and master snapshot for AWS >>> ACK that we can use our rego files

on the following rego file:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/Redis.rego
we used these conditions:

azure_attribute_absence ["serverRole"] {
   resource := input.resources[_]
   lower(resource.type) == "microsoft.cache/redis/linkedservers"
   not resource.properties.serverRole
}

azure_issue ["serverRole"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.cache/redis/linkedservers"
    lower(resource.properties.serverRole) != "secondary"
}


serverRole {
    lower(input.resources[_].type) == "microsoft.cache/redis/linkedservers"
    not azure_attribute_absence["serverRole"]
    not azure_issue["serverRole"]
}


serverRole = false {
    azure_attribute_absence["serverRole"]
}


serverRole = false {
    azure_issue["serverRole"]
}

serverRole_miss_err = "Azure Redis Cache linked server property 'serverRole' is missing from the resource" {
    azure_attribute_absence["serverRole"]
}

serverRole_err = "Azure Redis Cache linked backup server currently does not have secondary role." {
    azure_issue["serverRole"]
}

but in this case, we need to make sure Microsoft.cache/Redis exists in the same template first
so we need to use this condition as well:

azure_attribute_absence ["serverRole"] {
    count([c | input.resources[_].type == "microsoft.cache/redis"; c := 1]) != count([c | input.resources[_].type == "microsoft.cache/redis/linkedservers"; c := 1])
}

In the following arm template
https://docs.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis

we should ensure that the Redis cache accepts only SSL connections

so enableNonSslPort in the arm template should not exists or the value of that must be false

For better security, Azure SQL should have Azure AD authentication enabled instead of local accounts.
We need to cover this policy both for Azure SQL and Azure SQL Managed Instances.

ARM template reference:
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2019-06-01-preview/servers/administrators?tabs=json

Azure policy to help with the development:

{
  "if": {
    "field": "type",
    "equals": "Microsoft.Sql/managedInstances"
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
       "type": "Microsoft.Sql/managedInstances/administrators",
       "existenceCondition": {
            "allOf": [
                {
                  "field": "Microsoft.Sql/managedInstances/administrators/administratorType",
                  "equals": "ActiveDirectory"
                }
            ]
        }
    }
  }
}

Azure SQL:

{
    "if": {
        "field": "type",
        "equals": "Microsoft.Sql/servers"
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
           "type": "Microsoft.Sql/servers/administrators",
           "existenceCondition": {
                "allOf": [
                    {
                      "field": "Microsoft.Sql/servers/administrators/administratorType",
                      "equals": "ActiveDirectory"
                    }
                ]
            }
        }
      }
}

We need to have the rego file both for the cloud and IaC

The current Rego file is checking for aws_security_group_rule for blocked inbound / outbound rules:
https://github.com/prancer-io/prancer-compliance-test/blob/master/aws/terraform/securitygroup.rego

which is based on terraform best practices.

But also it is possible to write a single ingress/egress rule for aws_security_group as well:

resource "aws_security_group" "allow_tls" {
  name        = "allow_tls"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id

  ingress {
    description      = "TLS from VPC"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = [aws_vpc.main.cidr_block]
    ipv6_cidr_blocks = [aws_vpc.main.ipv6_cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "allow_tls"
  }
}

We need to cover inline ingress/egress in the rego rule as well.

In the following arm template:
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2014-04-01/servers/administrators

we should Avoid using names like 'Admin' or 'Administrator' for an Azure SQL Server
so the value of login in the arm template should not 'admin' or 'Administrator'

in following rule we have multiple outputs:

# PR-AZR-0092-TRF
#

default storage_secure = null

azure_attribute_absence["storage_secure"] {
    resource := input.resources[_]
    lower(resource.type) == "azurerm_storage_account"
    # Defaults to true if property not available
    not resource.properties.enable_https_traffic_only
}

azure_issue["storage_secure"] {
    resource := input.resources[_]
    lower(resource.type) == "azurerm_storage_account"
    resource.properties.enable_https_traffic_only != true
}

storage_secure {
    lower(input.resources[_].type) == "azurerm_storage_account"
    not azure_attribute_absence["storage_secure"]
    not azure_issue["storage_secure"]
}

storage_secure {
    azure_attribute_absence["storage_secure"]
}

storage_secure = false {
    azure_issue["storage_secure"]
}

storage_secure_err = "Storage Accounts https based secure transfer is not enabled" {
    azure_issue["storage_secure"]
}

according to this rule, storage_secure have multiple outputs and because of that, we faced this error:
complete rules must not produce multiple outputs

The value of remediationDescription and remediationFunction is not set in following terraform compliance configuration files.

• AWS Compliance
• Azure Compliance
• Google Compliance

Also provide new test cases for following resources:

• api_gateway
• cloudformation
• cloudfront
• code_deploy
• code_pipeline
• config
• dms
• ec2networkacl
• ecr
• ecs
• eks
• elasticsearch
• elasticache
• elb
• emr
• iam
• rds
• s3
• ssm

• for rule PR-AWS-0046-CFR if AssociatePublicIpAddress is not defined then its default value is true.

• And opa evaluate not defined value and false equally. so for the rule, we need to check whether AssociatePublicIpAddress has the value true or not defined. but these are both are opposite scenarios for opa.

• so we can't validate both conditions.

We need to add a new test to check if allowBlobPublicAccess is disabled

if it is enabled or the property does not exist, we should fail the test:
https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?tabs=json

We need the test for both IaC and Terraform

This is a sample template for Azure SQL Server:
https://github.com/Azure/azure-quickstart-templates/tree/67165c0ebba1936edabe19bcf92578946a9895ea/quickstarts/microsoft.sql/sql-logical-server

alert setting snippet from the file:

 {
                    "condition": "[parameters('enableADS')]",
                    "type": "securityAlertPolicies",
                    "apiVersion": "2020-02-02-preview",
                    "name": "Default",
                    "dependsOn": [
                        "[resourceId('Microsoft.Sql/servers', parameters('serverName'))]"
                    ],
                    "properties": {
                        "state": "Enabled",
                        "emailAccountAdmins": true
                    }
                }

In this rego file, there is a problem:
https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/iac/sql_alert_policy.rego

in this section of the file:

default sql_managed_instance_alert = null

azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.sql/managedInstances"
    sql_resources := resource.resources[_]
    lower(sql_resources.type) == "securityalertpolicies"
    sql_resources.properties.state == "Disabled"
}

azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.sql/managedInstances/securityalertpolicies"
    resource.properties.state == "Disabled"
}

sql_managed_instance_alert {
    not azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"]
}

sql_managed_instance_alert = false {
    azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"]
}

sql_managed_instance_alert_err = "Security alert for SQL managed instance is Disabled" {
    azure_sql_security_alert_disabled["sql_instance_security_alert_disabled"]
}

When you run the template and the rego snippet, it shows the result as true:

./opa eval -i sample.json -d test.rego "data.rule.sql_managed_instance_alert"

{
  "result": [
    {
      "expressions": [
        {
          "value": {
            "sql_managed_instance_alert": true
          },
          "text": "data.rule.sql_managed_instance_alert",
          "location": {
            "row": 1,
            "col": 1
          }
        }
      ]
    }
  ]
}

Because the type of the resource is "type": "Microsoft.Sql/servers", we expect the result to be null

the equivalent Azure policy can be read here:
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json

according to the following docs of arm template, Virtual Machine where isScaleSetVm=false should have availabilitySet
https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines
https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachinescalesets/virtualmachines

so we should check

azure_issue["vm_aset"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.compute/virtualmachines"
    not resource.properties.availabilitySet
}

instead of

azure_issue["vm_aset"] {
    resource := input.resources[_]
    lower(resource.type) == "microsoft.compute/virtualmachinescalesets/virtualmachines"
    not resource.properties.availabilitySet
}

in databricks.rego databrics_workspace_has_public_ip_disabled_metadata called twice
and according to rules of OPA, we faced this error
rule named databrics_workspace_has_public_ip_disabled_metadata redeclared
so we should change the name one of them

there is a problem with the Azure rego policy for the storage account.
this is our rego file in IaC:
https://github.com/prancer-io/prancer-compliance-test/blob/kcc-google/azure/iac/storageaccounts.rego

check the supportsHttpsTrafficOnly part
the test is different based on the API version because it seems the api is changed at some time

this is the equivalent Azure policy for the same test:
https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json

"if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "value": "[requestContext().apiVersion]",
                    "less": "2019-04-01"
                  },
                  {
                    "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                    "exists": "false"
                  }
                ]
              },
              {
                "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                "equals": "false"
              }
            ]
          }
        ]

We need to fix this both for Azure IaC and Cloud

in aks.rego aks_rbac_metadata called twice
and according to rules of OPA, we faced this error
rule named aks_rbac_metadata redeclared at /tmp/tmpqhkh10wy/azure/terraform/aks.rego:399
so we should change one of the name

We need to ensure that SQL Server Auditing is Enabled for Azure >>> IaC
for example in the following arm template, we should check properties.state exists and check the value of that is set to Enabled
https://docs.microsoft.com/en-us/azure/templates/microsoft.sql/2021-02-01-preview/servers/auditingsettings

for more information please see this: https://gsl.dome9.com/D9.AZU.MON.49.html

We need to have a new rule, to test for the AKS Azure AD enabled RBAC. this is different than the old RBAC rule we already have. the criteria should be based on the following parameters:

"aadProfileConfiguration": {
      "managed": "[parameters('aadProfileManaged')]",
      "enableAzureRBAC": "[parameters('aadProfileEnableAzureRBAC')]",
      "adminGroupObjectIDs": "[parameters('aadProfileAdminGroupObjectIDs')]",
      "tenantID": "[parameters('aadProfileTenantId')]"
}

https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.network/aks-application-gateway-ingress-controller/azuredeploy.json

In file https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/terraform/vnetsubnets.rego re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.subnet_id); is incorrect and need to match with resource.id as per https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association

matching with id is impossible during compile time as id will only available from tf output file.

We need to find some other way to match the subnet association with vnet.

PR-AWS-0158-CFR : AWS SSM Parameter is not encrypted

As per the documentation, the "SecureString" does not support for the property type.

In some terraform rego files, the language of some rules noted as 'AWS Cloud Formation'. but it should be 'Terraform'

aws/terraform/api_gateway.rego
"Policy Code": "PR-AWS-0203-TRF",
"Type": "IaC",
"Product": "AWS",
"Language": "AWS Cloud formation",
"Policy Title": "AWS API gateway request parameter is not validated",
"Policy Description": "This policy identifies the AWS API gateways for with the request parameters are not validated. It is recommended to validate the request parameters in the URI, query string, and headers of an incoming request to focus on the validation efforts specific to your application.\n",
"Resource Type": "",