From 4ee1c5e13dbb4031a86f2153142d180accb4fbb2 Mon Sep 17 00:00:00 2001
From: Christoph Hartmann
Date: Sun, 26 May 2024 22:15:45 +0200
Subject: [PATCH] =?UTF-8?q?=E2=AD=90=EF=B8=8F=20adds=20new=20cloudformatio?= =?UTF-8?q?n=20template=20policy?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 extra/aws-cloudformation.yml | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 extra/aws-cloudformation.yml
diff --git a/extra/aws-cloudformation.yml b/extra/aws-cloudformation.yml
new file mode 100644
index 00000000..7c5f3ac6
--- /dev/null
+++ b/extra/aws-cloudformation.yml
@@ -0,0 +1,39 @@
+policies:
+ - uid: mondoo-aws-cloudformation-security
+ name: AWS Cloudformation Security
+ version: 1.0.0
+ license: BUSL-1.1
+ tags:
+ mondoo.com/category: security
+ mondoo.com/platform: aws,cloud
+ authors:
+ - name: Mondoo, Inc
+ email: hello@mondoo.com
+ groups:
+ - filters: asset.platform == "cloudformation"
+ checks:
+ - uid: mondoo-alb-http-to-https-redirection-check
+ - uid: mondoo-cloudfront-viewer-certificate-tls
+
+queries:
+ - uid: mondoo-alb-http-to-https-redirection-check
+ title: Checks whether HTTP to HTTPS redirection is configured on all application load balancer http listeners
+ mql: |
+ cloudformation.template.resources.
+ where( type == "AWS::ElasticLoadBalancingV2::Listener").
+ where( properties.Protocol != "HTTPS" && properties.Protocol != "TLS" && properties.Protocol != "TCP" && properties.Protocol != "UDP" && properties.Protocol != "TCP_UDP" ).
+ all(properties["DefaultActions"].any( _["Type"] == "redirect" && _["RedirectConfig"].Protocol == "HTTPS"))
+ refs:
+ - title: AWS::ElasticLoadBalancingV2::Listener
+ url: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-elasticloadbalancingv2-listener.html
+ - uid: mondoo-cloudfront-viewer-certificate-tls
+ title: Checks whether the CloudFront distribution viewer certificate is configured with TLSv1.2
+ mql: |
+ cloudformation.template.resources.
+ where( type == "AWS::CloudFront::Distribution").
+ none( properties["DistributionConfig"]["ViewerCertificate"]["MinimumProtocolVersion"].in(["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"]))
+ refs:
+ - title: AWS::CloudFront::Distribution ViewerCertificate
+ url: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-viewercertificate.html
+
+
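Review bot: The CloudFront query's `none( ...["MinimumProtocolVersion"].in([...]))` is a denylist, so a distribution whose `ViewerCertificate` omits `MinimumProtocolVersion` (or relies on `CloudFrontDefaultCertificate: true`) passes even though, as far as I recall from the AWS docs, CloudFront then applies TLSv1 as the effective minimum, which contradicts the title's "configured with TLSv1.2". An allowlist states the intent directly and fails closed on a missing value, e.g. `all( properties["DistributionConfig"]["ViewerCertificate"]["MinimumProtocolVersion"].in(["TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]) )`; how MQL evaluates `.in()` on a null field should be confirmed with a fixture template that has no `ViewerCertificate` block at all. The ALB query has a related blind spot: a `Protocol` supplied through an intrinsic function rather than a literal is not a string, and the hunk does not show how the `!=` chain classifies it, so a fixture covering that case would pin the behaviour down. Both query entries would also benefit from `docs` and `impact` fields explaining the risk and the remediation, which the policy currently lacks.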