1 | 1 | # Managed Config |
2 | | -This repository contains the defaul configuration files for Kaytu. |
3 | | -You can customizee by forking this repository and changing the files. |
4 | | - |
5 | | -Here is the repository structure: |
6 | | - |
7 | | - |
8 | | -* [analytics](#assets): contains all the analytics |
9 | | -* [queries](#finder): defines the default queries that are suggested to users in query page |
10 | | -* [compliance](#compliance): contains all the compliance benchmarks and controls |
11 | | - |
12 | | - |
13 | | -## Analytics |
14 | | -### How to define: |
15 | | -All the files with `yaml` extension in analytics will be considered. |
16 | | - |
17 | | -ID of each metric will be the file name so be careful of changing them as you will lose the historical data. |
18 | | -Each metric must contain these fields: |
19 | | -- connectors: `array[connector]` (connector: `AWS` or `Azure`) |
20 | | -- name: `string` |
21 | | -- query: `string` |
22 | | -- status: `string` (active or inactive) |
23 | | -- tags: `map[string][]string` |
24 | | -#### query |
25 | | -`query` should be grouped by `connection_id` and `region` and must select both of them along with the metric value with the name `count`. |
26 | | -we recommend using `kaytu_lookup` table to define the query. `kaytu_lookup` is a table that contains some bare information about all the resources in the system. |
27 | | -If you need more specific information about the resources, use the resource specific tables like `aws_ec2_instance` or `aws_s3_bucket`. |
28 | | - |
29 | | -<details> |
30 | | -<summary><b>Example</b></summary> |
31 | | - |
32 | | -```yaml |
33 | | -connectors: |
34 | | -- AWS |
35 | | -name: ACM Public Certificate (SSL/TLS) |
36 | | -query: select connection_id, region, count(*) from kaytu_lookup where resource_type = 'aws::certificatemanager::certificate' group by 1,2; |
37 | | -status: inactive |
38 | | -tags: |
39 | | - category: |
40 | | - - Security |
41 | | -``` |
42 | | -</details> |
43 | | -
|
44 | | -#### tags |
45 | | -`tags` is a map of string to array of strings. Some keys like `category` are used to group the metrics in the UI. |
46 | | - |
47 | | -#### query |
48 | | -`query` should be grouped by `kaytu_account_id` and `date` and must select both of them along with the metric value with the name `sum`. |
49 | | -The tables that contain cost data are `aws_cost_by_service_daily` and `azure_costmanagement_costbyresourcetype` for AWS and Azure respectively. |
50 | | - |
51 | | -<details> |
52 | | -<summary><b>Example</b></summary> |
53 | | - |
54 | | -```yaml |
55 | | -connectors: |
56 | | -- AWS |
57 | | -name: Amazon Elastic Compute Cloud - Compute |
58 | | -query: SELECT kaytu_account_id, period_start::date::text as date, sum(amortized_cost_amount) FROM aws_cost_by_service_daily WHERE service = 'Amazon Elastic Compute Cloud - Compute' group by 1,2; |
59 | | -status: active |
60 | | -tables: |
61 | | -- Amazon Elastic Compute Cloud - Compute |
62 | | -tags: |
63 | | - category: |
64 | | - - Compute |
65 | | -``` |
66 | | -</details> |
67 | | - |
68 | | -#### tables |
69 | | -`tables` is an array of strings that contains the names of the sub-table |
70 | | -(refer to where clause in the example) that contains the cost data. |
71 | | -#### tags |
72 | | -`tags` is a map of string to array of strings. |
73 | | -Some keys like `category` are used to group the metrics in the UI. |
74 | | - |
75 | | -## Asset Finder |
76 | | -### How to define: |
77 | | -All the files with `yaml` extension in finder will be considered `Finder Queries`. |
78 | | -The ones in the `popular` folder will be shown in popular tab and the ones |
79 | | -in the `other` folder will be shown in other tab. |
80 | | - |
81 | | -Each query must contain these fields: |
82 | | -- connectors: `array[connector]` (connector: `AWS` or `Azure`) |
83 | | -- query: `string` |
84 | | -- title: `string` |
85 | | - |
86 | | -#### query |
87 | | -`query` is the SQL query against the Kaytu query engine, there are no limitations on this query. |
88 | | - |
89 | | -<details> |
90 | | -<summary><b>Example</b></summary> |
91 | | - |
92 | | -```yaml |
93 | | -connectors: |
94 | | -- AWS |
95 | | -- Azure |
96 | | -query: |- |
97 | | - select |
98 | | - case |
99 | | - when resource_type like 'aws::%' then 'AWS' |
100 | | - else 'Azure' |
101 | | - end as provider, |
102 | | - c.name as cloud_account_name, |
103 | | - c.id as _discovered_provider_id, |
104 | | - r.name as name, |
105 | | - r.region as location, |
106 | | - r.connection_id as _kaytu_connection_id, |
107 | | - r.resource_id as _resource_id, |
108 | | - r.resource_type as _resource_type, |
109 | | - r.created_at as _last_discovered |
110 | | - from |
111 | | - kaytu_resources r inner join kaytu_connections c on r.connection_id = c.kaytu_id |
112 | | - where |
113 | | - resource_type IN ('aws::ec2::vpc', 'microsoft.network/virtualnetworks') |
114 | | -title: Cloud Networks |
115 | | -``` |
116 | | -</details> |
117 | | - |
118 | | - |
119 | | -## Compliance |
120 | | -Compliance consists of two parts: `benchmarks` and `controls`. |
121 | | -### How to define controls: |
122 | | -All the files with `yaml` extension in `compliance/controls` directory will be considered a `control`. |
123 | | -Each control must contain these fields: |
124 | | -- Description: `string` |
125 | | -- ID: `string` (must be unique across all the controls) |
126 | | -- Managed: `boolean` |
127 | | -- Query: |
128 | | - - Connector: `connector` (connector: `AWS` or `Azure`) |
129 | | - - Engine: `string` - the query engine that is used to run the query, currently only `odysseus-v0.0.1` is supported |
130 | | - - ListOfTables: `array[string]` - list of tables that are used in the query |
131 | | - - PrimaryTable: `string` - the table that the result of the query is from |
132 | | - - QueryToExecute: `string` - the query itself, no limitations |
133 | | - - Severity: `string` - the severity of the control one of `none`, `low`, `medium`, `high`, `critical` |
134 | | - - Tags: `map[string][]string` |
135 | | - |
136 | | -<details> |
137 | | -<summary><b>Example</b></summary> |
138 | | - |
139 | | -```yaml |
140 | | -Description: Ensure if an Amazon API Gateway API stage is using a WAF Web ACL. This rule is non compliant if an AWS WAF Web ACL is not used. |
141 | | -ID: aws_apigateway_stage_use_waf_web_acl |
142 | | -Query: |
143 | | - Connector: AWS |
144 | | - Engine: odysseus-v0.0.1 |
145 | | - ListOfTables: |
146 | | - - aws_api_gateway_stage |
147 | | - PrimaryTable: aws_api_gateway_stage |
148 | | - QueryToExecute: | |
149 | | - select |
150 | | - arn as resource, |
151 | | - kaytu_account_id as kaytu_account_id, |
152 | | - kaytu_resource_id as kaytu_resource_id, |
153 | | - case |
154 | | - when web_acl_arn is not null then 'ok' |
155 | | - else 'alarm' |
156 | | - end as status, |
157 | | - case |
158 | | - when web_acl_arn is not null then title || ' associated with WAF web ACL.' |
159 | | - else title || ' not associated with WAF web ACL.' |
160 | | - end as reason |
161 | | - |
162 | | - , region, account_id |
163 | | - from |
164 | | - aws_api_gateway_stage; |
165 | | -Severity: "" |
166 | | -Tags: |
167 | | - category: |
168 | | - - Compliance |
169 | | - cis_controls_v8_ig1: |
170 | | - - "true" |
171 | | - cisa_cyber_essentials: |
172 | | - - "true" |
173 | | - fedramp_low_rev_4: |
174 | | - - "true" |
175 | | - fedramp_moderate_rev_4: |
176 | | - - "true" |
177 | | - ffiec: |
178 | | - - "true" |
179 | | - nist_800_171_rev_2: |
180 | | - - "true" |
181 | | - nist_800_53_rev_5: |
182 | | - - "true" |
183 | | - nist_csf: |
184 | | - - "true" |
185 | | - pci_dss_v321: |
186 | | - - "true" |
187 | | - plugin: |
188 | | - - aws |
189 | | - rbi_cyber_security: |
190 | | - - "true" |
191 | | - service: |
192 | | - - AWS/APIGateway |
193 | | -Title: API Gateway stage should be associated with waf |
194 | | -``` |
195 | | -</details> |
196 | | - |
197 | | -### How to define benchmarks: |
198 | | -All the files with `yaml` extension in `compliance/benchmarks` directory will be considered a `benchmark`. |
199 | | -One thing to note here is that benchmarks can be nested into each other, with |
200 | | -root benchmarks being the ones that are not nested into any other benchmark |
201 | | -and the ones that we do assignments on, it is recommended to follow the directory structure |
202 | | -provided in this repository and mark root benchmarks with `root` in their name. |
203 | | - |
204 | | -Each benchmark must contain these fields: |
205 | | -- AutoAssign: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not |
206 | | -- Baseline: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not |
207 | | -- Children: `array[string]` - list of child benchmarks, note that child benchmarks also can have children and the children must be defined in a `children.yaml` file |
208 | | -- Connector: `connector` (connector: `AWS` or `Azure`) |
209 | | -- Controls: `array[string]` - list of controls that are part of this benchmark, note that controls can be part of multiple benchmarks and they must be defined in `compliance/controls` directory |
210 | | -- Description: `string` |
211 | | -- Enabled: `boolean` |
212 | | -- ID: `string` (must be unique across all the benchmarks) |
213 | | -- Managed: `boolean` |
214 | | -- Tags: `map[string][]string` |
215 | | -- Title: `string` |
216 | | - |
217 | | -<details> |
218 | | -<summary><b>Example</b></summary> |
219 | | - |
220 | | -```yaml |
221 | | -ID: aws_cis_v200_3 |
222 | | -Title: 3 Logging |
223 | | -DisplayCode: "" |
224 | | -Connector: AWS |
225 | | -Description: "" |
226 | | -Children: [] |
227 | | -Tags: |
228 | | - category: |
229 | | - - Compliance |
230 | | - cis: |
231 | | - - "true" |
232 | | - cis_section_id: |
233 | | - - "3" |
234 | | - cis_version: |
235 | | - - v2.0.0 |
236 | | - plugin: |
237 | | - - aws |
238 | | - service: |
239 | | - - AWS |
240 | | - type: |
241 | | - - Benchmark |
242 | | -Enabled: true |
243 | | -Controls: |
244 | | - - aws_cloudtrail_multi_region_read_write_enabled |
245 | | - - aws_cloudtrail_trail_validation_enabled |
246 | | - - aws_cloudtrail_bucket_not_public |
247 | | - - aws_cloudtrail_trail_integrated_with_logs |
248 | | - - aws_config_enabled_all_regions |
249 | | - - aws_cloudtrail_s3_logging_enabled |
250 | | - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk |
251 | | - - aws_kms_cmk_rotation_enabled |
252 | | - - aws_vpc_flow_logs_enabled |
253 | | - - aws_cloudtrail_s3_object_write_events_audit_enabled |
254 | | - - aws_cloudtrail_s3_object_read_events_audit_enabled |
255 | | -``` |
256 | | -</details> |
| 2 | +This repository contains the defaul configuration files for OpenGovernance. |