
Commit d70ae4f

Merge pull request #2 from opengovern/update-readme
updating readme
2 parents fa7e24f + 23a439b commit d70ae4f

File tree

1 file changed

+1
-255
lines changed


README.md

Lines changed: 1 addition & 255 deletions
@@ -1,256 +1,2 @@
11
# Managed Config
2-
This repository contains the defaul configuration files for Kaytu.
3-
You can customizee by forking this repository and changing the files.
4-
5-
Here is the repository structure:
6-
7-
8-
* [analytics](#assets): contains all the analytics
9-
* [queries](#finder): defines the default queries that are suggested to users in query page
10-
* [compliance](#compliance): contains all the compliance benchmarks and controls
11-
12-
13-
## Analytics
14-
### How to define:
15-
All the files with `yaml` extension in analytics will be considered.
16-
17-
ID of each metric will be the file name so be careful of changing them as you will lose the historical data.
18-
Each metric must contain these fields:
19-
- connectors: `array[connector]` (connector: `AWS` or `Azure`)
20-
- name: `string`
21-
- query: `string`
22-
- status: `string` (active or inactive)
23-
- tags: `map[string][]string`
24-
#### query
25-
`query` should be grouped by `connection_id` and `region` and must select both of them along with the metric value with the name `count`.
26-
we recommend using `kaytu_lookup` table to define the query. `kaytu_lookup` is a table that contains some bare information about all the resources in the system.
27-
If you need more specific information about the resources, use the resource specific tables like `aws_ec2_instance` or `aws_s3_bucket`.
28-
29-
<details>
30-
<summary><b>Example</b></summary>
31-
32-
```yaml
33-
connectors:
34-
- AWS
35-
name: ACM Public Certificate (SSL/TLS)
36-
query: select connection_id, region, count(*) from kaytu_lookup where resource_type = 'aws::certificatemanager::certificate' group by 1,2;
37-
status: inactive
38-
tags:
39-
category:
40-
- Security
41-
```
42-
</details>
43-
44-
#### tags
45-
`tags` is a map of string to array of strings. Some keys like `category` are used to group the metrics in the UI.
46-
47-
#### query
48-
`query` should be grouped by `kaytu_account_id` and `date` and must select both of them along with the metric value with the name `sum`.
49-
The tables that contain cost data are `aws_cost_by_service_daily` and `azure_costmanagement_costbyresourcetype` for AWS and Azure respectively.
50-
51-
<details>
52-
<summary><b>Example</b></summary>
53-
54-
```yaml
55-
connectors:
56-
- AWS
57-
name: Amazon Elastic Compute Cloud - Compute
58-
query: SELECT kaytu_account_id, period_start::date::text as date, sum(amortized_cost_amount) FROM aws_cost_by_service_daily WHERE service = 'Amazon Elastic Compute Cloud - Compute' group by 1,2;
59-
status: active
60-
tables:
61-
- Amazon Elastic Compute Cloud - Compute
62-
tags:
63-
category:
64-
- Compute
65-
```
66-
</details>
67-
68-
#### tables
69-
`tables` is an array of strings that contains the names of the sub-table
70-
(refer to where clause in the example) that contains the cost data.
71-
#### tags
72-
`tags` is a map of string to array of strings.
73-
Some keys like `category` are used to group the metrics in the UI.
74-
75-
## Asset Finder
76-
### How to define:
77-
All the files with `yaml` extension in finder will be considered `Finder Queries`.
78-
The ones in the `popular` folder will be shown in popular tab and the ones
79-
in the `other` folder will be shown in other tab.
80-
81-
Each query must contain these fields:
82-
- connectors: `array[connector]` (connector: `AWS` or `Azure`)
83-
- query: `string`
84-
- title: `string`
85-
86-
#### query
87-
`query` is the SQL query against the Kaytu query engine, there are no limitations on this query.
88-
89-
<details>
90-
<summary><b>Example</b></summary>
91-
92-
```yaml
93-
connectors:
94-
- AWS
95-
- Azure
96-
query: |-
97-
select
98-
case
99-
when resource_type like 'aws::%' then 'AWS'
100-
else 'Azure'
101-
end as provider,
102-
c.name as cloud_account_name,
103-
c.id as _discovered_provider_id,
104-
r.name as name,
105-
r.region as location,
106-
r.connection_id as _kaytu_connection_id,
107-
r.resource_id as _resource_id,
108-
r.resource_type as _resource_type,
109-
r.created_at as _last_discovered
110-
from
111-
kaytu_resources r inner join kaytu_connections c on r.connection_id = c.kaytu_id
112-
where
113-
resource_type IN ('aws::ec2::vpc', 'microsoft.network/virtualnetworks')
114-
title: Cloud Networks
115-
```
116-
</details>
117-
118-
119-
## Compliance
120-
Compliance consists of two parts: `benchmarks` and `controls`.
121-
### How to define controls:
122-
All the files with `yaml` extension in `compliance/controls` directory will be considered a `control`.
123-
Each control must contain these fields:
124-
- Description: `string`
125-
- ID: `string` (must be unique across all the controls)
126-
- Managed: `boolean`
127-
- Query:
128-
- Connector: `connector` (connector: `AWS` or `Azure`)
129-
- Engine: `string` - the query engine that is used to run the query, currently only `odysseus-v0.0.1` is supported
130-
- ListOfTables: `array[string]` - list of tables that are used in the query
131-
- PrimaryTable: `string` - the table that the result of the query is from
132-
- QueryToExecute: `string` - the query itself, no limitations
133-
- Severity: `string` - the severity of the control one of `none`, `low`, `medium`, `high`, `critical`
134-
- Tags: `map[string][]string`
135-
136-
<details>
137-
<summary><b>Example</b></summary>
138-
139-
```yaml
140-
Description: Ensure if an Amazon API Gateway API stage is using a WAF Web ACL. This rule is non compliant if an AWS WAF Web ACL is not used.
141-
ID: aws_apigateway_stage_use_waf_web_acl
142-
Query:
143-
Connector: AWS
144-
Engine: odysseus-v0.0.1
145-
ListOfTables:
146-
- aws_api_gateway_stage
147-
PrimaryTable: aws_api_gateway_stage
148-
QueryToExecute: |
149-
select
150-
arn as resource,
151-
kaytu_account_id as kaytu_account_id,
152-
kaytu_resource_id as kaytu_resource_id,
153-
case
154-
when web_acl_arn is not null then 'ok'
155-
else 'alarm'
156-
end as status,
157-
case
158-
when web_acl_arn is not null then title || ' associated with WAF web ACL.'
159-
else title || ' not associated with WAF web ACL.'
160-
end as reason
161-
162-
, region, account_id
163-
from
164-
aws_api_gateway_stage;
165-
Severity: ""
166-
Tags:
167-
category:
168-
- Compliance
169-
cis_controls_v8_ig1:
170-
- "true"
171-
cisa_cyber_essentials:
172-
- "true"
173-
fedramp_low_rev_4:
174-
- "true"
175-
fedramp_moderate_rev_4:
176-
- "true"
177-
ffiec:
178-
- "true"
179-
nist_800_171_rev_2:
180-
- "true"
181-
nist_800_53_rev_5:
182-
- "true"
183-
nist_csf:
184-
- "true"
185-
pci_dss_v321:
186-
- "true"
187-
plugin:
188-
- aws
189-
rbi_cyber_security:
190-
- "true"
191-
service:
192-
- AWS/APIGateway
193-
Title: API Gateway stage should be associated with waf
194-
```
195-
</details>
196-
197-
### How to define benchmarks:
198-
All the files with `yaml` extension in `compliance/benchmarks` directory will be considered a `benchmark`.
199-
One thing to note here is that benchmarks can be nested into each other, with
200-
root benchmarks being the ones that are not nested into any other benchmark
201-
and the ones that we do assignments on, it is recommended to follow the directory structure
202-
provided in this repository and mark root benchmarks with `root` in their name.
203-
204-
Each benchmark must contain these fields:
205-
- AutoAssign: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not
206-
- Baseline: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not
207-
- Children: `array[string]` - list of child benchmarks, note that child benchmarks also can have children and the children must be defined in a `children.yaml` file
208-
- Connector: `connector` (connector: `AWS` or `Azure`)
209-
- Controls: `array[string]` - list of controls that are part of this benchmark, note that controls can be part of multiple benchmarks and they must be defined in `compliance/controls` directory
210-
- Description: `string`
211-
- Enabled: `boolean`
212-
- ID: `string` (must be unique across all the benchmarks)
213-
- Managed: `boolean`
214-
- Tags: `map[string][]string`
215-
- Title: `string`
216-
217-
<details>
218-
<summary><b>Example</b></summary>
219-
220-
```yaml
221-
ID: aws_cis_v200_3
222-
Title: 3 Logging
223-
DisplayCode: ""
224-
Connector: AWS
225-
Description: ""
226-
Children: []
227-
Tags:
228-
category:
229-
- Compliance
230-
cis:
231-
- "true"
232-
cis_section_id:
233-
- "3"
234-
cis_version:
235-
- v2.0.0
236-
plugin:
237-
- aws
238-
service:
239-
- AWS
240-
type:
241-
- Benchmark
242-
Enabled: true
243-
Controls:
244-
- aws_cloudtrail_multi_region_read_write_enabled
245-
- aws_cloudtrail_trail_validation_enabled
246-
- aws_cloudtrail_bucket_not_public
247-
- aws_cloudtrail_trail_integrated_with_logs
248-
- aws_config_enabled_all_regions
249-
- aws_cloudtrail_s3_logging_enabled
250-
- aws_cloudtrail_trail_logs_encrypted_with_kms_cmk
251-
- aws_kms_cmk_rotation_enabled
252-
- aws_vpc_flow_logs_enabled
253-
- aws_cloudtrail_s3_object_write_events_audit_enabled
254-
- aws_cloudtrail_s3_object_read_events_audit_enabled
255-
```
256-
</details>
2+
This repository contains the defaul configuration files for OpenGovernance.
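Review bot: the single replacement line at the end of the hunk still carries the typo `defaul` (should be `default`) that the deleted line 2 had, so the rename from Kaytu to OpenGovernance copies the error forward; please fix it in the same change. More importantly, the hunk deletes the entire schema reference for this repository without pointing to where it now lives: the required fields for analytics metrics, finder queries, controls and benchmarks, the rule that analytics queries must group by `connection_id` and `region` and expose the value as `count`, the `ok`/`alarm` `status` and `reason` columns a control's `QueryToExecute` must return, the `Engine: odysseus-v0.0.1` constraint, and the note that a metric's ID is its file name so renaming a file loses historical data. Anyone forking this repository to customize it now has no way to know the expected file layout. Suggest either keeping those sections with the product name updated, or adding a link to the new documentation location in the one line that remains. If the sections are kept, two defects in the deleted text are worth fixing at the same time: the Analytics section had two `#### query` subsections with contradictory grouping rules (`connection_id`/`region` with `count` versus `kaytu_account_id`/`date` with `sum`), the second of which clearly belongs under a separate cost-metric heading, and the control example used `Severity: ""` while the field list only allows `none`, `low`, `medium`, `high` or `critical`.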
