|
1 | 1 | # Managed Config
|
2 |
| -This repository contains the defaul configuration files for Kaytu. |
3 |
| -You can customizee by forking this repository and changing the files. |
4 |
| - |
5 |
| -Here is the repository structure: |
6 |
| - |
7 |
| - |
8 |
| -* [analytics](#assets): contains all the analytics |
9 |
| -* [queries](#finder): defines the default queries that are suggested to users in query page |
10 |
| -* [compliance](#compliance): contains all the compliance benchmarks and controls |
11 |
| - |
12 |
| - |
13 |
| -## Analytics |
14 |
| -### How to define: |
15 |
| -All the files with `yaml` extension in analytics will be considered. |
16 |
| - |
17 |
| -ID of each metric will be the file name so be careful of changing them as you will lose the historical data. |
18 |
| -Each metric must contain these fields: |
19 |
| -- connectors: `array[connector]` (connector: `AWS` or `Azure`) |
20 |
| -- name: `string` |
21 |
| -- query: `string` |
22 |
| -- status: `string` (active or inactive) |
23 |
| -- tags: `map[string][]string` |
24 |
| -#### query |
25 |
| -`query` should be grouped by `connection_id` and `region` and must select both of them along with the metric value with the name `count`. |
26 |
| -we recommend using `kaytu_lookup` table to define the query. `kaytu_lookup` is a table that contains some bare information about all the resources in the system. |
27 |
| -If you need more specific information about the resources, use the resource specific tables like `aws_ec2_instance` or `aws_s3_bucket`. |
28 |
| - |
29 |
| -<details> |
30 |
| -<summary><b>Example</b></summary> |
31 |
| - |
32 |
| -```yaml |
33 |
| -connectors: |
34 |
| -- AWS |
35 |
| -name: ACM Public Certificate (SSL/TLS) |
36 |
| -query: select connection_id, region, count(*) from kaytu_lookup where resource_type = 'aws::certificatemanager::certificate' group by 1,2; |
37 |
| -status: inactive |
38 |
| -tags: |
39 |
| - category: |
40 |
| - - Security |
41 |
| -``` |
42 |
| -</details> |
43 |
| -
|
44 |
| -#### tags |
45 |
| -`tags` is a map of string to array of strings. Some keys like `category` are used to group the metrics in the UI. |
46 |
| - |
47 |
| -#### query |
48 |
| -`query` should be grouped by `kaytu_account_id` and `date` and must select both of them along with the metric value with the name `sum`. |
49 |
| -The tables that contain cost data are `aws_cost_by_service_daily` and `azure_costmanagement_costbyresourcetype` for AWS and Azure respectively. |
50 |
| - |
51 |
| -<details> |
52 |
| -<summary><b>Example</b></summary> |
53 |
| - |
54 |
| -```yaml |
55 |
| -connectors: |
56 |
| -- AWS |
57 |
| -name: Amazon Elastic Compute Cloud - Compute |
58 |
| -query: SELECT kaytu_account_id, period_start::date::text as date, sum(amortized_cost_amount) FROM aws_cost_by_service_daily WHERE service = 'Amazon Elastic Compute Cloud - Compute' group by 1,2; |
59 |
| -status: active |
60 |
| -tables: |
61 |
| -- Amazon Elastic Compute Cloud - Compute |
62 |
| -tags: |
63 |
| - category: |
64 |
| - - Compute |
65 |
| -``` |
66 |
| -</details> |
67 |
| - |
68 |
| -#### tables |
69 |
| -`tables` is an array of strings that contains the names of the sub-table |
70 |
| -(refer to where clause in the example) that contains the cost data. |
71 |
| -#### tags |
72 |
| -`tags` is a map of string to array of strings. |
73 |
| -Some keys like `category` are used to group the metrics in the UI. |
74 |
| - |
75 |
| -## Asset Finder |
76 |
| -### How to define: |
77 |
| -All the files with `yaml` extension in finder will be considered `Finder Queries`. |
78 |
| -The ones in the `popular` folder will be shown in popular tab and the ones |
79 |
| -in the `other` folder will be shown in other tab. |
80 |
| - |
81 |
| -Each query must contain these fields: |
82 |
| -- connectors: `array[connector]` (connector: `AWS` or `Azure`) |
83 |
| -- query: `string` |
84 |
| -- title: `string` |
85 |
| - |
86 |
| -#### query |
87 |
| -`query` is the SQL query against the Kaytu query engine, there are no limitations on this query. |
88 |
| - |
89 |
| -<details> |
90 |
| -<summary><b>Example</b></summary> |
91 |
| - |
92 |
| -```yaml |
93 |
| -connectors: |
94 |
| -- AWS |
95 |
| -- Azure |
96 |
| -query: |- |
97 |
| - select |
98 |
| - case |
99 |
| - when resource_type like 'aws::%' then 'AWS' |
100 |
| - else 'Azure' |
101 |
| - end as provider, |
102 |
| - c.name as cloud_account_name, |
103 |
| - c.id as _discovered_provider_id, |
104 |
| - r.name as name, |
105 |
| - r.region as location, |
106 |
| - r.connection_id as _kaytu_connection_id, |
107 |
| - r.resource_id as _resource_id, |
108 |
| - r.resource_type as _resource_type, |
109 |
| - r.created_at as _last_discovered |
110 |
| - from |
111 |
| - kaytu_resources r inner join kaytu_connections c on r.connection_id = c.kaytu_id |
112 |
| - where |
113 |
| - resource_type IN ('aws::ec2::vpc', 'microsoft.network/virtualnetworks') |
114 |
| -title: Cloud Networks |
115 |
| -``` |
116 |
| -</details> |
117 |
| - |
118 |
| - |
119 |
| -## Compliance |
120 |
| -Compliance consists of two parts: `benchmarks` and `controls`. |
121 |
| -### How to define controls: |
122 |
| -All the files with `yaml` extension in `compliance/controls` directory will be considered a `control`. |
123 |
| -Each control must contain these fields: |
124 |
| -- Description: `string` |
125 |
| -- ID: `string` (must be unique across all the controls) |
126 |
| -- Managed: `boolean` |
127 |
| -- Query: |
128 |
| - - Connector: `connector` (connector: `AWS` or `Azure`) |
129 |
| - - Engine: `string` - the query engine that is used to run the query, currently only `odysseus-v0.0.1` is supported |
130 |
| - - ListOfTables: `array[string]` - list of tables that are used in the query |
131 |
| - - PrimaryTable: `string` - the table that the result of the query is from |
132 |
| - - QueryToExecute: `string` - the query itself, no limitations |
133 |
| - - Severity: `string` - the severity of the control one of `none`, `low`, `medium`, `high`, `critical` |
134 |
| - - Tags: `map[string][]string` |
135 |
| - |
136 |
| -<details> |
137 |
| -<summary><b>Example</b></summary> |
138 |
| - |
139 |
| -```yaml |
140 |
| -Description: Ensure if an Amazon API Gateway API stage is using a WAF Web ACL. This rule is non compliant if an AWS WAF Web ACL is not used. |
141 |
| -ID: aws_apigateway_stage_use_waf_web_acl |
142 |
| -Query: |
143 |
| - Connector: AWS |
144 |
| - Engine: odysseus-v0.0.1 |
145 |
| - ListOfTables: |
146 |
| - - aws_api_gateway_stage |
147 |
| - PrimaryTable: aws_api_gateway_stage |
148 |
| - QueryToExecute: | |
149 |
| - select |
150 |
| - arn as resource, |
151 |
| - kaytu_account_id as kaytu_account_id, |
152 |
| - kaytu_resource_id as kaytu_resource_id, |
153 |
| - case |
154 |
| - when web_acl_arn is not null then 'ok' |
155 |
| - else 'alarm' |
156 |
| - end as status, |
157 |
| - case |
158 |
| - when web_acl_arn is not null then title || ' associated with WAF web ACL.' |
159 |
| - else title || ' not associated with WAF web ACL.' |
160 |
| - end as reason |
161 |
| - |
162 |
| - , region, account_id |
163 |
| - from |
164 |
| - aws_api_gateway_stage; |
165 |
| -Severity: "" |
166 |
| -Tags: |
167 |
| - category: |
168 |
| - - Compliance |
169 |
| - cis_controls_v8_ig1: |
170 |
| - - "true" |
171 |
| - cisa_cyber_essentials: |
172 |
| - - "true" |
173 |
| - fedramp_low_rev_4: |
174 |
| - - "true" |
175 |
| - fedramp_moderate_rev_4: |
176 |
| - - "true" |
177 |
| - ffiec: |
178 |
| - - "true" |
179 |
| - nist_800_171_rev_2: |
180 |
| - - "true" |
181 |
| - nist_800_53_rev_5: |
182 |
| - - "true" |
183 |
| - nist_csf: |
184 |
| - - "true" |
185 |
| - pci_dss_v321: |
186 |
| - - "true" |
187 |
| - plugin: |
188 |
| - - aws |
189 |
| - rbi_cyber_security: |
190 |
| - - "true" |
191 |
| - service: |
192 |
| - - AWS/APIGateway |
193 |
| -Title: API Gateway stage should be associated with waf |
194 |
| -``` |
195 |
| -</details> |
196 |
| - |
197 |
| -### How to define benchmarks: |
198 |
| -All the files with `yaml` extension in `compliance/benchmarks` directory will be considered a `benchmark`. |
199 |
| -One thing to note here is that benchmarks can be nested into each other, with |
200 |
| -root benchmarks being the ones that are not nested into any other benchmark |
201 |
| -and the ones that we do assignments on, it is recommended to follow the directory structure |
202 |
| -provided in this repository and mark root benchmarks with `root` in their name. |
203 |
| - |
204 |
| -Each benchmark must contain these fields: |
205 |
| -- AutoAssign: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not |
206 |
| -- Baseline: `boolean` - only applicable for root benchmarks, whether to assign the benchmark to all the accounts by default or not |
207 |
| -- Children: `array[string]` - list of child benchmarks, note that child benchmarks also can have children and the children must be defined in a `children.yaml` file |
208 |
| -- Connector: `connector` (connector: `AWS` or `Azure`) |
209 |
| -- Controls: `array[string]` - list of controls that are part of this benchmark, note that controls can be part of multiple benchmarks and they must be defined in `compliance/controls` directory |
210 |
| -- Description: `string` |
211 |
| -- Enabled: `boolean` |
212 |
| -- ID: `string` (must be unique across all the benchmarks) |
213 |
| -- Managed: `boolean` |
214 |
| -- Tags: `map[string][]string` |
215 |
| -- Title: `string` |
216 |
| - |
217 |
| -<details> |
218 |
| -<summary><b>Example</b></summary> |
219 |
| - |
220 |
| -```yaml |
221 |
| -ID: aws_cis_v200_3 |
222 |
| -Title: 3 Logging |
223 |
| -DisplayCode: "" |
224 |
| -Connector: AWS |
225 |
| -Description: "" |
226 |
| -Children: [] |
227 |
| -Tags: |
228 |
| - category: |
229 |
| - - Compliance |
230 |
| - cis: |
231 |
| - - "true" |
232 |
| - cis_section_id: |
233 |
| - - "3" |
234 |
| - cis_version: |
235 |
| - - v2.0.0 |
236 |
| - plugin: |
237 |
| - - aws |
238 |
| - service: |
239 |
| - - AWS |
240 |
| - type: |
241 |
| - - Benchmark |
242 |
| -Enabled: true |
243 |
| -Controls: |
244 |
| - - aws_cloudtrail_multi_region_read_write_enabled |
245 |
| - - aws_cloudtrail_trail_validation_enabled |
246 |
| - - aws_cloudtrail_bucket_not_public |
247 |
| - - aws_cloudtrail_trail_integrated_with_logs |
248 |
| - - aws_config_enabled_all_regions |
249 |
| - - aws_cloudtrail_s3_logging_enabled |
250 |
| - - aws_cloudtrail_trail_logs_encrypted_with_kms_cmk |
251 |
| - - aws_kms_cmk_rotation_enabled |
252 |
| - - aws_vpc_flow_logs_enabled |
253 |
| - - aws_cloudtrail_s3_object_write_events_audit_enabled |
254 |
| - - aws_cloudtrail_s3_object_read_events_audit_enabled |
255 |
| -``` |
256 |
| -</details> |
| 2 | +This repository contains the defaul configuration files for OpenGovernance. |
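Review bot: the added line 2 carries the same typo as the line it replaces ("defaul" for "default"), so the rebrand sentence should read "This repository contains the default configuration files for OpenGovernance." More importantly, this hunk deletes old lines 3 through 256 (the repository structure list and the whole Analytics, Asset Finder and Compliance sections, including the field definitions and YAML examples for metrics, finder queries, controls and benchmarks) while adding only that single sentence. If the intent is a Kaytu to OpenGovernance rename, those sections should be kept with the rename applied rather than dropped, or the commit should say where that documentation now lives; as it stands the README no longer tells a contributor what fields a metric, query, control or benchmark must have. Note also that the removed text and examples reference product-specific table and column names (`kaytu_lookup`, `kaytu_account_id`, `kaytu_resources`, `kaytu_connections`, `kaytu_resource_id`), so if the rebrand also renames those identifiers the retained documentation and its example queries need to be updated consistently.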