feat(aws-policies): Add in AWS security account contact query (#11729)

jsonpr · web-flow · commit c9d7294a6294 · 2023-07-05T15:32:05.000Z
Adding Foundational Security Best Practice Policy - net new policy that we haven't covered for AWS Accounts.

This check looks for the presence of a security contact for each account.  

This check tested the following use cases.  These cases cover all expected pass and fail use cases for security contacts which are contained within the `aws_account_alternate_contact` table.  These alternate tables can include operations, billing, or security:

- Account with no alternate contacts (expected fail)
- Account with only billing or operations and no security contact (expected fail)
- Account with only a security contact (expected pass)
- Account with a security contact and other contacts (expected positive)


To do so, I joined this with a table that references the AWS Account.  This is not an ideal join, but the query uses `aws_iam_accounts` to get an idea of the account we're pulling data from.  Another option would be to use ` aws_account_contacts`, but that requires assuming that accounts will always have contact information (which should generally be the case).  The other tables considered were `aws_organizations_accounts` but that may not return the data we want due to permissions within the organization and how accounts could be listed depending on visibility.  

A couple conditions - updating contact information in AWS requires all fields to be populated.  Additionally, a lack of security contact will return no data - so we do a NULL check based off a left join (with iam_accounts as the left table).  We remove the non-security contacts in the right join (nested select).  

Right now, we pull contact information from the calling AWS Account.  It's possible to pull contact information from a delegated administrator or an administrator account.  If we revisit that later, this query will need to be updated.
diff --git a/plugins/source/aws/policies/foundational_security/account.sql b/plugins/source/aws/policies/foundational_security/account.sql
@@ -0,0 +1,3 @@
+\set check_id 'Account.1'
+\echo "Executing check Account.1"
+\ir ../queries/account/security_account_information_provided.sql
diff --git a/plugins/source/aws/policies/foundational_security/policy.sql b/plugins/source/aws/policies/foundational_security/policy.sql
@@ -9,6 +9,7 @@ SELECT CASE
 END AS "execution_time"  \gset
 \set framework 'foundational_security'
 \ir ../create_aws_policy_results.sql
+\ir ./account.sql
 \ir ./acm.sql
 \ir ./apigateway.sql
 \ir ./autoscaling.sql
diff --git a/plugins/source/aws/policies/queries/account/security_account_information_provided.sql b/plugins/source/aws/policies/queries/account/security_account_information_provided.sql
@@ -0,0 +1,18 @@
+insert into aws_policy_results
+select
+  :'execution_time' as execution_time,
+  :'framework' as framework,
+  :'check_id' as check_id,
+  'Security contact information should be provided for an AWS account' as title,
+  aws_iam_accounts.account_id,
+  case when
+    alternate_contact_type is null
+    then 'fail'
+    else 'pass'
+  end as status
+FROM aws_iam_accounts
+LEFT JOIN (
+	SELECT * from aws_account_alternate_contacts
+WHERE alternate_contact_type = 'SECURITY'
+) as account_security_contacts
+ON aws_iam_accounts.account_id = account_security_contacts.account_id
diff --git a/website/pages/docs/plugins/sources/aws/policies.md b/website/pages/docs/plugins/sources/aws/policies.md
@@ -196,6 +196,7 @@ AWS Foundational Security Best Practices requires the following tables to be syn
 
 ```yaml
 tables:
+  - aws_account_alternate_contacts
   - aws_acm_certificates
   - aws_apigateway_rest_api_stages
   - aws_apigateway_rest_apis
@@ -281,6 +282,7 @@ tables:
 ### Queries
 
 AWS Foundational Security Best Practices performs the following checks:
+  - Security contact information should be provided for an AWS account
   - certificate has less than 30 days to be renewed
   - API Gateway REST and WebSocket API logging should be enabled
   - API Gateway REST API stages should be configured to use SSL certificates for backend authentication
diff --git a/website/tables/aws/aws_account_alternate_contacts.md b/website/tables/aws/aws_account_alternate_contacts.md
@@ -19,4 +19,31 @@ The composite primary key for this table is (**account_id**, **alternate_contact
 |email_address|`utf8`|
 |name|`utf8`|
 |phone_number|`utf8`|
-|title|`utf8`|
+|title|`utf8`|
+
+## Example Queries
+
+These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.
+
+### Security contact information should be provided for an AWS account
+
+```sql
+SELECT
+  'Security contact information should be provided for an AWS account' AS title,
+  aws_iam_accounts.account_id,
+  CASE WHEN alternate_contact_type IS NULL THEN 'fail' ELSE 'pass' END AS status
+FROM
+  aws_iam_accounts
+  LEFT JOIN (
+      SELECT
+        *
+      FROM
+        aws_account_alternate_contacts
+      WHERE
+        alternate_contact_type = 'SECURITY'
+    )
+      AS account_security_contacts ON
+      aws_iam_accounts.account_id = account_security_contacts.account_id;
+```
+
+
diff --git a/website/tables/aws/aws_iam_accounts.md b/website/tables/aws/aws_iam_accounts.md
@@ -47,6 +47,27 @@ The primary key for this table is **account_id**.
 
 These SQL queries are sampled from CloudQuery policies and are compatible with PostgreSQL.
 
+### Security contact information should be provided for an AWS account
+
+```sql
+SELECT
+  'Security contact information should be provided for an AWS account' AS title,
+  aws_iam_accounts.account_id,
+  CASE WHEN alternate_contact_type IS NULL THEN 'fail' ELSE 'pass' END AS status
+FROM
+  aws_iam_accounts
+  LEFT JOIN (
+      SELECT
+        *
+      FROM
+        aws_account_alternate_contacts
+      WHERE
+        alternate_contact_type = 'SECURITY'
+    )
+      AS account_security_contacts ON
+      aws_iam_accounts.account_id = account_security_contacts.account_id;
+```
+
 ### S3 Block Public Access setting should be enabled
 
 ```sql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+\set check_id 'Account.1'`
	`2`	`+\echo "Executing check Account.1"`
	`3`	`+\ir ../queries/account/security_account_information_provided.sql`