November policies

docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-73.adoc

@@ -0,0 +1,50 @@
+
+== AWS SQS queue encryption using default KMS key instead of CMK
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 45f307ff-288c-4f87-92ec-bee6d0318b27
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/graph_checks/aws/SQSEncryptionCMK.yaml[CKV2_AWS_73]
+
+|Severity
+|INFO
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+This policy is checking whether AWS Simple Queue Service (SQS) queues are using Customer Master Keys (CMK) instead of the default AWS-managed keys for encryption. 
+
+The use of CMK over default keys is encouraged because CMKs allow for enhanced security and control. CMKs enable users to manage key policies, set usage permissions, and closely monitor access controls and key rotations. Using AWS-managed keys, on the other hand, places these controls in the hands of AWS, potentially broadening access and reducing oversight for the user. By ensuring SQS queues use CMK, organizations can enforce stricter access control and auditing, thus improving the security of data stored in and transmitted through SQS.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_sqs_queue
+* *Arguments:* kms_master_key_id
+
+To ensure AWS SQS uses a Customer Managed Key (CMK) rather than the default AWS keys, you need to specify the `kms_master_key_id` in your `aws_sqs_queue` resource. This attribute should reference the ARN of the CMK you intend to use for encryption.
+
+Here's how you can update the SQS queue resource in Terraform to use a CMK for encryption:
+
+[source,go]
+----
+resource "aws_sqs_queue" "example" {
+   ...
++  kms_master_key_id = aws_kms_key.example.arn
+   ...
+}
+----

docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-374.adoc

@@ -0,0 +1,56 @@
+
+== AWS CloudFront web distribution with geo restriction disabled
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| a920a1a2-6856-4eb2-b2db-7aee4ce03f4c
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/CloudFrontGeoRestrictionDisabled.py[CKV_AWS_374]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+The policy is checking whether AWS CloudFront web distributions have geographic restrictions enabled. This involves setting up geo restrictions to control access based on the geographic location of users attempting to access the content distributed by CloudFront.
+
+The reason this is considered important is because enabling geographic restrictions allows for better control over where your content can be accessed from, which can help comply with legal and regulatory requirements specific to certain regions. It can also improve security by preventing access from regions that are not relevant to your business or where you know that malicious activity might originate. Overall, implementing geo restrictions can help protect your data and ensure compliance with regional laws and policies.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_cloudfront_distribution
+* *Arguments:* restrictions
+
+Enable geo restriction for your AWS CloudFront distribution. Include a `restrictions` block inside the `aws_cloudfront_distribution` resource to configure geo restrictions by specifying which countries are allowed or denied.
+
+Here is an example of how to enable geo restriction for an AWS CloudFront distribution using Terraform:
+
+[source,hcl]
+----
+resource "aws_cloudfront_distribution" "example" {
+  ...
+  restrictions {
+    geo_restriction {
+      restriction_type = "whitelist"  # Or "blacklist" depending on your use case
+      locations        = ["US", "CA", "GB"] # Example of allowed countries
+    }
+  }
+  ...
+}
+----
+

docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-375.adoc

@@ -0,0 +1,56 @@
+
+== AWS S3 bucket has global view ACL permissions enabled
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 43c42760-5283-4bc4-ac43-a80e58c4139f
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3GlobalViewACL.py[CKV_AWS_375]
+
+|Severity
+|LOW
+
+|Subtype
+|Run,Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+This policy is checking to ensure that an AWS S3 bucket does not have global view ACL (Access Control List) permissions enabled. The focus is on preventing the bucket from being publicly accessible by anyone on the internet, which could happen if global read permissions are allowed through its ACL settings.
+
+Having global view permissions enabled on an S3 bucket means that anyone with the correct URL can view the contents of the bucket, potentially exposing sensitive data or files. This is a security risk because it can lead to unauthorized access or data breaches, wherein malicious actors could exploit the publicly available data for nefarious purposes. Ensuring that S3 buckets do not have these permissions enabled is crucial for maintaining data privacy and security in cloud environments.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_s3_bucket_acl
+* *Arguments:* access_control_policy
+
+Ensure that your AWS S3 bucket does not have global view permissions by avoiding 'public-read', 'public-read-write', or 'authenticated-read' ACL settings. Properly restrict access by setting the ACL to 'private' or using more specific bucket policies and IAM roles.
+
+Here's how to update your Terraform configuration to ensure the S3 bucket does not have global view ACL permissions:
+
+[source,go]
+----
+resource "aws_s3_bucket_acl" "example" {
+  ...
+  access_control_policy {
+    grant {
+      grantee {
+        type = "Group"
+-        uri  = "http://acs.amazonaws.com/groups/global/AllUsers"
+      }
+      permission = "READ_ACP"
+    }
+}
+---- 

docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-376.adoc

@@ -0,0 +1,56 @@
+
+== AWS Elastic Load Balancer with listener TLS/SSL is not configured
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 836a7c8c-34c2-4861-be1e-df2f8cd27aab
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/ELBwListenerNotTLSSSL.py[CKV_AWS_376]
+
+|Severity
+|LOW
+
+|Subtype
+|Run,Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+The policy is checking for the use of TLS/SSL protocols in AWS Elastic Load Balancer (ELB) listeners. The purpose of this check is to ensure that data transmitted between clients and the load balancer is encrypted and secure. TLS/SSL (Transport Layer Security/Secure Sockets Layer) are cryptographic protocols designed to provide secure communication over a network by encrypting the data exchanged.
+
+Without TLS/SSL, data transmitted over the network is susceptible to being intercepted, read, or tampered with by malicious actors. This can lead to data breaches, loss of sensitive information, and other security vulnerabilities. Therefore, it is important for ELB listeners to use TLS/SSL to protect the integrity and confidentiality of data in transit, ensuring secure communication channels for applications.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_elb
+* *Arguments:* instance_protocol
+
+Ensure the AWS Elastic Load Balancer listener uses TLS/SSL by specifying the `instance_protocol` as `HTTPS` or `SSL` in your `aws_elb` resource configuration.
+
+To fix this issue, you should update your Terraform configuration to use `HTTPS` or `SSL` as the protocol for the load balancer listener. This will ensure that traffic between clients and the load balancer is encrypted.
+
+[source,go]
+----
+resource "aws_elb" "example" {
+  ...
+  listener {
+    instance_port     = 8000
+-    instance_protocol = "http"
++    instance_protocol = "https"
+    lb_port           = 80
+    lb_protocol       = "http"
+  }
+}
+----
+

docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-377.adoc

@@ -0,0 +1,48 @@
+== Route 53 domains do not have transfer lock protection
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| TBD
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/Route53TransferLock.py[CKV_AWS_377]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+This policy is ensuring that Route 53 domains have transfer lock protection enabled. The transfer lock feature is crucial because it prevents unauthorized domain transfers to another registrar. Whenever a domain is locked, it cannot be transferred without explicit permission from the domain owner, safeguarding against accidental or malicious domain hijacking. Without this protection, a domain could be transferred away without the knowledge or approval of the owner, leading to potential service disruptions, loss of business, and security issues, especially if the domain is critical for business operations or brand presence.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_route53domains_registered_domain
+* *Arguments:* transfer_lock
+
+Ensure that your Route 53 domains have transfer lock protection enabled. The domain transfer lock is a security feature that prevents unauthorized domain transfers. For each `aws_route53domains_registered_domain` resource, set the `transfer_lock` attribute to `true`.
+
+In this example, the transfer lock protection for an AWS Route 53 domain is enabled using Terraform templates.
+
+[source,go]
+----
+resource "aws_route53domains_registered_domain" "example" {
+   ...
++   transfer_lock = true
+   ...
+}
+----
+

docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-379.adoc

@@ -0,0 +1,65 @@
+
+== AWS S3 bucket not configured with secure data transport policy
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| 7b0df373-006a-40d6-9f3d-68e6ea0bdd5d
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/S3SecureDataTransport.py[CKV_AWS_379]
+
+|Severity
+|MEDIUM
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+The policy is checking to ensure that an AWS S3 bucket is configured to enforce secure data transport, specifically by requiring the use of HTTPS for data transfer. This is important because transmitting data over HTTPS ensures that the data is encrypted during transit. This encryption helps protect the data from interception or eavesdropping by unauthorized parties during transmission between clients and the S3 bucket. By requiring secure data transport, the risk of cyberattacks, such as man-in-the-middle attacks, is reduced, thereby enhancing the overall security posture of the cloud environment.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_s3_bucket_acl
+* *Arguments:* aws_s3_bucket_public_access_block, access_control_policy
+
+To ensure secure data transport, configure your AWS S3 bucket to either be public, block public access or else explicitly enforce `aws:SecureTransport = true`.
+
+
+[source,go]
+----
+resource "aws_s3_bucket_policy" "example" {
+  ...
+  policy = jsonencode({
+    ...
+    Statement = [
+      {
+        Sid       = "DenyInsecureTransport"
+        Effect    = "Allow"
+        Principal = "*"
+        Action    = "s3:*"
+        Resource = [
+          aws_s3_bucket.example.arn
+        ]
+        Condition = {
+          Bool = {
+            "aws:SecureTransport" = "true"
+          }
+        }
+      }
+    ]
+  })
+}
+----
+

docs/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-380.adoc

@@ -0,0 +1,49 @@
+
+== AWS Transfer Server not using latest Security Policy
+
+=== Policy Details
+
+[width=45%]
+[cols="1,1"]
+|===
+|Prisma Cloud Policy ID
+| TBD
+
+|Checkov ID
+| https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/resource/aws/TransferServerLatestPolicy.py[CKV_AWS_380]
+
+|Severity
+|LOW
+
+|Subtype
+|Build
+
+|Frameworks
+|Terraform,TerraformPlan
+
+|===
+
+=== Description
+
+This policy is checking to ensure that an AWS Transfer Server is configured to use the latest security policy, as defined as no older than 24 months. In the context of AWS Transfer, security policies dictate the encryption algorithms and protocols that are used during file transfers. Using outdated security policies can be detrimental because they may include deprecated or weaker encryption methods, which can be more susceptible to security vulnerabilities and attacks. By ensuring that the latest security policy is used, it helps to maintain strong encryption standards, enhance data protection, and comply with best practices for secure communications. This can protect sensitive data being transferred to and from the server from unauthorized access and potential breaches.
+
+=== Fix - Buildtime
+
+*Terraform*
+
+* *Resource:* aws_transfer_server
+* *Arguments:* security_policy_name
+
+Ensure your AWS Transfer Server uses the latest security policy to secure data transfers. Associate each `aws_transfer_server` resource with the latest available `security_policy_name` to maintain high security standards.
+
+In this example, a security policy for an AWS Transfer Server is updated to the latest version using Terraform.
+
+[source,go]
+----
+resource "aws_transfer_server" "example" {
+   ...
++  security_policy_name = "TransferSecurityPolicy-2024-01"
+   ...
+}
+----
+