diff --git a/.github/workflows/auto-test.yml b/.github/workflows/auto-test.yml
index 8d3afae89..a375d9a7d 100644
--- a/.github/workflows/auto-test.yml
+++ b/.github/workflows/auto-test.yml
@@ -25,7 +25,7 @@ env:
 TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
 TF_CLI_ARGS: "-no-color"
 AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
- default_resource_priority_list: '[ "codebuild"]'
+ default_resource_priority_list: '[ "ec2"]'
 RED: '\033[0;31m'
 
 permissions:
diff --git a/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml b/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
index e30183045..122d4da6a 100644
--- a/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
+++ b/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
@@ -12,6 +12,10 @@ policies:
 IAM instance roles are not used for AWS resource access from instances
 resource: aws.ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - type: value
 key: IamInstanceProfile
 value: absent
diff --git a/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml b/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml
index 531bb8694..366a2352e 100644
--- a/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml
+++ b/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml
@@ -12,11 +12,10 @@ policies:
 EC2 instances are not managed by AWS Systems Manager
 resource: aws.ec2
 filters:
- - and:
- - type: value
- key: State.Name
- op: in
- value: [running, stopped]
- - type: ssm
- key: InstanceId
- value: empty
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
+ - type: ssm
+ key: InstanceId
+ value: empty
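Review bot: The new `not` block in ecc-aws-057's filters only excludes `State.Name == terminated`, so an instance in `shutting-down` (same end state, minutes earlier) is still evaluated and, since its profile data is unchanged, still reported; if the intent is to stop flagging instances on their way out, both states belong in the exclusion. Custodian's value filter already has negated operators, so the three-line `not` wrapper can be a single filter: `- type: value`, `key: State.Name`, `op: not-in`, `value: [shutting-down, terminated]`. The same `not`/`terminated` block is pasted into eight policies in this commit, so whichever form is chosen should be applied uniformly.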
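Review bot: In ecc-aws-222 the `[running, stopped]` allow-list is replaced by a single `terminated` exclusion, which widens the policy to `pending`, `stopping` and `shutting-down` instances; a `pending` instance cannot have registered with Systems Manager yet, so `type: ssm` / `InstanceId: empty` will flag it until the agent comes up — a transient finding the old filter avoided. If the goal was only to drop terminated instances from the report, keep that while excluding the transient states: `- type: value`, `key: State.Name`, `op: not-in`, `value: [pending, shutting-down, terminated]`. A one-line comment above the filter stating why those states are excluded would stop the next editor from "simplifying" it back to `terminated` only.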
diff --git a/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml b/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml
index 457ae2e19..16c120c9b 100644
--- a/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml
+++ b/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml
@@ -12,13 +12,12 @@ policies:
 Instances managed by Systems Manager do not have association compliance status of COMPLIANT
 resource: aws.ec2
 filters:
- - and:
- - type: value
- key: State.Name
- op: in
- value: [running, stopped]
- - type: ssm-compliance
- compliance_types:
- - Association
- states:
- - NON_COMPLIANT
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
+ - type: ssm-compliance
+ compliance_types:
+ - Association
+ states:
+ - NON_COMPLIANT
diff --git a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml
index 10de0ee70..5aed2cba7 100644
--- a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml
+++ b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml
@@ -12,6 +12,10 @@ policies:
 EC2 instances do not use IMDSv2
 resource: aws.ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - type: value
 key: MetadataOptions.HttpTokens
 value: optional
diff --git a/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml b/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml
index bb1089fbe..6eba171ec 100644
--- a/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml
+++ b/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml
@@ -12,6 +12,10 @@ policies:
 EC2 instances detailed monitoring disabled
 resource: aws.ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - type: value
 key: Monitoring.State
 value: disabled
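Review bot: In ecc-aws-224 the finding still rests on `MetadataOptions.HttpTokens: optional` alone, and that does not establish that IMDSv1 is reachable: an instance whose metadata endpoint is switched off (`MetadataOptions.HttpEndpoint: disabled`) has no IMDS exposure at all yet, as far as I can tell, still carries `HttpTokens: optional`, so it will be reported as an IMDSv2 gap it cannot have. Add a second filter next to the HttpTokens check so only instances with the endpoint on are flagged: `- type: value`, `key: MetadataOptions.HttpEndpoint`, `value: enabled`. A short comment stating that a disabled endpoint is treated as compliant would document the decision for whoever maps this policy to the CIS/SecurityHub control.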
diff --git a/policies/ecc-aws-490-ec2_token_hop_limit_check.yml b/policies/ecc-aws-490-ec2_token_hop_limit_check.yml
index 0e9ee97d1..e41c94ef0 100644
--- a/policies/ecc-aws-490-ec2_token_hop_limit_check.yml
+++ b/policies/ecc-aws-490-ec2_token_hop_limit_check.yml
@@ -12,6 +12,10 @@ policies:
 EC2 instances token hop limit set correctly
 resource: aws.ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - not:
 - type: value
 key: MetadataOptions.HttpPutResponseHopLimit
diff --git a/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml b/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml
index 1f03ab26e..581559d59 100644
--- a/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml
+++ b/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml
@@ -12,6 +12,10 @@ policies:
 EBS volumes attached to an EC2 instance is not marked for deletion upon instance termination
 resource: aws.ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - type: value
 key: BlockDeviceMappings[].Ebs.DeleteOnTermination
 op: contains
diff --git a/policies/ecc-aws-549-ec2_instance_previous_generation.yml b/policies/ecc-aws-549-ec2_instance_previous_generation.yml
index 60eadec56..6adefe277 100755
--- a/policies/ecc-aws-549-ec2_instance_previous_generation.yml
+++ b/policies/ecc-aws-549-ec2_instance_previous_generation.yml
@@ -12,7 +12,11 @@ policies:
 EC2 instance is not using last generation classes
 resource: ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - type: value
 key: InstanceType
 op: regex
- value: '(m1|m2|m3|t1|c1|c3|i2|cr1|r3|hs1|g2|a1).[^\s]+'
+ value: '(m1|m2|m3|m4|t1|c1|c2|c3|i2|cr1|r3|r4|hs1|g2|a1|d2).[^\s]+'
diff --git a/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml b/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml
index 9d577ba52..5f3344827 100644
--- a/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml
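Review bot: The rewritten `value:` regex in ecc-aws-549 adds `c2`, but to my knowledge AWS never offered a `c2` family — the old cluster-compute type was `cc2`, which a start-anchored match of `c2.` would not catch — so that alternative is dead, while `c4`, which sits next to `m4`/`r4` in AWS's previous-generation list, is absent; please confirm which was intended. The `.` after the group is unescaped and matches any character, so `\.` states the intent and avoids surprises if a family name ever gains a digit: `value: '(m1|m2|m3|m4|t1|c1|cc2|c3|c4|i2|cr1|r3|r4|hs1|g2|a1|d2)\.[^\s]+'`. Also `resource: ec2` is the only policy in this commit not written as `aws.ec2`; it resolves to the same provider but the inconsistency is worth fixing while the file is open. Whether Custodian's regex op anchors at the start is inferred from its usual behaviour, not visible here.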
+++ b/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml
@@ -12,6 +12,10 @@ policies:
 Amazon EC2 instances with dedicated tenancy
 resource: aws.ec2
 filters:
+ - not:
+ - type: value
+ key: State.Name
+ value: terminated
 - type: value
 key: Placement.Tenancy
 op: in
diff --git a/terraform/ecc-aws-020-instance_without_any_tag/iam/020-policy.json b/terraform/ecc-aws-020-instance_without_any_tag/iam/020-policy.json
index c5b7332a8..57ccc2465 100644
--- a/terraform/ecc-aws-020-instance_without_any_tag/iam/020-policy.json
+++ b/terraform/ecc-aws-020-instance_without_any_tag/iam/020-policy.json
@@ -1,13 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances",
- "ec2:DescribeRegions"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-025-instance_without_termination_protection/iam/025-policy.json b/terraform/ecc-aws-025-instance_without_termination_protection/iam/025-policy.json
index 874d17dc0..c620b93ed 100644
--- a/terraform/ecc-aws-025-instance_without_termination_protection/iam/025-policy.json
+++ b/terraform/ecc-aws-025-instance_without_termination_protection/iam/025-policy.json
@@ -6,8 +6,7 @@
 "Action": [
 "ec2:DescribeInstanceAttribute",
 "ec2:DescribeInstances",
- "ec2:DescribeTags",
- "ec2:DescribeRegions"
+ "ec2:DescribeTags"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-091-ec2_managed_ssm_patch_compliance/iam/091-policy.json b/terraform/ecc-aws-091-ec2_managed_ssm_patch_compliance/iam/091-policy.json
index 26a6a4dea..6e309a2ac 100644
--- a/terraform/ecc-aws-091-ec2_managed_ssm_patch_compliance/iam/091-policy.json
+++ b/terraform/ecc-aws-091-ec2_managed_ssm_patch_compliance/iam/091-policy.json
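Review bot: The 020 policy drops `ec2:DescribeRegions` (and 025 does the same below) in favour of `ec2:DescribeTags`; if the test harness ever runs Custodian with region discovery (`--region all` or equivalent), that call is what it uses to enumerate regions and the role would now fail with AccessDenied before a single instance is described. The workflow hunk in this commit pins `AWS_DEFAULT_REGION`, so this is probably fine today, but it is worth confirming nothing else in the Terraform module enumerates regions. `"Resource": "*"` is not a least-privilege regression here: ec2 Describe* actions do not support resource-level permissions, so a wildcard is the only valid form. Since JSON cannot carry a comment, record both points in the module's README or in the Terraform that attaches the policy.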
@@ -5,7 +5,8 @@
 "Effect": "Allow",
 "Action": [
 "ssm:ListResourceComplianceSummaries",
- "ec2:DescribeInstances"
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
 ],
 "Resource": "*"
 }
diff --git a/terraform/ecc-aws-185-ec2_stopped_instance/iam/185-policy.json b/terraform/ecc-aws-185-ec2_stopped_instance/iam/185-policy.json
index 1a02f8802..1e916612e 100644
--- a/terraform/ecc-aws-185-ec2_stopped_instance/iam/185-policy.json
+++ b/terraform/ecc-aws-185-ec2_stopped_instance/iam/185-policy.json
@@ -1,12 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-186-ec2_instance_no_public_ip/iam/186-policy.json b/terraform/ecc-aws-186-ec2_instance_no_public_ip/iam/186-policy.json
index 510c2d8d2..1e916612e 100644
--- a/terraform/ecc-aws-186-ec2_instance_no_public_ip/iam/186-policy.json
+++ b/terraform/ecc-aws-186-ec2_instance_no_public_ip/iam/186-policy.json
@@ -1,12 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeNetworkInterfaces"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-189-ec2_instance_should_not_use_multiple_eni/iam/189-policy.json b/terraform/ecc-aws-189-ec2_instance_should_not_use_multiple_eni/iam/189-policy.json
index 4a3386d8f..1e916612e 100644
--- a/terraform/ecc-aws-189-ec2_instance_should_not_use_multiple_eni/iam/189-policy.json
+++ b/terraform/ecc-aws-189-ec2_instance_should_not_use_multiple_eni/iam/189-policy.json
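Review bot: The 186 policy swaps `ec2:DescribeNetworkInterfaces` for `ec2:DescribeInstances` plus `ec2:DescribeTags`, which is only correct if `ecc-aws-186-ec2_instance_no_public_ip` itself moved from an ENI-based resource to `aws.ec2`; that policy file is not in this diff, so if it still enumerates network interfaces the test role is now denied the one call it needs. Please confirm the policy-side change landed (or ship it in the same PR), and if the policy ends up reading both instances and ENIs keep all three actions. The new blob index `1e916612e` is shared with 185, 189, 489 and 490, i.e. these files are now byte-identical copies — a single shared `describe-instances` policy document referenced from each module would remove the drift this commit is fixing.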
@@ -1,12 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-222-ec2_instance_managed_by_systems_manager/iam/222-policy.json b/terraform/ecc-aws-222-ec2_instance_managed_by_systems_manager/iam/222-policy.json
index 5510fd120..014dd1743 100644
--- a/terraform/ecc-aws-222-ec2_instance_managed_by_systems_manager/iam/222-policy.json
+++ b/terraform/ecc-aws-222-ec2_instance_managed_by_systems_manager/iam/222-policy.json
@@ -5,10 +5,11 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeInstances",
+ "ec2:DescribeTags",
 "tag:GetResources",
 "ssm:DescribeInstanceInformation"
 ],
 "Resource": "*"
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/terraform/ecc-aws-223-ec2_managed_instance_association_compliance_status_check/iam/223-policy.json b/terraform/ecc-aws-223-ec2_managed_instance_association_compliance_status_check/iam/223-policy.json
index 927cdf83b..1f0893f80 100644
--- a/terraform/ecc-aws-223-ec2_managed_instance_association_compliance_status_check/iam/223-policy.json
+++ b/terraform/ecc-aws-223-ec2_managed_instance_association_compliance_status_check/iam/223-policy.json
@@ -5,6 +5,7 @@
 "Effect": "Allow",
 "Action": [
 "ec2:DescribeInstances",
+ "ec2:DescribeTags",
 "ssm:ListResourceComplianceSummaries"
 ],
 "Resource": "*"
diff --git a/terraform/ecc-aws-489-ec2_instance_detailed_monitoring_enabled/iam/489-policy.json b/terraform/ecc-aws-489-ec2_instance_detailed_monitoring_enabled/iam/489-policy.json
index 1a02f8802..1e916612e 100644
--- a/terraform/ecc-aws-489-ec2_instance_detailed_monitoring_enabled/iam/489-policy.json
+++ b/terraform/ecc-aws-489-ec2_instance_detailed_monitoring_enabled/iam/489-policy.json
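Review bot: The 222 policy is the one file in this commit that gains a trailing newline (`-}` / `+}` with the old `\ No newline at end of file`), while 189 just above loses its newline and 185, 186, 489, 490, 529 and 576 are rewritten still without one, so the IAM JSONs leave this commit less consistent than they entered it and the next touch will be another whitespace-only rewrite. Run all of them through a single formatter (`jq . file > tmp && mv tmp file`, or the repo's prettier config) in one follow-up and add the `*.json` rule to `.editorconfig` so it sticks. Separately, `ec2:DescribeTags` is added alongside `tag:GetResources`, which already returns tags for EC2 resources; if a specific Custodian code path needs the ec2-native call, note it in the module README, since the JSON itself cannot carry that explanation.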
@@ -1,12 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json b/terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json
index 1a02f8802..1e916612e 100644
--- a/terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json
+++ b/terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json
@@ -1,12 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file
diff --git a/terraform/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled/iam/529-policy.json b/terraform/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled/iam/529-policy.json
index 554ce75f6..57ccc2465 100644
--- a/terraform/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled/iam/529-policy.json
+++ b/terraform/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled/iam/529-policy.json
@@ -1,10 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": "ec2:DescribeInstances",
- "Resource": "*"
- }
- ]
-}
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json
index c86a0cb6b..57ccc2465 100644
--- a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json
@@ -1,12 +1,13 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances"
- ],
- "Resource": "*"
- }
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
 }
\ No newline at end of file