skip: Merge branch 'update_iam_per_policy' into feature/policy_testin…

…g_v2
epam · Jul 3, 2024 · b90f2ec · b90f2ec
2 parents 13f44d0 + 2cfa9ba
commit b90f2ec
Show file tree

Hide file tree

Showing 21 changed files with 141 additions and 104 deletions.
diff --git a/...cies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml b/...cies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
@@ -12,6 +12,10 @@ policies:
       IAM instance roles are not used for AWS resource access from instances
     resource: aws.ec2
     filters:
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
       - type: value
         key: IamInstanceProfile
         value: absent
diff --git a/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml b/policies/ecc-aws-222-ec2_instance_managed_by_systems_manager.yml
@@ -12,11 +12,10 @@ policies:
       EC2 instances are not managed by AWS Systems Manager
     resource: aws.ec2
     filters:
-      - and:
-          - type: value
-            key: State.Name
-            op: in
-            value: [running, stopped]
-          - type: ssm
-            key: InstanceId
-            value: empty
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
+      - type: ssm
+        key: InstanceId
+        value: empty
diff --git a/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml b/policies/ecc-aws-223-ec2_managed_instance_association_compliance_status_check.yml
@@ -12,13 +12,12 @@ policies:
       Instances managed by Systems Manager do not have association compliance status of COMPLIANT
     resource: aws.ec2
     filters:
-      - and:
-          - type: value
-            key: State.Name
-            op: in
-            value: [running, stopped]
-          - type: ssm-compliance
-            compliance_types:
-              - Association
-            states:
-              - NON_COMPLIANT
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
+      - type: ssm-compliance
+        compliance_types:
+          - Association
+        states:
+          - NON_COMPLIANT
diff --git a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml
@@ -12,6 +12,10 @@ policies:
       EC2 instances do not use IMDSv2
     resource: aws.ec2
     filters:
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
       - type: value
         key: MetadataOptions.HttpTokens
         value: optional
diff --git a/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml b/policies/ecc-aws-489-ec2_instance_detailed_monitoring_enabled.yml
@@ -12,6 +12,10 @@ policies:
       EC2 instances detailed monitoring disabled
     resource: aws.ec2
     filters:
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
       - type: value
         key: Monitoring.State
         value: disabled
diff --git a/policies/ecc-aws-490-ec2_token_hop_limit_check.yml b/policies/ecc-aws-490-ec2_token_hop_limit_check.yml
@@ -12,6 +12,10 @@ policies:
       EC2 instances token hop limit set correctly
     resource: aws.ec2
     filters:
+      - not:
+          - type: value
+            key: State.Name
+            value: terminated
       - not:
           - type: value
             key: MetadataOptions.HttpPutResponseHopLimit

diff --git a/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml b/policies/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled.yml
@@ -12,6 +12,10 @@ policies:
       EBS volumes attached to an EC2 instance is not marked for deletion upon instance termination
     resource: aws.ec2
     filters:
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
       - type: value
         key: BlockDeviceMappings[].Ebs.DeleteOnTermination
         op: contains

diff --git a/policies/ecc-aws-549-ec2_instance_previous_generation.yml b/policies/ecc-aws-549-ec2_instance_previous_generation.yml
@@ -12,7 +12,11 @@ policies:
       EC2 instance is not using last generation classes
     resource: ec2
     filters:
+      - not:
+        - type: value
+          key: State.Name
+          value: terminated
       - type: value
         key: InstanceType
         op: regex
-        value: '(m1|m2|m3|t1|c1|c3|i2|cr1|r3|hs1|g2|a1).[^\s]+'
+        value: '(m1|m2|m3|m4|t1|c1|c2|c3|i2|cr1|r3|r4|hs1|g2|a1|d2).[^\s]+'
diff --git a/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml b/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml
@@ -12,6 +12,10 @@ policies:
       Amazon EC2 instances with dedicated tenancy
     resource: aws.ec2
     filters:
+      - not:
+          - type: value
+            key: State.Name
+            value: terminated
       - type: value
         key: Placement.Tenancy
         op: in

diff --git a/terraform/ecc-aws-020-instance_without_any_tag/iam/020-policy.json b/terraform/ecc-aws-020-instance_without_any_tag/iam/020-policy.json
@@ -1,13 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances",
-                "ec2:DescribeRegions"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-025-instance_without_termination_protection/iam/025-policy.json b/terraform/ecc-aws-025-instance_without_termination_protection/iam/025-policy.json
@@ -6,8 +6,7 @@
             "Action": [
                 "ec2:DescribeInstanceAttribute",
                 "ec2:DescribeInstances",
-                "ec2:DescribeTags",
-                "ec2:DescribeRegions"
+                "ec2:DescribeTags"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-091-ec2_managed_ssm_patch_compliance/iam/091-policy.json b/terraform/ecc-aws-091-ec2_managed_ssm_patch_compliance/iam/091-policy.json
@@ -5,7 +5,8 @@
             "Effect": "Allow",
             "Action": [ 
                 "ssm:ListResourceComplianceSummaries",
-                "ec2:DescribeInstances"
+                "ec2:DescribeInstances",
+                "ec2:DescribeTags"
             ],
             "Resource": "*"
         }

diff --git a/terraform/ecc-aws-185-ec2_stopped_instance/iam/185-policy.json b/terraform/ecc-aws-185-ec2_stopped_instance/iam/185-policy.json
@@ -1,12 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-186-ec2_instance_no_public_ip/iam/186-policy.json b/terraform/ecc-aws-186-ec2_instance_no_public_ip/iam/186-policy.json
@@ -1,12 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeNetworkInterfaces"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-189-ec2_instance_should_not_use_multiple_eni/iam/189-policy.json b/terraform/ecc-aws-189-ec2_instance_should_not_use_multiple_eni/iam/189-policy.json
@@ -1,12 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
+}
diff --git a/terraform/ecc-aws-222-ec2_instance_managed_by_systems_manager/iam/222-policy.json b/terraform/ecc-aws-222-ec2_instance_managed_by_systems_manager/iam/222-policy.json
@@ -5,10 +5,11 @@
             "Effect": "Allow",
             "Action": [
                 "ec2:DescribeInstances",
+				"ec2:DescribeTags",
                 "tag:GetResources",
                 "ssm:DescribeInstanceInformation"
             ],
             "Resource": "*"
         }
     ]
-}
+}
diff --git a/.../ecc-aws-223-ec2_managed_instance_association_compliance_status_check/iam/223-policy.json b/.../ecc-aws-223-ec2_managed_instance_association_compliance_status_check/iam/223-policy.json
@@ -5,6 +5,7 @@
             "Effect": "Allow",
             "Action": [
                 "ec2:DescribeInstances",
+                "ec2:DescribeTags",
                 "ssm:ListResourceComplianceSummaries"
             ],
             "Resource": "*"

diff --git a/terraform/ecc-aws-489-ec2_instance_detailed_monitoring_enabled/iam/489-policy.json b/terraform/ecc-aws-489-ec2_instance_detailed_monitoring_enabled/iam/489-policy.json
@@ -1,12 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json b/terraform/ecc-aws-490-ec2_token_hop_limit_check/iam/490-policy.json
@@ -1,12 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
 }
diff --git a/terraform/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled/iam/529-policy.json b/terraform/ecc-aws-529-ebs_attached_volume_delete_on_termination_enabled/iam/529-policy.json
@@ -1,10 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": "ec2:DescribeInstances",
-            "Resource": "*"
-        }
-    ]
-}
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
+}
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json
@@ -1,12 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:DescribeInstances"
-            ],
-            "Resource": "*"
-        }
-    ]
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"ec2:DescribeInstances",
+				"ec2:DescribeTags"
+			],
+			"Resource": "*"
+		}
+	]
 }