Justin Fox from NuData Security, A Mastercard Company, presents at the Canadian Executive Cloud & DevOps Summit in Toronto, June 9, 2017, on the topic "Securing your DevOps Pipeline".
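// Description: Checks that all IAM Users have MFA Enabled
// Trigger Type: Change Triggered
// Scope of Changes: IAM:User
// Required Parameter: None
//
// Evaluates one IAM user per invocation: the user name comes from the
// configuration item in the invoking event, and the user is COMPLIANT only
// when iam.listMFADevices returns at least one device.
//
// Fail-closed: any error from listMFADevices (throttling, missing
// permission, a user that no longer exists) is logged and reported as
// NON_COMPLIANT instead of being dropped, so an evaluation failure can never
// make a user look compliant. NOTE(review): a deleted user is therefore also
// reported NON_COMPLIANT; if that is noisy, consider checking
// configurationItem.configurationItemStatus for 'ResourceDeleted' first.
//
// Relies on `iam` (an IAM client) and `putEvaluation` defined elsewhere in
// this file. Params: event/context are the Lambda arguments; resourceType,
// resourceId and orderingTimestamp are passed through to putEvaluation.
function evaluateIamUsersMfaIsEnabled(event, context, resourceType, resourceId, orderingTimestamp) {
  var invokingEvent = JSON.parse(event.invokingEvent);
  if (resourceType !== 'AWS::IAM::User') {
    putEvaluation(event, context, resourceType, resourceId, 'NOT_APPLICABLE', orderingTimestamp);
    return;
  }
  var userName = invokingEvent.configurationItem.resourceName;
  iam.listMFADevices({ UserName: userName }, function (mfaerr, mfadata) {
    // Default to NON_COMPLIANT; only a successful call with a non-empty
    // device list can flip it.
    var compliance = 'NON_COMPLIANT';
    if (mfaerr) {
      console.log(mfaerr);
    } else if (mfadata && Array.isArray(mfadata.MFADevices) && mfadata.MFADevices.length > 0) {
      compliance = 'COMPLIANT';
    }
    putEvaluation(event, context, resourceType, resourceId, compliance, orderingTimestamp);
  });
}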
readSnapshot — helper (defined elsewhere) that fetches the AWS Config snapshot object from S3 via s3.getObject and hands the parsed snapshot to a callback(err, snapshot).
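// Description: Checks that a CloudTrail exists that is set to multi-region
// Trigger Type: Periodic
// Scope of Changes: Global
// Required Parameter: None
//
// Reads the Config snapshot that the periodic trigger wrote to S3 (bucket
// and key come from the invoking event) via readSnapshot, defined elsewhere
// in this file, and reports COMPLIANT when at least one
// AWS::CloudTrail::Trail item has isMultiRegionTrail set. Anything else —
// no trails, only single-region trails, or an item without a configuration
// — is NON_COMPLIANT.
//
// NOTE(review): a multi-region trail can still be stopped or have its
// delivery bucket misconfigured; this rule proves that such a trail is
// configured, not that events are actually being delivered.
//
// A read/parse error fails the invocation through context.fail so the
// missing evaluation is visible rather than silently skipped. Params:
// event/context are the Lambda arguments; resourceType, resourceId and
// orderingTimestamp are passed through to putEvaluation.
function evaluateCloudTrailIsEnabled(event, context, resourceType, resourceId, orderingTimestamp) {
  var invokingEvent = JSON.parse(event.invokingEvent);
  var s3key = invokingEvent.s3ObjectKey;
  var s3bucket = invokingEvent.s3Bucket;
  readSnapshot(s3, s3key, s3bucket, function (err, snapshot) {
    // Treat any truthy error as failure (the original only recognised
    // a literal null as success, so an undefined err was reported as a
    // failure with no message).
    if (err) {
      context.fail(err);
      return;
    }
    var items = (snapshot && Array.isArray(snapshot.configurationItems))
      ? snapshot.configurationItems
      : [];
    var hasMultiRegionTrail = items.some(function (item) {
      return item.resourceType === 'AWS::CloudTrail::Trail' &&
        Boolean(item.configuration) &&
        Boolean(item.configuration.isMultiRegionTrail);
    });
    var compliance = hasMultiRegionTrail ? 'COMPLIANT' : 'NON_COMPLIANT';
    putEvaluation(event, context, resourceType, resourceId, compliance, orderingTimestamp);
  });
}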
// Description: Checks that all VPCs have flow logging enabled.// Trigger Type: Change Triggered// Scope of Changes: AWS::EC2::VPC// Required Parameter: None