finished final readthroughs, reviewed latest test runs, removed unnee…

…ded comments, updated profile version, should be ready for merge

Signed-off-by: Aaron Lippold <[email protected]>

Gemfile

@@ -9,6 +9,5 @@ gem 'kitchen-inspec'
 gem 'rake'
 gem 'rubocop'
 gem 'rubocop-rake'
-gem 'train-kubernetes'
 gem "train-aws", git: 'https://github.com/mitre/train-aws.git', branch: 'al/dep-updates'
 

README.md

@@ -1,6 +1,6 @@
 # aws-foundations-cis-baseline
 
-InSpec profile to validate the secure configuration of Amazon Web Services against [CIS'](https://www.cisecurity.org/cis-benchmarks/) Amazon Web Services Foundations Benchmark Version 2.0.0 - 06-28-2023
+InSpec profile to validate the secure configuration of Amazon Web Services against [CIS Amazon Web Services Foundations Benchmark Version 2.0.0](https://www.cisecurity.org/cis-benchmarks/) - 06-28-2023
 
 ## Getting Started
 
@@ -12,11 +12,11 @@ The latest versions and installation options are available at the [InSpec](http:
 
 This baseline also requires the AWS Command Line Interface (CLI) which is available at the [AWS CLI](https://aws.amazon.com/cli/) site (at least version 2.x).
 
-### Minimum Permissions needed to Run this Profile
+## Minimum AWS IAM API Permissions needed to Run the Profile
 
 The IAM account used to run this profile against the AWS environment needs to attached through a group or role with at least `AWS IAM "ReadOnlyAccess" Managed Policy`
 
-### Getting MFA Aware AWS Access, Secret and Session Tokens
+## Getting MFA Aware AWS Access, Secret and Session Tokens
 
 You will need to ensure your AWS CLI environment has the right system environment variables set with your AWS region and credentials and session token to use the AWS CLI and InSpec resources in the AWS environment. InSpec supports the following standard AWS variables:
 
@@ -43,7 +43,7 @@ b. Then export the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION
 
 This profile uses InSpec Inputs to make the tests more flexible. You are able to provide inputs at runtime either via the cli or via YAML files to help the profile work best in your deployment.
 
-#### **_Do not change the inputs in the `inspec.yml` file_**
+### **_Do not change the inputs in the `inspec.yml` file_**
 
 The `inputs` defined in the `inspec.yml` file are the shared inputs for the **profile and defaults for the profile**.
 
@@ -290,7 +290,7 @@ third_party_api_monitoring_tool: ""
 | Done       | Yes          | 5.5                | exempt_routes                                                                                                                                                                                                                             |
 | Done       | Yes          | 5.6                | skip_stopped_ec2<br>exempt_ec2s                                                                                                                                                                                                           |
 
-### Manual Checks
+## Manual Checks
 
 Note that not all controls in the CIS Benchmarks can be done automatically. This profile will mark the output of those controls as "skipped." Be sure to manually review any skipped controls, and if desired, use the MITRE SAF CLI's [Attestation](https://saf-cli.mitre.org/#attest) feature to save your manual attestations into the same file as your automated test results.
 
@@ -306,7 +306,7 @@ The script will inspect the avalible aws regions for the AWS Account running the
 
 You should add this data to your `my_inputs.yml` and
 
-## Usage
+# Usage
 
 ```
 # Set required ENV variables
@@ -328,13 +328,15 @@ $ ruby generate_inputs.rb
 inspec exec https://github.com/mitre/aws-foundations-cis-baseline/archive/master.tar.gz --target aws:// --input-file=<./path/my_inpupts.yml> --reporter=cli json:<path/name_of_your_output_file.json>
 ```
 
-### Different Run Options
+## Different Run Options
+
+Please review the following documentation 
 
 [Full exec options](https://docs.chef.io/inspec/cli/#options-3)
 
-## Running This Baseline from a local Archive copy
+### Diconnected & Local Archive Execution
 
-If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests:
+If your runner is not always expected to have direct access to the network, use the following steps to create an archive bundle of this baseline and all of its dependent tests:
 
 (Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) site.)
 

Rakefile

@@ -2,126 +2,11 @@
 
 require "rake/testtask"
 require "rubocop/rake_task"
-#require "chefstyle"
-#require_relative 'test/integration/configuration/aws_inspec_config'
 
-# INTEGRATION_DIR = File.join('test', 'integration')
-# CONTROLS_DIR = File.join(INTEGRATION_DIR, 'verify')
-# TERRAFORM_DIR = File.join(INTEGRATION_DIR, 'build')
-# TF_VAR_FILE_NAME = 'inspec-aws.tfvars.json'
-# TF_VAR_FILE = File.join(TERRAFORM_DIR, TF_VAR_FILE_NAME)
-# TF_PLAN_FILE = 'inspec-aws.plan'
-# PROFILE_ATTRIBUTES = 'aws-inspec-attributes.yaml'
-
-# Rubocop
-# desc 'Run Rubocop lint checks'
-# task :rubocop do
-#   RuboCop::RakeTask.new
-# end
-
-# Minitest
-Rake::TestTask.new do |t|
-  t.libs << "libraries"
-  t.libs << File.join("test", "unit")
-  t.warning = false
-  t.verbose = true
-  t.pattern = File.join("test", "unit", "**", "*_test.rb")
-end
-
-# desc 'Run rubocop linter'
-# task lint: [:rubocop]
-
-# lint the project
-# chefstyle
 begin
   RuboCop::RakeTask.new(:lint) do |task|
     task.options += %w[--display-cop-names --no-color --parallel]
   end
 rescue LoadError
   puts "rubocop is not available. Install the rubocop gem to run the lint tests."
-end
-
-# run tests
-# Disabling inspec check on profile with path dependency due to https://github.com/inspec/inspec/issues/3571 - 'test:check'
-# desc 'Run rubocop chefstyle linter + unit tests'
-# task default: [:lint, :test ]
-
-# namespace :test do
-
-#   task :check do
-#     # Run inspec check to verify that the profile is properly configured
-#     dir = File.join(File.dirname(__FILE__))
-#     sh("bundle exec inspec check #{CONTROLS_DIR}")
-#   end
-
-#   task :setup_integration_tests => ['tf:setup_integration_tests']
-
-#   task :plan_integration_tests => ['tf:plan_integration_tests']
-
-#   task :run_integration_tests do
-#     puts '----> Running InSpec tests'
-#     target = if ENV['INSPEC_PROFILE_TARGET'] then ENV['INSPEC_PROFILE_TARGET'] else CONTROLS_DIR end
-#     reporter_name = if ENV['INSPEC_REPORT_NAME'] then ENV['INSPEC_REPORT_NAME'] else 'inspec-output' end
-#     # Since the default behaviour is to skip tests, the below absorbs an inspec "101 run okay + skipped only" exit code as successful
-#     cmd = 'bundle exec inspec exec %s -t aws:// --input-file %s --reporter cli json:%s.json html:%s.html --chef-license=accept-silent'
-#     if ENV['INSPEC_TRAP_NON_ZERO_EXIT'] then cmd += ' || true' else cmd += '; rc=$?; if [ $rc -eq 0 ] || [ $rc -eq 101 ]; then exit 0; else exit 1; fi' end
-#     cmd = format(cmd, target, File.join(TERRAFORM_DIR.to_s, PROFILE_ATTRIBUTES), reporter_name, reporter_name)
-#     sh(cmd)
-#   end
-
-#   task :cleanup_integration_tests => ['tf:cleanup_integration_tests']
-
-#   desc 'Perform Integration Tests'
-#   task integration: ['tf:setup_integration_tests'] do
-#     Rake::Task['test:run_integration_tests'].execute
-#     Rake::Task['tf:destroy'].execute
-#   end
-# end
-
-# namespace :tf do
-
-#   task :tf_dir do
-#     Dir.chdir(TERRAFORM_DIR)
-#   end
-
-#   task init_workspace: [:tf_dir] do
-#     puts '----> Initializing Terraform'
-#     # Initialize terraform workspace
-#     cmd = format('terraform init')
-#     sh(cmd)
-#   end
-
-#   task plan_integration_tests: [:tf_dir, :init_workspace] do
-#     if File.exist?(TF_VAR_FILE)
-#       puts '----> Previous run not cleaned up - running cleanup...'
-#       Rake::Task['tf:cleanup_integration_tests'].execute
-#     end
-#     puts '----> Generating Terraform and InSpec variable files'
-#     AWSInspecConfig.store_json(TF_VAR_FILE_NAME)
-#     AWSInspecConfig.store_yaml(PROFILE_ATTRIBUTES)
-#     puts '----> Generating the Plan'
-#     # Create the plan that can be applied to AWS
-#     cmd = format('terraform plan -var-file=%s -out %s', TF_VAR_FILE_NAME, TF_PLAN_FILE)
-#     sh(cmd)
-#   end
-
-#   task setup_integration_tests: [:tf_dir] do
-#     unless File.exist?(TF_PLAN_FILE)
-#       Rake::Task['test:plan_integration_tests'].invoke
-#     end
-#     puts '----> Applying the plan'
-#     # Apply the plan on AWS
-#     cmd = format('terraform apply %s', TF_PLAN_FILE)
-#     sh(cmd)
-#     puts '----> Adding terraform outputs to InSpec variable file'
-#     AWSInspecConfig.update_yaml(PROFILE_ATTRIBUTES)
-#   end
-
-#   task cleanup_integration_tests: [:tf_dir] do
-#     puts '----> Cleanup'
-#     cmd = 'terraform destroy -force -var-file=%s '
-#     cmd += ' || true' if ENV['CLEANUP_TRAP_NON_ZERO_EXIT']
-#     cmd = format(cmd, TF_VAR_FILE_NAME)
-#     sh(cmd)
-#   end
-#end
+end

controls/aws-foundations-cis-1.3.rb

@@ -54,9 +54,9 @@
   tag severity: 'medium '
   tag cis_controls: [{ '8' => ['17.2'] }]
 
-  # only_if('AWS GovCloud only allows you to Manually view Account information, please review this requirement in the AWS GovCloud Console.') {
-  #   !aws_sts_caller_identity.govcloud?
-  # }
+  only_if('AWS GovCloud only allows you to Manually view Account information, please review this requirement in the AWS GovCloud Console.') {
+    !aws_sts_caller_identity.govcloud?
+  }
 
   describe 'Requirement must be tested manually' do
     skip "

inspec.yml

@@ -5,8 +5,8 @@ maintainer: "MITRE SAF Team"
 copyright: "MITRE, 2023"
 copyright_email: "[email protected]"
 license: "Apache-2.0"
-summary: "InSpec Validation Profile for AWS Foundations CIS"
-version: 2.0.2
+summary: "InSpec Validation Profile for the CIS AWS Foundations Benchmark v2.0"
+version: 2.0.5
 inspec_version: ">= 4.0"
 supports:
   - platform: aws