diff --git a/.github/workflows/axios.yml.example b/.github/workflows/axios.yml.example
deleted file mode 100644
index 6d7ce367..00000000
--- a/.github/workflows/axios.yml.example
+++ /dev/null
@@ -1,61 +0,0 @@
-- name: "Call API"
- uses: indiesdev/curl@v1.1
- with:
- # The target URL
- # Required: true if custom-config is not set
- url: https://heimdall-demo.mitre.org/
-
- # The request method, basically it's one of GET|POST|PUT|PATCH
- # Default is GET
- method: "POST"
-
- # List of response status codes to be accepted, else it will set the job to be failed
- # If more than one value is needed, you can use comma (,) as separator
- # In this case if the response status code is not one of 200, 201 and 204, the job will be failed
- # Default is 200,201,204
- accept: 200,201,204
-
- # Headers can be passed through with a json object string
- headers: '{ "custom-header": "value" }'
-
- # Params can be passed through with a json object string
- params: '{ "param1": "value", "param2": "value2" }'
-
- # Body request
- # Apply only to POST|PUT request
- body: '{ "name": "breeze", "job": "devops" }'
-
- # Request timeout (millisec)
- # Default: 1000
- timeout: 1000
-
- # Basic authentication using username and password
- # This will override the Authorization header, for example Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
- # Format => username:password as base 64
- basic-auth-token: ${{ secrets.curl_auth_token }}
-
- # The authentication using token
- # This will override the Authorization header, for example Authorization: Bearer QWxhZGRpbjpPcGVuU2VzYW1l
- bearer-token: ${{ secrets.bearer_token }}
-
- # If you want to use proxy with the request, you can use proxy-url
- # Format => host:port
- proxy-url: https://proxy-url:3000
-
- # If the proxy host requires authentication, you can use proxy-auth to pass credentials
- # Format => username:password as base64
- proxy-auth-token: ${{ secrets.proxy_auth_token }}
-
- # If it is set to true, it will show the response log in the GitHub UI
- # Default: false
- log-response: false
-
- # The number of attempts before giving up
- # Default: 1
- retries: 3
-
- # If you want to use axios config directly, you can pass a config file to the action
- # The file is just basically a json file that has the same format as axios config https://github.com/axios/axios#request-config
- # If this input is set, it will ignore other inputs related to the config
- # The path file is relative to the root directory of the repo
- custom-config: .github/workflows/curl-config.json
\ No newline at end of file
diff --git a/Gemfile b/Gemfile
index c90d47cc..3163d0ce 100644
--- a/Gemfile
+++ b/Gemfile
@@ -9,6 +9,5 @@ gem 'kitchen-inspec'
gem 'rake'
gem 'rubocop'
gem 'rubocop-rake'
-gem 'train-kubernetes'
gem "train-aws", git: 'https://github.com/mitre/train-aws.git', branch: 'al/dep-updates'
diff --git a/README.md b/README.md
index ed776d77..d70f2e70 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
# aws-foundations-cis-baseline
-InSpec profile to validate the secure configuration of Amazon Web Services against [CIS'](https://www.cisecurity.org/cis-benchmarks/) Amazon Web Services Foundations Benchmark Version 2.0.0 - 06-28-2023
+InSpec profile to validate the secure configuration of Amazon Web Services against [CIS Amazon Web Services Foundations Benchmark Version 2.0.0](https://www.cisecurity.org/cis-benchmarks/) - 06-28-2023
## Getting Started
@@ -12,11 +12,11 @@ The latest versions and installation options are available at the [InSpec](http:
This baseline also requires the AWS Command Line Interface (CLI) which is available at the [AWS CLI](https://aws.amazon.com/cli/) site (at least version 2.x).
-### Minimum Permissions needed to Run this Profile
+## Minimum AWS IAM API Permissions needed to Run the Profile
The IAM account used to run this profile against the AWS environment needs to attached through a group or role with at least `AWS IAM "ReadOnlyAccess" Managed Policy`
-### Getting MFA Aware AWS Access, Secret and Session Tokens
+## Getting MFA Aware AWS Access, Secret and Session Tokens
You will need to ensure your AWS CLI environment has the right system environment variables set with your AWS region and credentials and session token to use the AWS CLI and InSpec resources in the AWS environment. InSpec supports the following standard AWS variables:
@@ -43,7 +43,7 @@ b. Then export the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION
This profile uses InSpec Inputs to make the tests more flexible. You are able to provide inputs at runtime either via the cli or via YAML files to help the profile work best in your deployment.
-#### **_Do not change the inputs in the `inspec.yml` file_**
+### **_Do not change the inputs in the `inspec.yml` file_**
The `inputs` defined in the `inspec.yml` file are the shared inputs for the **profile and defaults for the profile**.
@@ -290,7 +290,7 @@ third_party_api_monitoring_tool: ""
| Done | Yes | 5.5 | exempt_routes |
| Done | Yes | 5.6 | skip_stopped_ec2
exempt_ec2s |
-### Manual Checks
+## Manual Checks
Note that not all controls in the CIS Benchmarks can be done automatically. This profile will mark the output of those controls as "skipped." Be sure to manually review any skipped controls, and if desired, use the MITRE SAF CLI's [Attestation](https://saf-cli.mitre.org/#attest) feature to save your manual attestations into the same file as your automated test results.
@@ -306,7 +306,7 @@ The script will inspect the avalible aws regions for the AWS Account running the
You should add this data to your `my_inputs.yml` and
-## Usage
+# Usage
```
# Set required ENV variables
@@ -328,13 +328,15 @@ $ ruby generate_inputs.rb
inspec exec https://github.com/mitre/aws-foundations-cis-baseline/archive/master.tar.gz --target aws:// --input-file=<./path/my_inpupts.yml> --reporter=cli json:
```
-### Different Run Options
+## Different Run Options
+
+Please review the following documentation
[Full exec options](https://docs.chef.io/inspec/cli/#options-3)
-## Running This Baseline from a local Archive copy
+### Diconnected & Local Archive Execution
-If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests:
+If your runner is not always expected to have direct access to the network, use the following steps to create an archive bundle of this baseline and all of its dependent tests:
(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) site.)
diff --git a/Rakefile b/Rakefile
index 7871f067..36ba601e 100755
--- a/Rakefile
+++ b/Rakefile
@@ -2,126 +2,11 @@
require "rake/testtask"
require "rubocop/rake_task"
-#require "chefstyle"
-#require_relative 'test/integration/configuration/aws_inspec_config'
-# INTEGRATION_DIR = File.join('test', 'integration')
-# CONTROLS_DIR = File.join(INTEGRATION_DIR, 'verify')
-# TERRAFORM_DIR = File.join(INTEGRATION_DIR, 'build')
-# TF_VAR_FILE_NAME = 'inspec-aws.tfvars.json'
-# TF_VAR_FILE = File.join(TERRAFORM_DIR, TF_VAR_FILE_NAME)
-# TF_PLAN_FILE = 'inspec-aws.plan'
-# PROFILE_ATTRIBUTES = 'aws-inspec-attributes.yaml'
-
-# Rubocop
-# desc 'Run Rubocop lint checks'
-# task :rubocop do
-# RuboCop::RakeTask.new
-# end
-
-# Minitest
-Rake::TestTask.new do |t|
- t.libs << "libraries"
- t.libs << File.join("test", "unit")
- t.warning = false
- t.verbose = true
- t.pattern = File.join("test", "unit", "**", "*_test.rb")
-end
-
-# desc 'Run rubocop linter'
-# task lint: [:rubocop]
-
-# lint the project
-# chefstyle
begin
RuboCop::RakeTask.new(:lint) do |task|
task.options += %w[--display-cop-names --no-color --parallel]
end
rescue LoadError
puts "rubocop is not available. Install the rubocop gem to run the lint tests."
-end
-
-# run tests
-# Disabling inspec check on profile with path dependency due to https://github.com/inspec/inspec/issues/3571 - 'test:check'
-# desc 'Run rubocop chefstyle linter + unit tests'
-# task default: [:lint, :test ]
-
-# namespace :test do
-
-# task :check do
-# # Run inspec check to verify that the profile is properly configured
-# dir = File.join(File.dirname(__FILE__))
-# sh("bundle exec inspec check #{CONTROLS_DIR}")
-# end
-
-# task :setup_integration_tests => ['tf:setup_integration_tests']
-
-# task :plan_integration_tests => ['tf:plan_integration_tests']
-
-# task :run_integration_tests do
-# puts '----> Running InSpec tests'
-# target = if ENV['INSPEC_PROFILE_TARGET'] then ENV['INSPEC_PROFILE_TARGET'] else CONTROLS_DIR end
-# reporter_name = if ENV['INSPEC_REPORT_NAME'] then ENV['INSPEC_REPORT_NAME'] else 'inspec-output' end
-# # Since the default behaviour is to skip tests, the below absorbs an inspec "101 run okay + skipped only" exit code as successful
-# cmd = 'bundle exec inspec exec %s -t aws:// --input-file %s --reporter cli json:%s.json html:%s.html --chef-license=accept-silent'
-# if ENV['INSPEC_TRAP_NON_ZERO_EXIT'] then cmd += ' || true' else cmd += '; rc=$?; if [ $rc -eq 0 ] || [ $rc -eq 101 ]; then exit 0; else exit 1; fi' end
-# cmd = format(cmd, target, File.join(TERRAFORM_DIR.to_s, PROFILE_ATTRIBUTES), reporter_name, reporter_name)
-# sh(cmd)
-# end
-
-# task :cleanup_integration_tests => ['tf:cleanup_integration_tests']
-
-# desc 'Perform Integration Tests'
-# task integration: ['tf:setup_integration_tests'] do
-# Rake::Task['test:run_integration_tests'].execute
-# Rake::Task['tf:destroy'].execute
-# end
-# end
-
-# namespace :tf do
-
-# task :tf_dir do
-# Dir.chdir(TERRAFORM_DIR)
-# end
-
-# task init_workspace: [:tf_dir] do
-# puts '----> Initializing Terraform'
-# # Initialize terraform workspace
-# cmd = format('terraform init')
-# sh(cmd)
-# end
-
-# task plan_integration_tests: [:tf_dir, :init_workspace] do
-# if File.exist?(TF_VAR_FILE)
-# puts '----> Previous run not cleaned up - running cleanup...'
-# Rake::Task['tf:cleanup_integration_tests'].execute
-# end
-# puts '----> Generating Terraform and InSpec variable files'
-# AWSInspecConfig.store_json(TF_VAR_FILE_NAME)
-# AWSInspecConfig.store_yaml(PROFILE_ATTRIBUTES)
-# puts '----> Generating the Plan'
-# # Create the plan that can be applied to AWS
-# cmd = format('terraform plan -var-file=%s -out %s', TF_VAR_FILE_NAME, TF_PLAN_FILE)
-# sh(cmd)
-# end
-
-# task setup_integration_tests: [:tf_dir] do
-# unless File.exist?(TF_PLAN_FILE)
-# Rake::Task['test:plan_integration_tests'].invoke
-# end
-# puts '----> Applying the plan'
-# # Apply the plan on AWS
-# cmd = format('terraform apply %s', TF_PLAN_FILE)
-# sh(cmd)
-# puts '----> Adding terraform outputs to InSpec variable file'
-# AWSInspecConfig.update_yaml(PROFILE_ATTRIBUTES)
-# end
-
-# task cleanup_integration_tests: [:tf_dir] do
-# puts '----> Cleanup'
-# cmd = 'terraform destroy -force -var-file=%s '
-# cmd += ' || true' if ENV['CLEANUP_TRAP_NON_ZERO_EXIT']
-# cmd = format(cmd, TF_VAR_FILE_NAME)
-# sh(cmd)
-# end
-#end
+end
\ No newline at end of file
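Review bot: The `rescue LoadError` that survives this hunk cannot fire, because `require "rubocop/rake_task"` on the context line above the hunk is evaluated unconditionally before the `begin` block is reached; without the gem installed the Rakefile aborts at the require and the "rubocop is not available" message is never printed. Move the require inside the guarded block: `begin` / `require "rubocop/rake_task"` / `RuboCop::RakeTask.new(:lint) do |task|`. The hunk also drops the `Rake::TestTask` that ran `test/unit/**/*_test.rb`, so the profile no longer has a `test` task; if that is intentional, a one-line comment such as `# Unit tests removed; lint is the only Rake task` would stop the next reader from looking for it. The file is also left without a trailing newline.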
diff --git a/controls/aws-foundations-cis-1.3.rb b/controls/aws-foundations-cis-1.3.rb
index ff0a459d..82ba7ad4 100644
--- a/controls/aws-foundations-cis-1.3.rb
+++ b/controls/aws-foundations-cis-1.3.rb
@@ -54,9 +54,9 @@
tag severity: 'medium '
tag cis_controls: [{ '8' => ['17.2'] }]
- # only_if('AWS GovCloud only allows you to Manually view Account information, please review this requirement in the AWS GovCloud Console.') {
- # !aws_sts_caller_identity.govcloud?
- # }
+ only_if('AWS GovCloud only allows you to Manually view Account information, please review this requirement in the AWS GovCloud Console.') {
+ !aws_sts_caller_identity.govcloud?
+ }
describe 'Requirement must be tested manually' do
skip "
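Review bot: Re-enabling the `only_if` adds a live `aws_sts_caller_identity` call in front of a control whose body, as far as the hunk shows, is an unconditional `skip` either way, so the guard changes only the skip reason rather than the result; that is worth stating so nobody later tries to "fix" it into a real check. I would add above the `only_if`: `# Both branches skip: GovCloud gets the GovCloud-specific reason, commercial gets the manual-review skip below.` Note that the STS call now runs for this control even though the control itself is manual, so a failure to reach STS (wrong region, missing session token) surfaces as an error on a control that previously could not fail — hedged, since the surrounding `control` block begins outside the hunk.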
diff --git a/inspec.yml b/inspec.yml
index 4af0d9f8..a6277209 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -5,8 +5,8 @@ maintainer: "MITRE SAF Team"
copyright: "MITRE, 2023"
copyright_email: "saf@groups.mitre.org"
license: "Apache-2.0"
-summary: "InSpec Validation Profile for AWS Foundations CIS"
-version: 2.0.2
+summary: "InSpec Validation Profile for the CIS AWS Foundations Benchmark v2.0"
+version: 2.0.5
inspec_version: ">= 4.0"
supports:
- platform: aws