diff --git a/providers/arista/resources/arista.lr b/providers/arista/resources/arista.lr
index 25c26b5cc0..9f0cef1f9b 100644
--- a/providers/arista/resources/arista.lr
+++ b/providers/arista/resources/arista.lr
@@ -122,7 +122,7 @@ private arista.eos.interface @defaults("name") {
status() dict
}
-// Arista EOS IP interfacea
+// Arista EOS IP interface
private arista.eos.ipInterface @defaults("name") {
// Interface Name
name string
diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr
index cadbcba4f0..cd8d41977d 100644
--- a/providers/aws/resources/aws.lr
+++ b/providers/aws/resources/aws.lr
@@ -29,7 +29,7 @@ aws.account @defaults("id") {
aws.organization @defaults("arn masterAccountEmail") {
// ARN of the organization
arn string
- // Specifies the functionality available to org (ALL or CONSOLIDATED_BILLING)
+ // Specifies the functionality available to org: ALL or CONSOLIDATED_BILLING
featureSet string
// ID of the organization's master account
masterAccountId string
@@ -45,17 +45,17 @@ private aws.vpc @defaults("id isDefault cidrBlock region") {
id string
// IPv4 CIDR block of the VPC
cidrBlock string
- // State of the VPC (pending or available)
+ // State of the VPC: pending or available
state string
- // Whether the VPC is the default one
+ // Whether the VPC is the default VPC
isDefault bool
// How instance hardware tenancy settings are enforced on instances launched in this VPC
instanceTenancy string
// Region in which the VPC exists
region string
- // A list of endpoints for the VPC
+ // List of endpoints for the VPC
endpoints() []aws.vpc.endpoint
- // A list of flowlogs for the VPC
+ // List of flow logs for the VPC
flowLogs() []aws.vpc.flowlog
// List of route tables for the VPC
routeTables() []aws.vpc.routetable
@@ -412,7 +412,7 @@ private aws.waf.rule.fieldtomatch @defaults("target") {
ruleName string
// ID of the statement
statementID string
- // Whether to match the HTTP method (GET, POST)
+ // Whether to match the HTTP method: GET or POST
method bool
// Whether to match the URI path
uriPath bool
@@ -996,7 +996,7 @@ private aws.acm.certificate @defaults("domainName issuer createdAt notAfter") {
createdAt time
// FQDN for the certificate
domainName string
- // Status of the certificate (issued, expired, revoked, etc.)
+ // Status of the certificate: issued, expired, revoked, and so on
status string
// Name of the entity associated with the public key in the certificate
subject string
@@ -1032,7 +1032,7 @@ private aws.autoscaling.group @defaults("name region") {
name string
// List of load balancer names associated with the group
loadBalancerNames []string
- // Health check type used by the group (ELB or EC2)
+ // Health check type used by the group: ELB or EC2
healthCheckType string
// Tags for the asg
tags map[string]string
@@ -1070,7 +1070,7 @@ private aws.elb.loadbalancer @defaults("arn name") {
listenerDescriptions() []dict
// User specified name for the load balancer
name string
- // Scheme for the lb (internet-facing vs. internal)
+ // Scheme for the lb: internet-facing or internal
scheme string
// A list of attributes for the load balancer
attributes() []dict
@@ -1116,7 +1116,7 @@ private aws.guardduty.detector @defaults("id region") {
id string
// Region for the detector
region string
- // Status of the detector (ENABLED or DISABLED)
+ // Status of the detector: ENABLED or DISABLED
status string
// Publishing frequency for the detector
findingPublishingFrequency string
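Review bot: The rewritten comment on `method bool` in the `aws.waf.rule.fieldtomatch` hunk now reads as if GET and POST were the only two HTTP methods, whereas the old text listed them as examples and the field is a boolean that turns matching on the method field on or off. The commit uses the "such as" form for examples elsewhere (`// Ping status (such as online) for the SSM Instance`), so the same form fits here: `// Whether to match the HTTP method (such as GET or POST)`. The `aws.waf.rule.fieldtomatch` definition continues outside the hunk.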
@@ -1596,7 +1596,7 @@ private aws.s3.bucket.corsrule @defaults("name") {
name string
// List of allowed headers
allowedHeaders []string
- // List of allowed methods (GET, POST, PUT, etc.)
+ // List of allowed methods GET, POST, PUT, and so on
allowedMethods []string
// List of origins from which the bucket can be accessed
allowedOrigins []string
@@ -1624,7 +1624,7 @@ private aws.s3.bucket.policy @defaults("name version") {
// AWS Application Auto Scaling
aws.applicationAutoscaling @defaults("namespace") {
init(namespace string)
- // Service namespace to query for application auto scaling. comprehend, rds, sagemaker, appstream, elasticmapreduce, dynamodb, lambda, ecs, cassandra, ec2, neptune, kafka, custom-resource, or elasticache
+ // Service namespace to query for application auto scaling: comprehend, rds, sagemaker, appstream, elasticmapreduce, dynamodb, lambda, ecs, cassandra, ec2, neptune, kafka, custom-resource, or elasticache
namespace string
// List of scalable targets belonging to the service namespace
scalableTargets() []aws.applicationautoscaling.target
@@ -1674,7 +1674,7 @@ private aws.backup.vault @defaults("name region") {
private aws.backup.vaultRecoveryPoint @defaults("resourceType completionDate status") {
// ARN of the recovery point
arn string
- // Resource type for the recovery point, (e.g., EFS or DynamoDB)
+ // Resource type for the recovery point: EFS, DynamoDB, and so on
resourceType string
// Information about who created the recovery point
createdBy dict
@@ -1830,7 +1830,7 @@ private aws.rds.snapshot @defaults("id region type encrypted") {
id string
// Attribute values that describe permissions to restore the snapshot
attributes() []dict
- // Type of snapshot (manual or automated)
+ // Type of snapshot: manual or automated
type string
// Whether the snapshot is encrypted
encrypted bool
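Review bot: In the `aws.s3.bucket.corsrule` hunk the new comment `// List of allowed methods GET, POST, PUT, and so on` drops the parentheses without adding the colon that every other rewrite in this commit uses (for example `// Type of snapshot: manual or automated` in the `aws.rds.snapshot` hunk), so the value list runs straight into the noun. Suggest `// List of allowed methods: GET, POST, PUT, and so on`. The `aws.s3.bucket.corsrule` definition continues outside the hunk.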
@@ -1944,7 +1944,7 @@ private aws.elasticache.cluster @defaults("cacheClusterId region nodeType engine
clientDownloadLandingPage string
// The node type for the nodes in the cluster
nodeType string
- // The name of the cache engine (Memcached or Redis) used for this cluster
+ // The name of the cache engine used for this cluster: Memcached or Redis
engine string
// The version of the cache engine that is used in this cluster
engineVersion string
@@ -2167,13 +2167,13 @@ aws.ssm @defaults("instances") {
private aws.ssm.instance @defaults("instanceId region platformName platformVersion ipAddress") {
// Instance ID for the SSM Instance
instanceId string
- // Ping status (e.g., online) for the SSM Instance
+ // Ping status (such as online) for the SSM Instance
pingStatus string
// IP Address for the SSM instance
ipAddress string
// Platform name for the SSM Instance, as described by AWS
platformName string
- // The type of for the SSM Instance, as described by AWS (Windows, Linux, etc)
+ // The type of for the SSM Instance, as described by AWS: Windows, Linux, and so on
platformType string
// Platform version for the SSM Instance, as described by AWS
platformVersion string
@@ -2295,7 +2295,7 @@ private aws.ec2.snapshot @defaults("id region volumeSize state") {
startTime time
// Tags for the snapshot
tags map[string]string
- // State of the snapshot (pending, completed, error, recoverable, or recovering)
+ // State of the snapshot: pending, completed, error, recoverable, or recovering
state string
// The size of the volume, in GiB
volumeSize int
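Review bot: The new `platformType` comment in the `aws.ssm.instance` hunk keeps the pre-existing wording "The type of for the SSM Instance", which is missing a word, even though the line was rewritten. The sibling comments in the same hunk use the form `// Platform name for the SSM Instance, as described by AWS`, so `// Platform type for the SSM Instance, as described by AWS: Windows, Linux, and so on` would read correctly and match them. The `aws.ssm.instance` definition continues past the end of the hunk.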
@@ -2315,13 +2315,13 @@ private aws.ec2.volume @defaults("id region volumeType size encrypted state") {
attachments []dict
// Whether the volume is encrypted
encrypted bool
- // State of the volume (creating, available, in-use, etc.)
+ // State of the volume: creating, available, in-use, and so on
state string
// A map of tags associated with the EBS volume
tags map[string]string
// Availability Zone in which the volume was created
availabilityZone string
- // EBS volume type (gp2, gp3, io1, io2, st1, sc1, or standard)
+ // EBS volume type: gp2, gp3, io1, io2, st1, sc1, or standard
volumeType string
// Time the volume was created
createTime time
@@ -2359,9 +2359,9 @@ private aws.ec2.instance @defaults("instanceId region state instanceType archite
httpEndpoint string
// Patch state information about the instance
patchState() dict
- // State of the instance (pending, running, stopping, stopped, rebooting, or terminated)
+ // State of the instance: pending, running, stopping, stopped, rebooting, or terminated
state string
- // List of devices attached to the instance (e.g., EBS volume)
+ // List of devices attached to the instance (such as EBS volume)
deviceMappings []aws.ec2.instance.device
// List of security groups (IDs) associated with the instance
securityGroups []aws.ec2.securitygroup
@@ -2379,7 +2379,7 @@ private aws.ec2.instance @defaults("instanceId region state instanceType archite
ebsOptimized bool
// Whether enhanced networking with ENA is enabled
enaSupported bool
- // Instance type (e.g., t2.micro)
+ // Instance type, such as t2.micro
instanceType string
// Tags on the instance
tags map[string]string
@@ -2403,7 +2403,7 @@ private aws.ec2.instance @defaults("instanceId region state instanceType archite
instanceLifecycle string
// The root device type used by the AMI: ebs or instance-store
rootDeviceType string
- // The device name of the root device volume (for example, /dev/sda1)
+ // The device name of the root device volume, such as /dev/sda1
rootDeviceName string
// The architecture of the instance
architecture string
@@ -2417,7 +2417,7 @@ private aws.ec2.keypair @defaults("name type region") {
fingerprint string
// Name of the key pair
name string
- // Type of key (e.g., RSA)
+ // Type of key, such as RSA
type string
// Tags for the key pair
tags map[string]string
diff --git a/providers/aws/resources/aws.lr.manifest.yaml b/providers/aws/resources/aws.lr.manifest.yaml
index 861aca6fe4..c61270f10f 100755
--- a/providers/aws/resources/aws.lr.manifest.yaml
+++ b/providers/aws/resources/aws.lr.manifest.yaml
@@ -5,7 +5,7 @@ resources:
aws:
docs:
desc: |
- The `aws` can be used to assess the configuration of AWS accounts. It provides the `aws.regions` field for returning a list of enabled AWS regions in the account, and the `aws.vpcs` field which provides a list of VPCs configured within the account.
+ Use the `aws` resource to assess the configuration of AWS accounts. It features the `aws.regions` field, which returns a list of enabled AWS regions in the account, and the `aws.vpcs` field, which provides a list of VPCs configured within the account.
fields:
regions: {}
vpcs: {}
@@ -33,7 +33,7 @@ resources:
aws.accessAnalyzer:
docs:
desc: |
- The `aws.accessAnalyzer` resource returns a list of `aws.accessAnalyzer.analyzer` resources representing all of the AWS IAM Access Analyzers configured across the AWS account.
+ The `aws.accessAnalyzer` resource returns a list AWS IAM Access Analyzers configured across the AWS account.
fields:
analyzers: {}
min_mondoo_version: 5.15.0
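Review bot: The rewritten `aws.accessAnalyzer` description in the `@@ -33,7` manifest hunk reads "returns a list AWS IAM Access Analyzers", missing "of" after "list". Suggest `returns a list of AWS IAM Access Analyzers configured across the AWS account.` so the sentence parses; the snippet title in the following hunk already uses that wording.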
@@ -45,8 +45,7 @@ resources: url: https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html snippets: - query: aws.accessAnalyzer.analyzers - title: Return a list of `aws.accessAnalyzer.analyzer` resources representing - all of the AWS IAM Access Analyzers configured across the AWS account + title: Return a list of AWS IAM Access Analyzers configured across the AWS account - query: "aws.accessAnalyzer.analyzers { \n arn \n name \n status \n type \n}\n" title: Return a list of `aws.accessAnalyzer.analyzer` resources and the value @@ -93,10 +92,9 @@ resources: title: Return the account ID (number) and any configured account aliases aws.acm: docs: - desc: The `aws.acm` resource can be used to assess the configuration of the - AWS Certificates Manager service within the account. This resource returns - a list of `aws.acm.certificate` resources for all ACM certificates found within - the account. + desc: Use the `aws.acm` resource to assess the configuration of the + AWS Certificates Manager service in the account. This resource returns + a list of ACM certificates found in the account. fields: certificates: {} min_mondoo_version: 5.15.0 @@ -119,12 +117,12 @@ resources: aws.acm.certificates. where( status != /PENDING_VALIDATION/ ). all (notAfter - notBefore <= 90 * time.day) - title: Checks whether ACM certificates in your account are marked for expiration + title: Check whether ACM certificates in your account are marked for expiration within 90 days aws.acm.certificate: docs: desc: | - The `aws.acm.certificate` resource provides fields for assessing the configuration of AWS ACM certificates. For usage see the `aws.acm` resource documentation. + The `aws.acm.certificate` resource provides fields for assessing the configuration of AWS ACM certificates. For usage, read the `aws.acm` resource documentation. fields: arn: {} certificate: {} 
@@ -155,7 +153,7 @@ resources: - aws aws.apigateway: docs: - desc: The `aws.apigateway` resource can be used to assess the configuration + desc: Use the `aws.apigateway` resource to assess the configuration of the AWS API Gateway service. fields: restApis: {} @@ -187,17 +185,17 @@ resources: fields - query: "aws.apigateway.restApis.all(stages.all(\n methodSettings['CachingEnabled'] == true && \n methodSettings['CacheDataEncrypted'] == true\n))\n" - title: Checks that all methods in Amazon API Gateway have caching enabled and + title: Check that all methods in Amazon API Gateway have caching enabled and encrypted - query: | aws.apigateway.restApis.all(stages.all( methodSettings['LoggingLevel'] == "ERROR" || methodSettings['LoggingLevel'] == "INFO" )) - title: Checks that all methods in Amazon API Gateway have logging enabled + title: Check that all methods in Amazon API Gateway have logging enabled aws.apigateway.restapi: docs: desc: | - The `aws.apigateway.restapi` resource provides fields representing an individual REST API configured within the AWS account. For usage see the `aws.apigateway` resource documentation. + The `aws.apigateway.restapi` resource provides fields representing an individual REST API configured within the AWS account. For usage, read the `aws.apigateway` resource documentation. fields: arn: {} createdDate: {} @@ -216,7 +214,7 @@ resources: aws.apigateway.stage: docs: desc: | - The `aws.apigateway.stage` resource provides fields representing an individual stage configured on a REST API. For usage see the `aws.apigateway` resource documentation. + The `aws.apigateway.stage` resource provides fields representing an individual stage configured on a REST API. For usage, read the `aws.apigateway` resource documentation. fields: arn: {} deploymentId: {} 
@@ -278,7 +276,7 @@ resources: aws.autoscaling: docs: desc: | - The `aws.autoscaling` resource can be used to assess the configuration of AWS auto scaling groups within an AWS account. This resource provides the `.groups` field which returns a list of `aws.autoscaling.group` resources representing all auto scaling groups configured across all enabled regions across the account. + Use the `aws.autoscaling` resource to assess the configuration of AWS auto scaling groups within an AWS account. This resource provides the `.groups` field, which returns a list of all auto scaling groups configured across all enabled regions across the account. fields: groups: {} min_mondoo_version: 5.15.0 @@ -293,17 +291,17 @@ resources: snippets: - query: "aws.autoscaling.groups { \n arn \n healthCheckType \n loadBalancerNames \n name \n}\n" - title: Return a list of `aws.autoscaling.group` resources representing all auto - scaling groups configured across all enabled regions across the account and - the value for specified fields + title: Return a list of all auto-scaling groups configured across all + enabled regions across the account and + the values for specified fields - query: "aws.autoscaling.groups.where(loadBalancerNames.length > 0) { \n healthCheckType == \"ELB\" \n}\n" - title: Checks that all autoscaling groups assoc with a load balancer use health + title: Check that all autoscaling groups associated with a load balancer use health checks aws.autoscaling.group: docs: desc: | - The `aws.autoscaling.group` resource provides fields representing an individual AWS auto scaling group within the account. For usage see the `aws.autoscaling` resource documentation. + The `aws.autoscaling.group` resource provides fields representing an individual AWS auto scaling group within the account. For usage, read the `aws.autoscaling` resource documentation. fields: arn: {} createdAt: 
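Review bot: The new snippet titles in the `aws.autoscaling` hunk spell the term three ways within a few lines: `all auto-scaling groups` in the first added title, `all autoscaling groups` in the second, and `AWS auto scaling groups` in the description rewritten just above. Pick one spelling for the added lines; "auto scaling" is what the `aws.autoscaling` and `aws.autoscaling.group` descriptions in the same hunk use.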
@@ -331,13 +329,29 @@ resources: name: - aws aws.backup: + docs: + desc: | + Use the `aws.backup` resource to assess the configuration of AWS Backup vaults in an AWS account. This resource provides the `.vaults` field, which returns a list of all AWS Backup vaults configured across all enabled regions across the account. fields: vaults: {} min_mondoo_version: latest platform: name: - aws + refs: + - title: What is AWS Backup? + url: https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html + - title: Compliance validation for AWS Backup + url: https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-compliance.html + snippets: + - query: "aws.backup.vaults { \n arn \n region \n recoveryPoints + \n name \n}\n" + title: Return a list of all AWS Backup vaults configured across all + enabled regions across the account and all their recovery points aws.backup.vault: + docs: + desc: | + The `aws.backup.vault` resource provides fields representing an individual AWS Backup vaults within the account. For usage, read the `aws.backup` resource documentation. fields: arn: {} createdAt: {} @@ -423,7 +437,7 @@ resources: aws.cloudtrail: docs: desc: | - The `aws.cloudtrail` resource can be used to assess the configuration of AWS CloudTrails deployed within an AWS account. The resource provides the `.trails` field which creates a list of `aws.cloudtrail.trail` resources representing all CloudTrails configured across every enabled region. + Use the `aws.cloudtrail` resource to assess the configuration of AWS CloudTrails deployed within an AWS account. The resource provides the `.trails` field, which creates a list of `aws.cloudtrail.trail` resources representing all CloudTrails configured across every enabled region. fields: trails: {} min_mondoo_version: 5.15.0 
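Review bot: The added `aws.backup.vault` description has a number mismatch, "an individual AWS Backup vaults within the account". Suggest `The \`aws.backup.vault\` resource provides fields representing an individual AWS Backup vault within the account.` The added `aws.backup` description and snippet title in the same hunk read correctly.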
@@ -459,7 +473,7 @@ resources: aws.cloudtrail.trail: docs: desc: | - The `aws.cloudtrail.trail` object represents an individual AWS CloudTrail configured within an account. For usage see the `aws.cloudtrail` resource. + The `aws.cloudtrail.trail` object represents an individual AWS CloudTrail configured within an account. For usage, read the `aws.cloudtrail` resource documentation. fields: arn: {} cloudWatchLogsRoleArn: {} @@ -483,7 +497,7 @@ resources: aws.cloudwatch: docs: desc: | - The `aws.cloudwatch` resource is used to assess the configuration of the AWS CloudWatch service. + Use the `aws.cloudwatch` resource to assess the configuration of the AWS CloudWatch service. fields: alarms: {} logGroups: {} @@ -505,11 +519,11 @@ resources: insufficientDataActions.length > 0 == props.cloudwatchAlarmInsufficientDataActionRequired && okActions.length > 0 == props.cloudwatchAlarmOkActionRequired ) - title: Checks that all cloudwatch alarms have at least one action enabled + title: Check that all cloudwatch alarms have at least one action enabled aws.cloudwatch.loggroup: docs: desc: | - The `aws.cloudwatch.loggroup` object represents an individual AWS CloudWatch log group configured within an account. For usage see the `aws.cloudwatch` resource. + The `aws.cloudwatch.loggroup` object represents an individual AWS CloudWatch log group configured within an account. For usage, read the `aws.cloudwatch` resource documentation. fields: arn: {} kmsKey: {} @@ -526,7 +540,7 @@ resources: aws.cloudwatch.loggroup.metricsfilter: docs: desc: | - The `aws.cloudwatch.metricsfilter` object represents an individual AWS CloudWatch metrics filter configured within an account. For usage see the `aws.cloudwatch` resource. + The `aws.cloudwatch.metricsfilter` object represents an individual AWS CloudWatch metrics filter configured within an account. For usage, read the `aws.cloudwatch` resource documentation. fields: filterName: {} filterPattern: {} 
@@ -540,7 +554,7 @@ resources: aws.cloudwatch.metric: docs: desc: | - The `aws.cloudwatch.metric` object represents an individual AWS CloudWatch metric configured within an account. For usage see the `aws.cloudwatch` resource. + The `aws.cloudwatch.metric` object represents an individual AWS CloudWatch metric configured within an account. For usage, read the `aws.cloudwatch` resource documentation. fields: alarms: {} dimensions: @@ -580,7 +594,7 @@ resources: aws.cloudwatch.metricsalarm: docs: desc: | - The `aws.cloudwatch.metricsalarm` object represents an individual AWS CloudWatch metric alarm configured within an account. For usage see the `aws.cloudwatch` resource. + The `aws.cloudwatch.metricsalarm` object represents an individual AWS CloudWatch metric alarm configured within an account. For usage, read the `aws.cloudwatch` resource documentation. fields: actions: {} arn: {} @@ -610,7 +624,7 @@ resources: - aws aws.codebuild: docs: - desc: "The `aws.codebuild` resource is used to assess the configuration of the + desc: "Use the `aws.codebuild` resource to assess the configuration of the AWS CodeBuild service and the projects within. \n" fields: projects: {} 
@@ -637,16 +651,16 @@ resources: - query: "aws.codebuild.projects { \n environment ['EnvironmentVariables'].where(_['Name'] == \"AWS_ACCESS_KEY_ID\") { _['Type'] != \"PLAINTEXT\"}\n environment ['EnvironmentVariables'].where(_['Name'] == \"AWS_SECRET_ACCESS_KEY\") { _['Type'] != \"PLAINTEXT\"} \n}\n" - title: Checks that all projects containing env variables AWS_ACCESS_KEY_ID and + title: Check that all projects containing env variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not in plaintext - query: "aws.codebuild.projects.where( source['Type'] == \"BITBUCKET\" || source['Type'] == \"GITHUB\" ) { \n source['Auth']['Type'] == \"OAUTH\"\n}\n" - title: Checks that all projects using GitHub or Bitbucket as the source use + title: Check that all projects using GitHub or Bitbucket as the source use oauth aws.codebuild.project: docs: desc: | - The `aws.codebuild.project` resource provides fields representing an individual AWS CodeBuild project configured within the account. For usage see the `aws.codebuild` documentation. + The `aws.codebuild.project` resource provides fields representing an individual AWS CodeBuild project configured within the account. For usage, read the `aws.codebuild` documentation. fields: arn: {} description: {} 
@@ -664,7 +678,7 @@ resources: aws.config: docs: desc: | - The `aws.config` resource is used to assess the configuration of the AWS Config service. The resource provides the `.recorders` field which returns a list of `aws.config.recorder` resources representing all AWS Config recorders configured across all enabled regions, as well as the `.rules` field which returns a list of `aws.config.rule` resources representing all AWS Config rules configured across all enabled regions in the account. + Use the `aws.config` resource to assess the configuration of the AWS Config service. The resource provides the `.recorders` field, which returns a list of `aws.config.recorder` resources representing all AWS Config recorders configured across all enabled regions, as well as the `.rules` field, which returns a list of `aws.config.rule` resources representing all AWS Config rules configured across all enabled regions in the account. fields: recorders: {} rules: {} @@ -680,11 +694,11 @@ resources: snippets: - query: "aws.config.rules {\n arn \n state \n source\n}\n" title: Return a list of `aws.config.rule` resources representing AWS Config - rules configured across all enabled regions and the value for specified fields + rules configured across all enabled regions and the values for specified fields - query: "aws.config.recorders {\n name \n roleArn \n allSupported \n includeGlobalResourceTypes \n recording \n lastStatus \n region \n}\n" title: Return a list of AWS Config recorders configured across all enabled regions - and the value for specified fields + and the values for specified fields - query: | aws.config.recorders.any(allSupported == true && includeGlobalResourceTypes == true) aws.config.recorders.where(allSupported == true && includeGlobalResourceTypes == true).all( 
@@ -694,7 +708,7 @@ resources: aws.config.recorder: docs: desc: "The `aws.config.recorder` resource provides fields representing an individual - AWS Config recorder configured within an account. For usage see the `aws.config` + AWS Config recorder configured within an account. For usage, read the `aws.config` resource documentation. \n" fields: allSupported: {} @@ -712,7 +726,7 @@ resources: aws.config.rule: docs: desc: | - The `aws.config.rule` resource provides fields representing an individual AWS Config rule configured within an account. For usage see the `aws.config` resource documentation. + The `aws.config.rule` resource provides fields representing an individual AWS Config rule configured within an account. For usage, read the `aws.config` resource documentation. fields: arn: {} description: @@ -733,7 +747,7 @@ resources: aws.dms: docs: desc: | - The `aws.dms` resource is used to assess the configuration of the AWS Database Migration service. + Use the `aws.dms` resource to assess the configuration of the AWS Database Migration service. fields: replicationInstances: {} min_mondoo_version: 5.15.0 @@ -750,12 +764,12 @@ resources: aws.dms.replicationInstances.none( _['PubliclyAccessible'] == true ) - title: Checks whether AWS Database Migration Service replication instances are + title: Check whether AWS Database Migration Service replication instances are public aws.dynamodb: docs: desc: | - The `aws.dynamodb` resource can be used to assess the configuration of the AWS DynamoDB. + Use the `aws.dynamodb` resource to assess the configuration of the AWS DynamoDB. fields: backups: {} globalTables: {} 
@@ -782,12 +796,12 @@ resources: specified fields - query: "aws.dynamodb.tables.all( \n sseDescription['SSEType'] == 'KMS' && sseDescription['Status'] == 'ENABLED'\n)\n" - title: Checks that all DynamoDB tables are encrypted with AWS Key Management + title: Check that all DynamoDB tables are encrypted with AWS Key Management Service (KMS) aws.dynamodb.globaltable: docs: desc: | - The `aws.dynamodb.globaltable` resource provides fields representing a DynamoDB Global Table. For usage see `aws.dynamodb` resource documentation. + The `aws.dynamodb.globaltable` resource provides fields representing a DynamoDB global table. For usage, see `aws.dynamodb` resource documentation. fields: arn: {} name: {} @@ -802,7 +816,7 @@ resources: aws.dynamodb.limit: docs: desc: | - The `aws.dynamodb.limit` resource provides fields representing a DynamoDB limit configuration. For usage see `aws.dynamodb` resource documentation. + The `aws.dynamodb.limit` resource provides fields representing a DynamoDB limit configuration. For usage, see `aws.dynamodb` resource documentation. fields: accountMaxRead: {} accountMaxWrite: {} @@ -818,7 +832,7 @@ resources: aws.dynamodb.table: docs: desc: | - The `aws.dynamodb.table` resource provides fields representing a DynamoDB Table. For usage see `aws.dynamodb` resource documentation. + The `aws.dynamodb.table` resource provides fields representing a DynamoDB table. For usage, see `aws.dynamodb` resource documentation. fields: arn: {} backups: {} @@ -849,7 +863,7 @@ resources: aws.ec2: docs: desc: | - The `aws.ec2` resource can be used to assess the configuration of AWS EC2 instances. + Use the `aws.ec2` resource to assess the configuration of AWS EC2 instances. fields: ebsEncryptionByDefault: {} instances: {} 
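Review bot: The rewritten `aws.dynamodb.globaltable`, `aws.dynamodb.limit` and `aws.dynamodb.table` descriptions in this hunk end with "For usage, see `aws.dynamodb` resource documentation.", while the rest of the commit rewrites that sentence as "For usage, read the `…` resource documentation." (for example the `aws.cloudtrail.trail` and `aws.codebuild.project` hunks). The same "see" form without "the" remains in the `aws.ec2.*` descriptions of the following hunks through `aws.ec2.vpnconnection`. Suggest the uniform `For usage, read the \`aws.dynamodb\` resource documentation.` here and the matching `aws.ec2` wording there.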
@@ -875,7 +889,7 @@ resources: \n securityGroups\n publicDnsName \n instanceStatus\n stateReason \n stateTransitionReason \n ebsOptimized \n instanceType \n tags \n image\n launchTime \n}\n" title: Return a list of all EC2 instances across all enabled regions in the - account and the value for specified fields + account and the values for specified fields - query: | aws.ec2.securityGroups { arn @@ -897,7 +911,7 @@ resources: aws.ec2.image: docs: desc: | - The `aws.ec2.image` resource provides fields for assessing AMIs within an account. For usage see `aws.ec2` resource. + The `aws.ec2.image` resource provides fields for assessing AMIs within an account. For usage, see `aws.ec2` resource documentation. fields: architecture: {} arn: {} @@ -914,7 +928,7 @@ resources: aws.ec2.instance: docs: desc: | - The `aws.ec2.instance` resource provides fields for assessing the configuration of EC2 instances within an account. For usage see `aws.ec2` resource. + The `aws.ec2.instance` resource provides fields for assessing the configuration of EC2 instances within an account. For usage, see `aws.ec2` resource documentation. fields: architecture: min_mondoo_version: 9.0.0 @@ -970,7 +984,7 @@ resources: aws.ec2.instance.device: docs: desc: | - The `aws.ec2.instance.device` resource provides fields for assessing the configuration of devices attached to EC2 instances within an account. For usage see `aws.ec2` resource. + The `aws.ec2.instance.device` resource provides fields for assessing the configuration of devices attached to EC2 instances within an account. For usage, see `aws.ec2` resource documentation. fields: deleteOnTermination: {} deviceName: {} 
@@ -984,7 +998,7 @@ resources: aws.ec2.internetgateway: docs: desc: | - The `aws.ec2.internetgateway` resource provides fields for assessing the configuration of internet gateways within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.internetgateway` resource provides fields for assessing the configuration of internet gateways within an AWS account. For usage, see `aws.ec2` resource documentation. fields: arn: {} attachments: {} @@ -1011,7 +1025,7 @@ resources: aws.ec2.networkacl: docs: desc: | - The `aws.ec2.networkacl` resource provides fields for assessing the configuration of VPC network ACLs within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.networkacl` resource provides fields for assessing the configuration of VPC network ACLs within an AWS account. For usage, see `aws.ec2` resource documentation. fields: arn: {} entries: {} @@ -1029,7 +1043,7 @@ resources: aws.ec2.networkacl.entry: docs: desc: | - The `aws.ec2.networkacl.entry` resource provides fields for assessing the configuration of network ACL entries within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.networkacl.entry` resource provides fields for assessing the configuration of network ACL entries within an AWS account. For usage, see `aws.ec2` resource documentation. fields: cidrBlock: min_mondoo_version: 9.0.0 @@ -1049,7 +1063,7 @@ resources: aws.ec2.networkacl.entry.portrange: docs: desc: | - The `aws.ec2.networkacl.portrange` resource provides fields for assessing the port range configuration of network ACL entries within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.networkacl.portrange` resource provides fields for assessing the port range configuration of network ACL entries within an AWS account. For usage, see `aws.ec2` resource documentation. fields: from: {} id: {} 
@@ -1062,7 +1076,7 @@ resources: aws.ec2.securitygroup: docs: desc: | - The `aws.ec2.securitygroup` resource provides fields for assessing the configuration of security groups within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.securitygroup` resource provides fields for assessing the configuration of security groups within an AWS account. For usage, see `aws.ec2` resource documentation. fields: arn: {} description: {} @@ -1082,7 +1096,7 @@ resources: aws.ec2.securitygroup.ippermission: docs: desc: | - The `aws.ec2.securitygroup.ippermission` resource provides fields for assessing the configuration of ip permissions for security groups within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.securitygroup.ippermission` resource provides fields for assessing the configuration of ip permissions for security groups within an AWS account. For usage, see `aws.ec2` resource documentation. fields: fromPort: {} id: {} @@ -1098,7 +1112,7 @@ resources: aws.ec2.snapshot: docs: desc: | - The `aws.ec2.snapshot` resource provides fields for assessing the configuration of EBS snapshots within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.snapshot` resource provides fields for assessing the configuration of EBS snapshots within an AWS account. For usage, see `aws.ec2` resource documentation. fields: arn: {} createVolumePermission: {} @@ -1122,7 +1136,7 @@ resources: aws.ec2.vgwtelemetry: docs: desc: | - The `aws.ec2.vgwtelemetry` resource provides fields for assessing the configuration of telemetry for VPN tunnels within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.vgwtelemetry` resource provides fields for assessing the configuration of telemetry for VPN tunnels within an AWS account. For usage, see `aws.ec2` resource documentation. fields: outsideIpAddress: {} status: {} 
@@ -1135,7 +1149,7 @@ resources: aws.ec2.volume: docs: desc: | - The `aws.ec2.volume` resource provides fields for assessing the configuration of EBS volumes within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.volume` resource provides fields for assessing the configuration of EBS volumes within an AWS account. For usage, see `aws.ec2` resource documentation. fields: arn: {} attachments: {} @@ -1164,7 +1178,7 @@ resources: aws.ec2.vpnconnection: docs: desc: | - The `aws.ec2.vpnconnection` resource provides fields for assessing the configuration of VPN connections within an AWS account. For usage see `aws.ec2` resource. + The `aws.ec2.vpnconnection` resource provides fields for assessing the configuration of VPN connections within an AWS account. For usage, see `aws.ec2` resource documentation. fields: arn: {} vgwTelemetry: {} @@ -1176,7 +1190,7 @@ resources: aws.ecr: docs: desc: | - The `aws.ecr` resource can be used to assess the configuration of an Amazon Elastic Container Registry. + The `aws.ecr` resource to assess the configuration of an Amazon Elastic Container Registry. fields: images: {} privateRepositories: {} @@ -1195,7 +1209,7 @@ resources: aws.ecr.image: docs: desc: | - The `aws.ecr.image` resource can be used to assess a container image stored in an Amazon Elastic Container Registry. + Use the `aws.ecr.image` resource to assess a container image stored in an Amazon Elastic Container Registry. fields: arn: {} digest: {} @@ -1218,7 +1232,7 @@ resources: aws.ecr.repository: docs: desc: | - The `aws.ecr.repository` resource can be used to assess the Amazon Elastic Container Registry repositories. + Use the `aws.ecr.repository` resource to assess the Amazon Elastic Container Registry repositories. fields: arn: {} imageScanOnPush: 
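Review bot: The rewritten `aws.ecr` description in the hunk at -1176 lost its verb: the new line reads "The `aws.ecr` resource to assess the configuration of an Amazon Elastic Container Registry." and is no longer a sentence. The sibling `aws.ecr.image` and `aws.ecr.repository` descriptions in the same hunk were correctly rewritten to the "Use the … resource to assess …" form, so this one should match: `Use the aws.ecr resource to assess the configuration of an Amazon Elastic Container Registry.` (with `aws.ecr` in code formatting as the siblings do).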
@@ -1318,7 +1332,7 @@ resources: aws.efs: docs: desc: | - The `aws.efs` resource can be used to assess the configuration of Amazon Elastic File System deployments. + Use the `aws.efs` resource to assess the configuration of Amazon Elastic File System deployments. fields: filesystems: {} min_mondoo_version: 5.15.0 @@ -1343,12 +1357,12 @@ resources: deployments across all enabled regions in the account - query: "aws.efs.filesystems.all(\n encrypted == true && kmsKey.arn == /^arn:aws:kms:.*/ \n)\n" - title: Checks whether all EFS systems are configured to encrypt file data using + title: Check whether all EFS systems are configured to encrypt file data using KMS aws.efs.filesystem: docs: desc: "The `aws.efs.filesystem` resource provides fields for assessing the configuration - of individual EFS deployments. For usage see the `aws.efs` resource documentation. + of individual EFS deployments. For usage, read the `aws.efs` resource documentation. \n" fields: arn: {} @@ -1397,7 +1411,7 @@ resources: - aws aws.elasticache: docs: - desc: "The `aws.elasticache` resource can be used to assess the configuration + desc: "Use the `aws.elasticache` resource to assess the configuration of Amazon ElastiCache. \n" fields: cacheClusters: {} @@ -1414,7 +1428,7 @@ resources: aws.elasticache.clusters.all( _['SnapshotRetentionLimit'] > _['SnapshotRetentionPeriod'] ) - title: Checks if the ElastiCache Redis clusters have automatic backup turned + title: Check if the ElastiCache Redis clusters have automatic backup turned on aws.elasticache.cluster: fields: @@ -1454,7 +1468,7 @@ resources: aws.elb: docs: desc: | - The `aws.elb` resource can be used to assess the configuration of Amazon Elastic Load Balancers within an AWS account. + Use the `aws.elb` resource to assess the configuration of Amazon Elastic Load Balancers within an AWS account. fields: classicLoadBalancers: {} loadBalancers: {} 
@@ -1490,16 +1504,16 @@ resources: enabled region and the values for specified fields - query: "aws.elb.loadBalancers.all( listenerDescriptions.any ( \n _['Protocol'] == \"HTTPS\" || _['Protocol'] == \"SSL\" ) \n)\n" - title: Checks whether HTTP to HTTPS redirection is configured on all application + title: Check whether HTTP to HTTPS redirection is configured on all application load balancer http listeners - query: "aws.elb.classicLoadBalancers.all( listenerDescriptions.any ( \n _['Listener']['Protocol'] == \"HTTPS\" || _['Listener']['Protocol'] == \"SSL\" ) \n)\n" - title: Checks that all Classic Load Balancers use SSL certificates provided + title: Check that all Classic Load Balancers use SSL certificates provided by AWS Cert Mgr aws.elb.loadbalancer: docs: desc: | - The `aws.elb.loadbalancer` resource provides fields for assessing the configuration of individual classic, application, gateway, and network Amazon Elastic Load Balancers. For usage see the `aws.elb` documentation. + The `aws.elb.loadbalancer` resource provides fields for assessing the configuration of individual classic, application, gateway, and network Amazon Elastic Load Balancers. For usage, read the `aws.elb` documentation. fields: arn: {} attributes: {} @@ -1519,7 +1533,7 @@ resources: aws.emr: docs: desc: | - The `aws.emr` resource can be used to assess the configuration of Amazon EMR clusters. This resource provides a list of `aws.emr.cluster` resources representing EMR clusters deployed across all enabled regions. + Use the `aws.emr` resource to assess the configuration of Amazon EMR clusters. This resource provides a list of `aws.emr.cluster` resources representing EMR clusters deployed across all enabled regions. fields: clusters: {} min_mondoo_version: 5.15.0 
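Review bot: The retitled ELB snippets in the hunk at -1490 still describe checks their queries do not perform. The first query only asserts that every load balancer has at least one listener whose `Protocol` is HTTPS or SSL and never inspects a redirect action, so "HTTP to HTTPS redirection is configured" overstates it; the second query likewise never looks at which certificate a classic listener uses, so "SSL certificates provided by AWS Cert Mgr" is unverified. Because these titles are what a user reads when picking a control, retitle them to what is actually checked, `title: Check that every application load balancer has at least one HTTPS or SSL listener` and `title: Check that every Classic Load Balancer has at least one HTTPS or SSL listener`, or extend the queries (for example by matching the listener's certificate ARN against `/^arn:aws:acm:/`, if the listener dict exposes it) before keeping the stronger wording.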
@@ -1546,11 +1560,11 @@ resources: aws.emr.clusters.all( masterInstances { _['PublicIpAddress'] == null } ) - title: Checks whether EMR cluster master nodes have public ips + title: Check whether EMR cluster master nodes have public ips aws.emr.cluster: docs: desc: | - The `aws.emr.cluster` resource provides fields for assessing the configuration of individual Amazon EMR clusters. For usage see the `aws.emr` resource documentation. + The `aws.emr.cluster` resource provides fields for assessing the configuration of individual Amazon EMR clusters. For usage, read the `aws.emr` resource documentation. fields: arn: {} id: {} @@ -1568,7 +1582,7 @@ resources: aws.es: docs: desc: | - The `aws.es` resource can be used to assess the configuration of Amazon Elasticsearch domains. This resource provides a list of `aws.es.domain` resources representing Elasticsearch domains deployed across all enabled regions. + Use the `aws.es` resource to assess the configuration of Amazon Elasticsearch domains. This resource provides a list of `aws.es.domain` resources representing Elasticsearch domains deployed across all enabled regions. fields: domains: {} min_mondoo_version: 5.15.0 @@ -1581,7 +1595,7 @@ resources: aws.es.domain: docs: desc: | - The `aws.es.domain` provides fields for assessing the configuration of individual Amazon Elasticsearch domains. For usage see the `aws.es` resource documentation + The `aws.es.domain` provides fields for assessing the configuration of individual Amazon Elasticsearch domains. For usage, read the `aws.es` resource documentation fields: arn: {} domainId: 
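Review bot: The retitled EMR snippet in the hunk at -1546 reads as a neutral question while its query asserts a specific condition: `masterInstances { _['PublicIpAddress'] == null }` passes only when master nodes have no public IP. A reader skimming titles could take a passing result to mean public IPs are present. Suggest `title: Check that EMR cluster master nodes do not have public IPs`, which also matches the "Check that …" phrasing used by the other retitled snippets in this commit.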
@@ -1604,7 +1618,7 @@ resources: aws.guardduty: docs: desc: | - The `aws.guardduty` resource can be used to assess the configuration of the AWS GuardDuty service. The resource provides a list of `aws.guardduty.detector` resources representing GuardDuty Detectors deployed across all enabled regions. + Use the `aws.guardduty` resource to assess the configuration of the AWS GuardDuty service. The resource provides a list of `aws.guardduty.detector` resources representing GuardDuty Detectors deployed across all enabled regions. fields: detectors: {} min_mondoo_version: 5.15.0 @@ -1627,11 +1641,11 @@ resources: specified fields - query: | aws.guardduty.detectors.all( status == "ENABLED" ) - title: Checks that guardduty is enabled in all regions + title: Check that guardduty is enabled in all regions aws.guardduty.detector: docs: desc: | - The `aws.guardduty.detector` provides fields for assessing the configuration of individual Amazon GuardDuty Detectors. For usage see the `aws.guardduty` resource documentation + The `aws.guardduty.detector` provides fields for assessing the configuration of individual Amazon GuardDuty Detectors. For usage, read the `aws.guardduty` resource documentation fields: findingPublishingFrequency: {} id: {} @@ -1646,7 +1660,7 @@ resources: aws.iam: docs: desc: | - The `aws.iam` resource can be used to assess the configuration of the AWS IAM service. The resource provides a list of `aws.iam.user` resources representing GuardDuty Detectors deployed across all enabled regions. + Use the `aws.iam` resource to assess the configuration of the AWS IAM service. The resource provides a list of `aws.iam.user` resources representing GuardDuty Detectors deployed across all enabled regions. fields: accountPasswordPolicy: {} accountSummary: {} 
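Review bot: The GuardDuty snippet retitled in the hunk at -1627 claims to check that GuardDuty is enabled in all regions, but `aws.guardduty.detectors.all( status == "ENABLED" )` only iterates detectors that exist; a region with no detector contributes no element, so, assuming `all` evaluates true on an empty list, the check passes vacuously for that region and for an account with zero detectors. Either retitle it to what it proves, `title: Check that every existing GuardDuty detector is enabled`, or add a non-emptiness guard such as `aws.guardduty.detectors.length > 0 && aws.guardduty.detectors.all( status == "ENABLED" )` and note in the title that per-region coverage still needs a region list to compare against.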
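Review bot: The rewritten `aws.iam` description in the hunk at -1646 still says the `aws.iam.user` list represents "GuardDuty Detectors deployed across all enabled regions", text carried over from the `aws.guardduty` entry above it; IAM is a global service, so the per-region wording is wrong as well. Since the commit already touched this sentence, it should end `representing the IAM users in the account` instead of `representing GuardDuty Detectors deployed across all enabled regions`; the `accountPasswordPolicy` and `accountSummary` fields visible in the hunk could be mentioned too.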
@@ -1691,7 +1705,7 @@ resources: aws.iam.group: docs: desc: | - The `aws.iam.group` provides fields for assessing the configuration of IAM Groups. For usage see the `aws.iam` resource documentation. + The `aws.iam.group` provides fields for assessing the configuration of IAM Groups. For usage, read the `aws.iam` resource documentation. fields: arn: {} createDate: {} @@ -1714,7 +1728,7 @@ resources: aws.iam.policy: docs: desc: | - The `aws.iam.policy` provides fields for assessing the configuration of individual IAM Policies. For usage see the `aws.iam` resource documentation. + The `aws.iam.policy` provides fields for assessing the configuration of individual IAM Policies. For usage, read the `aws.iam` resource documentation. fields: arn: {} attachedGroups: {} @@ -1738,7 +1752,7 @@ resources: aws.iam.policyversion: docs: desc: | - The `aws.iam.policyversion` provides fields for assessing the metadata for IAM Policy versions. For usage see the `aws.iam` resource documentation. + The `aws.iam.policyversion` provides fields for assessing the metadata for IAM Policy versions. For usage, read the `aws.iam` resource documentation. fields: arn: {} createDate: {} @@ -1753,7 +1767,7 @@ resources: aws.iam.role: docs: desc: | - The `aws.iam.role` provides fields for assessing the configuration of individual IAM Roles. For usage see the `aws.iam` resource documentation. + The `aws.iam.role` provides fields for assessing the configuration of individual IAM Roles. For usage, read the `aws.iam` resource documentation. fields: arn: {} createDate: {} @@ -1769,7 +1783,7 @@ resources: aws.iam.user: docs: desc: | - The `aws.iam.user` provides fields for assessing the configuration of individual IAM users. For usage see the `aws.iam` resource documentation. + The `aws.iam.user` provides fields for assessing the configuration of individual IAM users. For usage, read the `aws.iam` resource documentation. fields: accessKeys: {} arn: {} 
@@ -1791,7 +1805,7 @@ resources: aws.iam.usercredentialreportentry: docs: desc: | - The `aws.iam.credentialreportentry` provides fields for assessing the metadata for individual IAM Credential Report entries. For usage see the `aws.iam` resource documentation. + The `aws.iam.credentialreportentry` provides fields for assessing the metadata for individual IAM Credential Report entries. For usage, read the `aws.iam` resource documentation. fields: accessKey1Active: {} accessKey1LastRotated: {} @@ -1824,7 +1838,7 @@ resources: aws.iam.virtualmfadevice: docs: desc: | - The `aws.iam.virtualmfadevice` provides fields for assessing the metadata for individual virtual MFA devices associated with IAM users. For usage see the `aws.iam` resource documentation. + The `aws.iam.virtualmfadevice` provides fields for assessing the metadata for individual virtual MFA devices associated with IAM users. For usage, read the `aws.iam` resource documentation. fields: enableDate: {} serialNumber: {} @@ -1836,7 +1850,7 @@ resources: - aws aws.kms: docs: - desc: "The `aws.kms` resource can be used to assess the configuration of AWS + desc: "Use the `aws.kms` resource to assess the configuration of AWS KMS keys. \n" fields: keys: {} @@ -1851,7 +1865,7 @@ resources: aws.kms.key: docs: desc: | - The `aws.kms.key` provides fields for assessing the configuration of individual KMS keys. For usage see the `aws.kms` resource documentation. + The `aws.kms.key` provides fields for assessing the configuration of individual KMS keys. For usage, read the `aws.kms` resource documentation. fields: arn: {} id: {} @@ -1865,7 +1879,7 @@ resources: - aws aws.lambda: docs: - desc: "The `aws.lambda` resource can be used to assess the configuration of + desc: "Use the `aws.lambda` resource to assess the configuration of AWS Lambda. \n" fields: functions: {} 
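Review bot: The description rewritten in the hunk at -1791 names the resource `aws.iam.credentialreportentry`, but the manifest key it documents is `aws.iam.usercredentialreportentry`; readers searching by resource name will not find it, and the commit touched this exact sentence without fixing it. Suggest `The aws.iam.usercredentialreportentry provides fields for assessing the metadata for individual IAM Credential Report entries.` (resource name in code formatting as elsewhere).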
@@ -1876,7 +1890,7 @@ resources: aws.lambda.function: docs: desc: | - The `aws.lambda.function` provides fields for assessing the configuration of individual AWS Lambda functions. For usage see the `aws.lambda` resource documentation. + The `aws.lambda.function` provides fields for assessing the configuration of individual AWS Lambda functions. For usage, read the `aws.lambda` resource documentation. fields: arn: {} concurrency: {} @@ -1906,7 +1920,7 @@ resources: aws.rds: docs: desc: | - The `aws.rds` resource can be used to assess the configuration of AWS RDS deployments. The resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, each with fields for assessing the configuration of those assets. + Use the `aws.rds` resource to assess the configuration of AWS RDS deployments. The resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, each with fields for assessing the configuration of those assets. fields: dbClusters: {} dbInstances: {} @@ -1919,9 +1933,9 @@ resources: url: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html snippets: - query: aws.rds.dbInstances.all(snapshots.length > 0) - title: Checks whether RDS DB instances have backups enabled + title: Check whether RDS DB instances have backups enabled - query: aws.rds.dbInstances.all(multiAZ == true) - title: Checks whether high availability is enabled for all rds instances + title: Check whether high availability is enabled for all rds instances - query: aws.rds.dbClusters { snapshots.where( encrypted == false) } { arn region id } title: Return a list of RDS Clusters across all regions where snapshots are 
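Review bot: The RDS snippet retitled "Check whether RDS DB instances have backups enabled" in the hunk at -1919 is backed by `aws.rds.dbInstances.all(snapshots.length > 0)`, which only proves that at least one snapshot exists; a single manual snapshot taken once satisfies it while automated backups stay disabled, and a freshly created instance with backups enabled fails until its first backup window. If the instance resource exposes the backup retention setting, assert that it is greater than zero instead; otherwise retitle to `title: Check that every RDS DB instance has at least one snapshot` so the title does not overstate the control.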
@@ -1981,7 +1995,7 @@ resources: aws.rds.dbinstance: docs: desc: | - The `aws.rds.dbinstance` fields for assessing the configuration of RDS instances. For usage see the `aws.rds` resource documentation. + The `aws.rds.dbinstance` provides fields for assessing the configuration of RDS instances. For usage, read the `aws.rds` resource documentation. fields: arn: {} autoMinorVersionUpgrade: @@ -2032,7 +2046,7 @@ resources: aws.rds.snapshot: docs: desc: | - The `aws.rds.snapshot` fields for assessing the configuration of RDS snapshots. For usage see the `aws.rds` resource documentation. + The `aws.rds.snapshot` provides fields for assessing the configuration of RDS snapshots. For usage, read the `aws.rds` resource documentation. fields: allocatedStorage: min_mondoo_version: 9.0.0 @@ -2056,7 +2070,7 @@ resources: aws.redshift: docs: desc: | - The `aws.redshift` resource can be used to assess the configuration of Amazon Redshift deployments. The resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, each with fields for assessing the configuration of those assets. + Use the `aws.redshift` resource to assess the configuration of Amazon Redshift deployments. The resource returns lists of `aws.rds.dbcluster`, `aws.rds.dbinstance`, and `aws.rds.snapshot` resources, each with fields for assessing the configuration of those assets. fields: clusters: {} min_mondoo_version: 5.15.0 
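Review bot: The `aws.redshift` description rewritten in the hunk at -2056 still lists `aws.rds.dbcluster`, `aws.rds.dbinstance` and `aws.rds.snapshot` as its return types, text carried over from the `aws.rds` entry, while the only field shown for the resource is `clusters`. Suggest `Use the aws.redshift resource to assess the configuration of Amazon Redshift deployments. The resource returns a list of Redshift cluster resources via its clusters field, each with fields for assessing the configuration of that cluster.`, naming the cluster resource type if the .lr defines one.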
@@ -2172,21 +2186,21 @@ resources: publicAccessBlock exists } - title: Return a list of AWS S3 buckets and the value for specified fields + title: Return a list of AWS S3 buckets and the values for specified fields - query: "aws.s3.buckets.where( public == true ) {\n arn\n name\n location\n \ tags\n publicAccessBlock \n}\n" title: Return a list of AWS S3 buckets that are public and return the values for the `arn` `name` `location` `tags` and `publicAccessBlock` - query: "aws.s3.buckets.all( \n replication['Rules'] { _['Status'] == \"Enabled\" }\n)\n" - title: Checks whether S3 buckets have cross-region replication enabled + title: Check whether S3 buckets have cross-region replication enabled - query: "aws.s3.buckets.all( \n encryption['Rules'] { _['ApplyServerSideEncryptionByDefault']['KMSMasterKeyID'] == /^arn:aws:kms:.*/}\n)\n" - title: Checks that all buckets are encrypted with kms + title: Check that all buckets are encrypted with kms aws.s3.bucket: docs: desc: | - The `aws.s3.bucket` resource provides fields for assessing the configuration of AWS S3 buckets. For usage see the `aws.s3` resource documentation. + The `aws.s3.bucket` resource provides fields for assessing the configuration of AWS S3 buckets. For usage, read the `aws.s3` resource documentation. fields: acl: {} arn: {} diff --git a/providers/azure/resources/azure.lr.manifest.yaml b/providers/azure/resources/azure.lr.manifest.yaml index 31a244299a..d8bbcd67a6 100644 --- a/providers/azure/resources/azure.lr.manifest.yaml +++ b/providers/azure/resources/azure.lr.manifest.yaml @@ -9,6 +9,9 @@ resources: name: - azure azure.subscription: + docs: + desc: | + Use the `azure.subscription` resource to assess the configuration of Azure subscriptions. fields: advisor: {} aks: {} 
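Review bot: The S3 snippet retitled "Check whether S3 buckets have cross-region replication enabled" in the hunk at -2172 is backed by `replication['Rules'] { _['Status'] == "Enabled" }`, which only confirms that replication rules are enabled; it never looks at the destination, so a bucket replicating within its own region also passes. Either retitle it to `title: Check that every S3 bucket has at least one enabled replication rule`, or compare the rule destination's region with the bucket's `location` if the rule dict carries it.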
@@ -40,6 +43,9 @@ resources: platform: name: - azure + snippets: + - query: "azure.subscription {\n subscriptionId \n managedByTenants\n}\n" + title: Return the subscription ID and a list of tenants that manage the subscription azure.subscription.advisor: fields: recommendations: {} @@ -57,6 +63,9 @@ resources: name: - azure azure.subscription.advisorService: + docs: + desc: | + Use the `azure.subscription.advisorService` resource to retrieve scoring and recommendations from Microsoft Azure Advisor. fields: averageScore: {} recommendations: {} @@ -67,6 +76,9 @@ resources: platform: name: - azure + snippets: + - query: "azure.subscription.advisorService {\n averageScore > 90\n}\n" + title: Check if the average score that the Azure Advisor service gives the subscription is greater than 90 azure.subscription.advisorService.recommendation: fields: category: {}
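Review bot: The new advisorService snippet in the hunk at -67 is titled as a check but written as a field projection, `azure.subscription.advisorService {\n averageScore > 90\n}`, the same block form the page's "Return …" snippets use, whereas every "Check …" snippet in this manifest is a bare boolean or an `.all(...)` call. If the block form only returns the evaluated expression rather than asserting it, the snippet should be `azure.subscription.advisorService.averageScore > 90` to match its title. The subscription snippet in the -40 hunk carries a "Return" title and is consistent as written.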