Policy Rule Helper Functions

Open Raven has a number of Helper Functions to assist you with creating Policy Rules.

When creating Policy Rules, you can use these Helper Functions by importing data.helpers. Or, you can use these Helper Functions as a template within your own Rule.

package helpers

#DATA TYPE DEFINITIONS

isIAM {
    input.asset.resourceType == "AWS::IAM::User"
}

isSecurityGroup {
    input.asset.resourceType == "AWS::EC2::SecurityGroup"
}

isEFS {
    input.asset.resourceType == "AWS::EFS::FileSystem"
}

isFsx {
    input.asset.resourceType == "AWS::FSx::FileSystem"
}

isFsxLustre {
    input.asset.resourceType == "AWS::FSx::FileSystem"
    input.asset.configuration.fileSystemTypeAsString == "LUSTRE"
}

isFsxWindows {
    input.asset.resourceType == "AWS::FSx::FileSystem"
    input.asset.configuration.windowsConfiguration != null
}

isRedshift {
    input.asset.resourceType == "AWS::Redshift::Cluster"
}

isDynamoDB {
    input.asset.resourceType == "AWS::DynamoDB::Table"
}

isDynamoDBGlobal {
    input.asset.resourceType == "AWS::DynamoDB::GlobalTable"
}

isGlacier {
    input.asset.resourceType == "AWS::Glacier::Vault"
}

isBackupVault {
    input.asset.resourceType == "AWS::Backup::BackupVault"
}

isEc2Instance {
    input.asset.resourceType == "AWS::EC2::Instance"
}

isEcsCluster {
    input.asset.resourceType == "AWS::ECS::Cluster"
}

isEksCluser {
    input.asset.resourceType == "AWS::EKS::Cluster"
}

isCassandraKeyspaces {
    input.asset.resourceType == "AWS::Cassandra::Keyspace"
}

isNeptuneCluster {
    input.asset.resourceType == "AWS::Neptune::Cluster"
}

isNeptuneInstance {
    input.asset.resourceType == "AWS::Neptune::Instance"
}

isQuantumLedgerDB {
    input.asset.resourceType == "AWS::Qldb::Ledger"
}

isElasticLoadBalancerv1 {
    input.asset.resourceType == "AWS::ElasticLoadBalancing::LoadBalancer"
}

isElasticLoadBalancerv2 {
    input.asset.resourceType == "AWS::ElasticLoadBalancingV2::LoadBalancer"
}

isElasticSearchDomain {
    input.asset.resourceType == "AWS::Elasticsearch::Domain"
}

isEmrCluster {
    input.asset.resourceType == "AWS::EMR::Cluster"
}

isElastiCache{
    input.asset.resourceType == "AWS::ElastiCache::Cluster"
}

isRdsInstance {
    input.asset.resourceType == "AWS::RDS::DBInstance"
}

isRedShiftCluster {
    input.asset.resourceType == "AWS::Redshift::Cluster"
}

isS3Bucket {
    input.asset.resourceType == "AWS::S3::Bucket"
}

isS3BucketObject {
    input.asset.resourceType == "AWS::S3::BucketObject"
}

isAurora {
    input.asset.resourceType == "AWS::RDS::DBInstance"
    input.asset.configuration.engine == "aurora"
}

isPostgresSql {
    input.asset.resourceType == "AWS::RDS::DBInstance"
    input.asset.configuration.engine == "aurora-postgresql"
}

isPostgresSql {
    input.asset.resourceType == "AWS::RDS::DBInstance"
    input.asset.configuration.engine == "postgres"
}

isDocumentDB {
    input.asset.resourceType == "AWS::RDS::DBInstance"
    input.asset.configuration.engine = "docdb"
}

isELK {
    input.asset.resourceType == "AWS::Elasticsearch::Domain"
}

isStorageGateway {
    input.asset.resourceType == "AWS::StorageGateway::Gateway"
}

isLightsail {
    input.asset.resourceType == "AWS::Lightsail::Database"
}

isBatch {
    input.asset.resourceType == "AWS::Batch::ComputeEnvironment"
}

isLambda {
    input.asset.resourceType == "AWS::FSx::Function"
}

isElasticBeanstalk {
    input.asset.resourceType == "AWS::Eb::Environment "
}

isRoute53 {
    input.asset.resourceType == "AWS::Route53::HostedZone"
}


isCloudFront {
    input.asset.resourceType == "AWS::Cloudfront::Distribution"
}


isLakeFormation {
    input.asset.resourceType == "AWS::LakeFormation::Resource"
}


isCloudSearch {
    input.asset.resourceType == "AWS::CloudSearch::Domain"
}

isAthena {
    input.asset.resourceType == "AWS::Athena::dataCatalog"
}

isSecretsManager {
    input.asset.resourceType == "AWS::SecretsManager"
}

isKMS {
    input.asset.resourceType == "AWS::Kms::Key"
}

isMySQL {
    isRdsInstance
    contains(input.asset.configuration.engine, "mysql")
}

isMariaDB {
    isRdsInstance
    contains(input.asset.configuration.engine, "mariadb")
}

isOracle {
    isRdsInstance
    contains(input.asset.configuration.engine, "oracle")
}

isMsSqlServer {
    isRdsInstance
    contains(input.asset.configuration.engine, "sqlserver")
}

isSpark {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "Spark"
}

isHadoop {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "Hadoop"
}

isHive {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "Hive"
}

isHBase {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "HBase"
}

isFlink {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "Flink"
}

isHudi {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "Hudi"
}

isPresto {
    input.asset.resourceType == "AWS::EMR::Cluster"
    input.asset.supplementaryConfiguration.Description.cluster.applications[_].name == "Presto"
}

isEC2Volume{
    input.asset.resourceType == "AWS::EC2:Volume"
}

isEbs {
    input.asset.resourceType == "AWS::EC2:Volume"
}

isEni {
    input.asset.resourceType == "AWS::EC2::NetworkInterface"
}

isEip {
    input.asset.resourceType == "AWS::EC2::EIP"
}

# isDataStore DEFINITIONS

isDataStore {
    isGlacier
}

isDataStore {
    isStorageGateway
}

isDataStore {
    isS3Bucket
}

isDataStore {
    isBackupVault
}

isDataStore {
    isEFS
}

isDataStore {
    isFsx
}

isDataStore {
    isCassandraKeyspaces
}

isDataStore {
    isNeptuneCluster
}

isDataStore {
    isNeptuneInstance
}

isDataStore {
    isQuantumLedgerDB
}

isDataStore {
    isElastiCache
}

isDataStore {
    isPostgresSql
}

isDataStore {
    isAurora
}

isDataStore {
    isMySQL
}

isDataStore {
    isMariaDB
}

isDataStore {
    isOracle
}

isDataStore {
    isMsSqlServer
}

isDataStore {
    isRedshift
}

isDataStore {
    isRedShiftCluster
}

isDataStore {
    isDynamoDB
}

isDataStore {
    isDynamoDBGlobal
}

isDataStore {
    isDocumentDB
}

# isStorage DEFINITIONS

isStorage {
    isGlacier
}

isStorage {
    isStorageGateway
}

isStorage {
    isEbs
}

isStorage {
  isEC2Volume
}

isStorage {
    isS3Bucket
}

isStorage {
    isBackupVault
}

isStorage {
    isEFS
}

isStorage {
    isFsx
}

# isDatabase DEFINITIONS

isDatabase {
    isCassandraKeyspaces
}

isDatabase {
    isNeptuneInstance
}

isDatabase {
    isNeptuneCluster
}

isDatabase {
    isQuantumLedgerDB
}

isDatabase {
    isElastiCache
}

isDatabase {
    isPostgresSql
}

isDatabase {
    isAurora
}

isDatabase {
    isMySQL
}

isDatabase {
    isMariaDB
}

isDatabase {
    isOracle
}

isDatabase {
    isMsSqlServer
}

isDatabase {
    isRedshift
}

isDatabase {
    isRedShiftCluster
}

isDatabase {
    isDynamoDB
}

isDatabase {
    isDynamoDBGlobal
}

isDatabase {
    isDocumentDB
}

# isCompute DEFINITIONS

isCompute {
    isLightsail
}

isCompute {
    isElasticBeanstalk
}

isCompute {
    isLambda
}

isCompute {
    isBatch
}

isCompute {
    isEc2Instance
}

# isNetworkingAndCD DEFINITIONS

isNetworkingAndCD {
    isElasticLoadBalancerv1
}

isNetworkingAndCD {
    isElasticLoadBalancerv2
}

isNetworkingAndCD {
    isEni
}

isNetworkingAndCD {
    isEip
}

isNetworkingAndCD {
    isCloudFront
}

isNetworkingAndCD {
    isRoute53
}

# isAnalytics DEFINITIONS

isAnalytics {
    isLakeFormation
}

isAnalytics {
    isSpark
}

isAnalytics {
    isHadoop
}

isAnalytics {
    isHive
}

isAnalytics {
    isHBase
}

isAnalytics {
    isFlink
}

isAnalytics {
    isHudi
}

isAnalytics {
    isPresto
}

isAnalytics {
    isAthena
}

isAnalytics {
    isCloudSearch
}

isAnalytics {
    isELK
}

# isSIC DEFINITIONS

isSIC {
    isSecretsManager
}

isSIC {
    isKMS
}

isSIC {
    isIAM
}

# s3WebServer DEFINITION

s3WebServer {
    isS3Bucket
    input.asset.supplementaryConfiguration.BucketWebsiteConfiguration != null
}

# isNotEncryptedAtRest DEFINITIONS

isNotEncryptedAtRest {
    isDynamoDB
    input.asset.configuration.sseDescription.status != "ENABLED"
}

isNotEncryptedAtRest {
    isElasticSearchDomain
    input.asset.configuration.encryptionAtRestOptions.enabled != true
}

isNotEncryptedAtRest {
    isS3Bucket
    input.asset.configuration.s3restencrypt.enabled != true
}


# isNotEncrypted DEFINITIONS

isNotEncrypted {
    isEFS
    input.asset.configuration.encrypted == false
}

isNotEncrypted {
    isRedshift
    input.asset.configuration.encrypted == false
}

isNotEncrypted {
    isRedShiftCluster
    input.asset.configuration.encrypted == false
}

isNotEncrypted {
    isS3Bucket
    input.asset.supplementaryConfiguration.ServerSideEncryptionConfiguration == null
}

isNotEncrypted {
    isBackupVault
    input.asset.configuration.encryptionKeyArn == null
}

isNotEncrypted {
    isRdsInstance
    input.asset.configuration.storageEncrypted == false
}

# hasKmsDisabled DEFINITIONS

hasKmsDisabled {
    isS3Bucket
    input.asset.supplementaryConfiguration.ServerSideEncryptionConfiguration.rules[_].applyServerSideEncryptionByDefault.kmsMasterKeyID == null
}

hasKmsDisabled {
    isBackupVault
    input.asset.configuration.encryptionKeyArn == null
}

hasKmsDisabled {
    isRdsInstance
    input.asset.configuration.kmsKeyId == null
}

hasKmsDisabled {
    isEFS
    input.asset.configuration.kmsKeyId == null
}

hasKmsDisabled {
    isDynamoDB
    input.asset.configuration.sseDescription.sseType != "KMS"
}

hasKmsDisabled {
    isSecretsManager
    input.asset.supplementaryConfiguration.Secrets.secretList[_].kmsKeyId != null
}

hasKmsDisabled {
    input.asset.configuration.kmsKeyId == null
}


# isPublic DEFINITION
default isPublic = false

isPublic {
    isEc2Instance
    input.asset.configuration.publicIpAddress != null
}

isPublic {
    isEc2Instance
    input.asset.configuration.publicIp != null
}

isPublic {
    isRdsInstance
    input.asset.configuration.publiclyAccessible
}

isPublic {
    isS3Bucket
    input.asset.supplementaryConfiguration.isPublic
}

isPublic {
    isElasticSearchDomain
    input.asset.configuration.endpoint != null
}

isPublic {
    isElasticSearchDomain
    input.asset.configuration.endpoints != {}
    input.asset.configuration.endpoint != null
    isElasticSearchDomain
}

isPublic {
    isRedshift
    input.asset.configuration.clusterNodes[_].publicIpAddress != null
}

isPublic {
    isRedShiftCluster
    input.asset.configuration.clusterNodes[_].publicIpAddress != null
}

noDeleteProtection {
    isRdsInstance
    input.asset.configuration.deletionProtection == false
}

noDeleteProtection {
    isAurora
    input.asset.configuration.deletionProtection == false
}


# Region DEFINITIONS
inUsEastRegion {
    input.asset.awsRegion == "us-east-1"
}

inUsEastRegion {
    input.asset.awsRegion == "us-east-2"
}

inUsWestRegion {
    input.asset.awsRegion == "us-west-1"
}

inUsWestRegion {
    input.asset.awsRegion == "us-west-2"
}

inUsGovRegion {
    input.asset.awsRegion == "us-gov-east-1"
}

inUsGovRegion {
    input.asset.awsRegion == "us-gov-west-1"
}

inUsRegion {
    inUsEastRegion
}

inUsRegion {
    inUsWestRegion
}

inUsRegion {
    inUsGovRegion
}

#hasNoMFA DEFINITION

hasNoMFA {
    isIAM
    input.asset.supplementaryConfiguration.mfaDevices == null
}


# isAdminUser DEFINITION

isAdminUser {
    isIAM
    input.asset.supplementaryConfiguration.policies[_].arn == "arn:aws:iam::aws:policy/AdministratorAccess"
}


# isLoggingDisabled DEFINITION

isLoggingDisabled {
    isS3Bucket
    input.asset.supplementaryConfiguration.BucketLoggingConfiguration.loggingEnabled == false
}


# hasBackupDisabled DEFINITIONS

hasBackupDisabled {
    isRdsInstance
    input.asset.configuration.backupRetentionPeriod < 1
}

hasBackupDisabled {
    isAurora
    input.asset.configuration.backupRetentionPeriod < 1
}

# isSizeLargerThan50G DEFINITION

isSizeLargerThan50G {
    input.asset.sizeInBytes  > 50000000000
}

isSizeLargerThan50G {
    isEFS
    input.asset.configuration.sizeInBytes.value > 50000000000
}

isSizeLargerThan50G {
    isDynamoDB
    input.asset.configuration.tableSizeBytes > 50000000000
}

isSizeLargerThan50G {
    isRedshift
    input.asset.supplementaryConfiguration.totalBackupSizeInMegaBytes > 50
}

isSizeLargerThan50G {
    isS3Bucket
    input.asset.supplementaryConfiguration.size.BucketSizeBytes > 50000000000
}


# isManaged DEFINITION

default isManaged = false

isManaged {
    isElasticSearchDomain
    input.asset.configuration.endpoints.vpc != null
}


# hasInlinePolicy DEFINITION

hasInlinePolicy {
    isIAM
    input.asset.supplementaryConfiguration.policies[_].type == "inline"
}

# hasOpenIpPermissions DEFINITION

hasOpenIpPermissions {
    isSecurityGroup

    some i;
    input.asset.configuration.ipPermissions[i].ipRanges[_].cidrIp == "0.0.0.0/0"
}

# hasPort22OpenEverywhere DEFINITION

hasPort22OpenEverywhere {
    isSecurityGroup

    some i;
    input.asset.configuration.ipPermissions[i].ipRanges[_].cidrIp == "0.0.0.0/0"
    input.asset.configuration.ipPermissions[i].fromPort <= 22
    input.asset.configuration.ipPermissions[i].toPort >= 22
}

# hasPort3389OpenEverywhere DEFINITION
hasPort3389OpenEverywhere {
    isSecurityGroup

    some i;
    input.asset.configuration.ipPermissions[i].ipRanges[_].cidrIp == "0.0.0.0/0"
    input.asset.configuration.ipPermissions[i].fromPort <= 3389
    input.asset.configuration.ipPermissions[i].toPort >= 3389
}

# isNotTagged DEFINITION

isNotTagged {
    input.asset.tags == null
}

# hasIAMDisabled DEFINITION

hasIAMDisabled {
    isRdsInstance
    input.asset.configuration.iamDatabaseAuthenticationEnabled == false
}

# hasAutoMinorVersionDisabled DEFINITION

hasAutoMinorVersionDisabled {
    isRdsInstance
    input.asset.configuration.autoMinorVersionUpgrade == false
}

# hasDMAPDataSource DEFINITION

hasDMAPDataSource(DS) {
    isEc2Instance
    input.asset.dmap.topApplication.topPrediction.app_name == DS
}



# FOR LOOKING UP DATA CLASS/COLLECTIONS

hasDataInClass(class) = ret {
    some i, j
    ret := [ output | f := input.asset.dataanalysis[i].findings[j]
                      a := f.annotations[_]
                      a.class == class
                      output := { "source" : f.source, "annotations" : [a] }
           ]
}

hasDataFromCollection(collection) = ret {
    some i, j  # setup some vars to remember and reference a scan + source (S3 object)
    ret := [ output | f := input.asset.dataanalysis[i].findings[j]
                      a := f.annotations[_]
                      a.collection == collection
                      output := { "source" : f.source, "annotations" : [a] }
           ]
}

hasAnyData = ret {
    some i, j  # setup some vars to remember and reference a scan + source (S3 object)
    ret := [ output | f := input.asset.dataanalysis[i].findings[j]
                      a := f.annotations[_]
                      output := { "source" : f.source, "annotations" : [a] }
           ]
}