From 79991be1e14f563039129a49036a8bee3980075f Mon Sep 17 00:00:00 2001 From: Arun Kumar <104547029+arunpaladin@users.noreply.github.com> Date: Thu, 28 Aug 2025 08:27:19 -0700 Subject: [PATCH] feat:[NEXT-625] Added Tagging Policy for AWS AMI --- installer/resources/pacbot_app/files/DB_Policy.sql | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/installer/resources/pacbot_app/files/DB_Policy.sql b/installer/resources/pacbot_app/files/DB_Policy.sql index bd99fe76a..6d7477786 100644 --- a/installer/resources/pacbot_app/files/DB_Policy.sql +++ b/installer/resources/pacbot_app/files/DB_Policy.sql @@ -606,8 +606,9 @@ INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisp INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status) VALUES ('contrast_library_low_vulnerabilities_found','contrast_library_low_vulnerabilities_found','Scan and Remediate Low Vulnerability Library Policy','Contrast Found Low Vulnerabilities', 'Contrast Library Security provides a comprehensive approach to identifying and managing vulnerabilities in software libraries. It scans updated libraries using Contrast\'s extensive vulnerability database to extract essential details such as CVE identifiers, suggested solutions, affected resources, Contrast\'s severity classification, and comprehensive descriptions. Proactively scanning and remediating high-risk libraries within cloud environments, such as AWS, facilitates the early detection and mitigation of potential security threats. This approach significantly reduces the risk of security breaches and fortifies the integrity of the cloud infrastructure.', NULL,'https://paladincloud.io/docs/vuln-policies','library','contrast','LibraryVulnerabilityCheck','{\"params\":[{\"encrypt\":\"false\",\"value\":\"true\",\"key\":\"threadsafe\"},{\"key\":\"policyKey\",\"value\":\"check-vulnerability-exists-for-library\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"low\",\"key\":\"severityToCheck\"},{\"encrypt\":false,\"value\":\"low\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"security\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"contrast_library_low_vulnerabilities_found\",\"autofix\":false,\"policyRestUrl\":\"\",\"targetType\":\"library\",\"pac_ds\":\"contrast\",\"assetGroup\":\"contrast\",\"policyUUID\":\"contrast_library_low_vulnerabilities_found\",\"policyType\":\"ManagePolicy\"}','0 0/6 * * ? *', NULL,NULL,'ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/contrast_library_low_vulnerabilities_found','low','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'ASGC', '2022-06-03','2022-06-03','ENABLED'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status) VALUES ('red_hat_acs_not_scanning_gcp_gke','red_hat_acs_not_scanning_gcp_gke','Enable Red Hat ACS On Kubernetes Cluster','Enable Red Hat ACS On Kubernetes Cluster', 'The policy aims to validate and enforce the adherence of Kubernetes clusters to the requirement of being scanned by Red Hat security tools, specifically RHACS. It ensures that all Kubernetes clusters within the organization\'s infrastructure have undergone the necessary security scanning provided by Red Hat to mitigate vulnerabilities, threats, and compliance risks.', NULL,'https://github.com/PaladinCloud/CE/wiki/RedHat-Policy#enable-red-hat-acs-on-kubernetes-cluster','gke','gcp','RedHatACSNotScanningKubernetesCluster','{\"params\":[{\"encrypt\":\"false\",\"value\":\"true\",\"key\":\"threadsafe\"},{\"key\":\"policyKey\",\"value\":\"redhat-not-scanning-clusters\",\"encrypt\":false},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"security\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"red_hat_acs_not_scanning_gcp_gke\",\"autofix\":false,\"policyRestUrl\":\"\",\"targetType\":\"gke\",\"pac_ds\":\"gcp\",\"assetGroup\":\"gcp\",\"policyUUID\":\"red_hat_acs_not_scanning_gcp_gke\",\"policyType\":\"ManagePolicy\"}','0 0/6 * * ? *', NULL,NULL,'ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/red_hat_acs_not_scanning_gcp_gke','critical','security','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'ASGC', '2024-01-03','2024-01-03','ENABLED'); INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status) VALUES ('remove_unused_scale_set','remove_unused_scale_set',' Delete Unused Scale Set',' Delete Unused Scale Set','Identify any empty virtual machine scale sets available within your Microsoft Azure cloud account and delete them in order to eliminate unnecessary costs and meet compliance requirements when it comes to unused resources.','Every empty virtual machine scale set should be removed for cost optimization and better management of your cloud resources.','','virtualmachinescaleset','azure','remove_unused_scale_set','{"params":[{"encrypt":false,"value":"check-for-unused-Virtual-machine-scale-set","key":"policyKey"},{"encrypt":false,"value":",","key":"splitterChar"},{"encrypt":false,"value":"Application,Environment,Stack,Role","key":"mandatoryTags","isMandatory":true,"description":"Assets should have these mandatory tags","defaultVal":"Application,Environment,Stack,Role","displayName":"Mandatory tags"},{"encrypt":false,"value":"low","key":"severity"},{"encrypt":false,"value":"security","key":"policyCategory"},{"encrypt":false,"value":"","key":"policyOwner"}],"environmentVariables":[],"policyId":"remove_unused_scale_set","autofix":false,"alexaKeyword":"remove_unused_scale_set","policyRestUrl":"","targetType":"virtualmachinescaleset","pac_ds":"azure","assetGroup":"azure","policyUUID":"remove_unused_scale_set","policyType":"ManagePolicy"}','0 0/6 * * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/remove_unused_scale_set','high','cost','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'ASGC','2023-07-19','2023-07-19','ENABLED'); - INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status) VALUES ('delete_unused_vm_disk','delete_unused_vm_disk',' Delete Unused VM Disk','Delete Unused VM Disk','Identify any unattached (unused) Gcp virtual machine disk volumes available within yourcloud account and delete them in order to lower the cost of your monthly bill and reduce the risk of sensitive data leakage.','Every unused virtual machine disk should be removed for cost optimization and better management of your cloud resources.','','gcpdisks','gcp','delete_unused_vm_disk','{"params":[{"encrypt":false,"value":"delete-unused-vm-disk","key":"policyKey"},{"encrypt":false,"value":",","key":"splitterChar"},{"encrypt":false,"value":"Application,Environment,Stack,Role","key":"mandatoryTags","isMandatory":true,"description":"Assets should have these mandatory tags","defaultVal":"Application,Environment,Stack,Role","displayName":"Mandatory tags"},{"encrypt":false,"value":"high","key":"severity"},{"encrypt":false,"value":"cost","key":"policyCategory"},{"encrypt":false,"value":"","key":"policyOwner"}],"environmentVariables":[],"policyId":"delete_unused_vm_disk","autofix":false,"alexaKeyword":"delete_unused_vm_disk","policyRestUrl":"","targetType":"gcpdisks","pac_ds":"gcp","assetGroup":"gcp","policyUUID":"delete_unused_vm_disk","policyType":"ManagePolicy"}','0 0/6 * * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/delete_unused_vm_disk','high','cost','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'ASGC','2023-07-19','2023-07-19','ENABLED'); +INSERT IGNORE INTO cf_PolicyTable (policyId, policyUUID, policyName, policyDisplayName, policyDesc, resolution, resolutionUrl, targetType, assetGroup, alexaKeyword, policyParams, policyFrequency, policyExecutable, policyRestUrl, policyType, policyArn, severity, category, autoFixAvailable, autoFixEnabled, allowList, waitingTime, maxEmailNotification, templateName, templateColumns, fixType, warningMailSubject, fixMailSubject, warningMessage, fixMessage, violationMessage, elapsedTime, userId, createdDate, modifiedDate, status) VALUES ('taggingRule_version-1_aws_ami','taggingRule_version-1_aws_ami','taggingRule_version-1_aws_ami','Assign Mandatory Tags to AWS AMI','Assigning mandatory tags to AMI is important for identifying resources, allocating costs, automation, security, and compliance purposes. Mandatory tags ensure consistency, manageability, cost-effectiveness, security, and compliance across your aws infrastructure.','Add the mandatory tags to the assets,Follow the Cloud Asset Tagging guidelines.','https://github.com/PaladinCloud/CE/wiki/AWS-Policy#Assign-Mandatory-Tags-to-AWS-AMI','ami','aws','awsamitaggingrule','{\"params\":[{\"encrypt\":false,\"value\":\",\",\"key\":\"splitterChar\"},{\"encrypt\":false,\"value\":\"check-for-missing-mandatory-tags\",\"key\":\"policyKey\"},{\"encrypt\":false,\"value\":\"high\",\"key\":\"severity\"},{\"encrypt\":false,\"value\":\"Application,Environment,Stack,Role\",\"key\":\"mandatoryTags\",\"isMandatory\":true,\"description\":\"Assets should have these mandatory tags\",\"defaultVal\":\"Application,Environment,Stack,Role\",\"displayName\":\"Mandatory tags\"},{\"isValueNew\":true,\"encrypt\":false,\"value\":\"tagging\",\"key\":\"policyCategory\"}],\"environmentVariables\":[],\"policyId\":\"taggingRule_version-1_aws_ami\",\"autofix\":false,\"alexaKeyword\":\"amitagginrule\",\"policyRestUrl\":\"\",\"targetType\":\"ami\",\"pac_ds\":\"aws\",\"assetGroup\":\"aws\",\"policyUUID\":\"taggingRule_version-1_aws_ami\",\"policyType\":\"ManagePolicy\"}','0 0/12 * * ? *','','','ManagePolicy','arn:aws:events:us-east-1:***REMOVED***:rule/taggingRule_version-1_aws_ami','high','tagging','false','false',NULL,24,1,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,24,'ASGC','2025-08-28','2025-08-28','ENABLED'); + update cf_PolicyTable set resolutionUrl='https://paladincloud.io/docs/gcp-policy/#articleTOC_104',policyDesc='Deleting unused VM disks in GCP is essential for cost savings, resource management, security, and performance optimization. It streamlines your cloud environment, reduces expenses, and ensures compliance with data protection regulations.' where policyId='delete_unused_vm_disk'; update cf_PolicyTable set policyUUID='deny_public_access_to_ebs_snapshot' where policyId='EbsSnapShot_version-1_EbsSnapShot_snapshot'; @@ -2430,6 +2431,11 @@ INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `def INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('red_hat_acs_not_scanning_gcp_gke','policyKey','redhat-not-scanning-clusters','','false','false','false','',''); INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('red_hat_acs_not_scanning_gcp_gke','policyName','Enable Red Hat ACS On Kubernetes Cluster','','false','false','false','',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('taggingRule_version-1_aws_ami','mandatoryTags','Application,Environment,Stack,Role','Application,Environment,Stack,Role','false','true','false','Mandatory tags','Assets should have these mandatory tags'); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('taggingRule_version-1_aws_ami','policyKey','check-for-missing-mandatory-tags','','false','false','false','policyKey',''); +INSERT IGNORE INTO `cf_PolicyParams` (`policyID`, `paramKey`, `paramValue`, `defaultVal`, `isEdit`, `isMandatory`, `encrypt`, `displayName`, `description`) VALUES ('taggingRule_version-1_aws_ami','splitterChar',',','','false','false','false','splitterChar',''); + + UPDATE cf_PolicyParams SET encrypt ='false' WHERE policyID IN ( 'Ec2StoppedInstanceForLong_version-1_Ec2StoppedInstanceForLong_ec2_inNDays', 'Ec2WithPubAccPort1434_version-1_Ec2WithPubAccPort1434_ec2',