config.yaml.example
#
# frost config file
#
# Documentation on config file found in README.md
#
# Exemptions: each entry names a test (test_name), the resource it applies to
# (test_param_id), an expiration day and a free-text reason. The exact
# matching and expiry semantics are documented in README.md, not in this file.
# NOTE(review): an exemption hides a finding, so keep test_param_id as narrow
# as possible and make the reason specific enough to audit later.
exemptions:
  - test_name: test_ec2_instance_has_required_tags
    test_param_id: i-0123456789f014c162
    # An unquoted YYYY-MM-DD value is loaded as a date by most YAML parsers,
    # not as a string. Sample value only; replace it with a real review date.
    expiration_day: 2019-01-01
    reason: ec2 instance has no owner
  - test_name: test_ec2_security_group_opens_specific_ports_to_all
    # Quoted because a plain scalar starting with '*' would be read as a YAML
    # alias. Presumably a wildcard pattern over resource ids; confirm the
    # matching rules in README.md before relying on it.
    test_param_id: '*HoneyPot'
    expiration_day: 2020-01-01
    reason: purposefully insecure security group
# Severities: attaches a severity label to results, selected by test name.
# NOTE(review): '*' looks like a catch-all entry; whether entries are matched
# in order is not shown in this file. Confirm in README.md before reordering.
severities:
  - test_name: test_ec2_instance_has_required_tags
    severity: INFO
  - test_name: '*'
    severity: ERROR
# AWS settings. Every value below is a sample; replace it with your
# organisation's own names, thresholds and ids.
aws:
  # Names of the IAM groups and policies treated as administrative.
  # NOTE(review): presumably consumed by the IAM tests; see README.md.
  admin_groups:
    - "Administrators"
  admin_policies:
    - "AWSAdminRequireMFA"
  # Thresholds for the inactive-user check, written as durations.
  # NOTE(review): created_after presumably gives newly created users a grace
  # period; confirm in README.md.
  user_is_inactive:
    no_activity_since:
      years: 1
      months: 0
    created_after:
      weeks: 1
  # Maximum access key age, written as a duration. Choose a value that
  # matches your own key-rotation policy.
  access_key_expires_after:
    years: 1
    months: 0
  # Tag keys listed for the required-tags check
  # (cf. test_ec2_instance_has_required_tags in the exemptions above).
  required_tags:
    - Name
    - Type
    - App
    - Env
  # Allowed ports for the test_ec2_security_group_opens_specific_ports_to_all
  # test for all instances.
  # NOTE(review): a port listed here is accepted as open to all on every
  # security group, so keep this list as short as possible.
  allowed_ports_global:
    - 25
  # Allowed ports for the test_ec2_security_group_opens_specific_ports_to_all
  # test for specific instances. In this example, we are allowing ports 22
  # and 2222 for all security groups that include the word 'bastion' in them.
  # The pattern is quoted because a leading '*' would otherwise be read as a
  # YAML alias.
  allowed_ports:
    - test_param_id: '*bastion'
      ports:
        - 22
        - 2222
  max_ami_age_in_days: 90
  # Placeholder id. It is unquoted, so it loads as an integer; AWS account
  # ids are 12 digits and may start with 0, which an integer cannot preserve.
  # NOTE(review): confirm whether frost accepts quoted ids before quoting.
  owned_ami_account_ids:
    - 1234567890
# GCP settings. Every value below is a sample; replace it with your
# organisation's own domains, versions and ports.
gcp:
  # Placeholder domain; list only the organisation domains you control.
  allowed_org_domains:
    - mygsuiteorg.com
  # Version strings load as plain strings (they are not valid YAML numbers).
  # NOTE(review): sample values; keep this list in step with the GKE
  # versions you actually consider acceptable.
  allowed_gke_versions:
    - 1.15.12-gke.20
    - 1.16.13-gke.401
    - 1.17.9-gke.1504
    - 1.18.6-gke.3504
  # Allowed ports for the test_firewall_opens_any_ports_to_all
  # test for all firewalls.
  # NOTE(review): a port listed here is accepted as open to all on every
  # firewall, so keep this list as short as possible.
  allowed_ports_global:
    - 25
  # Allowed ports for the test_firewall_opens_any_ports_to_all
  # test for specific firewalls. In this example, we are allowing ports 22
  # and 2222 for all firewalls that include the word 'bastion' in them.
  # The pattern is quoted because a leading '*' would otherwise be read as a
  # YAML alias.
  allowed_ports:
    - test_param_id: '*bastion'
      ports:
        - 22
        - 2222
# G Suite settings. Sample values; replace them with your own.
gsuite:
  # Placeholder domain.
  domain: 'mygsuiteorg.com'
  # NOTE(review): presumably the minimum number of owner accounts the tests
  # expect; confirm in README.md.
  min_number_of_owners: 2
  # Threshold for the inactive-user check, written as a duration.
  user_is_inactive:
    no_activity_since:
      years: 1
      months: 0