
feat(aws): add identity/network baseline rules and collector enhancem… #106

Open

j3ttt wants to merge 2 commits into antgroup:main from j3ttt:enhence/aws-assets-rules

Conversation

@j3ttt (Collaborator) commented Feb 26, 2026

…ents

Thank you for your contribution to CloudRec!

What About:

  • Server (java)
  • Collector (go)
  • Rule (opa)

Description:

Explain the purpose of the PR.

@gemini-code-assist (Contributor) commented

Summary of Changes

Hello @j3ttt, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly expands the AWS security posture assessment capabilities by adding numerous new baseline rules focused on identity and network access. To facilitate these new checks, the underlying data collectors for various AWS services have been upgraded to retrieve more granular configuration details. A new documentation file has also been introduced to standardize the process for future rule and collector development, ensuring consistency and clarity in how security rules are implemented and supported by data collection.

Highlights

  • New AWS Baseline Rules: Introduced a comprehensive set of new OPA Rego rules covering AWS identity and network security baselines for various services like IAM, EC2, S3, ELB, ElastiCache, OpenSearch, Lambda, EKS, SNS, and SQS.
  • Collector Enhancements: Enhanced several AWS collectors to gather more detailed information required by the new rules, including security group details for ElastiCache and OpenSearch, listener information for ELB, Access Analyzer data for IAM account settings, and full policy documents for IAM roles.
  • Documentation for Rule-Driven Enhancements: Added a new markdown document outlining a standard process for rule-driven collector enhancements, emphasizing a 'Struct-First' and 'Gap-Driven' approach to ensure rule accuracy and maintainability.


Changelog
  • collector/aws/collector/elasticache/elasticache.go
    • Added EC2 SDK imports and strings package.
    • Introduced CacheClusterDetail and ClusterNetworkExposure structs to include security group and network exposure information.
    • Modified GetCacheClusterDetail to use both ElastiCache and EC2 clients.
    • Implemented describeClusterSecurityGroups and describeClusterNetworkExposure functions to fetch detailed security group and network routing information.
  • collector/aws/collector/elasticloadbalancing/elasticloadbalancingv2.go
    • Added Listeners field to the ELBDetail struct.
    • Modified describeELBDetails to fetch listener information.
    • Implemented describeListenersByLoadBalancerArn function to retrieve listener details for a given Load Balancer ARN.
  • collector/aws/collector/iam/account_settings.go
    • Added Access Analyzer SDK imports.
    • Introduced AccessAnalyzers field to the AccountSettingsDetail struct.
    • Modified describeAccountSettingsDetail to include Access Analyzer client.
    • Implemented listAccessAnalyzers function to retrieve Access Analyzer summaries.
  • collector/aws/collector/iam/role.go
    • Added encoding/json and net/url imports.
    • Introduced ManagedPolicyDocument and InlinePolicyDocument structs to store parsed policy documents.
    • Modified RoleDetail to include AttachedPolicyDocuments and InlinePolicyDocuments fields.
    • Implemented listAttachedRolePolicyDocuments, listRolePolicyDocuments, and parsePolicyDocument functions to fetch and parse policy content.
  • collector/aws/collector/iam/user.go
    • Introduced AccessKeyDetail struct to include LastUsed information for access keys.
    • Modified listAccessKeys to fetch and include LastUsed details for each access key.
    • Implemented getAccessKeyLastUsed function to retrieve access key last used information.
  • collector/aws/collector/opensearch/domain.go
    • Added EC2 SDK imports.
    • Introduced SecurityGroups field to the DomainDetail struct.
    • Modified GetDomainDetail to use both OpenSearch and EC2 clients.
    • Implemented describeDomainSecurityGroups function to fetch security group details for OpenSearch domains.
  • collector/aws/collector/s3/bucket.go
    • Added PublicAccessBlock field to the BucketDetail struct.
    • Modified describeBucketDetails to fetch public access block configuration.
    • Implemented getPublicAccessBlock function to retrieve S3 bucket public access block settings.
  • collector/aws/collector/services.go
    • Updated InitServices to initialize EC2 client for ElastiCache and OpenSearch services.
    • Updated InitServices to initialize AccessAnalyzer client for IAM services.
  • doc/rule-driven-collector-enhancement.md
    • Added a new documentation file detailing the process for rule-driven collector enhancements, including objectives, scope, core principles, standard execution flow, and checklists.
  • rules/AWS/AWS_APIGatewayV2_202602251900_900022/input.json
    • Added a new OPA rule input JSON for API Gateway V2.
  • rules/AWS/AWS_APIGatewayV2_202602251900_900022/metadata.json
    • Added a new OPA rule metadata JSON for API Gateway V2.
  • rules/AWS/AWS_APIGatewayV2_202602251900_900022/policy.rego
    • Added a new OPA Rego policy to detect API Gateway V2 APIs with enabled default execute endpoints and no authorizers.
  • rules/AWS/AWS_APIGatewayV2_202602251900_900022/relation.json
    • Added a new OPA rule relation JSON for API Gateway V2.
  • rules/AWS/AWS_AccountSettings_202602251620_900011/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602251620_900011/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602251620_900011/policy.rego
    • Added a new OPA Rego policy to detect weak IAM account password policies.
  • rules/AWS/AWS_AccountSettings_202602251620_900011/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602251620_900012/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602251620_900012/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602251620_900012/policy.rego
    • Added a new OPA Rego policy to detect IAM account password policies that do not allow users to change passwords.
  • rules/AWS/AWS_AccountSettings_202602251620_900012/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900025/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900025/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900025/policy.rego
    • Added a new OPA Rego policy to detect if the Root account has active Access Keys.
  • rules/AWS/AWS_AccountSettings_202602252020_900025/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900026/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900026/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900026/policy.rego
    • Added a new OPA Rego policy to detect if the Root account does not have MFA enabled.
  • rules/AWS/AWS_AccountSettings_202602252020_900026/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900027/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900027/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900027/policy.rego
    • Added a new OPA Rego policy to detect if the Root account does not have hardware MFA enabled.
  • rules/AWS/AWS_AccountSettings_202602252020_900027/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900028/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900028/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900028/policy.rego
    • Added a new OPA Rego policy to detect if IAM password policy does not prevent password reuse.
  • rules/AWS/AWS_AccountSettings_202602252020_900028/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900032/input.json
    • Added a new OPA rule input JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900032/metadata.json
    • Added a new OPA rule metadata JSON for Account Settings.
  • rules/AWS/AWS_AccountSettings_202602252020_900032/policy.rego
    • Added a new OPA Rego policy to detect if an active ACCOUNT type Access Analyzer is not enabled.
  • rules/AWS/AWS_AccountSettings_202602252020_900032/relation.json
    • Added a new OPA rule relation JSON for Account Settings.
  • rules/AWS/AWS_Bucket_202602251940_900023/input.json
    • Added a new OPA rule input JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602251940_900023/metadata.json
    • Added a new OPA rule metadata JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602251940_900023/policy.rego
    • Added a new OPA Rego policy to detect S3 buckets with public read policies.
  • rules/AWS/AWS_Bucket_202602251940_900023/relation.json
    • Added a new OPA rule relation JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602252020_900035/input.json
    • Added a new OPA rule input JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602252020_900035/metadata.json
    • Added a new OPA rule metadata JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602252020_900035/policy.rego
    • Added a new OPA Rego policy to detect S3 buckets with incomplete public access block configurations.
  • rules/AWS/AWS_Bucket_202602252020_900035/relation.json
    • Added a new OPA rule relation JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602252020_900036/input.json
    • Added a new OPA rule input JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602252020_900036/metadata.json
    • Added a new OPA rule metadata JSON for S3 Bucket.
  • rules/AWS/AWS_Bucket_202602252020_900036/policy.rego
    • Added a new OPA Rego policy to detect S3 buckets that do not enforce SSL access.
  • rules/AWS/AWS_Bucket_202602252020_900036/relation.json
    • Added a new OPA rule relation JSON for S3 Bucket.
  • rules/AWS/AWS_CDN_202602251940_900024/input.json
    • Added a new OPA rule input JSON for CDN.
  • rules/AWS/AWS_CDN_202602251940_900024/metadata.json
    • Added a new OPA rule metadata JSON for CDN.
  • rules/AWS/AWS_CDN_202602251940_900024/policy.rego
    • Added a new OPA Rego policy to detect CloudFront distributions allowing HTTP plaintext access.
  • rules/AWS/AWS_CDN_202602251940_900024/relation.json
    • Added a new OPA rule relation JSON for CDN.
  • rules/AWS/AWS_EC2_202602251450_900005/input.json
    • Added a new OPA rule input JSON for EC2 Security Group.
  • rules/AWS/AWS_EC2_202602251450_900005/metadata.json
    • Added a new OPA rule metadata JSON for EC2 Security Group.
  • rules/AWS/AWS_EC2_202602251450_900005/policy.rego
    • Added a new OPA Rego policy to detect EC2 security groups with high-risk ports open to 0.0.0.0/0.
  • rules/AWS/AWS_EC2_202602251450_900005/relation.json
    • Added a new OPA rule relation JSON for EC2 Security Group.
  • rules/AWS/AWS_EC2_202602251450_900006/input.json
    • Added a new OPA rule input JSON for EC2 Instance.
  • rules/AWS/AWS_EC2_202602251450_900006/metadata.json
    • Added a new OPA rule metadata JSON for EC2 Instance.
  • rules/AWS/AWS_EC2_202602251450_900006/policy.rego
    • Added a new OPA Rego policy to detect public EC2 instances associated with security groups that expose high-risk ports to the internet.
  • rules/AWS/AWS_EC2_202602251450_900006/relation.json
    • Added a new OPA rule relation JSON for EC2 Instance.
  • rules/AWS/AWS_EC2_202602251450_900010/input.json
    • Added a new OPA rule input JSON for EC2 Security Group.
  • rules/AWS/AWS_EC2_202602251450_900010/metadata.json
    • Added a new OPA rule metadata JSON for EC2 Security Group.
  • rules/AWS/AWS_EC2_202602251450_900010/policy.rego
    • Added a new OPA Rego policy to detect EC2 security groups that allow all traffic to 0.0.0.0/0.
  • rules/AWS/AWS_EC2_202602251450_900010/relation.json
    • Added a new OPA rule relation JSON for EC2 Security Group.
  • rules/AWS/AWS_EFS_202602251900_900021/input.json
    • Added a new OPA rule input JSON for EFS File System.
  • rules/AWS/AWS_EFS_202602251900_900021/metadata.json
    • Added a new OPA rule metadata JSON for EFS File System.
  • rules/AWS/AWS_EFS_202602251900_900021/policy.rego
    • Added a new OPA Rego policy to detect EFS file system policies that allow wildcard principals.
  • rules/AWS/AWS_EFS_202602251900_900021/relation.json
    • Added a new OPA rule relation JSON for EFS File System.
  • rules/AWS/AWS_EKSCluster_202602261430_900038/input.json
    • Added a new OPA rule input JSON for EKS Cluster.
  • rules/AWS/AWS_EKSCluster_202602261430_900038/metadata.json
    • Added a new OPA rule metadata JSON for EKS Cluster.
  • rules/AWS/AWS_EKSCluster_202602261430_900038/policy.rego
    • Added a new OPA Rego policy to detect EKS clusters with public API server endpoints open to 0.0.0.0/0.
  • rules/AWS/AWS_EKSCluster_202602261430_900038/relation.json
    • Added a new OPA rule relation JSON for EKS Cluster.
  • rules/AWS/AWS_ELB_202602251450_900007/input.json
    • Added a new OPA rule input JSON for Classic Load Balancer (CLB).
  • rules/AWS/AWS_ELB_202602251450_900007/metadata.json
    • Added a new OPA rule metadata JSON for Classic Load Balancer (CLB).
  • rules/AWS/AWS_ELB_202602251450_900007/policy.rego
    • Added a new OPA Rego policy to detect internet-facing CLBs listening on high-risk management ports.
  • rules/AWS/AWS_ELB_202602251450_900007/relation.json
    • Added a new OPA rule relation JSON for Classic Load Balancer (CLB).
  • rules/AWS/AWS_ELB_202602251620_900015/input.json
    • Added a new OPA rule input JSON for ELB.
  • rules/AWS/AWS_ELB_202602251620_900015/metadata.json
    • Added a new OPA rule metadata JSON for ELB.
  • rules/AWS/AWS_ELB_202602251620_900015/policy.rego
    • Added a new OPA Rego policy to detect internet-facing ELBs with HTTP plaintext listeners.
  • rules/AWS/AWS_ELB_202602251620_900015/relation.json
    • Added a new OPA rule relation JSON for ELB.
  • rules/AWS/AWS_ElastiCache_202602261430_900041/input.json
    • Added a new OPA rule input JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261430_900041/metadata.json
    • Added a new OPA rule metadata JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261430_900041/policy.rego
    • Added a new OPA Rego policy to detect ElastiCache Redis clusters without transit encryption enabled.
  • rules/AWS/AWS_ElastiCache_202602261430_900041/relation.json
    • Added a new OPA rule relation JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261430_900042/input.json
    • Added a new OPA rule input JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261430_900042/metadata.json
    • Added a new OPA rule metadata JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261430_900042/policy.rego
    • Added a new OPA Rego policy to detect ElastiCache Redis clusters without authentication tokens enabled.
  • rules/AWS/AWS_ElastiCache_202602261430_900042/relation.json
    • Added a new OPA rule relation JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261520_900044/input.json
    • Added a new OPA rule input JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261520_900044/metadata.json
    • Added a new OPA rule metadata JSON for ElastiCache.
  • rules/AWS/AWS_ElastiCache_202602261520_900044/policy.rego
    • Added a new OPA Rego policy to detect ElastiCache Redis clusters with public network exposure and open Redis ports.
  • rules/AWS/AWS_ElastiCache_202602261520_900044/relation.json
    • Added a new OPA rule relation JSON for ElastiCache.
  • rules/AWS/AWS_IAMPolicy_202602252020_900031/input.json
    • Added a new OPA rule input JSON for IAM Policy.
  • rules/AWS/AWS_IAMPolicy_202602252020_900031/metadata.json
    • Added a new OPA rule metadata JSON for IAM Policy.
  • rules/AWS/AWS_IAMPolicy_202602252020_900031/policy.rego
    • Added a new OPA Rego policy to detect custom IAM policies granting full administrative access (Action:* and Resource:*).
  • rules/AWS/AWS_IAMPolicy_202602252020_900031/relation.json
    • Added a new OPA rule relation JSON for IAM Policy.
  • rules/AWS/AWS_IAMPolicy_202602261640_900045/input.json
    • Added a new OPA rule input JSON for IAM Policy.
  • rules/AWS/AWS_IAMPolicy_202602261640_900045/metadata.json
    • Added a new OPA rule metadata JSON for IAM Policy.
  • rules/AWS/AWS_IAMPolicy_202602261640_900045/policy.rego
    • Added a new OPA Rego policy to detect IAM policies allowing iam:PassRole to any resource without conditions.
  • rules/AWS/AWS_IAMPolicy_202602261640_900045/relation.json
    • Added a new OPA rule relation JSON for IAM Policy.
  • rules/AWS/AWS_IAM_202602251430_900001/input.json
    • Added a new OPA rule input JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251430_900001/metadata.json
    • Added a new OPA rule metadata JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251430_900001/policy.rego
    • Added a new OPA Rego policy to detect high-privilege IAM users without MFA enabled.
  • rules/AWS/AWS_IAM_202602251430_900001/relation.json
    • Added a new OPA rule relation JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900002/input.json
    • Added a new OPA rule input JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900002/metadata.json
    • Added a new OPA rule metadata JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900002/policy.rego
    • Added a new OPA Rego policy to detect high-privilege IAM users with active long-term Access Keys.
  • rules/AWS/AWS_IAM_202602251450_900002/relation.json
    • Added a new OPA rule relation JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900003/input.json
    • Added a new OPA rule input JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602251450_900003/metadata.json
    • Added a new OPA rule metadata JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602251450_900003/policy.rego
    • Added a new OPA Rego policy to detect IAM roles with trust policies allowing wildcard principals.
  • rules/AWS/AWS_IAM_202602251450_900003/relation.json
    • Added a new OPA rule relation JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602251450_900004/input.json
    • Added a new OPA rule input JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900004/metadata.json
    • Added a new OPA rule metadata JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900004/policy.rego
    • Added a new OPA Rego policy to detect IAM users with inline policies but no MFA enabled.
  • rules/AWS/AWS_IAM_202602251450_900004/relation.json
    • Added a new OPA rule relation JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251450_900009/input.json
    • Added a new OPA rule input JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602251450_900009/metadata.json
    • Added a new OPA rule metadata JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602251450_900009/policy.rego
    • Added a new OPA Rego policy to detect high-privilege IAM roles with overly permissive trust policies.
  • rules/AWS/AWS_IAM_202602251450_900009/relation.json
    • Added a new OPA rule relation JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602251620_900013/input.json
    • Added a new OPA rule input JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251620_900013/metadata.json
    • Added a new OPA rule metadata JSON for IAM User.
  • rules/AWS/AWS_IAM_202602251620_900013/policy.rego
    • Added a new OPA Rego policy to detect IAM console users without MFA enabled.
  • rules/AWS/AWS_IAM_202602251620_900013/relation.json
    • Added a new OPA rule relation JSON for IAM User.
  • rules/AWS/AWS_IAM_202602252020_900029/input.json
    • Added a new OPA rule input JSON for IAM User.
  • rules/AWS/AWS_IAM_202602252020_900029/metadata.json
    • Added a new OPA rule metadata JSON for IAM User.
  • rules/AWS/AWS_IAM_202602252020_900029/policy.rego
    • Added a new OPA Rego policy to detect IAM Access Keys older than 90 days.
  • rules/AWS/AWS_IAM_202602252020_900029/relation.json
    • Added a new OPA rule relation JSON for IAM User.
  • rules/AWS/AWS_IAM_202602252020_900030/input.json
    • Added a new OPA rule input JSON for IAM User.
  • rules/AWS/AWS_IAM_202602252020_900030/metadata.json
    • Added a new OPA rule metadata JSON for IAM User.
  • rules/AWS/AWS_IAM_202602252020_900030/policy.rego
    • Added a new OPA Rego policy to detect IAM credentials (password or Access Key) unused for over 45 days.
  • rules/AWS/AWS_IAM_202602252020_900030/relation.json
    • Added a new OPA rule relation JSON for IAM User.
  • rules/AWS/AWS_IAM_202602261520_900043/input.json
    • Added a new OPA rule input JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602261520_900043/metadata.json
    • Added a new OPA rule metadata JSON for IAM Role.
  • rules/AWS/AWS_IAM_202602261520_900043/policy.rego
    • Added a new OPA Rego policy to detect high-privilege IAM roles allowing cross-account AssumeRole without conditions.
  • rules/AWS/AWS_IAM_202602261520_900043/relation.json
    • Added a new OPA rule relation JSON for IAM Role.
  • rules/AWS/AWS_Lambda_202602261430_900037/input.json
    • Added a new OPA rule input JSON for Lambda Function.
  • rules/AWS/AWS_Lambda_202602261430_900037/metadata.json
    • Added a new OPA rule metadata JSON for Lambda Function.
  • rules/AWS/AWS_Lambda_202602261430_900037/policy.rego
    • Added a new OPA Rego policy to detect Lambda Function URLs allowing anonymous access.
  • rules/AWS/AWS_Lambda_202602261430_900037/relation.json
    • Added a new OPA rule relation JSON for Lambda Function.
  • rules/AWS/AWS_NetworkAcl_202602251620_900014/input.json
    • Added a new OPA rule input JSON for Network ACL.
  • rules/AWS/AWS_NetworkAcl_202602251620_900014/metadata.json
    • Added a new OPA rule metadata JSON for Network ACL.
  • rules/AWS/AWS_NetworkAcl_202602251620_900014/policy.rego
    • Added a new OPA Rego policy to detect Network ACLs allowing all inbound traffic from 0.0.0.0/0.
  • rules/AWS/AWS_NetworkAcl_202602251620_900014/relation.json
    • Added a new OPA rule relation JSON for Network ACL.
  • rules/AWS/AWS_NetworkAcl_202602252020_900034/input.json
    • Added a new OPA rule input JSON for Network ACL.
  • rules/AWS/AWS_NetworkAcl_202602252020_900034/metadata.json
    • Added a new OPA rule metadata JSON for Network ACL.
  • rules/AWS/AWS_NetworkAcl_202602252020_900034/policy.rego
    • Added a new OPA Rego policy to detect Network ACLs allowing inbound access to ports 22 or 3389 from 0.0.0.0/0.
  • rules/AWS/AWS_NetworkAcl_202602252020_900034/relation.json
    • Added a new OPA rule relation JSON for Network ACL.
  • rules/AWS/AWS_OpenSearch_202602251820_900019/input.json
    • Added a new OPA rule input JSON for OpenSearch Domain.
  • rules/AWS/AWS_OpenSearch_202602251820_900019/metadata.json
    • Added a new OPA rule metadata JSON for OpenSearch Domain.
  • rules/AWS/AWS_OpenSearch_202602251820_900019/policy.rego
    • Added a new OPA Rego policy to detect public OpenSearch domains with access policies allowing wildcard principals.
  • rules/AWS/AWS_OpenSearch_202602251820_900019/relation.json
    • Added a new OPA rule relation JSON for OpenSearch Domain.
  • rules/AWS/AWS_OpenSearch_202602251820_900020/input.json
    • Added a new OPA rule input JSON for OpenSearch Domain.
  • rules/AWS/AWS_OpenSearch_202602251820_900020/metadata.json
    • Added a new OPA rule metadata JSON for OpenSearch Domain.
  • rules/AWS/AWS_OpenSearch_202602251820_900020/policy.rego
    • Added a new OPA Rego policy to detect VPC-enabled OpenSearch domains with security groups exposing port 443 to the internet.
  • rules/AWS/AWS_OpenSearch_202602251820_900020/relation.json
    • Added a new OPA rule relation JSON for OpenSearch Domain.
  • rules/AWS/AWS_RDS_202602251450_900008/input.json
    • Added a new OPA rule input JSON for RDS Instance.
  • rules/AWS/AWS_RDS_202602251450_900008/metadata.json
    • Added a new OPA rule metadata JSON for RDS Instance.
  • rules/AWS/AWS_RDS_202602251450_900008/policy.rego
    • Added a new OPA Rego policy to detect publicly accessible RDS instances with database ports open to 0.0.0.0/0.
  • rules/AWS/AWS_RDS_202602251450_900008/relation.json
    • Added a new OPA rule relation JSON for RDS Instance.
  • rules/AWS/AWS_SNSTopic_202602261430_900040/input.json
    • Added a new OPA rule input JSON for SNS Topic.
  • rules/AWS/AWS_SNSTopic_202602261430_900040/metadata.json
    • Added a new OPA rule metadata JSON for SNS Topic.
  • rules/AWS/AWS_SNSTopic_202602261430_900040/policy.rego
    • Added a new OPA Rego policy to detect SNS topics with policies allowing wildcard principals to publish or subscribe.
  • rules/AWS/AWS_SNSTopic_202602261430_900040/relation.json
    • Added a new OPA rule relation JSON for SNS Topic.
  • rules/AWS/AWS_SQSQueue_202602261430_900039/input.json
    • Added a new OPA rule input JSON for SQS Queue.
  • rules/AWS/AWS_SQSQueue_202602261430_900039/metadata.json
    • Added a new OPA rule metadata JSON for SQS Queue.
  • rules/AWS/AWS_SQSQueue_202602261430_900039/policy.rego
    • Added a new OPA Rego policy to detect SQS queues with policies allowing wildcard principals to perform sensitive message operations.
  • rules/AWS/AWS_SQSQueue_202602261430_900039/relation.json
    • Added a new OPA rule relation JSON for SQS Queue.
  • rules/AWS/AWS_SecurityGroup_202602252020_900033/input.json
    • Added a new OPA rule input JSON for Security Group.
  • rules/AWS/AWS_SecurityGroup_202602252020_900033/metadata.json
    • Added a new OPA rule metadata JSON for Security Group.
  • rules/AWS/AWS_SecurityGroup_202602252020_900033/policy.rego
    • Added a new OPA Rego policy to detect default security groups with inbound or broad outbound rules.
  • rules/AWS/AWS_SecurityGroup_202602252020_900033/relation.json
    • Added a new OPA rule relation JSON for Security Group.
  • rules/AWS/AWS_VPCEndpointService_202602251620_900016/input.json
    • Added a new OPA rule input JSON for VPC Endpoint Service.
  • rules/AWS/AWS_VPCEndpointService_202602251620_900016/metadata.json
    • Added a new OPA rule metadata JSON for VPC Endpoint Service.
  • rules/AWS/AWS_VPCEndpointService_202602251620_900016/policy.rego
    • Added a new OPA Rego policy to detect VPC Endpoint Services allowing wildcard principals.
  • rules/AWS/AWS_VPCEndpointService_202602251620_900016/relation.json
    • Added a new OPA rule relation JSON for VPC Endpoint Service.
Activity
  • The pull request introduces new features for AWS, specifically in the collector and rule components.
  • The author has provided a clear structure for the PR, indicating changes in collector and rule components.
  • The PR includes a new documentation file explaining the process for rule-driven collector enhancements, suggesting a focus on process improvement and clarity.
  • Numerous new OPA rules have been added, indicating a significant expansion of security checks across various AWS services.
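Most of the network rules in the changelog above (security groups with high-risk ports or all traffic open to 0.0.0.0/0, the EKS, OpenSearch, ElastiCache and RDS exposure checks, and the NACL port checks) come down to one evaluation: does an ingress rule open a sensitive port, or every port, to a source prefix of length zero? The Go program below is an added example of that evaluation written for this page; it is not CloudRec's collector or rule code. The IpPermission and Finding types, the high-risk port list and the sample group are assumptions for the example, modelled on the fields DescribeSecurityGroups returns; the PR's Rego rules express the same logic over the collected JSON.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
)

// IpPermission is a trimmed copy of one EC2 security-group ingress rule; the field
// names are this example's but mirror what DescribeSecurityGroups returns.
type IpPermission struct {
	IpProtocol string   // "tcp", "udp", "icmp" or "-1" (all protocols and ports)
	FromPort   int      // inclusive; not meaningful when IpProtocol is "-1"
	ToPort     int      // inclusive
	IPv4Ranges []string // CIDRs such as "0.0.0.0/0"
	IPv6Ranges []string // CIDRs such as "::/0"
}

// highRiskPorts are the management and database ports treated as sensitive here;
// the list is an assumption for this example, not the PR's list.
type highRiskPort struct{ Port int; Service string }

var highRiskPorts = []highRiskPort{
	{22, "ssh"}, {3389, "rdp"}, {3306, "mysql"}, {5432, "postgresql"},
	{6379, "redis"}, {9200, "opensearch"}, {27017, "mongodb"},
}

// Finding is one exposure a rule would report for the group.
type Finding struct {
	Protocol   string
	Port       int    // 0 when AllTraffic is set
	Service    string // "" when AllTraffic is set
	Source     string // the offending CIDR
	AllTraffic bool   // an IpProtocol "-1" rule open to the world
}

// isWorldOpen is true only for a zero-length prefix (0.0.0.0/0 or ::/0). A CIDR that
// does not parse counts as not open; a collector should report that separately.
func isWorldOpen(cidr string) bool {
	p, err := netip.ParsePrefix(cidr)
	return err == nil && p.Bits() == 0
}

// worldSources lists every CIDR in the rule, v4 and v6, that admits all sources.
func worldSources(p IpPermission) []string {
	var out []string
	for _, c := range append(append([]string{}, p.IPv4Ranges...), p.IPv6Ranges...) {
		if isWorldOpen(c) {
			out = append(out, c)
		}
	}
	return out
}

// coversPort: tcp and udp rules carry an inclusive FromPort..ToPort range (0..65535
// means all ports); icmp and other protocols never expose a TCP service port. The
// "-1" (all traffic) shape is reported by the caller as a single finding instead.
func coversPort(p IpPermission, port int) bool {
	return (p.IpProtocol == "tcp" || p.IpProtocol == "udp") && p.FromPort <= port && port <= p.ToPort
}

// EvaluateSecurityGroup returns findings in a stable order (rule order, then the port
// list order) so repeated scans diff cleanly.
func EvaluateSecurityGroup(perms []IpPermission) []Finding {
	var findings []Finding
	for _, p := range perms {
		for _, src := range worldSources(p) {
			if p.IpProtocol == "-1" {
				findings = append(findings, Finding{Protocol: "-1", Source: src, AllTraffic: true})
				continue
			}
			for _, hp := range highRiskPorts {
				if coversPort(p, hp.Port) {
					findings = append(findings, Finding{Protocol: p.IpProtocol, Port: hp.Port, Service: hp.Service, Source: src})
				}
			}
		}
	}
	return findings
}

// AllowsAllTraffic is the "all traffic to 0.0.0.0/0" rule on its own.
func AllowsAllTraffic(perms []IpPermission) bool {
	return slices.ContainsFunc(EvaluateSecurityGroup(perms), func(f Finding) bool { return f.AllTraffic })
}

// SampleGroup is constructed input, not data from a real account.
var SampleGroup = []IpPermission{
	{IpProtocol: "tcp", FromPort: 22, ToPort: 22, IPv4Ranges: []string{"0.0.0.0/0"}},
	{IpProtocol: "tcp", FromPort: 80, ToPort: 80, IPv4Ranges: []string{"0.0.0.0/0"}},
	{IpProtocol: "tcp", FromPort: 0, ToPort: 65535, IPv4Ranges: []string{"10.0.0.0/8"}},
	{IpProtocol: "tcp", FromPort: 6000, ToPort: 7000, IPv6Ranges: []string{"::/0"}},
}

func main() {
	for _, f := range EvaluateSecurityGroup(SampleGroup) {
		fmt.Printf("%+v\n", f)
	}
	fmt.Println("all traffic open:", AllowsAllTraffic(SampleGroup))
}
```

Two details matter in practice and are covered here: a rule listing only ::/0 is as exposed as one listing 0.0.0.0/0, and a tcp range such as 6000-7000 covers 6379 without naming it, so a check that compares FromPort to a fixed port list misses it. An IpProtocol "-1" rule is reported once as all-traffic rather than once per port, and slices.ContainsFunc assumes Go 1.21 or newer.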

@gemini-code-assist (bot) left a review

Code Review

This pull request significantly enhances several AWS collectors to gather more detailed information, particularly around network exposure and identity/access configurations. It adds details like security groups for ElastiCache and OpenSearch, network exposure information for ElastiCache, listeners for ELBs, Access Analyzer results for account settings, parsed policy documents for IAM roles, and access key last-used timestamps for IAM users. To complement these data enhancements, a comprehensive set of new Rego rules has been added to improve security posture assessment. The changes are well-structured and greatly increase the platform's security detection capabilities. I have a few suggestions to improve code consistency and robustness.

Comment on lines +255 to +257
func stringPtr(v string) *string {
return &v
}
Severity: medium

This helper function stringPtr duplicates functionality from the AWS SDK. It's more idiomatic and consistent with other parts of the codebase to use aws.String() from the github.com/aws/aws-sdk-go-v2/aws package. Please remove this local helper and replace its usages with aws.String(). This will require adding an import for github.com/aws/aws-sdk-go-v2/aws.

Comment on lines +230 to +244
func parsePolicyDocument(raw string) map[string]interface{} {
decoded, err := url.QueryUnescape(raw)
if err != nil {
decoded = raw
}

var doc map[string]interface{}
if err := json.Unmarshal([]byte(decoded), &doc); err == nil {
return doc
}
if err := json.Unmarshal([]byte(raw), &doc); err == nil {
return doc
}
return nil
}
Severity: medium

The parsePolicyDocument function currently returns nil if JSON unmarshalling fails, without logging the error. This can silently hide issues with malformed policy documents, making debugging difficult. It would be beneficial to log a warning when both unmarshalling attempts fail.

Suggested change (current code):
func parsePolicyDocument(raw string) map[string]interface{} {
decoded, err := url.QueryUnescape(raw)
if err != nil {
decoded = raw
}
var doc map[string]interface{}
if err := json.Unmarshal([]byte(decoded), &doc); err == nil {
return doc
}
if err := json.Unmarshal([]byte(raw), &doc); err == nil {
return doc
}
return nil
}

Suggested change (proposed code):
func parsePolicyDocument(raw string) map[string]interface{} {
decoded, err := url.QueryUnescape(raw)
if err != nil {
decoded = raw
}
var doc map[string]interface{}
if err := json.Unmarshal([]byte(decoded), &doc); err == nil {
return doc
}
if err := json.Unmarshal([]byte(raw), &doc); err == nil {
return doc
}
log.GetWLogger().Warn("failed to unmarshal IAM policy document", zap.String("document", raw))
return nil
}

Comment on lines +121 to +123
func stringPtr(v string) *string {
return &v
}
Severity: medium

This helper function stringPtr duplicates functionality from the AWS SDK. It's more idiomatic and consistent with other parts of the codebase to use aws.String() from the github.com/aws/aws-sdk-go-v2/aws package. Please remove this local helper and replace its usage with aws.String(). This will require adding an import for github.com/aws/aws-sdk-go-v2/aws.
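The review's point about parsePolicyDocument (a malformed document silently becomes nil) and the changelog's IAM rules (full-admin custom policies, iam:PassRole to any resource without conditions, wildcard principals in trust policies) all rest on the same preprocessing: URL-decode the document that GetRolePolicy and GetPolicyVersion return, then normalise the string-or-list fields before a rule inspects them. The Go program below is an added example of that step and of the three checks; it is neither CloudRec's code nor Gemini's suggested change, and it returns an error instead of a nil document so the caller can log what it dropped. The Statement type, the helper names, the finding labels and the three sample policies are constructed for this example, and slices.ContainsFunc assumes Go 1.21 or newer.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"path"
	"slices"
	"strings"
)

// Statement is one IAM statement after normalisation: string-or-list fields become
// lists and Principal is flattened to the identifiers it names ("*" for a wildcard).
type Statement struct {
	Effect       string
	Actions      []string
	Resources    []string
	Principals   []string
	HasCondition bool
}

// stringOrList accepts both encodings IAM allows, "x" and ["x","y"]; otherwise nil.
func stringOrList(r json.RawMessage) []string {
	var s string
	if json.Unmarshal(r, &s) == nil {
		return []string{s}
	}
	var l []string
	_ = json.Unmarshal(r, &l)
	return l
}

// principals flattens Principal: the bare "*", or a map keyed by principal type such
// as {"AWS": ["arn:...", "*"], "Service": "ec2.amazonaws.com"}.
func principals(r json.RawMessage) []string {
	var m map[string]json.RawMessage
	if json.Unmarshal(r, &m) != nil {
		return stringOrList(r)
	}
	var out []string
	for _, k := range []string{"AWS", "Service", "Federated", "CanonicalUser"} {
		out = append(out, stringOrList(m[k])...)
	}
	return out
}

// ParsePolicyDocument takes the URL-encoded JSON that GetRolePolicy and GetPolicyVersion
// return (or plain JSON), tries the decoded text and then the raw text, and returns an
// error rather than a silent nil when neither parses, so the caller can log it.
func ParsePolicyDocument(raw string) ([]Statement, error) {
	decoded, err := url.QueryUnescape(raw)
	if err != nil {
		decoded = raw // a literal '%' in plain JSON: only the raw text can parse
	}
	var doc struct{ Statement json.RawMessage }
	if json.Unmarshal([]byte(decoded), &doc) != nil && json.Unmarshal([]byte(raw), &doc) != nil {
		return nil, fmt.Errorf("policy document is not valid JSON: %.60q", raw)
	}
	var items []map[string]json.RawMessage // Statement is an array of objects, or one object
	if json.Unmarshal(doc.Statement, &items) != nil {
		items = []map[string]json.RawMessage{nil}
		if json.Unmarshal(doc.Statement, &items[0]) != nil {
			return nil, fmt.Errorf("Statement is neither object nor array: %.60q", string(doc.Statement))
		}
	}
	var stmts []Statement
	for _, it := range items { // Effect is always a bare JSON string, so trimming quotes suffices
		stmts = append(stmts, Statement{Effect: strings.Trim(string(it["Effect"]), `"`),
			Actions: stringOrList(it["Action"]), Resources: stringOrList(it["Resource"]),
			Principals: principals(it["Principal"]), HasCondition: len(it["Condition"]) > 0})
	}
	return stmts, nil
}

// Findings names which of the changelog's IAM rule shapes an Allow statement matches:
// full admin (Action "*" with Resource "*"), iam:PassRole on any role with no
// Condition, and a wildcard Principal that no Condition narrows.
func Findings(s Statement) []string {
	allow, anyResource := s.Effect == "Allow", slices.Contains(s.Resources, "*")
	passRole := slices.ContainsFunc(s.Actions, func(p string) bool {
		ok, _ := path.Match(strings.ToLower(p), "iam:passrole") // actions are case-insensitive; "*" is the only glob
		return ok
	})
	var out []string
	if allow && slices.Contains(s.Actions, "*") && anyResource {
		out = append(out, "full-admin")
	}
	if allow && passRole && anyResource && !s.HasCondition {
		out = append(out, "unconditional-passrole")
	}
	if allow && slices.Contains(s.Principals, "*") && !s.HasCondition {
		out = append(out, "wildcard-principal")
	}
	return out
}

// Constructed inputs, not real account data: an inline policy exactly as GetRolePolicy
// returns it (URL-encoded, single-object Statement), a trust policy, a PassRole policy.
const InlineAdminPolicy = "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%7B%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22*%22%2C%22Resource%22%3A%22*%22%7D%7D"
const TrustPolicy = `{"Statement":[{"Effect":"Allow","Principal":{"AWS":"*"},"Action":"sts:AssumeRole"},
 {"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"example-external-id"}}}]}`
const PassRolePolicy = `{"Statement":[{"Effect":"Allow","Action":["iam:passrole","ec2:RunInstances"],"Resource":"*"}]}`
```

Note that the full-admin sample also yields "unconditional-passrole", because Action "*" matches iam:PassRole under the same glob rule; that is the correct reading, not a double count. A caveat the fallback inherits from the PR's version: url.QueryUnescape turns '+' into a space and decodes any '%XX' sequence, so a plain-JSON document containing either is altered by the first attempt and only reaches the raw-text attempt if the altered form fails to parse. Policy documents rarely contain those characters, but a collector that knows which API it called should decode only what that API URL-encodes.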
