-
Notifications
You must be signed in to change notification settings - Fork 7
/
managed_rules_locals.tf
3200 lines (2770 loc) · 201 KB
/
managed_rules_locals.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
locals {
managed_rules = {
access-keys-rotated = {
description = "Checks if active IAM access keys are rotated (changed) within the number of days specified in maxAccessKeyAge . The rule is NON_COMPLIANT if access keys are not rotated within the specified time period. The default value is 90 days."
identifier = "ACCESS_KEYS_ROTATED"
input_parameters = var.access_keys_rotated_parameters
resource_types_scope = ["AWS::IAM::User"]
severity = "Medium"
}
account-part-of-organizations = {
description = "Checks if an AWS account is part of AWS Organizations. The rule is NON_COMPLIANT if an AWS account is not part of AWS Organizations or AWS Organizations master account ID does not match rule parameter MasterAccountId ."
identifier = "ACCOUNT_PART_OF_ORGANIZATIONS"
input_parameters = var.account_part_of_organizations_parameters
severity = "High"
}
acm-certificate-expiration-check = {
description = "Checks if AWS Certificate Manager Certificates in your account are marked for expiration within the specified number of days. Certificates provided by ACM are automatically renewed. ACM does not automatically renew certificates that you import. The rule..."
identifier = "ACM_CERTIFICATE_EXPIRATION_CHECK"
input_parameters = var.acm_certificate_expiration_check_parameters
resource_types_scope = ["AWS::ACM::Certificate"]
severity = "Medium"
}
acm-certificate-rsa-check = {
description = "Checks if RSA certificates managed by AWS Certificate Manager (ACM) have a key length of at least 2048 bits.The rule is NON_COMPLIANT if the minimum key length is less than 2048 bits."
identifier = "ACM_CERTIFICATE_RSA_CHECK"
resource_types_scope = ["AWS::ACM::Certificate"]
severity = "High"
}
acm-pca-root-ca-disabled = {
description = "Checks if AWS Private Certificate Authority (AWS Private CA) has a root CA that is disabled. The rule is NON_COMPLIANT for root CAs with status that is not DISABLED."
identifier = "ACM_PCA_ROOT_CA_DISABLED"
input_parameters = var.acm_pca_root_ca_disabled_parameters
resource_types_scope = ["AWS::ACMPCA::CertificateAuthority"]
severity = "Low"
}
alb-desync-mode-check = {
description = "Checks if an Application Load Balancer (ALB) is configured with a user defined desync mitigation mode. The rule is NON_COMPLIANT if ALB desync mitigation mode does not match with the user defined desync mitigation mode."
identifier = "ALB_DESYNC_MODE_CHECK"
input_parameters = var.alb_desync_mode_check_parameters
resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
severity = "Medium"
}
alb-http-drop-invalid-header-enabled = {
description = "Checks if rule evaluates AWS Application Load Balancers (ALB) to ensure they are configured to drop http headers. The rule is NON_COMPLIANT if the value of routing.http.drop_invalid_header_fields.enabled is set to false."
identifier = "ALB_HTTP_DROP_INVALID_HEADER_ENABLED"
resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
severity = "Medium"
}
alb-http-to-https-redirection-check = {
description = "Checks if HTTP to HTTPS redirection is configured on all HTTP listeners of Application Load Balancers. The rule is NON_COMPLIANT if one or more HTTP listeners of Application Load Balancer do not have HTTP to HTTPS redirection configured. The rule is..."
identifier = "ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK"
resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
severity = "Medium"
}
alb-waf-enabled = {
description = "Checks if AWS WAF is enabled on Application Load Balancers (ALBs). The rule is NON_COMPLIANT if key: waf.enabled is set to false."
identifier = "ALB_WAF_ENABLED"
input_parameters = var.alb_waf_enabled_parameters
resource_types_scope = ["AWS::ElasticLoadBalancingV2::LoadBalancer"]
severity = "Medium"
}
api-gwv2-access-logs-enabled = {
description = "Checks if Amazon API Gateway V2 stages have access logging enabled. The rule is NON_COMPLIANT if accessLogSettings is not present in Stage configuration."
identifier = "API_GWV2_ACCESS_LOGS_ENABLED"
resource_types_scope = ["AWS::ApiGatewayV2::Stage"]
severity = "Medium"
}
api-gwv2-authorization-type-configured = {
description = "Checks if Amazon API Gatewayv2 API routes have an authorization type set. This rule is NON_COMPLIANT if the authorization type is NONE."
identifier = "API_GWV2_AUTHORIZATION_TYPE_CONFIGURED"
input_parameters = var.api_gwv2_authorization_type_configured_parameters
resource_types_scope = ["AWS::ApiGatewayV2::Route"]
severity = "Medium"
}
api-gw-associated-with-waf = {
description = "Checks if an Amazon API Gateway API stage is using an AWS WAF web access control list (web ACL). The rule is NON_COMPLIANT if an AWS WAF Web ACL is not used or if a used AWS Web ACL does not match what is listed in the rule parameter."
identifier = "API_GW_ASSOCIATED_WITH_WAF"
input_parameters = var.api_gw_associated_with_waf_parameters
resource_types_scope = ["AWS::ApiGateway::Stage"]
severity = "Medium"
}
api-gw-cache-enabled-and-encrypted = {
description = "Checks if all methods in Amazon API Gateway stages have cache enabled and cache encrypted. The rule is NON_COMPLIANT if any method in an Amazon API Gateway stage is not configured to cache or the cache is not encrypted."
identifier = "API_GW_CACHE_ENABLED_AND_ENCRYPTED"
resource_types_scope = ["AWS::ApiGateway::Stage"]
severity = "Medium"
}
api-gw-endpoint-type-check = {
description = "Checks if Amazon API Gateway APIs are of the type specified in the rule parameter endpointConfigurationType . The rule returns NON_COMPLIANT if the REST API does not match the endpoint type configured in the rule parameter."
identifier = "API_GW_ENDPOINT_TYPE_CHECK"
input_parameters = var.api_gw_endpoint_type_check_parameters
resource_types_scope = ["AWS::ApiGateway::RestApi"]
severity = "Medium"
}
api-gw-execution-logging-enabled = {
description = "Checks if all methods in Amazon API Gateway stages have logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or if loggingLevel is neither ERROR nor INFO."
identifier = "API_GW_EXECUTION_LOGGING_ENABLED"
input_parameters = var.api_gw_execution_logging_enabled_parameters
resource_types_scope = ["AWS::ApiGateway::Stage", "AWS::ApiGatewayV2::Stage"]
severity = "Medium"
}
api-gw-ssl-enabled = {
description = "Checks if a REST API stage uses an SSL certificate. The rule is NON_COMPLIANT if the REST API stage does not have an associated SSL certificate."
identifier = "API_GW_SSL_ENABLED"
input_parameters = var.api_gw_ssl_enabled_parameters
resource_types_scope = ["AWS::ApiGateway::Stage"]
severity = "Medium"
}
api-gw-xray-enabled = {
description = "Checks if AWS X-Ray tracing is enabled on Amazon API Gateway REST APIs. The rule is COMPLIANT if X-Ray tracing is enabled and NON_COMPLIANT otherwise."
identifier = "API_GW_XRAY_ENABLED"
resource_types_scope = ["AWS::ApiGateway::Stage"]
severity = "Low"
}
approved-amis-by-id = {
description = "Checks if running EC2 instances are using specified Amazon Machine Images (AMIs). Specify a list of approved AMI IDs. Running instances with AMIs that are not on this list are NON_COMPLIANT."
identifier = "APPROVED_AMIS_BY_ID"
input_parameters = var.approved_amis_by_id_parameters
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Medium"
}
approved-amis-by-tag = {
description = "Checks if running instances are using specified Amazon Machine Images (AMIs). Specify the tags that identify the AMIs. Running instances with AMIs that don t have at least one of the specified tags are NON_COMPLIANT."
identifier = "APPROVED_AMIS_BY_TAG"
input_parameters = var.approved_amis_by_tag_parameters
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Medium"
}
appsync-associated-with-waf = {
description = "Checks if AWS AppSync APIs are associated with AWS WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT for an AWS AppSync API if it is not associated with a web ACL."
identifier = "APPSYNC_ASSOCIATED_WITH_WAF"
input_parameters = var.appsync_associated_with_waf_parameters
resource_types_scope = ["AWS::AppSync::GraphQLApi"]
severity = "Medium"
}
appsync-authorization-check = {
description = "Checks if an AWS AppSync API is using allowed authorization mechanisms. The rule is NON_COMPLIANT if an unapproved authorization mechanism is being used."
identifier = "APPSYNC_AUTHORIZATION_CHECK"
input_parameters = var.appsync_authorization_check_parameters
resource_types_scope = ["AWS::AppSync::GraphQLApi"]
severity = "High"
}
appsync-cache-encryption-at-rest = {
description = "Checks if an AWS AppSync API cache has encryption at rest enabled. This rule is NON_COMPLIANT if AtRestEncryptionEnabled is false."
identifier = "APPSYNC_CACHE_ENCRYPTION_AT_REST"
resource_types_scope = ["AWS::AppSync::GraphQLApi"]
severity = "Medium"
}
appsync-logging-enabled = {
description = "Checks if an AWS AppSync API has logging enabled. The rule is NON_COMPLIANT if logging is not enabled, or fieldLogLevel is neither ERROR nor ALL."
identifier = "APPSYNC_LOGGING_ENABLED"
input_parameters = var.appsync_logging_enabled_parameters
resource_types_scope = ["AWS::AppSync::GraphQLApi"]
severity = "Medium"
}
athena-workgroup-encrypted-at-rest = {
description = "Checks if an Amazon Athena workgroup is encrypted at rest. The rule is NON_COMPLIANT if encryption of data at rest is not enabled for an Athena workgroup."
identifier = "ATHENA_WORKGROUP_ENCRYPTED_AT_REST"
resource_types_scope = ["AWS::Athena::WorkGroup"]
severity = "Medium"
}
athena-workgroup-logging-enabled = {
description = "Checks if Amazon Athena WorkGroup publishes usage metrics to Amazon CloudWatch. The rule is NON_COMPLIANT if an Amazon Athena WorkGroup PublishCloudWatchMetricsEnabled is set to false."
identifier = "ATHENA_WORKGROUP_LOGGING_ENABLED"
resource_types_scope = ["AWS::Athena::WorkGroup"]
severity = "Medium"
}
aurora-last-backup-recovery-point-created = {
description = "Checks if a recovery point was created for Amazon Aurora DB clusters. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) DB Cluster does not have a corresponding recovery point created within the specified time period."
identifier = "AURORA_LAST_BACKUP_RECOVERY_POINT_CREATED"
input_parameters = var.aurora_last_backup_recovery_point_created_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
aurora-meets-restore-time-target = {
description = "Checks if the restore time of Amazon Aurora DB clusters meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Aurora DB Cluster is greater than maxRestoreTime minutes."
identifier = "AURORA_MEETS_RESTORE_TIME_TARGET"
input_parameters = var.aurora_meets_restore_time_target_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
aurora-mysql-backtracking-enabled = {
description = "Checks if an Amazon Aurora MySQL cluster has backtracking enabled. The rule is NON_COMPLIANT if the Aurora cluster uses MySQL and it does not have backtracking enabled."
identifier = "AURORA_MYSQL_BACKTRACKING_ENABLED"
input_parameters = var.aurora_mysql_backtracking_enabled_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
aurora-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Aurora DB clusters are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon Aurora DB cluster is not in a logically air-gapped vault within the specified time period."
identifier = "AURORA_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.aurora_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
aurora-resources-protected-by-backup-plan = {
description = "Checks if Amazon Aurora DB clusters are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon Relational Database Service (Amazon RDS) Database Cluster is not protected by a backup plan."
identifier = "AURORA_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
input_parameters = var.aurora_resources_protected_by_backup_plan_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
autoscaling-capacity-rebalancing = {
description = "Checks if Capacity Rebalancing is enabled for Amazon EC2 Auto Scaling groups that use multiple instance types. The rule is NON_COMPLIANT if capacity Rebalancing is not enabled."
identifier = "AUTOSCALING_CAPACITY_REBALANCING"
resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
severity = "Medium"
}
autoscaling-group-elb-healthcheck-required = {
description = "Checks if your Amazon EC2 Auto Scaling groups that are associated with an Elastic Load Balancer use Elastic Load Balancing health checks. The rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling groups are not using Elastic Load Balancing health checks."
identifier = "AUTOSCALING_GROUP_ELB_HEALTHCHECK_REQUIRED"
resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
severity = "Low"
}
autoscaling-launchconfig-requires-imdsv2 = {
description = "Checks whether only IMDSv2 is enabled. This rule is NON_COMPLIANT if the Metadata version is not included in the launch configuration or if both Metadata V1 and V2 are enabled."
identifier = "AUTOSCALING_LAUNCHCONFIG_REQUIRES_IMDSV2"
resource_types_scope = ["AWS::AutoScaling::LaunchConfiguration"]
severity = "High"
}
autoscaling-launch-config-hop-limit = {
description = "Checks the number of network hops that the metadata token can travel. This rule is NON_COMPLIANT if the Metadata response hop limit is greater than 1."
identifier = "AUTOSCALING_LAUNCH_CONFIG_HOP_LIMIT"
resource_types_scope = ["AWS::AutoScaling::LaunchConfiguration"]
severity = "High"
}
autoscaling-launch-config-public-ip-disabled = {
description = "Checks if Amazon EC2 Auto Scaling groups have public IP addresses enabled through Launch Configurations. The rule is NON_COMPLIANT if the Launch Configuration for an Amazon EC2 Auto Scaling group has AssociatePublicIpAddress set to true ."
identifier = "AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED"
resource_types_scope = ["AWS::AutoScaling::LaunchConfiguration"]
severity = "High"
}
autoscaling-launch-template = {
description = "Checks if an Amazon Elastic Compute Cloud (EC2) Auto Scaling group is created from an EC2 launch template. The rule is NON_COMPLIANT if the scaling group is not created from an EC2 launch template."
identifier = "AUTOSCALING_LAUNCH_TEMPLATE"
resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
severity = "Medium"
}
autoscaling-multiple-az = {
description = "Checks if the Auto Scaling group spans multiple Availability Zones. The rule is NON_COMPLIANT if the Auto Scaling group does not span multiple Availability Zones."
identifier = "AUTOSCALING_MULTIPLE_AZ"
input_parameters = var.autoscaling_multiple_az_parameters
resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
severity = "Medium"
}
autoscaling-multiple-instance-types = {
description = "Checks if an Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling group uses multiple instance types. This rule is NON_COMPLIANT if the Amazon EC2 Auto Scaling group has only one instance type defined."
identifier = "AUTOSCALING_MULTIPLE_INSTANCE_TYPES"
resource_types_scope = ["AWS::AutoScaling::AutoScalingGroup"]
severity = "Medium"
}
backup-plan-min-frequency-and-min-retention-check = {
description = "Checks if a backup plan has a backup rule that satisfies the required frequency and retention period. The rule is NON_COMPLIANT if recovery points are not created at least as often as the specified frequency or expire before the specified period."
identifier = "BACKUP_PLAN_MIN_FREQUENCY_AND_MIN_RETENTION_CHECK"
input_parameters = var.backup_plan_min_frequency_and_min_retention_check_parameters
resource_types_scope = ["AWS::Backup::BackupPlan"]
severity = "Medium"
}
backup-recovery-point-encrypted = {
description = "Checks if a recovery point is encrypted. The rule is NON_COMPLIANT if the recovery point is not encrypted."
identifier = "BACKUP_RECOVERY_POINT_ENCRYPTED"
resource_types_scope = ["AWS::Backup::RecoveryPoint"]
severity = "Medium"
}
backup-recovery-point-manual-deletion-disabled = {
description = "Checks if a backup vault has an attached resource-based policy which prevents deletion of recovery points. The rule is NON_COMPLIANT if the Backup Vault does not have resource-based policies or has policies without a suitable Deny statement (statement..."
identifier = "BACKUP_RECOVERY_POINT_MANUAL_DELETION_DISABLED"
input_parameters = var.backup_recovery_point_manual_deletion_disabled_parameters
resource_types_scope = ["AWS::Backup::BackupVault"]
severity = "Medium"
}
backup-recovery-point-minimum-retention-check = {
description = "Checks if a recovery point expires no earlier than after the specified period. The rule is NON_COMPLIANT if the recovery point has a retention point that is less than the required retention period."
identifier = "BACKUP_RECOVERY_POINT_MINIMUM_RETENTION_CHECK"
input_parameters = var.backup_recovery_point_minimum_retention_check_parameters
resource_types_scope = ["AWS::Backup::RecoveryPoint"]
severity = "Medium"
}
beanstalk-enhanced-health-reporting-enabled = {
description = "Checks if an AWS Elastic Beanstalk environment is configured for enhanced health reporting. The rule is COMPLIANT if the environment is configured for enhanced health reporting. The rule is NON_COMPLIANT if the environment is configured for basic health..."
identifier = "BEANSTALK_ENHANCED_HEALTH_REPORTING_ENABLED"
resource_types_scope = ["AWS::ElasticBeanstalk::Environment"]
severity = "Low"
}
clb-desync-mode-check = {
description = "Checks if Classic Load Balancers (CLB) are configured with a user defined Desync mitigation mode. The rule is NON_COMPLIANT if CLB Desync mitigation mode does not match with user defined Desync mitigation mode."
identifier = "CLB_DESYNC_MODE_CHECK"
input_parameters = var.clb_desync_mode_check_parameters
resource_types_scope = ["AWS::ElasticLoadBalancing::LoadBalancer"]
severity = "Medium"
}
clb-multiple-az = {
description = "Checks if a Classic Load Balancer spans multiple Availability Zones (AZs). The rule is NON_COMPLIANT if a Classic Load Balancer spans less than 2 AZs or does not span number of AZs mentioned in the minAvailabilityZones parameter (if provided)."
identifier = "CLB_MULTIPLE_AZ"
input_parameters = var.clb_multiple_az_parameters
resource_types_scope = ["AWS::ElasticLoadBalancing::LoadBalancer"]
severity = "Medium"
}
cloudformation-stack-drift-detection-check = {
description = "Checks if the actual configuration of a AWS CloudFormation (AWS CloudFormation) stack differs, or has drifted, from the expected configuration. A stack is considered to have drifted if one or more of its resources differ from their expected..."
identifier = "CLOUDFORMATION_STACK_DRIFT_DETECTION_CHECK"
input_parameters = var.cloudformation_stack_drift_detection_check_parameters
resource_types_scope = ["AWS::CloudFormation::Stack"]
severity = "Low"
}
cloudformation-stack-notification-check = {
description = "Checks if your CloudFormation stacks send event notifications to an Amazon SNS topic. Optionally checks if specified Amazon SNS topics are used. The rule is NON_COMPLIANT if CloudFormation stacks do not send notifications."
identifier = "CLOUDFORMATION_STACK_NOTIFICATION_CHECK"
input_parameters = var.cloudformation_stack_notification_check_parameters
resource_types_scope = ["AWS::CloudFormation::Stack"]
severity = "Low"
}
cloudfront-accesslogs-enabled = {
description = "Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured."
identifier = "CLOUDFRONT_ACCESSLOGS_ENABLED"
input_parameters = var.cloudfront_accesslogs_enabled_parameters
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-associated-with-waf = {
description = "Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL."
identifier = "CLOUDFRONT_ASSOCIATED_WITH_WAF"
input_parameters = var.cloudfront_associated_with_waf_parameters
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-custom-ssl-certificate = {
description = "Checks if the certificate associated with an Amazon CloudFront distribution is the default SSL certificate. The rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate."
identifier = "CLOUDFRONT_CUSTOM_SSL_CERTIFICATE"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-default-root-object-configured = {
description = "Checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if Amazon CloudFront distribution does not have a default root object configured."
identifier = "CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "High"
}
cloudfront-no-deprecated-ssl-protocols = {
description = "Checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any OriginSslProtocols includes SSLv3 ."
identifier = "CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-origin-access-identity-enabled = {
description = "Checks if CloudFront distribution with Amazon S3 Origin type has origin access identity configured. The rule is NON_COMPLIANT if the CloudFront distribution is backed by S3 and any origin type is not OAI configured, or the origin is not an S3 bucket."
identifier = "CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-origin-failover-enabled = {
description = "Checks if an origin group is configured for the distribution of at least two origins in the origin group for Amazon CloudFront. The rule is NON_COMPLIANT if there are no origin groups for the distribution."
identifier = "CLOUDFRONT_ORIGIN_FAILOVER_ENABLED"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Low"
}
cloudfront-s3-origin-access-control-enabled = {
description = "Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don t have OAC enabled."
identifier = "CLOUDFRONT_S3_ORIGIN_ACCESS_CONTROL_ENABLED"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-s3-origin-non-existent-bucket = {
description = "Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if S3OriginConfig for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting."
identifier = "CLOUDFRONT_S3_ORIGIN_NON_EXISTENT_BUCKET"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "High"
}
cloudfront-security-policy-check = {
description = "Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018."
identifier = "CLOUDFRONT_SECURITY_POLICY_CHECK"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-sni-enabled = {
description = "Checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. The rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is a dedicated IP address."
identifier = "CLOUDFRONT_SNI_ENABLED"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Low"
}
cloudfront-traffic-to-origin-encrypted = {
description = "Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all ."
identifier = "CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudfront-viewer-policy-https = {
description = "Checks if your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to allow-all for the DefaultCacheBehavior or for the CacheBehaviors."
identifier = "CLOUDFRONT_VIEWER_POLICY_HTTPS"
resource_types_scope = ["AWS::CloudFront::Distribution"]
severity = "Medium"
}
cloudtrail-all-read-s3-data-event-check = {
description = "Checks if an AWS CloudTrail multi-Region trail is enabled and logs all read S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all read S3 data event types for all current and future S3 buckets."
identifier = "CLOUDTRAIL_ALL_READ_S3_DATA_EVENT_CHECK"
resource_types_scope = ["AWS::::Account"]
severity = "Medium"
}
cloudtrail-all-write-s3-data-event-check = {
description = "Checks if an AWS CloudTrail multi-Region trail is enabled and logs all write S3 data events for your buckets. The rule is NON_COMPLIANT if no multi-Region trail logs all write S3 data event types for all current and future S3 buckets."
identifier = "CLOUDTRAIL_ALL_WRITE_S3_DATA_EVENT_CHECK"
resource_types_scope = ["AWS::::Account"]
severity = "Medium"
}
cloudtrail-s3-bucket-access-logging = {
description = "Checks if the S3 bucket configurations for your AWS CloudTrail logs have Amazon S3 server access logging enabled. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail does not have S3 server access logging enabled."
identifier = "CLOUDTRAIL_S3_BUCKET_ACCESS_LOGGING"
resource_types_scope = ["AWS::CloudTrail::Trail"]
severity = "Medium"
}
cloudtrail-s3-bucket-public-access-prohibited = {
description = "Checks if the S3 bucket configurations for your AWS CloudTrail logs block public access. The rule is NON_COMPLIANT if at least one S3 bucket for a CloudTrail trail is publicly accessible."
identifier = "CLOUDTRAIL_S3_BUCKET_PUBLIC_ACCESS_PROHIBITED"
resource_types_scope = ["AWS::CloudTrail::Trail"]
severity = "High"
}
cloudtrail-s3-dataevents-enabled = {
description = "Checks if at least one AWS CloudTrail trail is logging Amazon Simple Storage Service (Amazon S3) data events for all S3 buckets. The rule is NON_COMPLIANT if there are trails or if no trails record S3 data events."
identifier = "CLOUDTRAIL_S3_DATAEVENTS_ENABLED"
input_parameters = var.cloudtrail_s3_dataevents_enabled_parameters
severity = "Medium"
}
cloudtrail-security-trail-enabled = {
description = "Checks that there is at least one AWS CloudTrail trail defined with security best practices. This rule is COMPLIANT if there is at least one trail that meets all of the following:"
identifier = "CLOUDTRAIL_SECURITY_TRAIL_ENABLED"
severity = "Medium"
}
cloudwatch-alarm-action-check = {
description = "Checks if CloudWatch alarms have an action configured for the ALARM, INSUFFICIENT_DATA, or OK state. Optionally checks if any actions match a named ARN. The rule is NON_COMPLIANT if there is no action specified for the alarm or optional parameter."
identifier = "CLOUDWATCH_ALARM_ACTION_CHECK"
input_parameters = var.cloudwatch_alarm_action_check_parameters
resource_types_scope = ["AWS::CloudWatch::Alarm"]
severity = "High"
}
cloudwatch-alarm-action-enabled-check = {
description = "Checks if Amazon CloudWatch alarms actions are in enabled state. The rule is NON_COMPLIANT if the CloudWatch alarms actions are not in enabled state."
identifier = "CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK"
resource_types_scope = ["AWS::CloudWatch::Alarm"]
severity = "High"
}
cloudwatch-alarm-resource-check = {
description = "Checks if a resource type has a CloudWatch alarm for the named metric. For resource type, you can specify EBS volumes, EC2 instances, Amazon RDS clusters, or S3 buckets. The rule is COMPLIANT if the named metric has a resource ID and CloudWatch alarm."
identifier = "CLOUDWATCH_ALARM_RESOURCE_CHECK"
input_parameters = var.cloudwatch_alarm_resource_check_parameters
resource_types_scope = ["AWS::EC2::Instance", "AWS::RDS::DBCluster", "AWS::S3::Bucket", "AWS::EC2::Volume"]
severity = "Medium"
}
cloudwatch-alarm-settings-check = {
description = "Checks whether CloudWatch alarms with the given metric name have the specified settings."
identifier = "CLOUDWATCH_ALARM_SETTINGS_CHECK"
input_parameters = var.cloudwatch_alarm_settings_check_parameters
resource_types_scope = ["AWS::CloudWatch::Alarm"]
severity = "Medium"
}
cloudwatch-log-group-encrypted = {
description = "Checks if Amazon CloudWatch Log Groups are encrypted with any AWS KMS key or a specified AWS KMS key Id. The rule is NON_COMPLIANT if a CloudWatch Log Group is not encrypted with a KMS key or is encrypted with a KMS key not supplied in the rule parameter."
identifier = "CLOUDWATCH_LOG_GROUP_ENCRYPTED"
input_parameters = var.cloudwatch_log_group_encrypted_parameters
resource_types_scope = ["AWS::Logs::LogGroup"]
severity = "Medium"
}
cloud-trail-cloud-watch-logs-enabled = {
description = "Checks if AWS CloudTrail trails are configured to send logs to CloudWatch logs. The trail is NON_COMPLIANT if the CloudWatchLogsLogGroupArn property of the trail is empty."
identifier = "CLOUD_TRAIL_CLOUD_WATCH_LOGS_ENABLED"
input_parameters = var.cloud_trail_cloud_watch_logs_enabled_parameters
resource_types_scope = ["AWS::CloudTrail::Trail"]
severity = "Low"
}
cloudtrail-enabled = {
description = "Checks if an AWS CloudTrail trail is enabled in your AWS account. The rule is NON_COMPLIANT if a trail is not enabled. Optionally, the rule checks a specific S3 bucket, Amazon Simple Notification Service (Amazon SNS) topic, and CloudWatch log group."
identifier = "CLOUD_TRAIL_ENABLED"
input_parameters = var.cloudtrail_enabled_parameters
severity = "High"
}
cloud-trail-encryption-enabled = {
description = "Checks if AWS CloudTrail is configured to use the server side encryption (SSE) AWS Key Management Service (AWS KMS) encryption. The rule is COMPLIANT if the KmsKeyId is defined."
identifier = "CLOUD_TRAIL_ENCRYPTION_ENABLED"
resource_types_scope = ["AWS::CloudTrail::Trail"]
severity = "Medium"
}
cloud-trail-log-file-validation-enabled = {
description = "Checks if AWS CloudTrail creates a signed digest file with logs. AWS recommends that the file validation must be enabled on all trails. The rule is NON_COMPLIANT if the validation is not enabled."
identifier = "CLOUD_TRAIL_LOG_FILE_VALIDATION_ENABLED"
resource_types_scope = ["AWS::CloudTrail::Trail"]
severity = "Low"
}
cmk-backing-key-rotation-enabled = {
description = "Checks if automatic key rotation is enabled for each key and matches to the key ID of the customer created AWS KMS key. The rule is NON_COMPLIANT if the AWS Config recorder role for a resource does not have the kms:DescribeKey permission."
identifier = "CMK_BACKING_KEY_ROTATION_ENABLED"
resource_types_scope = ["AWS::KMS::Key"]
severity = "Medium"
}
codebuild-project-artifact-encryption = {
description = "Checks if an AWS CodeBuild project has encryption enabled for all of its artifacts. The rule is NON_COMPLIANT if encryptionDisabled is set to true for any primary or secondary (if present) artifact configurations."
identifier = "CODEBUILD_PROJECT_ARTIFACT_ENCRYPTION"
resource_types_scope = ["AWS::CodeBuild::Project"]
severity = "Medium"
}
codebuild-project-environment-privileged-check = {
description = "Checks if an AWS CodeBuild project environment has privileged mode enabled. The rule is NON_COMPLIANT for a CodeBuild project if privilegedMode is set to true ."
identifier = "CODEBUILD_PROJECT_ENVIRONMENT_PRIVILEGED_CHECK"
input_parameters = var.codebuild_project_environment_privileged_check_parameters
resource_types_scope = ["AWS::CodeBuild::Project"]
severity = "High"
}
codebuild-project-envvar-awscred-check = {
description = "Checks if the project contains environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. The rule is NON_COMPLIANT when the project environment variables contains plaintext credentials."
identifier = "CODEBUILD_PROJECT_ENVVAR_AWSCRED_CHECK"
resource_types_scope = ["AWS::CodeBuild::Project"]
severity = "Critical"
}
codebuild-project-logging-enabled = {
description = "Checks if an AWS CodeBuild project environment has at least one log option enabled. The rule is NON_COMPLIANT if the status of all present log configurations is set to DISABLED ."
identifier = "CODEBUILD_PROJECT_LOGGING_ENABLED"
input_parameters = var.codebuild_project_logging_enabled_parameters
resource_types_scope = ["AWS::CodeBuild::Project"]
severity = "Medium"
}
codebuild-project-s3-logs-encrypted = {
description = "Checks if a AWS CodeBuild project configured with Amazon S3 Logs has encryption enabled for its logs. The rule is NON_COMPLIANT if encryptionDisabled is set to true in a S3LogsConfig of a CodeBuild project."
identifier = "CODEBUILD_PROJECT_S3_LOGS_ENCRYPTED"
input_parameters = var.codebuild_project_s3_logs_encrypted_parameters
resource_types_scope = ["AWS::CodeBuild::Project"]
severity = "Low"
}
codebuild-project-source-repo-url-check = {
description = "Checks if the Bitbucket source repository URL contains sign-in credentials or not. The rule is NON_COMPLIANT if the URL contains any sign-in information and COMPLIANT if it doesn t."
identifier = "CODEBUILD_PROJECT_SOURCE_REPO_URL_CHECK"
resource_types_scope = ["AWS::CodeBuild::Project"]
severity = "Critical"
}
codebuild-report-group-encrypted-at-rest = {
description = "Checks if an AWS CodeBuild report group has encryption at rest setting enabled. The rule is NON_COMPLIANT if EncryptionDisabled is true ."
identifier = "CODEBUILD_REPORT_GROUP_ENCRYPTED_AT_REST"
resource_types_scope = ["AWS::CodeBuild::ReportGroup"]
severity = "Medium"
}
codedeploy-auto-rollback-monitor-enabled = {
description = "Checks if the deployment group is configured with automatic deployment rollback and deployment monitoring with alarms attached. The rule is NON_COMPLIANT if AutoRollbackConfiguration or AlarmConfiguration has not been configured or is not enabled."
identifier = "CODEDEPLOY_AUTO_ROLLBACK_MONITOR_ENABLED"
resource_types_scope = ["AWS::CodeDeploy::DeploymentGroup"]
severity = "Medium"
}
codedeploy-ec2-minimum-healthy-hosts-configured = {
description = "Checks if the deployment group for EC2/On-Premises Compute Platform is configured with a minimum healthy hosts fleet percentage or host count greater than or equal to the input threshold. The rule is NON_COMPLIANT if either is below the threshold."
identifier = "CODEDEPLOY_EC2_MINIMUM_HEALTHY_HOSTS_CONFIGURED"
input_parameters = var.codedeploy_ec2_minimum_healthy_hosts_configured_parameters
resource_types_scope = ["AWS::CodeDeploy::DeploymentGroup"]
severity = "Medium"
}
codedeploy-lambda-allatonce-traffic-shift-disabled = {
description = "Checks if the deployment group for Lambda Compute Platform is not using the default deployment configuration. The rule is NON_COMPLIANT if the deployment group is using the deployment configuration CodeDeployDefault.LambdaAllAtOnce ."
identifier = "CODEDEPLOY_LAMBDA_ALLATONCE_TRAFFIC_SHIFT_DISABLED"
resource_types_scope = ["AWS::CodeDeploy::DeploymentGroup"]
severity = "Medium"
}
codepipeline-deployment-count-check = {
description = "Checks if the first deployment stage of AWS CodePipeline performs more than one deployment. Optionally checks if each of the subsequent remaining stages deploy to more than the specified number of deployments ( deploymentLimit )."
identifier = "CODEPIPELINE_DEPLOYMENT_COUNT_CHECK"
input_parameters = var.codepipeline_deployment_count_check_parameters
resource_types_scope = ["AWS::CodePipeline::Pipeline"]
severity = "Low"
}
codepipeline-region-fanout-check = {
description = "Checks if each stage in the AWS CodePipeline deploys to more than N times the number of the regions the AWS CodePipeline has deployed in all the previous combined stages, where N is the region fanout number. The first deployment stage can deploy to a..."
identifier = "CODEPIPELINE_REGION_FANOUT_CHECK"
input_parameters = var.codepipeline_region_fanout_check_parameters
resource_types_scope = ["AWS::CodePipeline::Pipeline"]
severity = "Low"
}
cognito-user-pool-advanced-security-enabled = {
description = "Checks if an Amazon Cognito user pool has Advanced security enabled. This rule is NON_COMPLIANT if Advanced security is not enabled."
identifier = "COGNITO_USER_POOL_ADVANCED_SECURITY_ENABLED"
resource_types_scope = ["AWS::Cognito::UserPool"]
severity = "Medium"
}
custom-eventbus-policy-attached = {
description = "Checks if Amazon EventBridge custom event buses have a resource-based policy attached. The rule is NON_COMPLIANT if a custom event bus policy does not have an attached resource-based policy."
identifier = "CUSTOM_EVENTBUS_POLICY_ATTACHED"
resource_types_scope = ["AWS::Events::EventBus"]
severity = "Low"
}
custom-schema-registry-policy-attached = {
description = "Checks if custom Amazon EventBridge schema registries have a resource policy attached. The rule is NON_COMPLIANT for custom schema registries without a resource policy attached."
identifier = "CUSTOM_SCHEMA_REGISTRY_POLICY_ATTACHED"
resource_types_scope = ["AWS::EventSchemas::Registry"]
severity = "Medium"
}
cw-loggroup-retention-period-check = {
description = "Checks if an Amazon CloudWatch LogGroup retention period is set to greater than 365 days or else a specified retention period. The rule is NON_COMPLIANT if the retention period is less than MinRetentionTime , if specified, or else 365 days."
identifier = "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
input_parameters = var.cw_loggroup_retention_period_check_parameters
resource_types_scope = ["AWS::Logs::LogGroup"]
severity = "Medium"
}
datasync-task-logging-enabled = {
description = "Checks if an AWS DataSync task has Amazon CloudWatch logging enabled. The rule is NON_COMPLIANT if an AWS DataSync task does not have Amazon CloudWatch logging enabled or if the logging level is not equivalent to the logging level that you specify."
identifier = "DATASYNC_TASK_LOGGING_ENABLED"
input_parameters = var.datasync_task_logging_enabled_parameters
resource_types_scope = ["AWS::DataSync::Task"]
severity = "Medium"
}
dax-encryption-enabled = {
description = "Checks if Amazon DynamoDB Accelerator (DAX) clusters are encrypted. The rule is NON_COMPLIANT if a DAX cluster is not encrypted."
identifier = "DAX_ENCRYPTION_ENABLED"
resource_types_scope = ["AWS::DAX::Cluster"]
severity = "Medium"
}
dax-tls-endpoint-encryption = {
description = "Checks if your Amazon DynamoDB Accelerator (DAX) cluster has ClusterEndpointEncryptionType set to TLS. The rule is NON_COMPLIANT if a DAX cluster is not encrypted by transport layer security (TLS)."
identifier = "DAX_TLS_ENDPOINT_ENCRYPTION"
resource_types_scope = ["AWS::DAX::Cluster"]
severity = "Medium"
}
db-instance-backup-enabled = {
description = "Checks if RDS DB instances have backups enabled. Optionally, the rule checks the backup retention period and the backup window."
identifier = "DB_INSTANCE_BACKUP_ENABLED"
input_parameters = var.db_instance_backup_enabled_parameters
resource_types_scope = ["AWS::RDS::DBInstance"]
severity = "Medium"
}
desired-instance-tenancy = {
description = "Checks EC2 instances for a tenancy value. Also checks if AMI IDs are specified to be launched from those AMIs or if Host IDs are launched on those Dedicated Hosts. The rule is COMPLIANT if the instance matches a host and an AMI, if specified, in a list."
identifier = "DESIRED_INSTANCE_TENANCY"
input_parameters = var.desired_instance_tenancy_parameters
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Low"
}
desired-instance-type = {
description = "Checks if your EC2 instances are of a specific instance type. The rule is NON_COMPLIANT if an EC2 instance is not specified in the parameter list. For a list of supported EC2 instance types, see Instance types in the EC2 User Guide for Linux Instances."
identifier = "DESIRED_INSTANCE_TYPE"
input_parameters = var.desired_instance_type_parameters
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Low"
}
dms-auto-minor-version-upgrade-check = {
description = "Checks if an AWS Database Migration Service (AWS DMS) replication instance has automatic minor version upgrades enabled. The rule is NON_COMPLIANT if an AWS DMS replication instance is not configured with automatic minor version upgrades."
identifier = "DMS_AUTO_MINOR_VERSION_UPGRADE_CHECK"
resource_types_scope = ["AWS::DMS::ReplicationInstance"]
severity = "Medium"
}
dms-endpoint-ssl-configured = {
description = "Checks if AWS Database Migration Service (AWS DMS) endpoints are configured with an SSL connection. The rule is NON_COMPLIANT if AWS DMS does not have an SSL connection configured."
identifier = "DMS_ENDPOINT_SSL_CONFIGURED"
resource_types_scope = ["AWS::DMS::Endpoint"]
severity = "Medium"
}
dms-mongo-db-authentication-enabled = {
description = "Checks if AWS Database Migration Service (AWS DMS) endpoints for MongoDb data stores are enabled for password-based authentication and access control. The rule is NON_COMPLIANT if password-based authentication and access control is not enabled."
identifier = "DMS_MONGO_DB_AUTHENTICATION_ENABLED"
resource_types_scope = ["AWS::DMS::Endpoint"]
severity = "Medium"
}
dms-neptune-iam-authorization-enabled = {
description = "Checks if an AWS Database Migration Service (AWS DMS) endpoint for Amazon Neptune databases is configured with IAM authorization. The rule is NON_COMPLIANT if an AWS DMS endpoint where Neptune is the target has IamAuthEnabled set to false."
identifier = "DMS_NEPTUNE_IAM_AUTHORIZATION_ENABLED"
resource_types_scope = ["AWS::DMS::Endpoint"]
severity = "Medium"
}
dms-redis-tls-enabled = {
description = "Checks if AWS Database Migration Service (AWS DMS) endpoints for Redis data stores are enabled for TLS/SSL encryption of data communicated with other endpoints. The rule is NON_COMPLIANT if TLS/SSL encryption is not enabled."
identifier = "DMS_REDIS_TLS_ENABLED"
resource_types_scope = ["AWS::DMS::Endpoint"]
severity = "Medium"
}
dms-replication-not-public = {
description = "Checks if AWS Database Migration Service (AWS DMS) replication instances are public. The rule is NON_COMPLIANT if PubliclyAccessible field is set to true."
identifier = "DMS_REPLICATION_NOT_PUBLIC"
resource_types_scope = ["AWS::DMS::ReplicationInstance"]
severity = "Critical"
}
dms-replication-task-sourcedb-logging = {
description = "Checks if logging is enabled with a valid severity level for AWS DMS replication tasks of a source database. The rule is NON_COMPLIANT if logging is not enabled or logs for DMS replication tasks of a source database have a severity level that is not valid."
identifier = "DMS_REPLICATION_TASK_SOURCEDB_LOGGING"
resource_types_scope = ["AWS::DMS::ReplicationTask"]
severity = "Medium"
}
dms-replication-task-targetdb-logging = {
description = "Checks if logging is enabled with a valid severity level for AWS DMS replication task events of a target database. The rule is NON_COMPLIANT if logging is not enabled or replication task logging of a target database has a severity level that is not valid."
identifier = "DMS_REPLICATION_TASK_TARGETDB_LOGGING"
resource_types_scope = ["AWS::DMS::ReplicationTask"]
severity = "Medium"
}
docdb-cluster-audit-logging-enabled = {
description = "Checks if an Amazon DocumentDB (with MongoDB compatibility) instance cluster has CloudWatch log export enabled for audit logs. The rule is NON_COMPLIANT if an Amazon DocumentDB instance cluster does not have CloudWatch log export enabled for audit logs."
identifier = "DOCDB_CLUSTER_AUDIT_LOGGING_ENABLED"
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
docdb-cluster-backup-retention-check = {
description = "Checks if an Amazon Document DB cluster retention period is set to specific number of days. The rule is NON_COMPLIANT if the retention period is less than the value specified by the parameter."
identifier = "DOCDB_CLUSTER_BACKUP_RETENTION_CHECK"
input_parameters = var.docdb_cluster_backup_retention_check_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
docdb-cluster-deletion-protection-enabled = {
description = "Checks if an Amazon DocumentDB (with MongoDB compatibility) cluster has deletion protection enabled. The rule is NON_COMPLIANT if an Amazon DocumentDB cluster has the deletionProtection field set to false."
identifier = "DOCDB_CLUSTER_DELETION_PROTECTION_ENABLED"
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
docdb-cluster-encrypted = {
description = "Checks if storage encryption is enabled for your Amazon DocumentDB (with MongoDB compatibility) clusters. The rule is NON_COMPLIANT if storage encryption is not enabled."
identifier = "DOCDB_CLUSTER_ENCRYPTED"
input_parameters = var.docdb_cluster_encrypted_parameters
resource_types_scope = ["AWS::RDS::DBCluster"]
severity = "Medium"
}
docdb-cluster-snapshot-public-prohibited = {
description = "Checks if Amazon DocumentDB manual cluster snapshots are public. The rule is NON_COMPLIANT if any Amazon DocumentDB manual cluster snapshots are public."
identifier = "DOCDB_CLUSTER_SNAPSHOT_PUBLIC_PROHIBITED"
resource_types_scope = ["AWS::RDS::DBClusterSnapshot"]
severity = "Critical"
}
dynamodb-autoscaling-enabled = {
description = "Checks if Amazon DynamoDB tables or global secondary indexes can process read/write capacity using on-demand mode or provisioned mode with auto scaling enabled. The rule is NON_COMPLIANT if either mode is used without auto scaling enabled"
identifier = "DYNAMODB_AUTOSCALING_ENABLED"
input_parameters = var.dynamodb_autoscaling_enabled_parameters
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-in-backup-plan = {
description = "Checks whether Amazon DynamoDB table is present in AWS Backup Plans. The rule is NON_COMPLIANT if Amazon DynamoDB tables are not present in any AWS Backup plan."
identifier = "DYNAMODB_IN_BACKUP_PLAN"
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-last-backup-recovery-point-created = {
description = "Checks if a recovery point was created for Amazon DynamoDB Tables within the specified period. The rule is NON_COMPLIANT if the DynamoDB Table does not have a corresponding recovery point created within the specified time period."
identifier = "DYNAMODB_LAST_BACKUP_RECOVERY_POINT_CREATED"
input_parameters = var.dynamodb_last_backup_recovery_point_created_parameters
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-meets-restore-time-target = {
description = "Checks if the restore time of Amazon DynamoDB Tables meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of a DynamoDB Table is greater than maxRestoreTime minutes."
identifier = "DYNAMODB_MEETS_RESTORE_TIME_TARGET"
input_parameters = var.dynamodb_meets_restore_time_target_parameters
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-pitr-enabled = {
description = "Checks if point-in-time recovery (PITR) is enabled for Amazon DynamoDB tables. The rule is NON_COMPLIANT if PITR is not enabled for DynamoDB tables."
identifier = "DYNAMODB_PITR_ENABLED"
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-resources-protected-by-backup-plan = {
description = "Checks if Amazon DynamoDB tables are protected by a backup plan. The rule is NON_COMPLIANT if the DynamoDB Table is not covered by a backup plan."
identifier = "DYNAMODB_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
input_parameters = var.dynamodb_resources_protected_by_backup_plan_parameters
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-table-deletion-protection-enabled = {
description = "Checks if an Amazon DynamoDB table have deletion protection set to enabled. The rule is NON_COMPLIANT if the table have deletion protection set to disabled."
identifier = "DYNAMODB_TABLE_DELETION_PROTECTION_ENABLED"
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-table-encrypted-kms = {
description = "Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS). The rule is NON_COMPLIANT if Amazon DynamoDB table is not encrypted with AWS KMS. The rule is also NON_COMPLIANT if the encrypted AWS KMS key is not present in..."
identifier = "DYNAMODB_TABLE_ENCRYPTED_KMS"
input_parameters = var.dynamodb_table_encrypted_kms_parameters
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-table-encryption-enabled = {
description = "Checks if the Amazon DynamoDB tables are encrypted and checks their status. The rule is COMPLIANT if the status is enabled or enabling."
identifier = "DYNAMODB_TABLE_ENCRYPTION_ENABLED"
resource_types_scope = ["AWS::DynamoDB::Table"]
severity = "Medium"
}
dynamodb-throughput-limit-check = {
description = "Checks if provisioned DynamoDB throughput is approaching the maximum limit for your account. By default, the rule checks if provisioned throughput exceeds a threshold of 80 percent of your account limits."
identifier = "DYNAMODB_THROUGHPUT_LIMIT_CHECK"
input_parameters = var.dynamodb_throughput_limit_check_parameters
severity = "Medium"
}
ebs-in-backup-plan = {
description = "Check if Amazon Elastic Block Store (Amazon EBS) volumes are added in backup plans of AWS Backup. The rule is NON_COMPLIANT if Amazon EBS volumes are not included in backup plans."
identifier = "EBS_IN_BACKUP_PLAN"
resource_types_scope = ["AWS::EC2::Volume"]
severity = "Medium"
}
ebs-last-backup-recovery-point-created = {
description = "Checks if a recovery point was created for Amazon Elastic Block Store (Amazon EBS). The rule is NON_COMPLIANT if the Amazon EBS volume does not have a corresponding recovery point created within the specified time period."
identifier = "EBS_LAST_BACKUP_RECOVERY_POINT_CREATED"
input_parameters = var.ebs_last_backup_recovery_point_created_parameters
resource_types_scope = ["AWS::EC2::Volume"]
severity = "Medium"
}
ebs-meets-restore-time-target = {
description = "Checks if the restore time of Amazon Elastic Block Store (Amazon EBS) volumes meets the specified duration. The rule is NON_COMPLIANT if LatestRestoreExecutionTimeMinutes of an Amazon EBS volume is greater than maxRestoreTime minutes."
identifier = "EBS_MEETS_RESTORE_TIME_TARGET"
input_parameters = var.ebs_meets_restore_time_target_parameters
resource_types_scope = ["AWS::EC2::Volume"]
severity = "Medium"
}
ebs-optimized-instance = {
description = "Checks if Amazon EBS optimization is enabled for your Amazon Elastic Compute Cloud (Amazon EC2) instances that can be Amazon EBS-optimized. The rule is NON_COMPLIANT if EBS optimization is not enabled for an Amazon EC2 instance that can be EBS-optimized."
identifier = "EBS_OPTIMIZED_INSTANCE"
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Low"
}
ebs-resources-in-logically-air-gapped-vault = {
description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are in a logically air-gapped vault. The rule is NON_COMPLIANT if an Amazon EBS volume is not in a logically air-gapped vault within the specified time period."
identifier = "EBS_RESOURCES_IN_LOGICALLY_AIR_GAPPED_VAULT"
input_parameters = var.ebs_resources_in_logically_air_gapped_vault_parameters
resource_types_scope = ["AWS::EC2::Volume"]
severity = "Medium"
}
ebs-resources-protected-by-backup-plan = {
description = "Checks if Amazon Elastic Block Store (Amazon EBS) volumes are protected by a backup plan. The rule is NON_COMPLIANT if the Amazon EBS volume is not covered by a backup plan."
identifier = "EBS_RESOURCES_PROTECTED_BY_BACKUP_PLAN"
input_parameters = var.ebs_resources_protected_by_backup_plan_parameters
resource_types_scope = ["AWS::EC2::Volume"]
severity = "Low"
}
ebs-snapshot-public-restorable-check = {
description = "Checks if Amazon Elastic Block Store (Amazon EBS) snapshots are not publicly restorable. The rule is NON_COMPLIANT if one or more snapshots with RestorableByUserIds field are set to all, that is, Amazon EBS snapshots are public."
identifier = "EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK"
severity = "Critical"
}
ec2-client-vpn-connection-log-enabled = {
description = "Checks if AWS Client VPN endpoint has client connection logging enabled. The rule is NON_COMPLIANT if Configuration.ConnectionLogOptions.Enabled is set to false."
identifier = "EC2_CLIENT_VPN_CONNECTION_LOG_ENABLED"
resource_types_scope = ["AWS::EC2::ClientVpnEndpoint"]
severity = "Low"
}
ec2-client-vpn-not-authorize-all = {
description = "Checks if the AWS Client VPN authorization rules authorizes connection access for all clients. The rule is NON_COMPLIANT if AccessAll is present and set to true."
identifier = "EC2_CLIENT_VPN_NOT_AUTHORIZE_ALL"
resource_types_scope = ["AWS::EC2::ClientVpnEndpoint"]
severity = "Medium"
}
ec2-ebs-encryption-by-default = {
description = "Checks if Amazon Elastic Block Store (EBS) encryption is enabled by default. The rule is NON_COMPLIANT if the encryption is not enabled."
identifier = "EC2_EBS_ENCRYPTION_BY_DEFAULT"
severity = "Medium"
}
ec2-imdsv2-check = {
description = "Checks if your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The rule is NON_COMPLIANT if the HttpTokens is set to optional."
identifier = "EC2_IMDSV2_CHECK"
resource_types_scope = ["AWS::EC2::Instance"]
severity = "High"
}
ec2-instance-detailed-monitoring-enabled = {
description = "Checks if detailed monitoring is enabled for EC2 instances. The rule is NON_COMPLIANT if detailed monitoring is not enabled."
identifier = "EC2_INSTANCE_DETAILED_MONITORING_ENABLED"
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Low"
}
ec2-instance-managed-by-systems-manager = {
description = "Checks if your Amazon EC2 instances are managed by AWS Systems Manager Agent (SSM Agent). The rule is NON_COMPLIANT if an EC2 instance is running and the SSM Agent is stopped, or if an EC2 instance is running and the SSM Agent is terminated."
identifier = "EC2_INSTANCE_MANAGED_BY_SSM"
resource_types_scope = ["AWS::EC2::Instance", "AWS::SSM::ManagedInstanceInventory"]
severity = "Medium"
}
ec2-instance-multiple-eni-check = {
description = "Checks if Amazon Elastic Compute Cloud (Amazon EC2) uses multiple Elastic Network Interfaces (ENIs) or Elastic Fabric Adapters (EFAs). The rule is NON_COMPLIANT an Amazon EC2 instance use multiple network interfaces."
identifier = "EC2_INSTANCE_MULTIPLE_ENI_CHECK"
input_parameters = var.ec2_instance_multiple_eni_check_parameters
resource_types_scope = ["AWS::EC2::Instance"]
severity = "Low"