Skip to main content

Policy Library Rules

important

The AWS policies in Styra's Terraform Policy Library are currently tested against version 3 of the Terraform AWS provider. Version 4 of the provider introduced breaking changes for a number of AWS resources. AWS policies in the library which only apply to Terraform AWS provider v3 resources are noted in the policies below and may not result in accurate policy evaluation when used with provider v4.

AWS: Autoscaling Group: Deny public IP address in launch configuration

Prohibit creation of autoscaling group if the launch configuration used has public IP address enabled. Checks the resources with type 'aws_launch_configuration' for the value of 'associate_public_ip_address'.

Parameters

None

AWS: CloudFront: Prohibit CloudFront distributions without a default root object

Requires AWS/CloudFront distributions to be configured with a default root object. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None

AWS: DMS: Prohibit publicly accessible DMS replication instances

Require AWS/DMS replication instances to not be publicly accessible. Checks resources with type 'aws_dms_replication_instance'.

Parameters

None

AWS: EC2/EBS: Requires snapshot enabled.

Ensure individually created EBS volumes have snapshots enabled. Checks resources with type 'aws_ebs_volume'.

Parameters

None

AWS: EC2: Ensure the EBS volumes are encrypted.

Require individually created EBS volumes to be encrypted. Checks resources with type 'aws_ebs_volume'.

Parameters

None

AWS: EC2: Restrict volume deletion after instance termination

Prevent volume being deleted after the termination of EC2 instance.Retaining volumes until they are explicitly deleted can protect against adversaries deleting critical data, or evidence of an intrusion. Checks resources with type 'aws_instance'.

Parameters

None

AWS: EC2: Restrict instances with unapproved AMIs

Ensure EC2 instances are using an AMI from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_ami_ids

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ami_ids

AWS: EC2: Restrict instances with unapproved Regions

Ensure EC2 instances are deployed in a Region from a pre-approved list (due to plan format restrictions, this policy only works for Terraform 12 onward). Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_regions

      • Type: array
      • Unique: true
  • Required Parameters: allowed_regions

AWS: EC2: Restrict instances with unapproved subnets

Ensure EC2 instances are deployed in a subnet from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_subnets

      • Type: array
      • Unique: true
  • Required Parameters: allowed_subnets

AWS: EC2: Restrict instances with unapproved Security Groups

Require AWS/EC2 to use Security Groups from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_security_groups

      • Type: array
      • Unique: true
  • Required Parameters: allowed_security_groups

AWS: EC2: Ensure the instances use encrypted volume.

Require AWS/EC2 instances to use encrypted block storage volume. Checks resources with type 'aws_instance'.

Parameters

None

AWS: EC2: Restrict instances without IMDSv2

EC2 instances and EC2 Launch templates require Instance Metadata Service Version 2 (IMDSv2) enabled. Checks resources with type 'aws_instance' and 'aws_launch_template'.

Parameters

None

AWS: EC2: Prohibit EC2 instances without a VPC

Require AWS/EC2 instance to be deployed in a VPC. Checks resources with type 'aws_instance'.

Parameters

None

AWS: IAM: Ensure IAM account has Complex and Unique password policy

Require AWS/IAM account to have complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/ the standards here are based off of those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434 Checks resources with type 'aws_iam_account_password_policy'.

Parameters

None

AWS: IAM: Restrict Attaching AdministratorAccess Policy.

Restricts attaching Managed AdministratorAccess policy to user, role and group. Checks resources with type 'aws_iam_user_policy_attachment', 'aws_iam_role_policy_attachment' and 'aws_iam_group_policy_attachment'.

Parameters

None

AWS: IAM: Restrict Access Key Actions in IAM policies

Require AWS/IAM user/group/role policies to not have Create/Update/List/Delete AccessKeys permissions and allow all ('iam:' or '') in 'Action'. Checks resources with type 'aws_iam_user_policy', 'aws_iam_role_policy', 'aws_iam_group_policy' and 'aws_iam_policy'.

Parameters

None

AWS: IAM: Restrict hardcoded secret credentials.

Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is restricted. Due to plan format restrictions, this policy only works for Terraform 12 onward.

Parameters

None

AWS: IAM: Prohibit IAM policies directly being attached to IAM users

Requires AWS/IAM policies not to be attached directly to IAM users. Checks resources with type 'aws_iam_user_policy_attachment'.

Parameters

None

AWS: IAM: Prohibit Policies containing an Asterisk

Require AWS/IAM policies not have an asterisk ("") in Actions and asterisk("") without prefix in Resources. Checks resources with type 'aws_iam_policy'.

Parameters

None

AWS: Security Groups: Restrict Ingress from public IPs.

Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. Private IPv4 CIDR IP range: "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16" Checks resources with type 'aws_security_group'.

Parameters

None

AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports

Require AWS/Security Groups to have ingress from whitelisted CIDR blocks on whitelisted ports. To allow all, use wildcard entry '*' Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_cidr_ports

      • Type: object
      • Unique: false
  • Required Parameters: allowed_cidr_ports

AWS: Security Groups: Ingress Allow only whitelisted Ports

Require AWS/Security Groups with whitelisted ports only for CIDR "0.0.0.0/0". Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_ports

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ports

AWS: RDS: Prohibit publicly accessible RDS instances

Require AWS/RDS instances to not be publicly accessible. Checks resources with type 'aws_db_instance'.

Parameters

None

AWS: S3: Block All Public Access to Buckets

Require AWS/S3 buckets to have blocked all public access. Checks resources with type 'aws_s3_bucket' along with 'aws_s3_bucket_public_access_block'.

Parameters

None

AWS: S3: Ensure Logging is Enabled in S3 Buckets

Require AWS/S3 buckets to have logging enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None

AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions

Require AWS/S3 bucket policy to not use asterisk in 'Action'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

None

AWS: S3: Prohibit Unencrypted Buckets

Require AWS/S3 buckets to be encrypted. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None

AWS: S3: Prohibit Unencrypted Bucket Object

Require AWS/S3 bucket object to be server side encrypted Checks resources with type 'aws_s3_bucket_object'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None

AWS: S3: Ensure Versioning is Enabled for S3 Buckets

Require AWS/S3 buckets to have versioning enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None

AWS: S3: Restrict S3 buckets with unapproved ACL

Require AWS/S3 to use Canned ACL from a pre-approved list. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

  • Parameters:

    • allowed_acls

      • Type: array
      • Unique: true
  • Required Parameters: allowed_acls

AWS: S3: Allow ingress only from whitelisted IP's

Require AWS/S3 bucket policy with whitelisted source IP's. To allow all, use wildcard entry '*'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

  • Parameters:

    • allowed_ips

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ips

AWS: SageMaker: Prohibit SageMaker Notebook instance with direct internet access enabled

Require AWS/SageMaker instance to have direct internet access disabled. Checks resources with type 'aws_sagemaker_notebook_instance'.

Parameters

None

AWS: SSM: Prohibit publicly accessible SSM documents

Require AWS/SSM Document not to be publicly accessible. Checks resources with type 'aws_ssm_document'.

Parameters

None

Azure: IAM: Prohibit assignment of Owner role

Require Azure/IAM role assignment to not have owner role assigned to any principal. Checks resources with type 'azurerm_role_assignment'.

Parameters

None

Azure: MariaDB: Prohibit backup disabled MariaDB database

Require Azure/MariaDB database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mariadb_server'.

Parameters

None

Azure: MySQL: Prohibit backup disabled MySQL database

Require Azure/MySQL database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mysql_server'.

Parameters

None

Azure: Security Groups: Block port 22 for '0.0.0.0/0'

Azure/Network Security Groups should block Inbound traffic on 22 port for "0.0.0.0/0" or "*". Checks resources with type 'azurerm_network_security_group'.

Parameters

None

Azure: Postgres: Prohibit backup disabled Postgres database

Require Azure/Postgres database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_postgresql_server'.

Parameters

None

Azure: Storage Account: Deny Unencrypted transit

Azure/Storage Account should accept requests from secure connections (https) only. Checks resources with type 'azurerm_storage_account'.

Parameters

None

GCP: Service Account: Prohibit using default Service Account

Requires custom service account for google_compute_instance resource. Checks resources with type 'google_compute_instance'.

Parameters

None

GCP: Bigquery Dataset: Prohibit Dataset accessible to all authenticated users

Restrict public accessibilty for google_bigquery_dataset resource. Checks resources with type 'google_bigquery_dataset'.

Parameters

None

GCP: IAM: Prohibit service account with admin privileges

Restrict service account to have admin privileges while adding google_project_iam_member resource. Checks resources with type 'google_project_iam_member'.

Parameters

None

GCP: Network: Prohibit firewall allowing SSH access over internet

Network firewall resource should not allow ingress from '0.0.0.0/0' to port 22. Checks resources with type 'google_compute_firewall'.

Parameters

None

GCP: Storage Bucket: Prohibit buckets without versioning

Requires versioning to be enabled for google_storage_bucket resource. Checks resources with type 'google_storage_bucket'.

Parameters

None