
Policy Library Rules

Info: The AWS policies in Styra's Terraform Policy Library are currently tested against version 3 of the Terraform AWS provider. Version 4 of the provider introduced breaking changes for a number of AWS resources. AWS policies in the library which only apply to Terraform AWS provider v3 resources are noted in the policies below and may not result in accurate policy evaluation when used with provider v4.

AWS: Autoscaling Group: Deny public IP address in launch configuration

Prohibits creation of an autoscaling group if the launch configuration it uses has a public IP address enabled. Checks resources with type 'aws_launch_configuration' for the value of 'associate_public_ip_address'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without a default root object

Requires AWS/CloudFront distributions to be configured with a default root object. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without access logging

Requires AWS/CloudFront distributions to be configured with access logging. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without encrypted traffic to origin

Requires AWS/CloudFront distributions to be configured with encrypted traffic to origin. Prohibits 'origin_protocol_policy' set to 'http-only' and prohibits 'origin_protocol_policy' set to 'match-viewer' if 'viewer_protocol_policy' is set to 'allow-all'. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without an HTTPS viewer protocol policy

Requires AWS/CloudFront distribution default and ordered cache behaviors to be configured with an 'https-only' or 'redirect-to-https' viewer_protocol_policy. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudFront: Prohibit CloudFront distributions without a WAF association

Requires AWS/CloudFront distributions to be configured with a WAF web ACL ID. Checks resources with type 'aws_cloudfront_distribution'.

Parameters

None


AWS: CloudTrail: Prohibit CloudTrails without server-side encryption

Require AWS/CloudTrail trails to have server-side encryption using an AWS KMS key. Checks resources with type 'aws_cloudtrail'.

Parameters

None


AWS: CodeBuild Project: Prohibit if logging is not configured

Require CodeBuild Projects to have 'logs_config' with either 's3_logs' or 'cloudwatch_logs' enabled. Checks resources with type 'aws_codebuild_project'.

Parameters

None


AWS: CodeBuild Project: Prohibit Privileged Mode enabled

Require CodeBuild Projects to set 'privileged_mode' to false. Checks resources with type 'aws_codebuild_project'.

Parameters

None


AWS: DAX: Prohibit DAX clusters with disabled encryption at rest

Require AWS/DAX clusters to have enabled encryption at rest. Checks resources with type 'aws_dax_cluster'.

Parameters

None


AWS: DMS: Prohibit publicly accessible DMS replication instances

Require AWS/DMS replication instances to not be publicly accessible. Checks resources with type 'aws_dms_replication_instance'.

Parameters

None


AWS: EC2/EBS: Require snapshots enabled

Ensure individually created EBS volumes have snapshots enabled. Checks resources with type 'aws_ebs_volume'.

Parameters

None


AWS: EC2: Ensure the EBS volumes are encrypted

Require individually created EBS volumes to be encrypted. Checks resources with type 'aws_ebs_volume'.

Parameters

None


AWS: EC2: Prohibit EC2 instances with a Public IP Address

Require AWS/EC2 instance to not have a Public IP Address. Checks resources with type 'aws_instance' and 'aws_launch_template'.

Parameters

None


AWS: EC2: Restrict volume deletion after instance termination

Prevent volumes from being deleted after the termination of an EC2 instance. Retaining volumes until they are explicitly deleted can protect against adversaries deleting critical data, or evidence of an intrusion. Checks resources with type 'aws_instance'.

Parameters

None


AWS: EC2: Restrict instances with unapproved AMIs

Ensure EC2 instances are using an AMI from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_ami_ids

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ami_ids

AWS: EC2: Restrict instances with unapproved Regions

Ensure EC2 instances are deployed in a Region from a pre-approved list (due to plan format restrictions, this policy only works for Terraform 12 onward). Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_regions

      • Type: array
      • Unique: true
  • Required Parameters: allowed_regions

AWS: EC2: Restrict instances with unapproved subnets

Ensure EC2 instances are deployed in a subnet from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_subnets

      • Type: array
      • Unique: true
  • Required Parameters: allowed_subnets

AWS: EC2: Restrict instances with unapproved Security Groups

Require AWS/EC2 to use Security Groups from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_security_groups

      • Type: array
      • Unique: true
  • Required Parameters: allowed_security_groups

AWS: EC2: Ensure the instances use encrypted volumes

Require AWS/EC2 instances to use encrypted block storage volumes. Checks resources with type 'aws_instance'.

Parameters

None


AWS: EC2: Restrict instances without IMDSv2

Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled. Checks resources with type 'aws_instance' and 'aws_launch_template'.

Parameters

None


AWS: EC2: Prohibit EC2 instances without a VPC

Require AWS/EC2 instance to be deployed in a VPC. Checks resources with type 'aws_instance'.

Parameters

None


AWS: ECS: Prohibit ECS Service which has Assign Public IP enabled

Require AWS/ECS Service to have 'assign_public_ip' set as false in 'network_configuration'. Checks resources with type 'aws_ecs_service'.

Parameters

None


AWS: Elastic Beanstalk: Prohibit Elastic Beanstalk environments with managed actions disabled

Require AWS/Elastic Beanstalk environments to have the managed actions setting enabled. Checks resources with type 'aws_elastic_beanstalk_environment'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled encryption at rest

Require AWS/Elasticsearch domains to have enabled encryption at rest. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains not created in VPC

Require AWS/Elasticsearch domains to have subnets added in vpc_options. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains that do not enforce HTTPS and use TLS 1.2

Require AWS/Elasticsearch domains to have HTTPS enforced and use TLS 1.2. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled node to node encryption

Require AWS/Elasticsearch domains to have enabled node to node encryption. Checks resources with type 'aws_elasticsearch_domain'.

Parameters

None


AWS: ELB: Prohibit Elastic Load Balancers with listener 'lb_protocol' not set to SSL/HTTPS

Requires AWS/ELB listeners to be configured with 'lb_protocol' set to either SSL or HTTPS. Checks resources with type 'aws_elb'.

Parameters

None


AWS: ELB: Prohibit Elastic Load Balancers with connection draining not set to true

Requires AWS/ELB listeners to be configured with 'connection_draining' set to true. Checks resources with type 'aws_elb'.

Parameters

None


AWS: GuardDuty: Block GuardDuty organization with disabled GuardDuty detector

Require a GuardDuty Detector to be enabled for a GuardDuty Organization. Checks resources with type 'aws_guardduty_organization_configuration' along with 'aws_guardduty_detector'.

Parameters

None


AWS: IAM: Ensure IAM account has Complex and Unique password policy

Require AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434. Checks resources with type 'aws_iam_account_password_policy'.

Parameters

None


AWS: IAM: Ensure IAM account password policy meets AWS Foundational Security Best Practices

Require AWS/IAM account to have a complex and unique password policy, as recommended by https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html. Checks resources with type 'aws_iam_account_password_policy'.

Parameters

None


AWS: IAM: Restrict Attaching AdministratorAccess Policy

Restricts attaching the managed AdministratorAccess policy to a user, role or group. Checks resources with type 'aws_iam_user_policy_attachment', 'aws_iam_role_policy_attachment' and 'aws_iam_group_policy_attachment'.

Parameters

None


AWS: IAM: Restrict Access Key Actions in IAM policies

Require AWS/IAM user/group/role policies not to grant Create/Update/List/Delete AccessKey permissions, nor allow-all ('iam:*' or '*') in 'Action'. Checks resources with type 'aws_iam_user_policy', 'aws_iam_role_policy', 'aws_iam_group_policy' and 'aws_iam_policy'.

Parameters

None


AWS: IAM: Restrict hardcoded secret credentials

Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is restricted. Due to plan format restrictions, this policy only works for Terraform 12 onward.

Parameters

None


AWS: IAM: Prohibit IAM policies from being attached directly to IAM users

Requires AWS/IAM policies not to be attached directly to IAM users. Checks resources with type 'aws_iam_user_policy_attachment'.

Parameters

None


AWS: IAM: Prohibit IAM policies providing admin access

Require AWS/IAM policy statements not to allow all actions ('*') on all resources ('*'). Checks resources with type 'aws_iam_policy' and data sources with type 'aws_iam_policy_document'.

Parameters

None


AWS: IAM: Prohibit Policies containing an Asterisk

Require AWS/IAM policies not to have an asterisk ("*") in Actions, nor an asterisk ("*") without a prefix in Resources. Checks resources with type 'aws_iam_policy'.

Parameters

None


AWS: Lambda: Prohibit publicly accessible Lambda functions

Requires AWS/Lambda Function Permissions to include an AWS account ID principal, principal_org_id, source_account AWS account ID, or source_arn resource ARN to prevent public access. Checks resources with type 'aws_lambda_permission'.

Parameters

None


AWS: Security Groups: Restrict Ingress from public IPs

Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. Private IPv4 CIDR ranges: "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16". Checks resources with type 'aws_security_group'.

Parameters

None


AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports

Require AWS/Security Groups to allow ingress only from whitelisted CIDR blocks on whitelisted ports. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_cidr_ports

      • Type: object
      • Unique: false
  • Required Parameters: allowed_cidr_ports

AWS: Security Groups: Ingress Allow only whitelisted Ports

Require AWS/Security Groups to open only whitelisted ports to the CIDR "0.0.0.0/0". Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_ports

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ports

AWS: OpenSearch: Prohibit OpenSearch Domains with disabled encryption at rest

Require AWS/OpenSearch domains to have enabled encryption at rest. Checks resources with type 'aws_opensearch_domain'.

Parameters

None


AWS: OpenSearch: Prohibit OpenSearch Domains with disabled node to node encryption

Require AWS/OpenSearch domains to have node to node encryption enabled. Checks resources with type 'aws_opensearch_domain'.

Parameters

None


AWS: OpenSearch: Prohibit OpenSearch Domains not created in a VPC

Require AWS/OpenSearch domains to have subnets added in 'vpc_options'. Checks resources with type 'aws_opensearch_domain'.

Parameters

None


AWS: RDS: Prohibit RDS instance with disabled automatic minor version upgrade

Require AWS/RDS instances to have automatic minor version upgrade enabled. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: RDS: Prohibit RDS instances with disabled IAM database authentication

Require AWS/RDS instances to have IAM authentication enabled. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: RDS: Prohibit publicly accessible RDS instances

Require AWS/RDS instances to not be publicly accessible. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: RDS: Prohibit RDS clusters with disabled IAM authentication

Require AWS/RDS clusters to have IAM authentication enabled. Checks resources with type 'aws_rds_cluster'.

Parameters

None


AWS: RDS: Prohibit RDS instances with disabled CloudWatch log exports

Require AWS/RDS instances to have CloudWatch log exports enabled. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: Redshift: Prohibit Redshift cluster with disabled enhanced VPC routing

Require AWS/Redshift cluster to have enhanced VPC routing enabled. Checks resources with type 'aws_redshift_cluster'.

Parameters

None


AWS: Redshift: Prohibit publicly accessible Redshift cluster

Require AWS/Redshift cluster to not be publicly accessible. Checks resources with type 'aws_redshift_cluster'.

Parameters

None


AWS: S3: Block All Public Access to Buckets

Require AWS/S3 buckets to have blocked all public access. Checks resources with type 'aws_s3_bucket' along with 'aws_s3_bucket_public_access_block'.

Parameters

None


AWS: S3: Ensure Logging is Enabled in S3 Buckets

Require AWS/S3 buckets to have logging enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None


AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions

Require AWS/S3 bucket policy to not use asterisk in 'Action'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

None


AWS: S3: Prohibit Unencrypted Buckets

Require AWS/S3 buckets to be encrypted. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None


AWS: S3: Prohibit Unencrypted Bucket Object

Require AWS/S3 bucket objects to be server-side encrypted. Checks resources with type 'aws_s3_bucket_object'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None


AWS: S3: Ensure Versioning is Enabled for S3 Buckets

Require AWS/S3 buckets to have versioning enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

None


AWS: S3: Restrict S3 buckets with unapproved ACL

Require AWS/S3 to use Canned ACL from a pre-approved list. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.

Parameters

  • Parameters:

    • allowed_acls

      • Type: array
      • Unique: true
  • Required Parameters: allowed_acls

AWS: S3: Allow ingress only from whitelisted IPs

Require AWS/S3 bucket policies to allow only whitelisted source IPs. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

  • Parameters:

    • allowed_ips

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ips

AWS: SageMaker: Prohibit SageMaker Notebook instance with direct internet access enabled

Require AWS/SageMaker instance to have direct internet access disabled. Checks resources with type 'aws_sagemaker_notebook_instance'.

Parameters

None


AWS: SSM: Prohibit publicly accessible SSM documents

Require AWS/SSM Document not to be publicly accessible. Checks resources with type 'aws_ssm_document'.

Parameters

None


Azure: IAM: Prohibit assignment of Owner role

Require Azure/IAM role assignments not to assign the Owner role to any principal. Checks resources with type 'azurerm_role_assignment'.

Parameters

None


Azure: MariaDB: Prohibit backup disabled MariaDB database

Require Azure/MariaDB database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mariadb_server'.

Parameters

None


Azure: MySQL: Prohibit backup disabled MySQL database

Require Azure/MySQL database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mysql_server'.

Parameters

None


Azure: Security Groups: Block port 22 for '0.0.0.0/0'

Azure/Network Security Groups should block inbound traffic on port 22 from "0.0.0.0/0" or "*". Checks resources with type 'azurerm_network_security_group'.

Parameters

None


Azure: Postgres: Prohibit backup disabled Postgres database

Require Azure/Postgres database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_postgresql_server'.

Parameters

None


Azure: Storage Account: Deny Unencrypted transit

Azure/Storage Account should accept requests over secure connections (HTTPS) only. Checks resources with type 'azurerm_storage_account'.

Parameters

None


GCP: Service Account: Prohibit using default Service Account

Requires a custom service account for google_compute_instance resources. Checks resources with type 'google_compute_instance'.

Parameters

None


GCP: Bigquery Dataset: Prohibit Dataset accessible to all authenticated users

Restrict public accessibility for google_bigquery_dataset resources. Checks resources with type 'google_bigquery_dataset'.

Parameters

None


GCP: IAM: Prohibit service account with admin privileges

Prohibit granting admin privileges to a service account when adding a google_project_iam_member resource. Checks resources with type 'google_project_iam_member'.

Parameters

None


GCP: Network: Prohibit firewall allowing SSH access over internet

Network firewall resources should not allow ingress from '0.0.0.0/0' to port 22. Checks resources with type 'google_compute_firewall'.

Parameters

None


GCP: Storage Bucket: Prohibit buckets without versioning

Requires versioning to be enabled for google_storage_bucket resources. Checks resources with type 'google_storage_bucket'.

Parameters

None