Policy Library Rules
Important
The AWS policies in Styra's Terraform Policy Library are currently tested against version 3 of the Terraform AWS provider. Version 4 of the provider introduced breaking changes for a number of AWS resources; for example, the S3 bucket settings for ACLs, versioning, logging and server-side encryption moved out of 'aws_s3_bucket' into standalone resources. AWS policies in the library that only apply to provider v3 resources are marked as such in the entries below and may not evaluate accurately against plans produced with provider v4.
AWS: Autoscaling Group: Deny public IP address in launch configuration
Prohibit creation of an autoscaling group whose launch configuration has public IP address assignment enabled. Checks resources with type 'aws_launch_configuration' for the value of 'associate_public_ip_address'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a default root object
Requires AWS/CloudFront distributions to be configured with a default root object. Checks resources with type 'aws_cloudfront_distribution'.
Parameters
None
AWS: DMS: Prohibit publicly accessible DMS replication instances
Require AWS/DMS replication instances to not be publicly accessible. Checks resources with type 'aws_dms_replication_instance'.
Parameters
None
AWS: EC2/EBS: Requires snapshot enabled.
Ensure individually created EBS volumes have snapshots enabled. Checks resources with type 'aws_ebs_volume'.
Parameters
None
AWS: EC2: Ensure the EBS volumes are encrypted.
Require individually created EBS volumes to be encrypted. Checks resources with type 'aws_ebs_volume'.
Parameters
None
AWS: EC2: Restrict volume deletion after instance termination
Prevent the volume from being deleted when the EC2 instance is terminated (the 'delete_on_termination' flag on the instance's block devices). Retaining volumes until they are explicitly deleted can protect against adversaries deleting critical data, or evidence of an intrusion. Checks resources with type 'aws_instance'.
Parameters
None
AWS: EC2: Restrict instances with unapproved AMIs
Ensure EC2 instances are using an AMI from a pre-approved list. Checks resources with type 'aws_instance'.
Parameters
allowed_ami_ids
- Type: array
- Unique: true
- Required Parameters: allowed_ami_ids
AWS: EC2: Restrict instances with unapproved Regions
Ensure EC2 instances are deployed in a Region from a pre-approved list. Due to plan format restrictions, this policy only works for Terraform 0.12 onward. Checks resources with type 'aws_instance'.
Parameters
allowed_regions
- Type: array
- Unique: true
- Required Parameters: allowed_regions
AWS: EC2: Restrict instances with unapproved subnets
Ensure EC2 instances are deployed in a subnet from a pre-approved list. Checks resources with type 'aws_instance'.
Parameters
allowed_subnets
- Type: array
- Unique: true
- Required Parameters: allowed_subnets
AWS: EC2: Restrict instances with unapproved Security Groups
Require AWS/EC2 to use Security Groups from a pre-approved list. Checks resources with type 'aws_instance'.
Parameters
allowed_security_groups
- Type: array
- Unique: true
- Required Parameters: allowed_security_groups
AWS: EC2: Ensure the instances use encrypted volume.
Require AWS/EC2 instances to use encrypted block storage volume. Checks resources with type 'aws_instance'.
Parameters
None
AWS: EC2: Restrict instances without IMDSv2
Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled, i.e. a 'metadata_options' block with 'http_tokens' set to 'required'. Checks resources with type 'aws_instance' and 'aws_launch_template'.
Parameters
None
AWS: EC2: Prohibit EC2 instances without a VPC
Require AWS/EC2 instance to be deployed in a VPC. Checks resources with type 'aws_instance'.
Parameters
None
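The EC2 rules above all read attributes of planned 'aws_instance' resources. The following is an added example, written in Python rather than the library's Rego and not part of the library, that applies the AMI, subnet, security-group, IMDSv2, encrypted-volume and delete-on-termination rules to the JSON produced by `terraform show -json tfplan`. The sample plan, the parameter values, the function names and the violation labels are constructed for illustration; the Region rule is omitted because the region lives in the plan's provider configuration rather than on the resource.

```python
import json

# Constructed sample plan (not real Terraform output): two aws_instance resources.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_instance.good", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "ami": "ami-0123456789abcdef0",
             "subnet_id": "subnet-aaaa1111",
             "vpc_security_group_ids": ["sg-0a0a0a0a"],
             "metadata_options": [{"http_endpoint": "enabled", "http_tokens": "required"}],
             "root_block_device": [{"encrypted": True, "delete_on_termination": False}],
             "ebs_block_device": []}}},
        {"address": "aws_instance.bad", "type": "aws_instance",
         "change": {"actions": ["create"], "after": {
             "ami": "ami-0fedcba9876543210",
             "subnet_id": "subnet-bbbb2222",
             "vpc_security_group_ids": ["sg-0b0b0b0b"],
             # No metadata_options block: the provider default is http_tokens = "optional".
             "metadata_options": [],
             "root_block_device": [{"encrypted": False, "delete_on_termination": True}],
             "ebs_block_device": [{"encrypted": True, "delete_on_termination": True}]}}},
    ],
})


def resources_of_type(plan, rtype):
    """Yield (address, after) for planned resources of the given type.

    Deleted resources have no 'after' state and are skipped. Values that are only
    known at apply time are listed under 'after_unknown', not 'after', so the
    checks below fail closed on them.
    """
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc.get("type") == rtype and after is not None:
            yield rc["address"], after


def evaluate_instance(after, allowed_ami_ids, allowed_subnets, allowed_security_groups):
    """Return the rules (named after the entries above) that one aws_instance violates."""
    violations = []
    if after.get("ami") not in allowed_ami_ids:
        violations.append("unapproved AMI")
    if after.get("subnet_id") not in allowed_subnets:
        violations.append("unapproved subnet")
    sgs = set(after.get("vpc_security_group_ids") or [])
    if not sgs or not sgs <= set(allowed_security_groups):
        violations.append("unapproved security group")
    # Nested blocks are lists in the plan; an absent block leaves IMDSv1 enabled.
    metadata = (after.get("metadata_options") or [{}])[0]
    if metadata.get("http_tokens") != "required":
        violations.append("IMDSv2 not required")
    devices = (after.get("root_block_device") or []) + (after.get("ebs_block_device") or [])
    if not devices or not all(d.get("encrypted") for d in devices):
        violations.append("unencrypted volume")
    if any(d.get("delete_on_termination", True) for d in devices):
        violations.append("volume deleted on termination")
    return violations


def evaluate_plan(plan_json, allowed_ami_ids, allowed_subnets, allowed_security_groups):
    """Map each planned aws_instance address to its list of violations."""
    plan = json.loads(plan_json)
    return {address: evaluate_instance(after, allowed_ami_ids, allowed_subnets, allowed_security_groups)
            for address, after in resources_of_type(plan, "aws_instance")}


if __name__ == "__main__":
    results = evaluate_plan(SAMPLE_PLAN, ["ami-0123456789abcdef0"], ["subnet-aaaa1111"], ["sg-0a0a0a0a"])
    for address, found in results.items():
        print(address, "allowed" if not found else "denied: " + ", ".join(found))
```

Treating a missing or computed value as a violation is the safe default for a plan-time check: a security group or root block device that is only resolved at apply time cannot be approved on the evidence in the plan.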
AWS: IAM: Ensure IAM account has Complex and Unique password policy
Require the AWS/IAM account to have a complex and unique password policy. Following the mitigations listed for https://attack.mitre.org/techniques/T1110/ (Brute Force), the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434. Checks resources with type 'aws_iam_account_password_policy'.
Parameters
None
AWS: IAM: Restrict Attaching AdministratorAccess Policy.
Restricts attaching the AWS managed AdministratorAccess policy to users, roles and groups. Checks resources with type 'aws_iam_user_policy_attachment', 'aws_iam_role_policy_attachment' and 'aws_iam_group_policy_attachment'.
Parameters
None
AWS: IAM: Restrict Access Key Actions in IAM policies
Require AWS/IAM user/group/role policies not to grant the access key management actions (iam:CreateAccessKey, iam:UpdateAccessKey, iam:ListAccessKeys, iam:DeleteAccessKey) and not to allow all actions ('iam:*' or '*') in 'Action'. Checks resources with type 'aws_iam_user_policy', 'aws_iam_role_policy', 'aws_iam_group_policy' and 'aws_iam_policy'.
Parameters
None
AWS: IAM: Restrict hardcoded secret credentials.
Prohibits hardcoded AWS 'access_key' and 'secret_key' values in Terraform files. Due to plan format restrictions, this policy only works for Terraform 0.12 onward.
Parameters
None
AWS: IAM: Prohibit IAM policies directly being attached to IAM users
Requires AWS/IAM policies not to be attached directly to IAM users. Checks resources with type 'aws_iam_user_policy_attachment'.
Parameters
None
AWS: IAM: Prohibit Policies containing an Asterisk
Require AWS/IAM policies not to use an asterisk ('*') in 'Action', nor a bare asterisk ('*') without a prefix in 'Resource'. Checks resources with type 'aws_iam_policy'.
Parameters
None
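The IAM rules above inspect policy documents and policy attachments. The following is an added example in Python, not the library's Rego and not part of the library, that decodes the 'policy' argument (stored as a JSON string in the plan) of 'aws_iam_policy' and of the inline user, role and group policies, and checks attachment resources for the managed AdministratorAccess ARN. The sample plan, the resource addresses and the finding labels are constructed for illustration. Two details worth noting: Deny statements are not counted as grants, and a statement using 'NotAction' is treated as a wildcard, because it allows everything except the listed actions.

```python
import json

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ACCESS_KEY_ACTIONS = {"iam:createaccesskey", "iam:updateaccesskey",
                      "iam:listaccesskeys", "iam:deleteaccesskey"}
POLICY_TYPES = {"aws_iam_policy", "aws_iam_user_policy",
                "aws_iam_role_policy", "aws_iam_group_policy"}
ATTACHMENT_TYPES = {"aws_iam_user_policy_attachment", "aws_iam_role_policy_attachment",
                    "aws_iam_group_policy_attachment"}

# Constructed sample plan (not real Terraform output). The 'policy' values are JSON
# strings, which is how Terraform carries them in the plan.
SAMPLE_PLAN = json.dumps({"format_version": "1.0", "resource_changes": [
    {"address": "aws_iam_policy.readonly", "type": "aws_iam_policy",
     "change": {"actions": ["create"], "after": {"name": "readonly", "policy": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                        "Resource": "arn:aws:s3:::example-bucket/*"}]})}}},
    {"address": "aws_iam_role_policy.keys", "type": "aws_iam_role_policy",
     "change": {"actions": ["create"], "after": {"name": "keys", "policy": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
                       {"Effect": "Deny", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_iam_user_policy_attachment.admin", "type": "aws_iam_user_policy_attachment",
     "change": {"actions": ["create"], "after": {"user": "alice", "policy_arn": ADMIN_ARN}}},
]})


def as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy_document(doc):
    """Return the set of findings for one decoded IAM policy document."""
    findings = set()
    for statement in as_list(doc.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [a.lower() for a in as_list(statement.get("Action"))]
        if "NotAction" in statement or any("*" in a for a in actions):
            findings.add("wildcard action")  # covers '*', 'iam:*' and 's3:*' alike
        if ACCESS_KEY_ACTIONS & set(actions):
            findings.add("access key action")
        if "*" in as_list(statement.get("Resource")):
            findings.add("wildcard resource")  # bare '*', not a prefixed ARN pattern
    return findings


def evaluate_plan(plan_json):
    """Map each resource address that has findings to a sorted list of labels."""
    results = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:
            continue
        findings = set()
        if rc["type"] in POLICY_TYPES:
            if after.get("policy") is None:
                # The document is built from values computed at apply time (listed
                # under after_unknown) and cannot be inspected now: fail closed.
                findings.add("policy unknown at plan time")
            else:
                findings |= check_policy_document(json.loads(after["policy"]))
        elif rc["type"] in ATTACHMENT_TYPES:
            if after.get("policy_arn") == ADMIN_ARN:
                findings.add("AdministratorAccess attached")
            if rc["type"] == "aws_iam_user_policy_attachment":
                findings.add("policy attached directly to user")
        if findings:
            results[rc["address"]] = sorted(findings)
    return results


if __name__ == "__main__":
    for address, found in evaluate_plan(SAMPLE_PLAN).items():
        print(address, "->", ", ".join(found))
```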
AWS: Security Groups: Restrict Ingress from public IPs.
Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. The ranges treated as private are "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12" and "192.168.0.0/16" (note that 169.254.0.0/16 is the link-local range rather than RFC 1918 private space, but the policy includes it). Checks resources with type 'aws_security_group'.
Parameters
None
AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports
Require AWS/Security Groups to allow ingress only from whitelisted CIDR blocks on whitelisted ports. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_security_group'.
Parameters
allowed_cidr_ports
- Type: object
- Unique: false
- Required Parameters: allowed_cidr_ports
AWS: Security Groups: Ingress Allow only whitelisted Ports
Require AWS/Security Groups to open only whitelisted ports to the CIDR "0.0.0.0/0". Checks resources with type 'aws_security_group'.
Parameters
allowed_ports
- Type: array
- Unique: true
- Required Parameters: allowed_ports
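The three Security Group entries above express different postures over the same 'ingress' data: private sources only, a port whitelist for "0.0.0.0/0", and a per-CIDR port whitelist. The following is an added Python example, not the library's Rego and not part of the library, that evaluates all three against a constructed plan. Inline 'ingress' blocks appear in the plan JSON as a list of objects with 'cidr_blocks', 'ipv6_cidr_blocks', 'from_port', 'to_port' and 'protocol'. The plan, the parameter values and the shape assumed for 'allowed_cidr_ports' (a map from CIDR, or '*', to a list of ports, or '*') are assumptions for illustration; the page does not define that object's layout.

```python
import ipaddress
import json

# CIDRs the "Restrict Ingress from public IPs" rule treats as private. 169.254.0.0/16
# is the link-local range, not RFC 1918 space, but the rule lists it.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]
ALL_PORTS = frozenset(range(65536))

# Constructed sample plan (not real Terraform output).
SAMPLE_PLAN = json.dumps({"format_version": "1.0", "resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"name": "web", "ingress": [
         {"cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": [], "from_port": 443, "to_port": 443, "protocol": "tcp"},
         {"cidr_blocks": ["10.0.0.0/16"], "ipv6_cidr_blocks": [], "from_port": 22, "to_port": 22, "protocol": "tcp"}]}}},
    {"address": "aws_security_group.wide", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"name": "wide", "ingress": [
         {"cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": [], "from_port": 0, "to_port": 0, "protocol": "-1"},
         {"cidr_blocks": ["203.0.113.0/24"], "ipv6_cidr_blocks": [], "from_port": 3389, "to_port": 3389, "protocol": "tcp"}]}}},
]})


def is_private(cidr):
    """True if the CIDR lies entirely inside one of PRIVATE_RANGES (IPv6 is never private here)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(p) for p in PRIVATE_RANGES)


def rule_ports(rule):
    """Ports an ingress block opens; protocol -1 ("all") ignores from_port/to_port."""
    if str(rule.get("protocol")) == "-1":
        return ALL_PORTS
    return frozenset(range(int(rule["from_port"]), int(rule["to_port"]) + 1))


def allowed_ports_for(cidr, allowed_cidr_ports):
    """Ports permitted for a source CIDR under the assumed allowed_cidr_ports shape.

    Assumed shape (not defined by the page): {cidr or "*": [ports] or "*"}.
    """
    spec = allowed_cidr_ports.get(cidr, allowed_cidr_ports.get("*"))
    if spec is None:
        return frozenset()
    return ALL_PORTS if spec == "*" else frozenset(int(p) for p in spec)


def evaluate_security_group(after, allowed_ports, allowed_cidr_ports):
    """Apply the three ingress rules above to one aws_security_group."""
    violations = []
    for rule in after.get("ingress") or []:
        cidrs = list(rule.get("cidr_blocks") or []) + list(rule.get("ipv6_cidr_blocks") or [])
        ports = rule_ports(rule)
        for cidr in cidrs:
            if not is_private(cidr):
                violations.append(f"public ingress from {cidr}")
            if cidr == "0.0.0.0/0" and not ports <= frozenset(allowed_ports):
                violations.append("0.0.0.0/0 on non-whitelisted ports")
            if not ports <= allowed_ports_for(cidr, allowed_cidr_ports):
                violations.append(f"{cidr} on ports outside allowed_cidr_ports")
    return violations


def evaluate_plan(plan_json, allowed_ports, allowed_cidr_ports):
    """Map each planned aws_security_group address to its list of violations."""
    plan = json.loads(plan_json)
    return {rc["address"]: evaluate_security_group(rc["change"]["after"], allowed_ports, allowed_cidr_ports)
            for rc in plan.get("resource_changes", [])
            if rc.get("type") == "aws_security_group" and rc["change"].get("after") is not None}


if __name__ == "__main__":
    results = evaluate_plan(SAMPLE_PLAN, [443], {"0.0.0.0/0": [443], "10.0.0.0/16": [22]})
    for address, found in results.items():
        print(address, "allowed" if not found else "denied: " + "; ".join(found))
```

Rules created as standalone 'aws_security_group_rule' resources are not inline 'ingress' blocks and so are invisible to a check scoped to 'aws_security_group'; a policy that is meant to be complete has to cover that resource type as well.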
AWS: RDS: Prohibit publicly accessible RDS instances
Require AWS/RDS instances to not be publicly accessible. Checks resources with type 'aws_db_instance'.
Parameters
None
AWS: S3: Block All Public Access to Buckets
Require AWS/S3 buckets to have blocked all public access. Checks resources with type 'aws_s3_bucket' along with 'aws_s3_bucket_public_access_block'.
Parameters
None
AWS: S3: Ensure Logging is Enabled in S3 Buckets
Require AWS/S3 buckets to have logging enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions
Require AWS/S3 bucket policy to not use asterisk in 'Action'. Checks resources with type 'aws_s3_bucket_policy'.
Parameters
None
AWS: S3: Prohibit Unencrypted Buckets
Require AWS/S3 buckets to be encrypted. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Prohibit Unencrypted Bucket Object
Require AWS/S3 bucket objects to be server-side encrypted. Checks resources with type 'aws_s3_bucket_object'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Ensure Versioning is Enabled for S3 Buckets
Require AWS/S3 buckets to have versioning enabled. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
None
AWS: S3: Restrict S3 buckets with unapproved ACL
Require AWS/S3 to use Canned ACL from a pre-approved list. Checks resources with type 'aws_s3_bucket'. This policy is only compatible with v3 of the Terraform AWS provider.
Parameters
allowed_acls
- Type: array
- Unique: true
- Required Parameters: allowed_acls
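The S3 entries marked v3-only are affected by the provider change described at the top of this page: provider v4 moved versioning, logging, server-side encryption and the ACL out of 'aws_s3_bucket' into the standalone resources 'aws_s3_bucket_versioning', 'aws_s3_bucket_logging', 'aws_s3_bucket_server_side_encryption_configuration' and 'aws_s3_bucket_acl'. The following added Python example, not the library's Rego and not part of the library, shows the consequence: a check that reads only the bucket's nested blocks wrongly flags a correctly configured v4 bucket, while a check that correlates the standalone resources by bucket name handles both provider generations. Both plans are constructed for illustration. In a real v4 plan the 'bucket' argument of a standalone resource is often a reference to a bucket created in the same plan and then sits under 'after_unknown'; the example reports such resources rather than resolving them.

```python
import json

SETTINGS = ("encrypted", "versioning", "logging")

# Constructed plan fragments (not real Terraform output).
# Provider v3: the settings are nested blocks of aws_s3_bucket.
V3_PLAN = json.dumps({"format_version": "0.2", "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {
         "bucket": "example-logs",
         "server_side_encryption_configuration": [{"rule": [
             {"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}],
         "versioning": [{"enabled": True, "mfa_delete": False}],
         "logging": [{"target_bucket": "example-audit", "target_prefix": "logs/"}]}}},
]})

# Provider v4: the same settings as standalone resources linked by bucket name.
# Logging is deliberately left out so the provider-aware check still has a finding.
V4_PLAN = json.dumps({"format_version": "1.0", "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs"}}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs", "rule": [
         {"apply_server_side_encryption_by_default": [{"sse_algorithm": "AES256"}]}]}}},
    {"address": "aws_s3_bucket_versioning.logs", "type": "aws_s3_bucket_versioning",
     "change": {"actions": ["create"], "after": {"bucket": "example-logs",
                                                  "versioning_configuration": [{"status": "Enabled"}]}}},
]})


def planned(plan_json):
    """Yield (address, type, after) for resources that exist after apply."""
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is not None:
            yield rc["address"], rc["type"], after


def v3_only_unencrypted(plan_json):
    """The v3-style check: encryption must be a nested block of aws_s3_bucket.

    Against a v4 plan that block is absent from 'after' (it is computed), so every
    bucket is reported even when an encryption configuration resource exists.
    """
    return [after.get("bucket") or address for address, rtype, after in planned(plan_json)
            if rtype == "aws_s3_bucket" and not after.get("server_side_encryption_configuration")]


def bucket_status(plan_json):
    """Map bucket name -> settings, accepting v3 nested blocks or v4 standalone resources.

    Returns (status, unresolved); unresolved lists resources whose 'bucket' value
    is not known at plan time.
    """
    status, unresolved = {}, []

    def entry(name):
        return status.setdefault(name, dict.fromkeys(SETTINGS, False))

    for address, rtype, after in planned(plan_json):
        name = after.get("bucket")
        if name is None:
            unresolved.append(address)
            continue
        if rtype == "aws_s3_bucket":
            s = entry(name)
            s["encrypted"] |= bool(after.get("server_side_encryption_configuration"))
            s["versioning"] |= bool((after.get("versioning") or [{}])[0].get("enabled"))
            s["logging"] |= bool(after.get("logging"))
        elif rtype == "aws_s3_bucket_server_side_encryption_configuration":
            entry(name)["encrypted"] |= bool(after.get("rule"))
        elif rtype == "aws_s3_bucket_versioning":
            vc = (after.get("versioning_configuration") or [{}])[0]
            entry(name)["versioning"] |= vc.get("status") == "Enabled"
        elif rtype == "aws_s3_bucket_logging":
            entry(name)["logging"] |= bool(after.get("target_bucket"))
    return status, unresolved


def violations(plan_json):
    """Bucket name (or resource address) -> list of settings that are missing."""
    status, unresolved = bucket_status(plan_json)
    out = {name: [k for k in SETTINGS if not s[k]] for name, s in status.items() if not all(s.values())}
    out.update({address: ["bucket reference unknown at plan time"] for address in unresolved})
    return out


if __name__ == "__main__":
    print("v3-only check, v3 plan:", v3_only_unencrypted(V3_PLAN))  # []
    print("v3-only check, v4 plan:", v3_only_unencrypted(V4_PLAN))  # ['example-logs'], a false positive
    print("provider-aware check, v3 plan:", violations(V3_PLAN))
    print("provider-aware check, v4 plan:", violations(V4_PLAN))
```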
AWS: S3: Allow ingress only from whitelisted IPs
Require AWS/S3 bucket policies to permit access only from whitelisted source IPs. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_s3_bucket_policy'.
Parameters
allowed_ips
- Type: array
- Unique: true
- Required Parameters: allowed_ips
AWS: SageMaker: Prohibit SageMaker Notebook instance with direct internet access enabled
Require AWS/SageMaker notebook instances to have direct internet access disabled. Checks resources with type 'aws_sagemaker_notebook_instance'.
Parameters
None
AWS: SSM: Prohibit publicly accessible SSM documents
Require AWS/SSM Document not to be publicly accessible. Checks resources with type 'aws_ssm_document'.
Parameters
None
Azure: IAM: Prohibit assignment of Owner role
Require Azure/IAM role assignments not to assign the Owner role to any principal. Checks resources with type 'azurerm_role_assignment'.
Parameters
None
Azure: MariaDB: Prohibit backup disabled MariaDB database
Require Azure/MariaDB database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mariadb_server'.
Parameters
None
Azure: MySQL: Prohibit backup disabled MySQL database
Require Azure/MySQL database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mysql_server'.
Parameters
None
Azure: Security Groups: Block port 22 for '0.0.0.0/0'
Azure/Network Security Groups should block inbound traffic on port 22 from "0.0.0.0/0" or "*". Checks resources with type 'azurerm_network_security_group'.
Parameters
None
Azure: Postgres: Prohibit backup disabled Postgres database
Require Azure/Postgres database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_postgresql_server'.
Parameters
None
Azure: Storage Account: Deny Unencrypted transit
Azure/Storage Accounts should accept requests over secure connections (HTTPS) only. Checks resources with type 'azurerm_storage_account'.
Parameters
None
GCP: Service Account: Prohibit using default Service Account
Requires a custom service account for google_compute_instance resources instead of the default Compute Engine service account. Checks resources with type 'google_compute_instance'.
Parameters
None
GCP: Bigquery Dataset: Prohibit Dataset accessible to all authenticated users
Restrict public accessibility of google_bigquery_dataset resources, i.e. access granted to all authenticated users. Checks resources with type 'google_bigquery_dataset'.
Parameters
None
GCP: IAM: Prohibit service account with admin privileges
Prohibit granting roles with admin privileges to a service account through a google_project_iam_member resource. Checks resources with type 'google_project_iam_member'.
Parameters
None
GCP: Network: Prohibit firewall allowing SSH access over internet
Network firewall resource should not allow ingress from '0.0.0.0/0' to port 22. Checks resources with type 'google_compute_firewall'.
Parameters
None
GCP: Storage Bucket: Prohibit buckets without versioning
Requires versioning to be enabled for google_storage_bucket resource. Checks resources with type 'google_storage_bucket'.
Parameters
None