Terraform Policy Library Rules
AWS: AutoScaling Group: Deny public IP address in launch configuration
Prohibit creation of autoscaling group if the launch configuration used has public IP address enabled.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a default root object.
Requires AWS/CloudFront distributions to be configured with a default root object.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without access logging
Requires AWS/CloudFront distributions to be configured with access logging.
Parameters
None
Requires AWS/CloudFront distributions to be configured with encrypted traffic to origin. Prohibits 'origin_protocol_policy' set to 'http-only', and prohibits 'origin_protocol_policy' set to 'match-viewer' when 'viewer_protocol_policy' is set to 'allow-all'.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without an HTTPS viewer protocol policy
Requires AWS/CloudFront distribution default and ordered cache behaviors to be configured with an 'https-only' or 'redirect-to-https' viewer_protocol_policy.
Parameters
None
AWS: CloudFront: Prohibit CloudFront distributions without a WAF association
Requires AWS/CloudFront distributions to be configured with a WAF web ACL ID.
Parameters
None
AWS: CloudTrail: Prohibit CloudTrails without server side encryption
Require AWS/CloudTrail trails to have server-side encryption using an AWS KMS key.
Parameters
None
AWS: CodeBuild Project: Prohibit if logging is not configured
Require CodeBuild Projects to have 'logs_config' with either 's3_logs' or 'cloudwatch_logs' enabled.
Parameters
None
AWS: CodeBuild Project: Prohibit Privileged Mode enabled
Require CodeBuild Projects environment config to have 'privileged_mode' set to false.
Parameters
None
AWS: DAX: Prohibit DAX clusters with disabled encryption at rest
Require AWS/DAX clusters to have enabled encryption at rest.
Parameters
None
AWS: DMS: Prohibit publicly accessible DMS replication instances
Require AWS/DMS replication instances to not be publicly accessible.
Parameters
None
AWS: EC2/EBS: Requires volumes to have a snapshot.
Ensure individually created EBS volumes have at least one associated snapshot.
Parameters
None
AWS: EC2: Ensure the EBS volumes are encrypted
Require individually created EBS volumes to be encrypted.
Parameters
None
AWS: EC2: Prohibit EC2 instances with a Public IP Address
Require AWS/EC2 instance to not have a Public IP Address.
Parameters
None
AWS: EC2: Restrict volume deletion after instance termination
Prevent the volume from being deleted after termination of the EC2 instance.
Parameters
None
AWS: EC2: Restrict instances with unapproved AMIs
Require EC2 instances to use an AMI from a pre-approved list.
Parameters
- allowed_ami_ids: A list of AMI IDs (e.g., ami-830c94e3, ami-0022c769)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_ami_ids
AWS: EC2: Restrict instances with unapproved Regions
Require EC2 instances to use an AWS Region from a pre-approved list.
Parameters
- allowed_regions: A list of AWS regions (e.g., us-east-1, us-west-2)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_regions
AWS: EC2: Restrict instances with unapproved subnets
Require EC2 instances to use a subnet from a pre-approved list.
Parameters
- allowed_subnets: A list of subnet IDs (e.g., subnet-012, subnet-890)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_subnets
AWS: EC2: Restrict instances with unapproved Security Groups
Require AWS/EC2 to use Security Groups from a pre-approved list.
Parameters
- allowed_security_groups: A list of Security Groups (e.g., sg-830c94e3, sg-0022c769)
  - Type: set_of_strings
  - Unique: false
  - Required: true
Required Parameters: allowed_security_groups
AWS: EC2: Ensure the instances use encrypted volume.
Require AWS/EC2 instances to use encrypted block storage volume.
Parameters
None
AWS: EC2: Restrict instances without IMDSv2
Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled.
Parameters
None
AWS: EC2: Prohibit EC2 instances without a VPC
Require AWS/EC2 instances to be deployed in a dedicated VPC with specified security group IDs.
Parameters
None
AWS: ECS: Prohibit ECS Service which has Assign Public IP enabled
Require AWS/ECS Service to have 'assign_public_ip' set as false in 'network_configuration'.
Parameters
None
AWS: Elastic Beanstalk: Prohibit Elastic Beanstalk environments with disabled managed actions
Require AWS/Elastic Beanstalk environments to have the managed actions setting enabled.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled encryption at rest
Require AWS/Elasticsearch domains to have enabled encryption at rest.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains not created in VPC
Require AWS/Elasticsearch domains to have subnets added in vpc_options.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains that do not enforce HTTPS and use TLS 1.2
Require AWS/Elasticsearch domains to enforce HTTPS and use TLS 1.2.
Parameters
None
AWS: Elasticsearch: Prohibit Elasticsearch Domains with disabled node to node encryption
Require AWS/Elasticsearch domains to have enabled node to node encryption.
Parameters
None
AWS: ELB: Prohibit Elastic Load Balancers with listener's lb_protocol not set to SSL/HTTPS
Requires AWS/ELB listeners to be configured with lb_protocol as either SSL or HTTPS.
Parameters
None
AWS: ELB: Prohibit Elastic Load Balancers with connection draining not set to true
Requires AWS/ELB listeners to be configured with connection_draining as true.
Parameters
None
AWS: GuardDuty: Block GuardDuty organization with disabled GuardDuty detector
Require GuardDuty Detector to be enabled for a GuardDuty Organization.
Parameters
None
AWS: IAM: Ensure IAM account has Complex and Unique password policy
Require AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434
Parameters
None
AWS: IAM: Ensure IAM account password policy meets AWS Foundational Security Best Practices
Require AWS/IAM account to have a complex and unique password policy, as recommended by https://docs.aws.amazon.com/config/latest/developerguide/iam-password-policy.html
Parameters
None
AWS: IAM: Restrict Access Key Actions in IAM policies
Require AWS/IAM user/group/role policies to not have Create/Update/List/Delete AccessKeys permissions or allow-all ('iam:*' or '*') in 'Action'.
Parameters
None
AWS: IAM: Restrict hardcoded secret credentials.
Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is prohibited.
Parameters
None
AWS: IAM: Prohibit IAM policies directly being attached to IAM users
Requires AWS/IAM policies not to be attached directly to IAM users.
Parameters
None
AWS: IAM: Prohibit Policies containing an Asterisk
Require AWS/IAM policies not to have an asterisk ("*") in Actions, nor an asterisk ("*") without a prefix in Resources.
Parameters
None
KICS: ALB Deletion Protection Disabled
Application Load Balancer should have deletion protection enabled
Parameters
None
KICS: ALB Is Not Integrated With WAF
All Application Load Balancers (ALB) must be protected with Web Application Firewall (WAF) service
Parameters
None
KICS: ALB Listening on HTTP
AWS Application Load Balancer (ALB) should not listen on HTTP
Parameters
None
KICS: ALB Not Dropping Invalid Headers
It's considered a best practice when using Application Load Balancers to drop invalid header fields
Parameters
None
KICS: AmazonMQ Broker Encryption Disabled
AmazonMQ Broker should have Encryption Options defined
Parameters
None
KICS: AMI Not Encrypted
AWS AMI Encryption is not enabled
Parameters
None
KICS: AMI Shared With Multiple Accounts
Limits access to AWS AMIs by checking if more than one account is using the same image
Parameters
None
KICS: API Gateway Access Logging Disabled
API Gateway should have Access Log Settings defined
Parameters
None
KICS: API Gateway Deployment Without Access Log Setting
API Gateway Deployment should have access log setting defined when connected to an API Gateway Stage.
Parameters
None
KICS: API Gateway Deployment Without API Gateway UsagePlan Associated
API Gateway Deployment should have API Gateway UsagePlan defined and associated.
Parameters
None
KICS: API Gateway Endpoint Config is Not Private
The API Endpoint type in API Gateway should be set to PRIVATE so it's not exposed to the public internet
Parameters
None
KICS: API Gateway Method Does Not Contain An API Key
An API Key should be required on a method request.
Parameters
None
KICS: API Gateway Method Settings Cache Not Encrypted
API Gateway Method Settings Cache should be encrypted
Parameters
None
KICS: API Gateway Stage Without API Gateway UsagePlan Associated
API Gateway Stage should have API Gateway UsagePlan defined and associated.
Parameters
None
KICS: API Gateway With CloudWatch Logging Disabled
AWS CloudWatch Logs for APIs should be enabled and using the naming convention described in documentation
Parameters
None
KICS: API Gateway With Invalid Compression
API Gateway should have valid compression, which means attribute 'minimum_compression_size' should be set and its value should be greater than -1 and smaller than 10485760.
Parameters
None
KICS: API Gateway With Open Access
API Gateway Method should restrict the authorization type, except for the HTTP OPTIONS method.
Parameters
None
KICS: API Gateway Without Configured Authorizer
API Gateway REST API should have an API Gateway Authorizer
Parameters
None
KICS: API Gateway Without Security Policy
API Gateway should have a Security Policy defined and use TLS 1.2.
Parameters
None
KICS: API Gateway Without SSL Certificate
SSL Client Certificate should be enabled
Parameters
None
KICS: API Gateway without WAF
API Gateway should have WAF (Web Application Firewall) enabled
Parameters
None
KICS: API Gateway X-Ray Disabled
API Gateway should have X-Ray Tracing enabled
Parameters
None
KICS: Athena Database Not Encrypted
AWS Athena Database data in S3 should be encrypted
Parameters
None
KICS: Athena Workgroup Not Encrypted
Athena Workgroup query results should be encrypted, for all queries that run in the workgroup
Parameters
None
KICS: Authentication Without MFA
Users should authenticate with MFA (Multi-factor Authentication) to ensure an extra layer of protection when authenticating
Parameters
None
KICS: Auto Scaling Group With No Associated ELB
AWS Auto Scaling Groups must have associated ELBs to ensure high availability and improve application performance. This means the attribute 'load_balancers' must be defined and not empty.
Parameters
None
KICS: Automatic Minor Upgrades Disabled
RDS instance should have automatic minor upgrades enabled, which means the attribute 'auto_minor_version_upgrade' must be set to true.
Parameters
None
KICS: Autoscaling Groups Supply Tags
Autoscaling groups should supply tags for configuration
Parameters
None
KICS: AWS Password Policy With Unchangeable Passwords
AWS password policy should not have unchangeable passwords
Parameters
None
KICS: Batch Job Definition With Privileged Container Properties
Batch Job Definition should not have Privileged Container Properties
Parameters
None
KICS: CA Certificate Identifier Is Outdated
The CA certificate Identifier must be 'rds-ca-2019'.
Parameters
None
KICS: CDN Configuration Is Missing
Content Delivery Network (CDN) service is used within an AWS account to secure and accelerate the delivery of websites. The use of a CDN can provide a layer of security between your origin content and the destination.
Parameters
None
KICS: Certificate Has Expired
Expired SSL/TLS certificates should be removed
Parameters
None
KICS: Certificate RSA Key Bytes Lower Than 256
The certificate should use an RSA key with a length equal to or higher than 256 bytes
Parameters
None
KICS: CloudFront Logging Disabled
AWS CloudFront distributions should have logging enabled to collect all viewer requests, which means the attribute 'logging_config' should be defined
Parameters
None
KICS: Cloudfront Viewer Protocol Policy Allows HTTP
Checks if the connection between CloudFront and the viewer is encrypted
Parameters
None
KICS: CloudFront Without Minimum Protocol TLS 1.2
CloudFront Minimum Protocol version should be at least TLS 1.2
Parameters
None
KICS: CloudFront Without WAF
All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
Parameters
None
KICS: CloudTrail Log File Validation Disabled
CloudTrail log file validation should be enabled to determine whether a log file has been tampered with
Parameters
None
KICS: CloudTrail Log Files Not Encrypted With KMS
Logs delivered by CloudTrail should be encrypted using KMS to increase security of your CloudTrail
Parameters
None
KICS: CloudTrail Log Files S3 Bucket is Publicly Accessible
CloudTrail Log Files S3 Bucket should not be publicly accessible
Parameters
None
KICS: CloudTrail Log Files S3 Bucket with Logging Disabled
CloudTrail Log Files S3 Bucket should have 'logging' enabled
Parameters
None
KICS: CloudTrail Logging Disabled
Checks if logging is enabled for CloudTrail.
Parameters
None
KICS: CloudTrail Multi Region Disabled
CloudTrail multi region should be enabled, which means attributes 'is_multi_region_trail' and 'include_global_service_events' should be enabled
Parameters
None
KICS: CloudTrail Not Integrated With CloudWatch
CloudTrail should be integrated with CloudWatch
Parameters
None
KICS: CloudTrail SNS Topic Name Undefined
Check if SNS topic name is set for CloudTrail
Parameters
None
KICS: CloudWatch AWS Config Configuration Changes Alarm Missing
Ensure a log metric filter and alarm exist for AWS Config configuration changes
Parameters
None
KICS: CloudWatch AWS Organizations Changes Missing Alarm
Ensure a log metric filter and alarm exist for AWS organizations changes
Parameters
None
KICS: CloudWatch Changes To NACL Alarm Missing
Ensure a log metric filter and alarm exist for changes to NACL
Parameters
None
KICS: Cloudwatch Cloudtrail Configuration Changes Alarm Missing
Ensure a log metric filter and alarm exist for CloudTrail configuration changes
Parameters
None
KICS: CloudWatch Disabling Or Scheduled Deletion Of Customer Created CMK Alarm Missing
Ensure a log metric filter and alarm exist for disabling or scheduled deletion of customer created CMK
Parameters
None
KICS: CloudWatch IAM Policy Changes Alarm Missing
Ensure a log metric filter and alarm exist for IAM policy changes
Parameters
None
KICS: CloudWatch Log Group Without KMS
AWS CloudWatch Log groups should be encrypted using KMS
Parameters
None
KICS: CloudWatch Logging Disabled
Check if CloudWatch logging is disabled for Route53 hosted zones
Parameters
None