
Policy Library Rules

AWS: EC2/EBS: Requires snapshot enabled.

Ensure individually created EBS volumes have snapshots enabled. Checks resources with type 'aws_ebs_volume'.

Parameters

None


AWS: EC2: Ensure the EBS volumes are encrypted.

Require individually created EBS volumes to be encrypted. Checks resources with type 'aws_ebs_volume'.

Parameters

None


AWS: EC2: Restrict volume deletion after instance termination

Prevent volumes from being deleted after the termination of the EC2 instance. Retaining volumes until they are explicitly deleted can protect against adversaries deleting critical data, or evidence of an intrusion. Checks resources with type 'aws_instance'.

Parameters

None


AWS: EC2: Restrict instances with unapproved AMIs

Ensure EC2 instances are using an AMI from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_ami_ids

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ami_ids

AWS: EC2: Restrict instances with unapproved Regions

Ensure EC2 instances are deployed in a Region from a pre-approved list. (Due to plan format restrictions, this policy only works for Terraform 12 onward.) Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_regions

      • Type: array
      • Unique: true
  • Required Parameters: allowed_regions

AWS: EC2: Restrict instances with unapproved subnets

Ensure EC2 instances are deployed in a subnet from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_subnets

      • Type: array
      • Unique: true
  • Required Parameters: allowed_subnets

AWS: EC2: Restrict instances with unapproved Security Groups

Require AWS/EC2 to use Security Groups from a pre-approved list. Checks resources with type 'aws_instance'.

Parameters

  • Parameters:

    • allowed_security_groups

      • Type: array
      • Unique: true
  • Required Parameters: allowed_security_groups

AWS: EC2: Ensure the instances use encrypted volume.

Require AWS/EC2 instances to use encrypted block storage volumes. Checks resources with type 'aws_instance'.

Parameters

None


AWS: EC2: Restrict instances without IMDSv2

Require EC2 instances and EC2 launch templates to have Instance Metadata Service Version 2 (IMDSv2) enabled. Checks resources with type 'aws_instance' and 'aws_launch_template'.

Parameters

None


AWS: EC2: Prohibit EC2 instances without a VPC

Require AWS/EC2 instance to be deployed in a VPC. Checks resources with type 'aws_instance'.

Parameters

None


AWS: IAM: Ensure IAM account has Complex and Unique password policy

Require the AWS/IAM account to have a complex and unique password policy. As recommended by https://attack.mitre.org/techniques/T1110/, the standards here are based on those established in https://pages.nist.gov/800-63-3/sp800-63b.html#appA and https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6234434. Checks resources with type 'aws_iam_account_password_policy'.

Parameters

None


AWS: IAM: Restrict Attaching AdministratorAccess Policy.

Restricts attaching the managed AdministratorAccess policy to users, roles and groups. Checks resources with type 'aws_iam_user_policy_attachment', 'aws_iam_role_policy_attachment' and 'aws_iam_group_policy_attachment'.

Parameters

None


AWS: IAM: Restrict Access Key Actions in IAM policies

Require AWS/IAM user/group/role policies not to grant Create/Update/List/Delete AccessKey permissions or allow-all wildcards ('iam:*' or '*') in 'Action'. Checks resources with type 'aws_iam_user_policy', 'aws_iam_role_policy', 'aws_iam_group_policy' and 'aws_iam_policy'.

Parameters

None


AWS: IAM: Restrict hardcoded secret credentials.

Hardcoding of AWS 'access_key' and 'secret_key' in Terraform files is restricted. (Due to plan format restrictions, this policy only works for Terraform 12 onward.)

Parameters

None


AWS: IAM: Prohibit IAM policies directly being attached to IAM users

Requires AWS/IAM policies not to be attached directly to IAM users. Checks resources with type 'aws_iam_user_policy_attachment'.

Parameters

None


AWS: IAM: Prohibit Policies containing an Asterisk

Require AWS/IAM policies not to have an asterisk ("*") in Actions, or an asterisk ("*") without a prefix in Resources. Checks resources with type 'aws_iam_policy'.

Parameters

None


AWS: Security Groups: Restrict Ingress from public IPs.

Require AWS/Security Groups to allow ingress from private IPv4 CIDRs only. Private IPv4 CIDR ranges: "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16". Checks resources with type 'aws_security_group'.

Parameters

None


AWS: Security Groups: Ingress Allow only whitelisted CIDR and Ports

Require AWS/Security Groups to have ingress only from whitelisted CIDR blocks on whitelisted ports. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_cidr_ports

      • Type: object
      • Unique: false
  • Required Parameters: allowed_cidr_ports

AWS: Security Groups: Ingress Allow only whitelisted Ports

Require AWS/Security Groups to allow only whitelisted ports for the CIDR "0.0.0.0/0". Checks resources with type 'aws_security_group'.

Parameters

  • Parameters:

    • allowed_ports

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ports

AWS: RDS: Prohibit publicly accessible RDS instances

Require AWS/RDS instances to not be publicly accessible. Checks resources with type 'aws_db_instance'.

Parameters

None


AWS: S3: Block All Public Access to Buckets

Require AWS/S3 buckets to have all public access blocked. Checks resources with type 'aws_s3_bucket' along with 'aws_s3_bucket_public_access_block'.

Parameters

None


AWS: S3: Ensure Logging is Enabled in S3 Buckets

Require AWS/S3 buckets to have logging enabled. Checks resources with type 'aws_s3_bucket'.

Parameters

None


AWS: S3: Prohibit Bucket Policies containing An Asterisk In Actions

Require AWS/S3 bucket policies not to use an asterisk in 'Action'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

None


AWS: S3: Prohibit Unencrypted Buckets

Require AWS/S3 buckets to be encrypted. Checks resources with type 'aws_s3_bucket'.

Parameters

None


AWS: S3: Prohibit Unencrypted Bucket Object

Require AWS/S3 bucket objects to be server-side encrypted. Checks resources with type 'aws_s3_bucket_object'.

Parameters

None


AWS: S3: Ensure Versioning is Enabled for S3 Buckets

Require AWS/S3 buckets to have versioning enabled. Checks resources with type 'aws_s3_bucket'.

Parameters

None


AWS: S3: Restrict S3 buckets with unapproved ACL

Require AWS/S3 buckets to use a canned ACL from a pre-approved list. Checks resources with type 'aws_s3_bucket'.

Parameters

  • Parameters:

    • allowed_acls

      • Type: array
      • Unique: true
  • Required Parameters: allowed_acls

AWS: S3: Allow ingress only from whitelisted IPs

Require AWS/S3 bucket policies to allow only whitelisted source IPs. To allow all, use the wildcard entry '*'. Checks resources with type 'aws_s3_bucket_policy'.

Parameters

  • Parameters:

    • allowed_ips

      • Type: array
      • Unique: true
  • Required Parameters: allowed_ips

Azure: IAM: Prohibit assignment of Owner role

Require Azure/IAM role assignments not to assign the Owner role to any principal. Checks resources with type 'azurerm_role_assignment'.

Parameters

None


Azure: MariaDB: Prohibit backup disabled MariaDB database

Require Azure/MariaDB database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mariadb_server'.

Parameters

None


Azure: MySQL: Prohibit backup disabled MySQL database

Require Azure/MySQL database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_mysql_server'.

Parameters

None


Azure: Security Groups: Block port 22 for '0.0.0.0/0'

Azure/Network Security Groups should block inbound traffic on port 22 for "0.0.0.0/0" or "*". Checks resources with type 'azurerm_network_security_group'.

Parameters

None


Azure: Postgres: Prohibit backup disabled Postgres database

Require Azure/Postgres database to have Geo-redundant backup enabled. Checks resources with type 'azurerm_postgresql_server'.

Parameters

None


Azure: Storage Account: Deny Unencrypted transit

Azure/Storage Accounts should accept requests over secure connections (HTTPS) only. Checks resources with type 'azurerm_storage_account'.

Parameters

None


GCP: Service Account: Prohibit using default Service Account

Requires a custom service account for the google_compute_instance resource. Checks resources with type 'google_compute_instance'.

Parameters

None


GCP: Bigquery Dataset: Prohibit Dataset accessible to all authenticated users

Restrict public accessibility for the google_bigquery_dataset resource. Checks resources with type 'google_bigquery_dataset'.

Parameters

None


GCP: IAM: Prohibit service account with admin privileges

Restrict service accounts from being granted admin privileges when adding a google_project_iam_member resource. Checks resources with type 'google_project_iam_member'.

Parameters

None


GCP: Network: Prohibit firewall allowing SSH access over internet

Network firewall resources should not allow ingress from '0.0.0.0/0' to port 22. Checks resources with type 'google_compute_firewall'.

Parameters

None


GCP: Storage Bucket: Prohibit buckets without versioning

Requires versioning to be enabled for the google_storage_bucket resource. Checks resources with type 'google_storage_bucket'.

Parameters

None