cdklabs / cdk-validator-cfnguard

Apache License 2.0
69 stars 6 forks source link

CDK CFN Guard Validator Plugin


cdk-constructs: Experimental

The APIs of higher level constructs in this module are experimental and under active development. They are subject to non-backward compatible changes or removal in any future version. These are not subject to the Semantic Versioning model and breaking changes will be announced in the release notes. This means that while you may use them, you may need to update your source code when upgrading to a newer version of this package.

Installing

TypeScript/JavaScript

npm install @cdklabs/cdk-validator-cfnguard

Python

pip install cdklabs.cdk-validator-cfnguard

Java

// add this to your pom.xml
<dependency>
    <groupId>io.github.cdklabs</groupId>
    <artifactId>cdk-validator-cfnguard</artifactId>
    <version>0.0.0</version> // replace with version
</dependency>

.NET

dotnet add package Cdklabs.CdkValidatorCfnGuard --version X.X.X

Usage

To use this plugin in your CDK application add it to the CDK App.

new App({
  policyValidationBeta1: [
    new CfnGuardValidator(),
  ],
});

By default the CfnGuardValidator plugin comes with the Control Tower proactive controls enabled. In order to disable these rules you can use the controlTowerRulesEnabled: false property.

new CfnGuardValidator({
  controlTowerRulesEnabled: false,
});

It is also possible to disable individual rules.

new CfnGuardValidator({
  disabledRules: [
    'ct-s3-pr-1',
  ],
});

Additional rules

To provide additional rules to the plugin, provide a list of local file or directory paths.

new CfnGuardValidator({
  rules: [
    'path/to/local-rules-directory',
    'path/to/s3/local-rules/my-rule.guard',
  ],
});

If the path provided is a directory then the directory must only contain guard rule files, and all rules within the directory will be used.

Using the bundled Control Tower proactive controls in CDK

The bundled Control Tower proactive controls use CloudFormation Guard policies that are also used in managed controls from the Control Tower service. You can use these CDK bundled controls without having a Control Tower environment in AWS, but there are many benefits to using the two together.

When you enable Control Tower proactive controls in your Control Tower environment, the controls can stop the deployment of non-compliant resources deployed via CloudFormation. For more information about managed proactive controls and how they work, see the Control Tower documentation.

These CDK bundled controls and managed Control Tower proactive controls are best used together. In this scenario you can configure this validation plugin with the same proactive controls that are active in your Control Tower cloud environment. You can then quickly gain confidence that your CDK application will pass the Control Tower controls by running cdk synth locally or in a pipeline as described above.

Regardless of whether you or your organization use Control Tower, however, you should understand the following things about these bundled controls when run locally using this plugin:

  1. These CloudFormation guard policies accept a limited subset of CloudFormation syntax for the properties they evaluate. For instance, a property called EncryptionEnabled may pass if it is specified with the literal value true, but it may fail if it is specified with a reference to a CloudFormation stack parameter instead. Similarly, if a rule checks for a string value, it may fail for Fn::Join objects. If you discover that a rule can be bypassed with a particular configuration of a resource, please file an issue.
  2. Some rules may check references to other resources, but this reference checking is limited. For instance, a rule may require that an access logging bucket is specified for each S3 bucket. In this case, the rule can check whether you have passed a reference to a bucket in the same template, but it cannot verify that a hardcoded bucket name like "examplebucket" actually refers to a real bucket or a bucket you own.

You can add a layer of security protection by enabling the same proactive controls in your Control Tower cloud environment. There are different considerations for using these controls since they operate in a different way. For more information, see the Control Tower proactive controls documentation.

If you do not yet have a Control Tower environment, see What is AWS Control Tower?.

Bundled Control Tower Rules

ID Name Evaluated Resource Types
CT.ACM.PR.1 Require an AWS Private CA certificate to have a single domain name AWS::CertificateManager::Certificate
CT.APIGATEWAY.PR.1 Require an Amazon API Gateway REST and WebSocket API to have logging activated AWS::ApiGateway::Stage
CT.APIGATEWAY.PR.2 Require an Amazon API Gateway REST API stage to have AWS X-Ray tracing activated AWS::ApiGateway::Stage
CT.APIGATEWAY.PR.3 Require that an Amazon API Gateway REST API stage has encryption at rest configured for cache data AWS::ApiGateway::Stage
CT.APIGATEWAY.PR.4 Require an Amazon API Gateway V2 stage to have access logging activated AWS::ApiGatewayV2::Stage
CT.APIGATEWAY.PR.5 Require Amazon API Gateway V2 Websocket and HTTP routes to specify an authorization type AWS::ApiGatewayV2::Route
AWS::ApiGatewayV2::ApiGatewayManagedOverrides
CT.APIGATEWAY.PR.6 Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2 AWS::ApiGateway::DomainName
CT.APPSYNC.PR.1 Require an AWS AppSync GraphQL API to have logging enabled AWS::AppSync::GraphQLApi
CT.APPSYNC.PR.2 Require an AWS AppSync GraphQL API to be configured with private visibility AWS::AppSync::GraphQLApi
CT.APPSYNC.PR.3 Require that an AWS AppSync GraphQL API is not authenticated with API keys AWS::AppSync::GraphQLApi
CT.APPSYNC.PR.4 Require an AWS AppSync GraphQL API cache to have encryption in transit enabled. AWS::AppSync::ApiCache
CT.APPSYNC.PR.5 Require an AWS AppSync GraphQL API cache to have encryption at rest enabled. AWS::AppSync::ApiCache
CT.ATHENA.PR.1 Require an Amazon Athena workgroup to encrypt Athena query results at rest AWS::Athena::WorkGroup
CT.ATHENA.PR.2 Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) key AWS::Athena::WorkGroup
CT.AUTOSCALING.PR.1 Require an Amazon EC2 Auto Scaling group to have multiple Availability Zones AWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.2 Require an Amazon EC2 Auto Scaling group launch configuration to configure Amazon EC2 instances for IMDSv2 AWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.3 Require an Amazon EC2 Auto Scaling launch configuration to have a single-hop metadata response limit AWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.4 Require an Amazon EC2 Auto Scaling group associated with an AWS Elastic Load Balancer (ELB) to have ELB health checks activated AWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.5 Require that an Amazon EC2 Auto Scaling group launch configuration does not have Amazon EC2 instances with public IP addresses AWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.6 Require any Amazon EC2 Auto Scaling groups to use multiple instance types AWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.8 Require an Amazon EC2 Auto Scaling group to have EC2 launch templates configured AWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.9 Require an Amazon EBS volume configured through an Amazon EC2 Auto Scaling launch configuration to encrypt data at rest AWS::AutoScaling::LaunchConfiguration
CT.AUTOSCALING.PR.10 Require an Amazon EC2 Auto Scaling group to use only AWS Nitro instance types when overriding a launch template AWS::AutoScaling::AutoScalingGroup
CT.AUTOSCALING.PR.11 Require only AWS Nitro instance types that support network traffic encryption between instances to be added to an Amazon EC2 Auto Scaling group, when overriding a launch template AWS::AutoScaling::AutoScalingGroup
CT.CLOUDFRONT.PR.1 Require an Amazon CloudFront distribution to have a default root object configured AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.3 Require an Amazon CloudFront distribution to have encryption in transit configured AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.4 Require an Amazon CloudFront distribution to have origin failover configured AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.5 Require any Amazon CloudFront distribution to have logging enabled AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.6 Require an Amazon CloudFront distribution to use custom SSL/TLS certificates AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.7 Require an Amazon CloudFront distribution to use SNI to serve HTTPS requests AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.8 Require an Amazon CloudFront distribution to encrypt traffic to custom origins AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.9 Require an Amazon CloudFront distribution to have a security policy of TLSv1.2 as a minimum AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.10 Require any Amazon CloudFront distributions with Amazon S3 backed origins to have origin access control configured AWS::CloudFront::Distribution
CT.CLOUDFRONT.PR.11 Require an Amazon CloudFront distribution to use updated SSL protocols between edge locations and custom origins AWS::CloudFront::Distribution
CT.CLOUDTRAIL.PR.1 Require an AWS CloudTrail trail to have encryption at rest activated AWS::CloudTrail::Trail
CT.CLOUDTRAIL.PR.2 Require an AWS CloudTrail trail to have log file validation activated AWS::CloudTrail::Trail
CT.CLOUDTRAIL.PR.3 Require an AWS CloudTrail trail to have an Amazon CloudWatch log group configuration AWS::CloudTrail::Trail
CT.CLOUDTRAIL.PR.4 Require an AWS CloudTrail Lake event data store to enable encryption at rest with an AWS KMS key AWS::CloudTrail::EventDataStore
CT.CLOUDWATCH.PR.1 Require an Amazon CloudWatch alarm to have an action configured for the alarm state AWS::CloudWatch::Alarm
CT.CLOUDWATCH.PR.2 Require an Amazon CloudWatch log group to be retained for at least one year AWS::Logs::LogGroup
CT.CLOUDWATCH.PR.3 Require an Amazon CloudWatch log group to be encrypted at rest with an AWS KMS key AWS::Logs::LogGroup
CT.CLOUDWATCH.PR.4 Require an Amazon CloudWatch alarm to have actions activated AWS::CloudWatch::Alarm
CT.CODEBUILD.PR.1 Require OAuth on GitHub or Bitbucket source repository URLs for AWS CodeBuild projects AWS::CodeBuild::Project
CT.CODEBUILD.PR.2 Require any AWS CodeBuild project environment variable to encrypt credentials in environment variables AWS::CodeBuild::Project
CT.CODEBUILD.PR.3 Require any AWS CodeBuild project environment to have logging configured AWS::CodeBuild::Project
CT.CODEBUILD.PR.4 Require any AWS CodeBuild project to deactivate privileged mode when running AWS::CodeBuild::Project
CT.CODEBUILD.PR.5 Require encryption on all AWS CodeBuild project artifacts AWS::CodeBuild::Project
CT.CODEBUILD.PR.6 Require encryption on all Amazon S3 logs for AWS CodeBuild projects AWS::CodeBuild::Project
CT.DAX.PR.1 Require encryption at rest for all Amazon DynamoDB Accelerator (DAX) clusters AWS::DAX::Cluster
CT.DAX.PR.2 Require an Amazon DAX cluster to deploy nodes to at least three Availability Zones AWS::DAX::Cluster
CT.DAX.PR.3 Require an Amazon DAX cluster to encrypt data in transit with Transport Layer Security (TLS) AWS::DAX::Cluster
CT.DMS.PR.1 Require that a public AWS DMS replication instance is not public AWS::DMS::ReplicationInstance
CT.DMS.PR.2 Require an AWS Database Migration Service (DMS) Endpoint to encrypt connections for source and target endpoints AWS::DMS::Endpoint
CT.DOCUMENTDB.PR.1 Require an Amazon DocumentDB cluster to be encrypted at rest AWS::DocDB::DBCluster
CT.DOCUMENTDB.PR.2 Require an Amazon DocumentDB cluster to have a backup retention period greater than or equal to seven days AWS::DocDB::DBCluster
CT.DYNAMODB.PR.1 Require that point-in-time recovery for an Amazon DynamoDB table is activated AWS::DynamoDB::Table
CT.DYNAMODB.PR.2 Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key AWS::DynamoDB::Table
CT.EC2.PR.1 Require an Amazon EC2 launch template to have IMDSv2 configured AWS::EC2::LaunchTemplate
CT.EC2.PR.2 Require that Amazon EC2 launch templates restrict the token hop limit to a maximum of one AWS::EC2::LaunchTemplate
CT.EC2.PR.3 Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443 AWS::EC2::SecurityGroup
AWS::EC2::SecurityGroupIngress
CT.EC2.PR.4 Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for specific high-risk ports AWS::EC2::SecurityGroup
AWS::EC2::SecurityGroupIngress
CT.EC2.PR.5 Require any Amazon EC2 network ACL to prevent ingress from 0.0.0.0/0 to port 22 or port 3389 AWS::EC2::NetworkAclEntry
CT.EC2.PR.6 Require that Amazon EC2 transit gateways refuse automatic Amazon VPC attachment requests AWS::EC2::TransitGateway
CT.EC2.PR.7 Require an Amazon EBS volume resource to be encrypted at rest when defined by means of the AWS::EC2::Instance BlockDeviceMappings property or AWS::EC2::Volume resource type AWS::EC2::Instance
AWS::EC2::Volume
CT.EC2.PR.8 Require an Amazon EC2 instance to set AssociatePublicIpAddress to false on a new network interface created by means of the NetworkInterfaces property in the AWS::EC2::Instance resource AWS::EC2::Instance
CT.EC2.PR.9 Require any Amazon EC2 launch template not to auto-assign public IP addresses to network interfaces AWS::EC2::LaunchTemplate
CT.EC2.PR.10 Require Amazon EC2 launch templates to have Amazon CloudWatch detailed monitoring activated AWS::EC2::LaunchTemplate
CT.EC2.PR.11 Require that an Amazon EC2 subnet does not automatically assign public IP addresses AWS::EC2::Subnet
CT.EC2.PR.12 Require an Amazon EC2 instance to specify at most one network interface by means of the NetworkInterfaces property in the AWS::EC2::Instance resource AWS::EC2::Instance
CT.EC2.PR.13 Require an Amazon EC2 instance to have detailed monitoring enabled AWS::EC2::Instance
CT.EC2.PR.14 Require an Amazon EBS volume configured through an Amazon EC2 launch template to encrypt data at rest AWS::EC2::LaunchTemplate
CT.EC2.PR.15 Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the 'AWS::EC2::LaunchTemplate' resource type AWS::EC2::LaunchTemplate
CT.EC2.PR.16 Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the 'AWS::EC2::Instance' resource type AWS::EC2::Instance
CT.EC2.PR.17 Require an Amazon EC2 dedicated host to use an AWS Nitro instance type AWS::EC2::Host
CT.EC2.PR.18 Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types AWS::EC2::EC2Fleet
CT.EC2.PR.19 Require an EC2 instance to use an AWS Nitro instance type that supports encryption in-transit between instances when created using the AWS::EC2::Instance resource type AWS::EC2::Instance
CT.EC2.PR.20 Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types that support encryption in transit between instances AWS::EC2::EC2Fleet
CT.ECR.PR.1 Require Amazon ECR repositories to have a lifecycle policy configured AWS::ECR::Repository
CT.ECR.PR.2 Require Amazon ECR private repositories to have image scanning enabled AWS::ECR::Repository
CT.ECR.PR.3 Require Amazon ECR private repositories to have tag immutability enabled AWS::ECR::Repository
CT.ECS.PR.1 Require AWS ECS Fargate Services to run on the latest Fargate platform version AWS::ECS::Service
CT.ECS.PR.2 Require any Amazon ECS cluster to have container insights activated AWS::ECS::Cluster
CT.ECS.PR.3 Require any Amazon ECS task definition to specify a user that is not the root AWS::ECS::TaskDefinition
CT.ECS.PR.4 Require Amazon ECS tasks to use 'awsvpc' networking mode AWS::ECS::TaskDefinition
CT.ECS.PR.5 Require an active Amazon ECS task definition to have a logging configuration AWS::ECS::TaskDefinition
CT.ECS.PR.6 Require Amazon ECS containers to allow read-only access to the root filesystem AWS::ECS::TaskDefinition
CT.ECS.PR.7 Require an Amazon ECS task definition to have a specific memory usage limit AWS::ECS::TaskDefinition
CT.ECS.PR.8 Require Amazon ECS task definitions to have secure networking modes and user definitions AWS::ECS::TaskDefinition
CT.ECS.PR.9 Require Amazon ECS services not to assign public IP addresses automatically AWS::ECS::Service
CT.ECS.PR.10 Require that Amazon ECS task definitions do not share the host's process namespace AWS::ECS::TaskDefinition
CT.ECS.PR.11 Require an Amazon ECS container to run as non-privileged AWS::ECS::TaskDefinition
CT.ECS.PR.12 Require that Amazon ECS task definitions do not pass secrets as container environment variables AWS::ECS::TaskDefinition
CT.EKS.PR.1 Require an Amazon EKS cluster to be configured with public access disabled to the cluster Kubernetes API server endpoint. AWS::EKS::Cluster
CT.EKS.PR.2 Require an Amazon EKS cluster to be configured with secret encryption using AWS Key Management Service (KMS) keys AWS::EKS::Cluster
CT.ELASTICACHE.PR.1 Require an Amazon ElastiCache for Redis cluster to have automatic backups activated AWS::ElastiCache::CacheCluster
CT.ELASTICACHE.PR.2 Require an Amazon ElastiCache for Redis cluster to have automatic minor version upgrades activated AWS::ElastiCache::CacheCluster
CT.ELASTICACHE.PR.3 Require an Amazon ElastiCache for Redis replication group to have automatic failover activated AWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.4 Require an Amazon ElastiCache replication group to have encryption at rest activated AWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.5 Require an Amazon ElastiCache for Redis replication group to have encryption in transit activated AWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.6 Require an Amazon ElastiCache cache cluster to use a custom subnet group AWS::ElastiCache::CacheCluster
CT.ELASTICACHE.PR.7 Require an Amazon ElastiCache replication group of earlier Redis versions to have Redis AUTH activated AWS::ElastiCache::ReplicationGroup
CT.ELASTICACHE.PR.8 Require an Amazon ElastiCache replication group of later Redis versions to have RBAC authentication activated AWS::ElastiCache::ReplicationGroup
CT.ELASTICBEANSTALK.PR.1 Require AWS Elastic Beanstalk environments to have enhanced health reporting enabled AWS::ElasticBeanstalk::Environment
AWS::ElasticBeanstalk::ConfigurationTemplate
CT.ELASTICBEANSTALK.PR.2 Require an AWS Elastic Beanstalk environment to have managed platform updates configured AWS::ElasticBeanstalk::Environment
AWS::ElasticBeanstalk::ConfigurationTemplate
CT.ELASTICBEANSTALK.PR.3 Require an AWS Elastic Beanstalk environment to have a logging configuration AWS::ElasticBeanstalk::Environment
AWS::ElasticBeanstalk::ConfigurationTemplate
CT.ELASTICFILESYSYSTEM.PR.1 Require an Amazon EFS file system to encrypt file data at rest using AWS KMS AWS::EFS::FileSystem
CT.ELASTICFILESYSYSTEM.PR.2 Require an Amazon EFS volume to have an automated backup plan AWS::EFS::FileSystem
CT.ELASTICFILESYSYSTEM.PR.3 Require Amazon EFS access points to have a root directory AWS::EFS::AccessPoint
CT.ELASTICFILESYSYSTEM.PR.4 Require Amazon EFS access points to enforce a user identity AWS::EFS::AccessPoint
CT.ELASTICLOADBALANCING.PR.1 Require any application load balancer listener default actions to redirect all HTTP requests to HTTPS AWS::ElasticLoadBalancingV2::Listener
CT.ELASTICLOADBALANCING.PR.2 Require any Amazon ELB application or network load balancer to have an AWS Certificate Manager certificate AWS::ElasticLoadBalancingV2::Listener
AWS::ElasticLoadBalancingV2::ListenerCertificate
CT.ELASTICLOADBALANCING.PR.3 Require any application load balancer to have defensive or strictest desync mitigation mode activated AWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.4 Require that any application load balancer must be configured to drop HTTP headers AWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.5 Require that application load balancer deletion protection is activated AWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.6 Require that application and network load balancer access logging is activated AWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.7 Require any classic load balancer to have multiple Availability Zones configured AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.8 Require any classic load balancer SSL/HTTPS listener to have a certificate provided by AWS Certificate Manager AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.9 Require that an AWS ELB application or classic load balancer listener is configured with HTTPS or TLS termination AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.10 Require an ELB application or classic load balancer to have logging activated AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.11 Require any ELB classic load balancer to have connection draining activated AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.12 Require any ELB classic load balancer SSL/HTTPS listener to have a predefined security policy with a strong configuration AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.13 Require any ELB classic load balancer to have cross-zone load balancing activated AWS::ElasticLoadBalancing::LoadBalancer
CT.ELASTICLOADBALANCING.PR.14 Require a Network Load Balancer to have cross-zone load balancing activated AWS::ElasticLoadBalancingV2::LoadBalancer
CT.ELASTICLOADBALANCING.PR.15 Require that an Elastic Load Balancing v2 target group does not explicitly disable cross-zone load balancing AWS::ElasticLoadBalancingV2::TargetGroup
CT.EMR.PR.1 Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 AWS::EMR::SecurityConfiguration
CT.EMR.PR.2 Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key AWS::EMR::SecurityConfiguration
CT.EMR.PR.3 Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key AWS::EMR::SecurityConfiguration
CT.EMR.PR.4 Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit AWS::EMR::SecurityConfiguration
CT.GLUE.PR.1 Require an AWS Glue job to have an associated security configuration AWS::Glue::Job
CT.GUARDDUTY.PR.1 Require an Amazon GuardDuty detector to have Amazon S3 protection activated AWS::GuardDuty::Detector
CT.IAM.PR.1 Require that an AWS Identity and Access Management (IAM) inline policy does not have a statement that includes "*" in the Action and Resource elements AWS::IAM::Policy
AWS::IAM::Role
AWS::IAM::User
AWS::IAM::Group
CT.IAM.PR.2 Require that AWS Identity and Access Management (IAM) customer-managed policies do not contain a statement that includes "*" in the Action and Resource elements AWS::IAM::ManagedPolicy
CT.IAM.PR.3 Require that AWS Identity and Access Management (IAM) customer-managed policies do not have wildcard service actions AWS::IAM::ManagedPolicy
CT.IAM.PR.4 Require that an AWS Identity and Access Management (IAM) user does not have an inline or managed policy attached attached AWS::IAM::User
AWS::IAM::Policy
AWS::IAM::ManagedPolicy
CT.IAM.PR.5 Require that AWS Identity and Access Management (IAM) inline policies do not have wildcard service actions AWS::IAM::Policy
AWS::IAM::Role
AWS::IAM::User
AWS::IAM::Group
CT.KINESIS.PR.1 Require any Amazon Kinesis data stream to have encryption at rest configured AWS::Kinesis::Stream
CT.KMS.PR.1 Require any AWS KMS key to have rotation configured AWS::KMS::Key
CT.KMS.PR.2 Require that an AWS KMS asymmetric key with RSA key material used for encryption has a key length greater than 2048 bits AWS::KMS::Key
CT.KMS.PR.3 Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services AWS::KMS::Key
CT.LAMBDA.PR.2 Require AWS Lambda function policies to prohibit public access AWS::Lambda::Permission
CT.LAMBDA.PR.3 Require an AWS Lambda function to be in a customer-managed Amazon Virtual Private Cloud (VPC) AWS::Lambda::Function
CT.LAMBDA.PR.4 Require an AWS Lambda layer permission to grant access to an AWS organization or specific AWS account AWS::Lambda::LayerVersionPermission
CT.LAMBDA.PR.5 Require an AWS Lambda function URL to use AWS IAM-based authentication AWS::Lambda::Url
CT.LAMBDA.PR.6 Require an AWS Lambda function URL CORS policy to restrict access to specific origins AWS::Lambda::Url
CT.MQ.PR.1 Require an Amazon MQ ActiveMQ broker to use use active/standby deployment mode for high availability AWS::AmazonMQ::Broker
CT.MQ.PR.2 Require an Amazon MQ Rabbit MQ broker to use Multi-AZ cluster mode for high availability AWS::AmazonMQ::Broker
CT.MSK.PR.1 Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to enforce encryption in transit between cluster broker nodes AWS::MSK::Cluster
CT.MSK.PR.2 Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to be configured with PublicAccess disabled AWS::MSK::Cluster
CT.NEPTUNE.PR.1 Require an Amazon Neptune DB cluster to have AWS Identity and Access Management (IAM) database authentication enabled AWS::Neptune::DBCluster
CT.NEPTUNE.PR.2 Require an Amazon Neptune DB cluster to have deletion protection enabled AWS::Neptune::DBCluster
CT.NEPTUNE.PR.3 Require an Amazon Neptune DB cluster to have storage encryption enabled AWS::Neptune::DBCluster
CT.NEPTUNE.PR.4 Require an Amazon Neptune DB cluster to enable Amazon CloudWatch log export for audit logs AWS::Neptune::DBCluster
CT.NEPTUNE.PR.5 Require an Amazon Neptune DB cluster to set a backup retention period greater than or equal to seven days AWS::Neptune::DBCluster
CT.NETWORK-FIREWALL.PR.1 Require any AWS Network Firewall firewall policy to have an associated rule group AWS::NetworkFirewall::FirewallPolicy
CT.NETWORK-FIREWALL.PR.2 Require any AWS Network Firewall firewall policy to drop or forward stateless full packets by default when they do not match a rule AWS::NetworkFirewall::FirewallPolicy
CT.NETWORK-FIREWALL.PR.3 Require any AWS Network Firewall firewall policy to drop or forward fragmented packets by default when they do not match a stateless rule AWS::NetworkFirewall::FirewallPolicy
CT.NETWORK-FIREWALL.PR.4 Require any AWS Network Firewall rule group to contain at least one rule AWS::NetworkFirewall::RuleGroup
CT.NETWORK-FIREWALL.PR.5 Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones AWS::NetworkFirewall::Firewall
CT.OPENSEARCH.PR.1 Require an Elasticsearch domain to encrypt data at rest AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.2 Require an Elasticsearch domain to be created in a user-specified Amazon VPC AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.3 Require an Elasticsearch domain to encrypt data sent between nodes AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.4 Require an Elasticsearch domain to send error logs to Amazon CloudWatch Logs AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.5 Require an Elasticsearch domain to send audit logs to Amazon CloudWatch Logs AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.6 Require an Elasticsearch domain to have zone awareness and at least three data nodes AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.7 Require an Elasticsearch domain to have at least three dedicated master nodes AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.8 Require an Elasticsearch Service domain to use TLSv1.2 AWS::Elasticsearch::Domain
CT.OPENSEARCH.PR.9 Require an Amazon OpenSearch Service domain to encrypt data at rest AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.10 Require an Amazon OpenSearch Service domain to be created in a user-specified Amazon VPC AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.11 Require an Amazon OpenSearch Service domain to encrypt data sent between nodes AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.12 Require an Amazon OpenSearch Service domain to send error logs to Amazon CloudWatch Logs AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.13 Require an Amazon OpenSearch Service domain to send audit logs to Amazon CloudWatch Logs AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.14 Require an Amazon OpenSearch Service domain to have zone awareness and at least three data nodes AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.15 Require an Amazon OpenSearch Service domain to use fine-grained access control AWS::OpenSearchService::Domain
CT.OPENSEARCH.PR.16 Require an Amazon OpenSearch Service domain to use TLSv1.2 AWS::OpenSearchService::Domain
CT.RDS.PR.1 Require that an Amazon RDS database instance is configured with multiple Availability Zones AWS::RDS::DBInstance
CT.RDS.PR.2 Require an Amazon RDS database instance or cluster to have enhanced monitoring configured AWS::RDS::DBInstance
CT.RDS.PR.3 Require an Amazon RDS cluster to have deletion protection configured AWS::RDS::DBCluster
CT.RDS.PR.4 Require an Amazon RDS database cluster to have AWS IAM database authentication configured AWS::RDS::DBCluster
CT.RDS.PR.5 Require an Amazon RDS database instance to have minor version upgrades configured AWS::RDS::DBInstance
CT.RDS.PR.6 Require an Amazon RDS database cluster to have backtracking configured AWS::RDS::DBCluster
CT.RDS.PR.7 Require Amazon RDS database instances to have AWS IAM authentication configured AWS::RDS::DBInstance
CT.RDS.PR.8 Require an Amazon RDS database instance to have automatic backups configured AWS::RDS::DBInstance
CT.RDS.PR.9 Require an Amazon RDS database cluster to copy tags to snapshots AWS::RDS::DBCluster
CT.RDS.PR.10 Require an Amazon RDS database instance to copy tags to snapshots AWS::RDS::DBInstance
CT.RDS.PR.11 Require an Amazon RDS database instance to have a VPC configuration AWS::RDS::DBInstance
CT.RDS.PR.12 Require an Amazon RDS event subscription to have critical cluster events configured AWS::RDS::EventSubscription
CT.RDS.PR.13 Require any Amazon RDS instance to have deletion protection configured AWS::RDS::DBInstance
CT.RDS.PR.14 Require an Amazon RDS database instance to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property AWS::RDS::DBInstance
CT.RDS.PR.15 Require that an Amazon RDS instance does not create DB security groups AWS::RDS::DBInstance
AWS::RDS::DBSecurityGroup
CT.RDS.PR.16 Require an Amazon RDS database cluster to have encryption at rest configured AWS::RDS::DBCluster
CT.RDS.PR.17 Require an Amazon RDS event notification subscription to have critical database instance events configured AWS::RDS::EventSubscription
CT.RDS.PR.18 Require an Amazon RDS event notification subscription to have critical database parameter group events configured AWS::RDS::EventSubscription
CT.RDS.PR.19 Require an Amazon RDS event notifications subscription to have critical database security group events configured AWS::RDS::EventSubscription
CT.RDS.PR.20 Require an Amazon RDS database instance not to use a database engine default port AWS::RDS::DBInstance
CT.RDS.PR.21 Require an Amazon RDS DB cluster to have a unique administrator username AWS::RDS::DBCluster
CT.RDS.PR.22 Require an Amazon RDS database instance to have a unique administrator username AWS::RDS::DBInstance
CT.RDS.PR.23 Require an Amazon RDS database instance to not be publicly accessible AWS::RDS::DBInstance
CT.RDS.PR.24 Require an Amazon RDS database instance to have encryption at rest configured AWS::RDS::DBInstance
CT.RDS.PR.25 Require an Amazon RDS database cluster to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property AWS::RDS::DBCluster
CT.RDS.PR.26 Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections AWS::RDS::DBProxy
CT.RDS.PR.27 Require an Amazon RDS DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types AWS::RDS::DBClusterParameterGroup
CT.RDS.PR.28 Require an Amazon RDS DB parameter group to require Transport Layer Security (TLS) connections for supported engine types AWS::RDS::DBParameterGroup
CT.RDS.PR.29 Require an Amazon RDS cluster not be configured to be publicly accessible by means of the 'PubliclyAccessible' property AWS::RDS::DBCluster
CT.RDS.PR.30 Require that an Amazon RDS database instance has encryption at rest configured to use a KMS key that you specify for supported engine types AWS::RDS::DBInstance
CT.REDSHIFT.PR.1 Require an Amazon Redshift cluster to prohibit public access AWS::Redshift::Cluster
CT.REDSHIFT.PR.2 Require an Amazon Redshift cluster to have automatic snapshots configured AWS::Redshift::Cluster
CT.REDSHIFT.PR.3 Require an Amazon Redshift cluster to have audit logging configured AWS::Redshift::Cluster
CT.REDSHIFT.PR.4 Require an Amazon Redshift cluster to have automatic upgrades to major versions configured AWS::Redshift::Cluster
CT.REDSHIFT.PR.5 Require an Amazon Redshift cluster to have enhanced VPC routing AWS::Redshift::Cluster
CT.REDSHIFT.PR.6 Require an Amazon Redshift cluster to have a unique administrator username AWS::Redshift::Cluster
CT.REDSHIFT.PR.7 Require an Amazon Redshift cluster to have a unique database name AWS::Redshift::Cluster
CT.REDSHIFT.PR.8 Require an Amazon Redshift cluster to be encrypted AWS::Redshift::Cluster
CT.REDSHIFT.PR.9 Require that an Amazon Redshift cluster parameter group is configured to use Secure Sockets Layer (SSL) for encryption of data in transit AWS::Redshift::ClusterParameterGroup
CT.S3.PR.1 Require an Amazon S3 bucket to have block public access settings configured AWS::S3::Bucket
CT.S3.PR.2 Require an Amazon S3 bucket to have server access logging configured AWS::S3::Bucket
CT.S3.PR.3 Require an Amazon S3 buckets to have versioning configured and a lifecycle policy AWS::S3::Bucket
CT.S3.PR.4 Require an Amazon S3 bucket to have event notifications configured AWS::S3::Bucket
CT.S3.PR.5 Require that an Amazon S3 bucket does not manage user access with an access control list (ACL) AWS::S3::Bucket
CT.S3.PR.6 Require an Amazon S3 bucket to have lifecycle policies configured AWS::S3::Bucket
CT.S3.PR.8 Require that Amazon S3 bucket requests use Secure Sockets Layer AWS::S3::BucketPolicy
CT.S3.PR.9 Require that an Amazon S3 bucket has S3 Object Lock activated AWS::S3::Bucket
CT.S3.PR.10 Require an Amazon S3 bucket to have server-side encryption configured using an AWS KMS key AWS::S3::Bucket
CT.S3.PR.11 Require an Amazon S3 bucket to have versioning enabled AWS::S3::Bucket
CT.S3.PR.12 Require an Amazon S3 access point to have a Block Public Access (BPA) configuration with all options set to true AWS::S3::AccessPoint
CT.SAGEMAKER.PR.1 Require an Amazon SageMaker notebook instance to prevent direct internet access AWS::SageMaker::NotebookInstance
CT.SAGEMAKER.PR.2 Require Amazon SageMaker notebook instances to be deployed within a custom Amazon VPC AWS::SageMaker::NotebookInstance
CT.SAGEMAKER.PR.3 Require Amazon SageMaker notebook instances to have root access disallowed AWS::SageMaker::NotebookInstance
CT.SQS.PR.1 Require any Amazon SQS queue to have a dead-letter queue configured AWS::SQS::Queue
CT.SQS.PR.2 Require any Amazon SQS queue to have encryption at rest configured AWS::SQS::Queue
CT.STEPFUNCTIONS.PR.1 Require an AWS Step Functions state machine to have logging activated AWS::StepFunctions::StateMachine
CT.STEPFUNCTIONS.PR.2 Require an AWS Step Functions state machine to have AWS X-Ray tracing activated AWS::StepFunctions::StateMachine
CT.WAF-REGIONAL.PR.1 Require any AWS WAF Classic regional rule to have a condition AWS::WAFRegional::Rule
CT.WAF-REGIONAL.PR.2 Require any AWS WAF Classic regional web access control list (ACL) to have a rule or rule group AWS::WAFRegional::WebACL
CT.WAF.PR.1 Require any AWS WAF Classic global rule to have a condition AWS::WAF::Rule
CT.WAF.PR.2 Require any AWS WAF Classic global web ACL to have a rule or rule group AWS::WAF::WebACL
CT.WAFV2.PR.1 Require an AWS WAF web ACL to be non-empty AWS::WAFv2::WebACL
CT.WAFV2.PR.2 Require an AWS WAF rule group to be non-empty AWS::WAFv2::RuleGroup