pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

Provide a way to create and configure AWSGuard #33

Closed justinvp closed 4 years ago

justinvp commented 4 years ago

This provides a nicer way to create and configure the AWS Guard policies:

const awsGuard = new AwsGuard();

The above is equivalent to:

const awsGuard = new AwsGuard({ all: "advisory" });

To make all policies mandatory rather than advisory:

const awsGuard = new AwsGuard({ all: "mandatory" });

To make all policies mandatory, but change a couple to be advisory:

const awsGuard = new AwsGuard({
    all: "mandatory",
    ec2InstanceNoPublicIP: "advisory",
    elbAccessLoggingEnabled: "advisory",
});

To disable a particular policy:

const awsGuard = new AwsGuard({
    ec2InstanceNoPublicIP: "disabled",
});

To disable all policies except ones explicitly enabled:

const awsGuard = new AwsGuard({
    all: "disabled",
    ec2InstanceNoPublicIP: "mandatory",
    elbAccessLoggingEnabled: "mandatory",
});

To specify configuration for policies that have it:

const awsGuard = new AwsGuard({
    ec2VolumeInUseCheck: { checkDeletion: false },
    encryptedVolumes: { enforcementLevel: "mandatory", kmsId: "id" },
    redshiftClusterMaintenanceSettingsCheck: { preferredMaintenanceWindow: "Mon:09:30-Mon:10:00" },
    acmCheckCertificateExpiration: { maxDaysUntilExpiration: 10 },
});
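The configuration rules described in this PR (a default of "advisory", an `all` setting that changes the default, per-policy overrides given either as an enforcement level or as a config object, and "disabled" removing a policy) can be modelled in a few dozen lines. The following is an added example written for this page, not the pulumi-policy-aws implementation: the `EnforcementLevel`, `PolicyConfig`, `AwsGuardArgs` and `ResolvedPolicy` types, the `KNOWN_POLICIES` list and the `resolvePolicies` function are assumptions chosen to illustrate the semantics, and the only policy names used are the ones that appear in the PR text. It also adds one check the PR does not mention: unknown policy names are rejected, so a misspelled key cannot silently leave that policy at the default level.

```typescript
// Added example modelling the AwsGuard configuration semantics from the PR.
// Not the project's code: the types and functions below are assumptions.

type EnforcementLevel = "advisory" | "mandatory" | "disabled";

// A policy with configuration carries an optional enforcementLevel plus
// policy-specific settings (kmsId, maxDaysUntilExpiration, ...).
interface PolicyConfig {
    enforcementLevel?: EnforcementLevel;
    [setting: string]: unknown;
}

// Each policy is given either a bare enforcement level or a config object.
interface AwsGuardArgs {
    all?: EnforcementLevel;
    [policyName: string]: EnforcementLevel | PolicyConfig | undefined;
}

interface ResolvedPolicy {
    name: string;
    enforcementLevel: "advisory" | "mandatory";
    config: Record<string, unknown>;
}

// The policies named in the PR (constructed list for this example).
const KNOWN_POLICIES = [
    "ec2InstanceNoPublicIP",
    "elbAccessLoggingEnabled",
    "ec2VolumeInUseCheck",
    "encryptedVolumes",
    "redshiftClusterMaintenanceSettingsCheck",
    "acmCheckCertificateExpiration",
] as const;

function isLevel(v: unknown): v is EnforcementLevel {
    return v === "advisory" || v === "mandatory" || v === "disabled";
}

// Return any keys that are neither "all" nor a known policy name.
function unknownKeys(args: AwsGuardArgs): string[] {
    const known = new Set<string>(["all", ...KNOWN_POLICIES]);
    return Object.keys(args).filter((k) => !known.has(k));
}

// Resolve the effective enforcement level and config for every known policy:
//   - `all` sets the default, "advisory" when omitted;
//   - a per-policy string overrides the default;
//   - a per-policy object may carry enforcementLevel plus extra settings;
//   - policies that end up "disabled" are dropped from the result.
// Unknown keys are rejected so a typo does not go unnoticed.
function resolvePolicies(args: AwsGuardArgs = {}): ResolvedPolicy[] {
    const bad = unknownKeys(args);
    if (bad.length > 0) {
        throw new Error(`unknown AwsGuard policy name(s): ${bad.join(", ")}`);
    }
    const defaultLevel: EnforcementLevel = args.all ?? "advisory";
    const resolved: ResolvedPolicy[] = [];
    for (const name of KNOWN_POLICIES) {
        const entry = args[name];
        let level: EnforcementLevel = defaultLevel;
        let config: Record<string, unknown> = {};
        if (isLevel(entry)) {
            level = entry;
        } else if (entry !== undefined) {
            const { enforcementLevel, ...rest } = entry;
            if (enforcementLevel !== undefined) level = enforcementLevel;
            config = rest;
        }
        if (level === "disabled") continue;
        resolved.push({ name, enforcementLevel: level, config });
    }
    return resolved;
}

// Stand-alone demonstration of the "disable all except" case from the PR.
const demo = resolvePolicies({
    all: "disabled",
    ec2InstanceNoPublicIP: "mandatory",
    elbAccessLoggingEnabled: "mandatory",
});
console.log(demo.map((p) => `${p.name}=${p.enforcementLevel}`).join(", "));
```

Keeping the `all` default separate from the per-policy overrides is what makes the "disable everything except an allow-list" pattern a two-line change, and the unknown-key check is worth having in any policy configuration surface: an enforcement setting that is silently ignored looks exactly like one that is working.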