forked from stelligent/config-lint
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rule_list.yml
333 lines (305 loc) · 8.05 KB
/
rule_list.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
---
rules:
- id: CLOUDTRAIL_ENCRYPTION
message: CloudTrail should use encryption
resource: aws_cloudtrail
severity: FAILURE
assertions:
- key: kms_key_id
op: present
tags:
- cloudtrail
- id: CODEBUILD_PROJECT_ENCRYPTION
message: CodeBuild Project artifacts should be encrypted
resource: aws_codebuild_project
severity: FAILURE
assertions:
- key: encryption_key
op: present
tags:
- codebuild
- id: CODEPIPELINE_ENCRYPTION
message: CodePipeline should encrypt artifacts
resource: aws_codepipeline
severity: FAILURE
assertions:
- every:
key: artifact_store
expressions:
- key: encryption_key
op: present
- id: DB_INSTANCE_ENCRYPTION
message: DB Instance encryption
resource: aws_db_instance
severity: FAILURE
assertions:
- or:
- key: storage_encrypted
op: is-true
- key: kms_key_id
op: present
tags:
- rds
- id: RDS_CLUSTER_ENCYPTION
message: RDSCluster encryption
resource: aws_rds_cluster
severity: FAILURE
assertions:
- key: storage_encrypted
op: is-true
- key: kms_key_id
op: present
tags:
- rds
- id: EBS_BLOCK_DEVICE_ENCRYPTED
message: EBS block devices should use encryption
resource: aws_instance
severity: FAILURE
assertions:
- every:
key: ebs_block_device
expressions:
- key: encrypted
op: is-true
tags:
- ec2
- ebs
- id: EBS_VOLUME_ENCRYPTION
message: EBS Volume should be encrypted
resource: aws_ebs_volume
severity: FAILURE
assertions:
- key: encrypted
op: is-true
- key: kms_key_id
op: present
tags:
- ec2
- ebs
- id: EFS_ENCRYPTED
message: EFS should be encrypted
resource: aws_efs_file_system
severity: FAILURE
assertions:
- and:
- key: encrypted
op: is-true
- key: kms_key_id
op: present
tags:
- efs
- id: KINESIS_FIREHOSE_DELIVERY_STREAM_ENCRYPTION
message: KinesisFirehoseDeliveryStream should use encrytion
resource: aws_kinesis_firehose_delivery_stream
severity: FAILURE
assertions:
- every:
key: s3_configuration
expressions:
- key: kms_key_arn
op: present
- every:
key: extended_s3_configuration
expressions:
- key: kms_key_arn
op: present
tags:
- firehose
- id: KINESIS_STREAM_KMS
message: Kinesis streams should be associated with a kms key
resource: aws_kinesis_stream
severity: FAILING
assertions:
- key: kms_key_id
op: present
tags:
- kinesis
- id: REDSHIFT_CLUSTER_ENCRYPTION
message: RedshiftCluster should use encryption
resource: aws_redshift_cluster
severity: FAILURE
assertions:
- key: encrypted
op: is-true
tags:
- redshift
- id: REDSHIFT_CLUSTER_KMS_KEY_ID
message: RedshiftCluster should specify kms_key_id
resource: aws_redshift_cluster
severity: WARNING
assertions:
- key: kms_key_id
op: present
tags:
- redshift
- id: REDSHIFT_CLUSTER_ENHANCED_VPC_ROUTING
message: RedshiftCluster should use enhanced vpc routing
resource: aws_redshift_cluster
severity: WARNING
assertions:
- key: enhanced_vpc_routing
op: is-true
- id: REDSHIFT_CLUSTER_PARAMETER_GROUP_REQUIRE_SSL
message: RedshiftCluster Parameter Group should set require_ssl to true
resource: aws_redshift_parameter_group
severity: WARNING
assertions:
- key: parameter
op: present
- every:
key: parameter
expressions:
- key: name
op: eq
value: require_ssl
- key: value
op: is-true
- id: REDSHIFT_CLUSTER_AUDIT_LOGGING
message: RedshiftCluster should have audit logging enabled
resource: aws_redshift_cluster
severity: WARNING
assertions:
- key: logging
op: present
- every:
key: logging
expressions:
- key: enable
op: is-true
- id: REDSHIFT_CLUSTER_PUBLICLY_ACCESSIBLE
message: RedshiftCluster should not be publicly accessible
resource: aws_redshift_cluster
severity: FAILURE
assertions:
- key: publicly_accessible
op: is-false
tags:
- redshift
- id: ECS_ENVIRONMENT_SECRETS
message: Environment for ECS task definition should not include AWS secrets
resource: aws_ecs_task_definition
severity: FAILURE
assertions:
- none:
key: container_definitions[].environment[]
expressions:
- or:
- and:
- key: name
op: contains
value: KEY
- key: value
op: regex
value: "^(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}$"
- and:
- key: name
op: contains
value: SECRET
- key: value
op: regex
value: "^[A-Za-z0-9/\\+=]{40}$"
tags:
- ecs
- id: BATCH_DEFINITION_PRIVILEGED
message: Batch Job Definition Container Properties should not have Privileged set to true
resource: aws_batch_job_definition
severity: WARNING
assertions:
- not:
- key: container_properties.privileged
op: is-true
tags:
- batch
- id: EC2_SUBNET_MAP_PUBLIC
message: EC2 Subnet should not have MapPublicIpOnLaunch set to true
resource: aws_subnet
severity: WARNING
assertions:
- not:
- key: map_public_ip_on_launch
op: is-true
tags:
- ec2
- subnet
- id: ELASTICACHE_ENCRYPTION_REST
message: ElastiCache ReplicationGroup should have encryption enabled for at rest
resource: aws_elasticache_replication_group
severity: FAILING
assertions:
- key: at_rest_encryption_enabled
op: is-true
tags:
- elasticache
- id: ELASTICACHE_ENCRYPTION_TRANSIT
message: ElastiCache ReplicationGroup should have encryption enabled for in transit
resource: aws_elasticache_replication_group
severity: FAILING
assertions:
- key: transit_encryption_enabled
op: is-true
tags:
- elasticache
- id: NEPTUNE_DB_ENCRYPTION
message: Neptune database cluster storage should have encryption enabled
resource: aws_neptune_cluster
severity: FAILING
assertions:
- key: storage_encrypted
op: is-true
tags:
- neptune
- id: RDS_PUBLIC_AVAILABILITY
message: RDS instance should not be publicly accessible
resource: aws_db_instance
severity: FAILING
assertions:
- not:
- key: publicly_accessible
op: is-true
tags:
- rds
- id: AWS_DMS_ENDPOINT_ENCRYPTION
message: AWS DMS Endpoint should have a kms key present
resource: aws_dms_endpoint
severity: WARNING
assertions:
- key: kms_key_arn
op: present
tags:
- dms
- id: AWS_EMR_CLUSTER_LOGGING
message: AWS EMR Should have logging enabled
resource: aws_emr_cluster
severity: WARNING
assertions:
- key: log_uri
op: present
tags:
- emr
- id: AWS_KMS_KEY_ROTATION
message: AWS KMS Key Rotation should be enabled
resource: aws_kms_key
severity: WARNING
assertions:
- key: enable_key_rotation
op: is-true
tags:
- kms
- id: SAGEMAKER_ENDPOINT_ENCRYPTION
message: Sagemaker configuration should be encrypted
resource: aws_sagemaker_endpoint_configuration
severity: WARNING
assertions:
- key: kms_key_arn
op: present
tags:
- sagemaker
- id: SAGEMAKER_NOTEBOOK_ENCRYPTION
message: Sagemaker Notebook should be encrypted
resource: aws_sagemaker_notebook_instance
severity: WARNING
assertions:
- key: kms_key_id
op: present
tags:
- sagemaker