UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

120 lines (119 loc) 5.39 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.Flow = exports.ConnectorProfile = void 0; const appflow_1 = require("@pulumi/aws/appflow"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); const appflow_2 = require("@pulumi/aws/appflow"); var ConnectorProfile; (function (ConnectorProfile) { /** * Check that AppFlow ConnectorProfile uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/appflow/latest/userguide/data-protection.html#encryption-transit */ ConnectorProfile.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-appflow-connectorprofile-configure-customer-managed-key", description: "Check that AppFlow ConnectorProfile uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(appflow_1.ConnectorProfile, (connectorProfile, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!connectorProfile.kmsArn) { reportViolation("AppFlow Connector Profiles should be encrypted using a customer-managed KMS key."); } }), }, vendors: ["aws"], services: ["appflow"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(ConnectorProfile || (ConnectorProfile = {})); exports.ConnectorProfile = ConnectorProfile; var Flow; (function (Flow) { /** * Check that AppFlow Flow uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/appflow/latest/userguide/data-protection.html#encryption-transit */ Flow.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-appflow-flow-configure-customer-managed-key", description: "Check that AppFlow Flow uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(appflow_2.Flow, (flow, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!flow.kmsArn) { reportViolation("AppFlow Flow should be encrypted using a customer-managed KMS key."); } }), }, vendors: ["aws"], services: ["appflow"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that AppFlow Flows have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/appflow/latest/userguide/create-flow-console.html */ Flow.missingDescription = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-appflow-flow-missing-description", description: "Checks that AppFlow Flows have a description.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(appflow_2.Flow, (flow, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!flow.description) { reportViolation("AppFlow Flow should have a description."); } }), }, vendors: ["aws"], services: ["appflow"], severity: "low", topics: ["documentation"], }); })(Flow || (Flow = {})); exports.Flow = Flow;