UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

140 lines (139 loc) 5.07 kB
import { ResourceValidationPolicy } from "@pulumi/policy"; declare namespace Instance { /** * Checks that EC2 instances do not have a public IP address. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics network * @link none */ const disallowPublicIp: ResourceValidationPolicy; /** * Checks that EC2 instances do not have unencrypted block devices. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ const disallowUnencryptedBlockDevice: ResourceValidationPolicy; /** * Checks that EC2 instances does not have unencrypted root volumes. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html */ const disallowUnencryptedRootBlockDevice: ResourceValidationPolicy; } export { Instance }; declare namespace LaunchConfiguration { /** * Checks that EC2 Launch Configurations do not have a public IP address. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html */ const disallowPublicIp: ResourceValidationPolicy; /** * Checks that EC2 Launch Configurations do not have unencrypted block devices. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ const disallowUnencryptedBlockDevice: ResourceValidationPolicy; /** * Checks that EC2 launch configuration do not have unencrypted root block device. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html */ const disallowUnencryptedRootBlockDevice: ResourceValidationPolicy; } export { LaunchConfiguration }; declare namespace LaunchTemplate { /** * Check that encrypted EBS volume uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ const configureCustomerManagedKey: ResourceValidationPolicy; /** * Checks that EC2 Launch Templates do not have public IP addresses. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html */ const disallowPublicIp: ResourceValidationPolicy; /** * Checks that EC2 Launch Templates do not have unencrypted block device. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ const disallowUnencryptedBlockDevice: ResourceValidationPolicy; } export { LaunchTemplate }; declare namespace SecurityGroup { /** * Check that EC2 Security Groups do not allow inbound HTTP traffic. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics encryption, network * @link https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol */ const disallowInboundHttpTraffic: ResourceValidationPolicy; /** * Check that EC2 Security Groups do not allow ingress traffic from the Internet. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html */ const disallowPublicInternetIngress: ResourceValidationPolicy; /** * Checks that all security groups have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html */ const missingDescription: ResourceValidationPolicy; /** * Checks that all Egress Security Groups rules have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html */ const missingEgressRuleDescription: ResourceValidationPolicy; /** * Checks that all Ingress Security Groups rules have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html */ const missingIngressRuleDescription: ResourceValidationPolicy; } export { SecurityGroup };