UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

489 lines (488 loc) 23.9 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.SecurityGroup = exports.LaunchTemplate = exports.LaunchConfiguration = exports.Instance = void 0; const ec2_1 = require("@pulumi/aws/ec2"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); const ec2_2 = require("@pulumi/aws/ec2"); const ec2_3 = require("@pulumi/aws/ec2"); const compliance_policy_manager_2 = require("@pulumi/compliance-policy-manager"); const ec2_4 = require("@pulumi/aws/ec2"); var Instance; (function (Instance) { /** * Checks that EC2 instances do not have a public IP address. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics network * @link none */ Instance.disallowPublicIp = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-instance-disallow-public-ip", description: "Checks that EC2 instances do not have a public IP address.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_1.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (instance.associatePublicIpAddress === undefined || instance.associatePublicIpAddress === true) { reportViolation("EC2 Instances should not have a public IP address."); } }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that EC2 instances do not have unencrypted block devices. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ Instance.disallowUnencryptedBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-instance-disallow-unencrypted-block-device", description: "Checks that EC2 instances do not have unencrypted block devices.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_1.Instance, (instance, args, reportViolation) => { var _a; if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } (_a = instance.ebsBlockDevices) === null || _a === void 0 ? void 0 : _a.forEach((device) => { if (!device.encrypted) { reportViolation("EC2 instances should not have an unencypted block device."); } }); }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that EC2 instances does not have unencrypted root volumes. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html */ Instance.disallowUnencryptedRootBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-instance-disallow-unencrypted-root-block-device", description: "Checks that EC2 instances does not have unencrypted root volumes.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_1.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (instance.rootBlockDevice && !instance.rootBlockDevice.encrypted) { reportViolation("EC2 instances should not have an unencypted root block device."); } }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(Instance || (Instance = {})); exports.Instance = Instance; var LaunchConfiguration; (function (LaunchConfiguration) { /** * Checks that EC2 Launch Configurations do not have a public IP address. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html */ LaunchConfiguration.disallowPublicIp = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-launchconfiguration-disallow-public-ip", description: "Checks that EC2 Launch Configurations do not have a public IP address.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_2.LaunchConfiguration, (launchConfiguration, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (launchConfiguration.associatePublicIpAddress === undefined || launchConfiguration.associatePublicIpAddress === true) { reportViolation("EC2 Launch Configurations should not have a public IP address."); } }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that EC2 Launch Configurations do not have unencrypted block devices. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ LaunchConfiguration.disallowUnencryptedBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-launchconfiguration-disallow-unencrypted-block-device", description: "Checks that EC2 Launch Configurations do not have unencrypted block devices.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_2.LaunchConfiguration, (launchConfiguration, args, reportViolation) => { var _a; if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } (_a = launchConfiguration.ebsBlockDevices) === null || _a === void 0 ? void 0 : _a.forEach((device) => { if (!device.encrypted) { reportViolation("EC2 Launch Configurations should not have an unencypted block device."); } }); }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that EC2 launch configuration do not have unencrypted root block device. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html */ LaunchConfiguration.disallowUnencryptedRootBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-launchconfiguration-disallow-unencrypted-root-block-device", description: "Checks that EC2 launch configuration do not have unencrypted root block device.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_2.LaunchConfiguration, (launchConfiguration, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (launchConfiguration.rootBlockDevice && !launchConfiguration.rootBlockDevice.encrypted) { reportViolation("EC2 Launch Configurations should not have an unencypted root block device."); } }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(LaunchConfiguration || (LaunchConfiguration = {})); exports.LaunchConfiguration = LaunchConfiguration; var LaunchTemplate; (function (LaunchTemplate) { /** * Check that encrypted EBS volume uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ LaunchTemplate.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-launchtemplate-configure-customer-managed-key", description: "Check that encrypted EBS volume uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_3.LaunchTemplate, (lt, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (lt.blockDeviceMappings) { lt.blockDeviceMappings.forEach((blockDevice) => { // see https://github.com/pulumi/pulumi-aws/issues/2257 if (blockDevice.ebs && (0, compliance_policy_manager_2.valToBoolean)(blockDevice.ebs.encrypted) && !blockDevice.ebs.kmsKeyId) { reportViolation("EC2 Launch Templates should not have encrypted block device using a customer-managed KMS key."); } }); } }), }, vendors: ["aws"], services: ["ec2"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that EC2 Launch Templates do not have public IP addresses. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html */ LaunchTemplate.disallowPublicIp = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-launchtemplate-disallow-public-ip", description: "Checks that EC2 Launch Templates do not have public IP addresses.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_3.LaunchTemplate, (launchTemplate, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (launchTemplate.networkInterfaces) { launchTemplate.networkInterfaces.forEach((iface) => { // see https://github.com/pulumi/pulumi-aws/issues/2257 if ((0, compliance_policy_manager_2.valToBoolean)(iface.associatePublicIpAddress)) { reportViolation("EC2 Launch templates should not associate a public IP address to an interface."); } }); } }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that EC2 Launch Templates do not have unencrypted block device. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html */ LaunchTemplate.disallowUnencryptedBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-launchtemplate-disallow-unencrypted-block-device", description: "Checks that EC2 Launch Templates do not have unencrypted block device.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_3.LaunchTemplate, (lt, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (lt.blockDeviceMappings) { lt.blockDeviceMappings.forEach((blockDevice) => { // see https://github.com/pulumi/pulumi-aws/issues/2257 if (blockDevice.ebs && !(0, compliance_policy_manager_2.valToBoolean)(blockDevice.ebs.encrypted)) { reportViolation("EC2 Launch Templates should not have an unencypted block device."); } }); } }), }, vendors: ["aws"], services: ["ec2"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(LaunchTemplate || (LaunchTemplate = {})); exports.LaunchTemplate = LaunchTemplate; var SecurityGroup; (function (SecurityGroup) { /** * Check that EC2 Security Groups do not allow inbound HTTP traffic. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics encryption, network * @link https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol */ SecurityGroup.disallowInboundHttpTraffic = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-securitygroup-disallow-inbound-http-traffic", description: "Check that EC2 Security Groups do not allow inbound HTTP traffic.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (securityGroup.ingress) { securityGroup.ingress.forEach((ingress) => { if (ingress.protocol.toLowerCase() === "tcp" && (ingress.fromPort === 80 || ingress.toPort === 80)) { reportViolation("EC2 Security Groups should not allow ingress HTTP traffic."); } if (ingress.protocol.toLowerCase() === "tcp" && ingress.fromPort < 80 && ingress.toPort > 80) { reportViolation("EC2 Security Groups should not allow ingress HTTP traffic."); } }); } }), }, vendors: ["aws"], services: ["ec2"], severity: "critical", topics: ["network", "encryption"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Check that EC2 Security Groups do not allow ingress traffic from the Internet. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html */ SecurityGroup.disallowPublicInternetIngress = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-securitygroup-disallow-public-internet-ingress", description: "Check that EC2 Security Groups do not allow ingress traffic from the Internet.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (securityGroup.ingress) { if (securityGroup.ingress.some((ingressRule) => { var _a; return (_a = ingressRule.cidrBlocks) === null || _a === void 0 ? void 0 : _a.includes("0.0.0.0/0"); })) { reportViolation("EC2 Security Groups should not permit ingress traffic from the public internet (0.0.0.0/0)."); } if (securityGroup.ingress.some((ingressRule) => { var _a; return (_a = ingressRule.ipv6CidrBlocks) === null || _a === void 0 ? void 0 : _a.includes("::/0"); })) { reportViolation("EC2 Security Groups should not permit ingress traffic from the public internet (::/0)."); } } }), }, vendors: ["aws"], services: ["ec2"], severity: "critical", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that all security groups have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html */ SecurityGroup.missingDescription = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-securitygroup-missing-description", description: "Checks that all security groups have a description.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!securityGroup.description) { reportViolation("EC2 Security Groups should have a description."); } }), }, vendors: ["aws"], services: ["ec2"], severity: "low", topics: ["documentation"], }); /** * Checks that all Egress Security Groups rules have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html */ SecurityGroup.missingEgressRuleDescription = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-securitygroup-missing-egress-rule-description", description: "Checks that all Egress Security Groups rules have a description.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (securityGroup.egress) { securityGroup.egress.forEach((ingress) => { if (!ingress.description) { reportViolation("EC2 Security Groups Egress rules should have a description."); } }); } }), }, vendors: ["aws"], services: ["ec2"], severity: "low", topics: ["documentation"], }); /** * Checks that all Ingress Security Groups rules have a description. * * @severity low * @frameworks none * @topics documentation * @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html */ SecurityGroup.missingIngressRuleDescription = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-ec2-securitygroup-missing-ingress-rule-description", description: "Checks that all Ingress Security Groups rules have a description.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (securityGroup.ingress) { securityGroup.ingress.forEach((ingress) => { if (!ingress.description) { reportViolation("EC2 Security Groups Ingress rules should have a description."); } }); } }), }, vendors: ["aws"], services: ["ec2"], severity: "low", topics: ["documentation"], }); })(SecurityGroup || (SecurityGroup = {})); exports.SecurityGroup = SecurityGroup;