@pulumi/aws-compliance-policies
Version:
This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.
489 lines (488 loc) • 23.9 kB
JavaScript
"use strict";
// Copyright 2016-2024, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// ------------------------------- WARNING -------------------------------------
// This file was programmatically generated. Do not edit unless you know what
// you're doing.
// ------------------------------- WARNING -------------------------------------
Object.defineProperty(exports, "__esModule", { value: true });
exports.SecurityGroup = exports.LaunchTemplate = exports.LaunchConfiguration = exports.Instance = void 0;
const ec2_1 = require("@pulumi/aws/ec2");
const policy_1 = require("@pulumi/policy");
const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager");
const ec2_2 = require("@pulumi/aws/ec2");
const ec2_3 = require("@pulumi/aws/ec2");
const compliance_policy_manager_2 = require("@pulumi/compliance-policy-manager");
const ec2_4 = require("@pulumi/aws/ec2");
var Instance;
(function (Instance) {
/**
* Checks that EC2 instances do not have a public IP address.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link none
*/
Instance.disallowPublicIp = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-instance-disallow-public-ip",
description: "Checks that EC2 instances do not have a public IP address.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_1.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (instance.associatePublicIpAddress === undefined || instance.associatePublicIpAddress === true) {
reportViolation("EC2 Instances should not have a public IP address.");
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that EC2 instances do not have unencrypted block devices.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
*/
Instance.disallowUnencryptedBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-instance-disallow-unencrypted-block-device",
description: "Checks that EC2 instances do not have unencrypted block devices.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_1.Instance, (instance, args, reportViolation) => {
var _a;
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
(_a = instance.ebsBlockDevices) === null || _a === void 0 ? void 0 : _a.forEach((device) => {
if (!device.encrypted) {
reportViolation("EC2 instances should not have an unencypted block device.");
}
});
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that EC2 instances does not have unencrypted root volumes.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html
*/
Instance.disallowUnencryptedRootBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-instance-disallow-unencrypted-root-block-device",
description: "Checks that EC2 instances does not have unencrypted root volumes.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_1.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (instance.rootBlockDevice && !instance.rootBlockDevice.encrypted) {
reportViolation("EC2 instances should not have an unencypted root block device.");
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
})(Instance || (Instance = {}));
exports.Instance = Instance;
var LaunchConfiguration;
(function (LaunchConfiguration) {
/**
* Checks that EC2 Launch Configurations do not have a public IP address.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
*/
LaunchConfiguration.disallowPublicIp = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-launchconfiguration-disallow-public-ip",
description: "Checks that EC2 Launch Configurations do not have a public IP address.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_2.LaunchConfiguration, (launchConfiguration, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (launchConfiguration.associatePublicIpAddress === undefined || launchConfiguration.associatePublicIpAddress === true) {
reportViolation("EC2 Launch Configurations should not have a public IP address.");
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that EC2 Launch Configurations do not have unencrypted block devices.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
*/
LaunchConfiguration.disallowUnencryptedBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-launchconfiguration-disallow-unencrypted-block-device",
description: "Checks that EC2 Launch Configurations do not have unencrypted block devices.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_2.LaunchConfiguration, (launchConfiguration, args, reportViolation) => {
var _a;
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
(_a = launchConfiguration.ebsBlockDevices) === null || _a === void 0 ? void 0 : _a.forEach((device) => {
if (!device.encrypted) {
reportViolation("EC2 Launch Configurations should not have an unencypted block device.");
}
});
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that EC2 launch configuration do not have unencrypted root block device.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html
*/
LaunchConfiguration.disallowUnencryptedRootBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-launchconfiguration-disallow-unencrypted-root-block-device",
description: "Checks that EC2 launch configuration do not have unencrypted root block device.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_2.LaunchConfiguration, (launchConfiguration, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (launchConfiguration.rootBlockDevice && !launchConfiguration.rootBlockDevice.encrypted) {
reportViolation("EC2 Launch Configurations should not have an unencypted root block device.");
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
})(LaunchConfiguration || (LaunchConfiguration = {}));
exports.LaunchConfiguration = LaunchConfiguration;
var LaunchTemplate;
(function (LaunchTemplate) {
/**
* Check that encrypted EBS volume uses a customer-managed KMS key.
*
* @severity low
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
*/
LaunchTemplate.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-launchtemplate-configure-customer-managed-key",
description: "Check that encrypted EBS volume uses a customer-managed KMS key.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_3.LaunchTemplate, (lt, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (lt.blockDeviceMappings) {
lt.blockDeviceMappings.forEach((blockDevice) => {
// see https://github.com/pulumi/pulumi-aws/issues/2257
if (blockDevice.ebs && (0, compliance_policy_manager_2.valToBoolean)(blockDevice.ebs.encrypted) && !blockDevice.ebs.kmsKeyId) {
reportViolation("EC2 Launch Templates should not have encrypted block device using a customer-managed KMS key.");
}
});
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "low",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that EC2 Launch Templates do not have public IP addresses.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html
*/
LaunchTemplate.disallowPublicIp = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-launchtemplate-disallow-public-ip",
description: "Checks that EC2 Launch Templates do not have public IP addresses.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_3.LaunchTemplate, (launchTemplate, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (launchTemplate.networkInterfaces) {
launchTemplate.networkInterfaces.forEach((iface) => {
// see https://github.com/pulumi/pulumi-aws/issues/2257
if ((0, compliance_policy_manager_2.valToBoolean)(iface.associatePublicIpAddress)) {
reportViolation("EC2 Launch templates should not associate a public IP address to an interface.");
}
});
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that EC2 Launch Templates do not have unencrypted block device.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
*/
LaunchTemplate.disallowUnencryptedBlockDevice = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-launchtemplate-disallow-unencrypted-block-device",
description: "Checks that EC2 Launch Templates do not have unencrypted block device.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_3.LaunchTemplate, (lt, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (lt.blockDeviceMappings) {
lt.blockDeviceMappings.forEach((blockDevice) => {
// see https://github.com/pulumi/pulumi-aws/issues/2257
if (blockDevice.ebs && !(0, compliance_policy_manager_2.valToBoolean)(blockDevice.ebs.encrypted)) {
reportViolation("EC2 Launch Templates should not have an unencypted block device.");
}
});
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
})(LaunchTemplate || (LaunchTemplate = {}));
exports.LaunchTemplate = LaunchTemplate;
var SecurityGroup;
(function (SecurityGroup) {
/**
* Check that EC2 Security Groups do not allow inbound HTTP traffic.
*
* @severity critical
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, network
* @link https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol
*/
SecurityGroup.disallowInboundHttpTraffic = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-securitygroup-disallow-inbound-http-traffic",
description: "Check that EC2 Security Groups do not allow inbound HTTP traffic.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (securityGroup.ingress) {
securityGroup.ingress.forEach((ingress) => {
if (ingress.protocol.toLowerCase() === "tcp" && (ingress.fromPort === 80 || ingress.toPort === 80)) {
reportViolation("EC2 Security Groups should not allow ingress HTTP traffic.");
}
if (ingress.protocol.toLowerCase() === "tcp" && ingress.fromPort < 80 && ingress.toPort > 80) {
reportViolation("EC2 Security Groups should not allow ingress HTTP traffic.");
}
});
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "critical",
topics: ["network", "encryption"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Check that EC2 Security Groups do not allow ingress traffic from the Internet.
*
* @severity critical
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html
*/
SecurityGroup.disallowPublicInternetIngress = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-securitygroup-disallow-public-internet-ingress",
description: "Check that EC2 Security Groups do not allow ingress traffic from the Internet.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (securityGroup.ingress) {
if (securityGroup.ingress.some((ingressRule) => { var _a; return (_a = ingressRule.cidrBlocks) === null || _a === void 0 ? void 0 : _a.includes("0.0.0.0/0"); })) {
reportViolation("EC2 Security Groups should not permit ingress traffic from the public internet (0.0.0.0/0).");
}
if (securityGroup.ingress.some((ingressRule) => { var _a; return (_a = ingressRule.ipv6CidrBlocks) === null || _a === void 0 ? void 0 : _a.includes("::/0"); })) {
reportViolation("EC2 Security Groups should not permit ingress traffic from the public internet (::/0).");
}
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "critical",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that all security groups have a description.
*
* @severity low
* @frameworks none
* @topics documentation
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
*/
SecurityGroup.missingDescription = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-securitygroup-missing-description",
description: "Checks that all security groups have a description.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!securityGroup.description) {
reportViolation("EC2 Security Groups should have a description.");
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "low",
topics: ["documentation"],
});
/**
* Checks that all Egress Security Groups rules have a description.
*
* @severity low
* @frameworks none
* @topics documentation
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
*/
SecurityGroup.missingEgressRuleDescription = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-securitygroup-missing-egress-rule-description",
description: "Checks that all Egress Security Groups rules have a description.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (securityGroup.egress) {
securityGroup.egress.forEach((ingress) => {
if (!ingress.description) {
reportViolation("EC2 Security Groups Egress rules should have a description.");
}
});
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "low",
topics: ["documentation"],
});
/**
* Checks that all Ingress Security Groups rules have a description.
*
* @severity low
* @frameworks none
* @topics documentation
* @link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/working-with-security-groups.html
*/
SecurityGroup.missingIngressRuleDescription = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-ec2-securitygroup-missing-ingress-rule-description",
description: "Checks that all Ingress Security Groups rules have a description.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(ec2_4.SecurityGroup, (securityGroup, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (securityGroup.ingress) {
securityGroup.ingress.forEach((ingress) => {
if (!ingress.description) {
reportViolation("EC2 Security Groups Ingress rules should have a description.");
}
});
}
}),
},
vendors: ["aws"],
services: ["ec2"],
severity: "low",
topics: ["documentation"],
});
})(SecurityGroup || (SecurityGroup = {}));
exports.SecurityGroup = SecurityGroup;