UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

50 lines (49 loc) 1.8 kB
import { ResourceValidationPolicy } from "@pulumi/policy"; declare namespace Repository { /** * Checks that ECR repositories use a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics container, encryption, storage * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html */ const configureCustomerManagedKey: ResourceValidationPolicy; /** * Checks that ECR repositories have 'scan-on-push' configured. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container, vulnerability * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html */ const configureImageScan: ResourceValidationPolicy; /** * Checks that ECR Repositories have immutable images enabled. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container * @link https://sysdig.com/blog/toctou-tag-mutability/ */ const disallowMutableImage: ResourceValidationPolicy; /** * Checks that ECR Repositories are encrypted. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container, encryption, storage * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html */ const disallowUnencryptedRepository: ResourceValidationPolicy; /** * Checks that ECR repositories have 'scan-on-push' enabled. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container, vulnerability * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html */ const enableImageScan: ResourceValidationPolicy; } export { Repository };