UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

154 lines (153 loc) 7.16 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.UserPolicyAttachment = exports.PolicyAttachment = exports.AccountPasswordPolicy = void 0; const iam_1 = require("@pulumi/aws/iam"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); const iam_2 = require("@pulumi/aws/iam"); const iam_3 = require("@pulumi/aws/iam"); var AccountPasswordPolicy; (function (AccountPasswordPolicy) { /** * Ensure IAM password policy requires minimum length of 14 or greater. * * @severity high * @frameworks cis * @topics vulnerability * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html */ AccountPasswordPolicy.minimumPasswordLength = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-iam-password-policy-minimum-password-length", description: "Ensure IAM password policy requires minimum length of 14 or greater.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "mandatory", validateResource: (0, policy_1.validateResourceOfType)(iam_1.AccountPasswordPolicy, (policy, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!policy.minimumPasswordLength || policy.minimumPasswordLength < 14) { reportViolation("Passwords should be minimal 14 characters long."); } }), }, vendors: ["aws"], services: ["iam"], severity: "high", topics: ["vulnerability"], frameworks: ["cis"], }); /** * Ensure IAM password policy prevents password reuse. * * @severity high * @frameworks cis, hitrust * @topics vulnerability * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html */ AccountPasswordPolicy.passwordReusePrevention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-iam-password-policy-prevent-reuse", description: "Ensure IAM password policy prevents password reuse.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "mandatory", validateResource: (0, policy_1.validateResourceOfType)(iam_1.AccountPasswordPolicy, (policy, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!policy.passwordReusePrevention || policy.passwordReusePrevention === 24) { reportViolation("Previous 24 passwords can't be reused."); } }), }, vendors: ["aws"], services: ["iam"], severity: "high", topics: ["vulnerability"], frameworks: ["cis", "hitrust"], }); })(AccountPasswordPolicy || (AccountPasswordPolicy = {})); exports.AccountPasswordPolicy = AccountPasswordPolicy; var PolicyAttachment; (function (PolicyAttachment) { /** * Ensure IAM Users Receive Permissions Only Through Groups. * * @severity high * @frameworks cis * @topics vulnerability * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html */ PolicyAttachment.onlyPermissionsViaGroups = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-iam-policy-attachment-only-attachment-through-groups", description: "Ensure IAM Users Receive Permissions Only Through Groups.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "mandatory", validateResource: (0, policy_1.validateResourceOfType)(iam_2.PolicyAttachment, (policyAttachment, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (policyAttachment.users && policyAttachment.users.length > 0) { reportViolation("Users should receive permissions via Group membership."); } }), }, vendors: ["aws"], services: ["iam"], severity: "high", topics: ["vulnerability"], frameworks: ["cis"], }); })(PolicyAttachment || (PolicyAttachment = {})); exports.PolicyAttachment = PolicyAttachment; var UserPolicyAttachment; (function (UserPolicyAttachment) { /** * Ensure IAM Users Receive Permissions Only Through Groups. * * @severity high * @frameworks cis * @topics vulnerability * @link https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups_manage_attach-policy.html */ UserPolicyAttachment.onlyPermissionsViaGroups = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-iam-user-policy-attachment-only-attachment-through-groups", description: "Ensure IAM Users Receive Permissions Only Through Groups.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "mandatory", validateResource: (0, policy_1.validateResourceOfType)(iam_3.UserPolicyAttachment, (policyAttachment, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } // Report violation when this resource is used at all. reportViolation("Users should receive permissions via Group membership."); }), }, vendors: ["aws"], services: ["iam"], severity: "high", topics: ["vulnerability"], frameworks: ["cis"], }); })(UserPolicyAttachment || (UserPolicyAttachment = {})); exports.UserPolicyAttachment = UserPolicyAttachment;