@pulumi/aws-compliance-policies
Version:
This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.
119 lines (118 loc) • 5.12 kB
JavaScript
"use strict";
// Copyright 2016-2024, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// ------------------------------- WARNING -------------------------------------
// This file was programmatically generated. Do not edit unless you know what
// you're doing.
// ------------------------------- WARNING -------------------------------------
Object.defineProperty(exports, "__esModule", { value: true });
exports.Key = void 0;
const kms_1 = require("@pulumi/aws/kms");
const policy_1 = require("@pulumi/policy");
const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager");
var Key;
(function (Key) {
/**
* Checks that KMS Keys do not bypass the key policy lockout safety check.
*
* @severity critical
* @frameworks none
* @topics encryption
* @link https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-bypass-policy-lockout-safety-check
*/
Key.disallowBypassPolicyLockoutSafetyCheck = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-kms-key-disallow-bypass-policy-lockout-safety-check",
description: "Checks that KMS Keys do not bypass the key policy lockout safety check.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(kms_1.Key, (key, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (key.bypassPolicyLockoutSafetyCheck) {
reportViolation("KMS Keys should not bypass the key policy lockout safety check.");
}
}),
},
vendors: ["aws"],
services: ["kms"],
severity: "critical",
topics: ["encryption"],
});
/**
* Checks that KMS Keys have key rotation enabled.
*
* @severity medium
* @frameworks hitrust, iso27001, pcidss
* @topics encryption
* @link https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
*/
Key.enableKeyRotation = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-kms-key-enable-key-rotation",
description: "Checks that KMS Keys have key rotation enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(kms_1.Key, (key, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!key.enableKeyRotation) {
reportViolation("KMS Keys should have key rotation enabled.");
}
}),
},
vendors: ["aws"],
services: ["kms"],
severity: "medium",
topics: ["encryption"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that KMS Keys have a description.
*
* @severity low
* @frameworks none
* @topics documentation
* @link https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html
*/
Key.missingDescription = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-kms-key-missing-description",
description: "Checks that KMS Keys have a description.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(kms_1.Key, (key, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!key.description) {
reportViolation("KMS Keys should have a description.");
}
else {
if (key.description.length < 6) {
reportViolation("KMS Keys should have a meaningful description.");
}
}
}),
},
vendors: ["aws"],
services: ["kms"],
severity: "low",
topics: ["documentation"],
});
})(Key || (Key = {}));
exports.Key = Key;