UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

476 lines (475 loc) 22.1 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.Instance = exports.ClusterInstance = exports.Cluster = void 0; const rds_1 = require("@pulumi/aws/rds"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); const rds_2 = require("@pulumi/aws/rds"); const rds_3 = require("@pulumi/aws/rds"); var Cluster; (function (Cluster) { /** * Checks that RDS Cluster backup retention policy is configured. * * @severity medium * @frameworks iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ Cluster.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-cluster-configure-backup-retention", description: "Checks that RDS Cluster backup retention policy is configured.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } /** * 3 (three) days should be the minimum in order to have full weekend coverage. */ if (cluster.backupRetentionPeriod && cluster.backupRetentionPeriod < 3) { reportViolation("RDS Cluster backup retention period is lower than 3 days."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "iso27001"], }); /** * Checks that RDS Clusters storage uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ Cluster.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-cluster-configure-customer-managed-key", description: "Checks that RDS Clusters storage uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (cluster.storageEncrypted && !cluster.kmsKeyId) { reportViolation("RDS Cluster storage should be encrypted using a customer-managed key."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Check that RDS Cluster doesn't use single availability zone. * * @severity high * @frameworks hitrust * @topics availability * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html */ Cluster.disallowSingleAvailabilityZone = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-cluster-disallow-single-availability-zone", description: "Check that RDS Cluster doesn't use single availability zone.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (cluster.availabilityZones && cluster.availabilityZones.length < 2) { reportViolation("RDS Clusters should use more than one availability zone."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["availability"], frameworks: ["hitrust"], }); /** * Checks that RDS Clusters storage is encrypted. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ Cluster.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-cluster-disallow-unencrypted-storage", description: "Checks that RDS Clusters storage is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!cluster.storageEncrypted) { reportViolation("RDS Cluster storage should be encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS Clusters backup retention policy is enabled. * * @severity medium * @frameworks hitrust, iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ Cluster.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-cluster-enable-backup-retention", description: "Checks that RDS Clusters backup retention policy is enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!cluster.backupRetentionPeriod) { reportViolation("RDS Clusters backup retention should be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(Cluster || (Cluster = {})); exports.Cluster = Cluster; var ClusterInstance; (function (ClusterInstance) { /** * Checks that RDS Cluster Instances public access is not enabled. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html */ ClusterInstance.disallowPublicAccess = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-clusterinstance-disallow-public-access", description: "Checks that RDS Cluster Instances public access is not enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.ClusterInstance, (clusterInstance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (clusterInstance.publiclyAccessible) { reportViolation("RDS Cluster Instances public access should not be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "critical", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS Cluster Instances performance insights is encrypted. * * @severity high * @frameworks none * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ ClusterInstance.disallowUnencryptedPerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-clusterinstance-disallow-unencrypted-performance-insights", description: "Checks that RDS Cluster Instances performance insights is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.ClusterInstance, (clusterInstance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (clusterInstance.performanceInsightsEnabled && !clusterInstance.performanceInsightsKmsKeyId) { reportViolation("RDS Cluster Instances should have performance insights encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], }); /** * Checks that RDS Cluster Instances have performance insights enabled. * * @severity low * @frameworks none * @topics logging, performance * @link https://aws.amazon.com/rds/performance-insights/ */ ClusterInstance.enablePerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-clusterinstance-enable-performance-insights", description: "Checks that RDS Cluster Instances have performance insights enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.ClusterInstance, (clusterInstance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!clusterInstance.performanceInsightsEnabled) { reportViolation("RDS Cluster Instances should have performance insights enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["logging", "performance"], }); })(ClusterInstance || (ClusterInstance = {})); exports.ClusterInstance = ClusterInstance; var Instance; (function (Instance) { /** * Checks that backup retention policy is adequate. * * @severity medium * @frameworks iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ Instance.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-configure-backup-retention", description: "Checks that backup retention policy is adequate.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } /** * 3 (three) days should be the minimum in order to have full weekend coverage. */ if (instance.backupRetentionPeriod && instance.backupRetentionPeriod < 3) { reportViolation("RDS Instances backup retention period is lower than 3 days."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "iso27001"], }); /** * Checks that RDS Instance storage uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ Instance.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-configure-customer-managed-key", description: "Checks that RDS Instance storage uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (instance.storageEncrypted && !instance.kmsKeyId) { reportViolation("RDS Instance storage should be encrypted using a customer-managed key."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS Instance public access is not enabled. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html */ Instance.disallowPublicAccess = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-disallow-public-access", description: "Checks that RDS Instance public access is not enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (instance.publiclyAccessible === true) { reportViolation("RDS Instances public access should not be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "critical", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS Instance performance insights is encrypted. * * @severity high * @frameworks none * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.htm */ Instance.disallowUnencryptedPerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-disallow-unencrypted-performance-insights", description: "Checks that RDS Instance performance insights is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (instance.performanceInsightsEnabled && !instance.performanceInsightsKmsKeyId) { reportViolation("RDS Instances performance insights should be encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], }); /** * Checks that RDS instance storage is encrypted. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ Instance.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-disallow-unencrypted-storage", description: "Checks that RDS instance storage is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!instance.storageEncrypted) { reportViolation("RDS Instance storage should be encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS Instances backup retention policy is enabled. * * @severity medium * @frameworks hitrust, iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ Instance.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-enable-backup-retention", description: "Checks that RDS Instances backup retention policy is enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!instance.backupRetentionPeriod) { reportViolation("RDS Clusters backup retention should be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS instances have performance insights enabled. * * @severity low * @frameworks none * @topics logging, performance * @link https://aws.amazon.com/rds/performance-insights/ */ Instance.enablePerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "aws-rds-instance-enable-performance-insights", description: "Checks that RDS instances have performance insights enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!instance.performanceInsightsEnabled) { reportViolation("RDS Instances should have performance insights enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["logging", "performance"], }); })(Instance || (Instance = {})); exports.Instance = Instance;