@pulumi/aws-compliance-policies
Version:
This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.
476 lines (475 loc) • 22.1 kB
JavaScript
"use strict";
// Copyright 2016-2024, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// ------------------------------- WARNING -------------------------------------
// This file was programmatically generated. Do not edit unless you know what
// you're doing.
// ------------------------------- WARNING -------------------------------------
Object.defineProperty(exports, "__esModule", { value: true });
exports.Instance = exports.ClusterInstance = exports.Cluster = void 0;
const rds_1 = require("@pulumi/aws/rds");
const policy_1 = require("@pulumi/policy");
const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager");
const rds_2 = require("@pulumi/aws/rds");
const rds_3 = require("@pulumi/aws/rds");
var Cluster;
(function (Cluster) {
/**
* Checks that RDS Cluster backup retention policy is configured.
*
* @severity medium
* @frameworks iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
Cluster.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-cluster-configure-backup-retention",
description: "Checks that RDS Cluster backup retention policy is configured.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
/**
* 3 (three) days should be the minimum in order to have full weekend coverage.
*/
if (cluster.backupRetentionPeriod && cluster.backupRetentionPeriod < 3) {
reportViolation("RDS Cluster backup retention period is lower than 3 days.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "iso27001"],
});
/**
* Checks that RDS Clusters storage uses a customer-managed KMS key.
*
* @severity low
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
Cluster.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-cluster-configure-customer-managed-key",
description: "Checks that RDS Clusters storage uses a customer-managed KMS key.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (cluster.storageEncrypted && !cluster.kmsKeyId) {
reportViolation("RDS Cluster storage should be encrypted using a customer-managed key.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Check that RDS Cluster doesn't use single availability zone.
*
* @severity high
* @frameworks hitrust
* @topics availability
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html
*/
Cluster.disallowSingleAvailabilityZone = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-cluster-disallow-single-availability-zone",
description: "Check that RDS Cluster doesn't use single availability zone.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (cluster.availabilityZones && cluster.availabilityZones.length < 2) {
reportViolation("RDS Clusters should use more than one availability zone.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["availability"],
frameworks: ["hitrust"],
});
/**
* Checks that RDS Clusters storage is encrypted.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
Cluster.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-cluster-disallow-unencrypted-storage",
description: "Checks that RDS Clusters storage is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!cluster.storageEncrypted) {
reportViolation("RDS Cluster storage should be encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS Clusters backup retention policy is enabled.
*
* @severity medium
* @frameworks hitrust, iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
Cluster.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-cluster-enable-backup-retention",
description: "Checks that RDS Clusters backup retention policy is enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.Cluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!cluster.backupRetentionPeriod) {
reportViolation("RDS Clusters backup retention should be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
})(Cluster || (Cluster = {}));
exports.Cluster = Cluster;
var ClusterInstance;
(function (ClusterInstance) {
/**
* Checks that RDS Cluster Instances public access is not enabled.
*
* @severity critical
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html
*/
ClusterInstance.disallowPublicAccess = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-clusterinstance-disallow-public-access",
description: "Checks that RDS Cluster Instances public access is not enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.ClusterInstance, (clusterInstance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (clusterInstance.publiclyAccessible) {
reportViolation("RDS Cluster Instances public access should not be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "critical",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS Cluster Instances performance insights is encrypted.
*
* @severity high
* @frameworks none
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
ClusterInstance.disallowUnencryptedPerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-clusterinstance-disallow-unencrypted-performance-insights",
description: "Checks that RDS Cluster Instances performance insights is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.ClusterInstance, (clusterInstance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (clusterInstance.performanceInsightsEnabled && !clusterInstance.performanceInsightsKmsKeyId) {
reportViolation("RDS Cluster Instances should have performance insights encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
});
/**
* Checks that RDS Cluster Instances have performance insights enabled.
*
* @severity low
* @frameworks none
* @topics logging, performance
* @link https://aws.amazon.com/rds/performance-insights/
*/
ClusterInstance.enablePerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-clusterinstance-enable-performance-insights",
description: "Checks that RDS Cluster Instances have performance insights enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.ClusterInstance, (clusterInstance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!clusterInstance.performanceInsightsEnabled) {
reportViolation("RDS Cluster Instances should have performance insights enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["logging", "performance"],
});
})(ClusterInstance || (ClusterInstance = {}));
exports.ClusterInstance = ClusterInstance;
var Instance;
(function (Instance) {
/**
* Checks that backup retention policy is adequate.
*
* @severity medium
* @frameworks iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
Instance.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-configure-backup-retention",
description: "Checks that backup retention policy is adequate.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
/**
* 3 (three) days should be the minimum in order to have full weekend coverage.
*/
if (instance.backupRetentionPeriod && instance.backupRetentionPeriod < 3) {
reportViolation("RDS Instances backup retention period is lower than 3 days.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "iso27001"],
});
/**
* Checks that RDS Instance storage uses a customer-managed KMS key.
*
* @severity low
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
Instance.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-configure-customer-managed-key",
description: "Checks that RDS Instance storage uses a customer-managed KMS key.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (instance.storageEncrypted && !instance.kmsKeyId) {
reportViolation("RDS Instance storage should be encrypted using a customer-managed key.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS Instance public access is not enabled.
*
* @severity critical
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html
*/
Instance.disallowPublicAccess = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-disallow-public-access",
description: "Checks that RDS Instance public access is not enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (instance.publiclyAccessible === true) {
reportViolation("RDS Instances public access should not be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "critical",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS Instance performance insights is encrypted.
*
* @severity high
* @frameworks none
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.htm
*/
Instance.disallowUnencryptedPerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-disallow-unencrypted-performance-insights",
description: "Checks that RDS Instance performance insights is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (instance.performanceInsightsEnabled && !instance.performanceInsightsKmsKeyId) {
reportViolation("RDS Instances performance insights should be encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
});
/**
* Checks that RDS instance storage is encrypted.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
Instance.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-disallow-unencrypted-storage",
description: "Checks that RDS instance storage is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!instance.storageEncrypted) {
reportViolation("RDS Instance storage should be encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS Instances backup retention policy is enabled.
*
* @severity medium
* @frameworks hitrust, iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
Instance.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-enable-backup-retention",
description: "Checks that RDS Instances backup retention policy is enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!instance.backupRetentionPeriod) {
reportViolation("RDS Clusters backup retention should be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS instances have performance insights enabled.
*
* @severity low
* @frameworks none
* @topics logging, performance
* @link https://aws.amazon.com/rds/performance-insights/
*/
Instance.enablePerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "aws-rds-instance-enable-performance-insights",
description: "Checks that RDS instances have performance insights enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_3.Instance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!instance.performanceInsightsEnabled) {
reportViolation("RDS Instances should have performance insights enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["logging", "performance"],
});
})(Instance || (Instance = {}));
exports.Instance = Instance;