UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

179 lines (178 loc) 8.36 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.Repository = void 0; const ecr_1 = require("@pulumi/aws-native/ecr"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); var Repository; (function (Repository) { /** * Checks that ECR repositories use a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics container, encryption, storage * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html */ Repository.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-ecr-repository-configure-customer-managed-key", description: "Checks that ECR repositories use a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ecr_1.Repository, (repo, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (repo.encryptionConfiguration) { if (repo.encryptionConfiguration.encryptionType !== "KMS") { reportViolation("ECR repositories should be encrypted using a customer-managed KMS key."); } if (repo.encryptionConfiguration.encryptionType === "KMS" && !repo.encryptionConfiguration.kmsKey) { reportViolation("ECR repositories should be encrypted using a customer-managed KMS key."); } } }), }, vendors: ["aws"], services: ["ecr"], severity: "low", topics: ["container", "encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that ECR repositories have 'scan-on-push' configured. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container, vulnerability * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html */ Repository.configureImageScan = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-ecr-repository-configure-image-scan", description: "Checks that ECR repositories have 'scan-on-push' configured.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ecr_1.Repository, (repo, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!repo.imageScanningConfiguration) { reportViolation("ECR Repositories should have image scanning configured."); } }), }, vendors: ["aws"], services: ["ecr"], severity: "high", topics: ["container", "vulnerability"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that ECR Repositories have immutable images enabled. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container * @link https://sysdig.com/blog/toctou-tag-mutability/ */ Repository.disallowMutableImage = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-ecr-repository-disallow-mutable-image", description: "Checks that ECR Repositories have immutable images enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ecr_1.Repository, (repo, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (repo.imageTagMutability !== "IMMUTABLE") { reportViolation("ECR repositories should enable immutable images."); } }), }, vendors: ["aws"], services: ["ecr"], severity: "high", topics: ["container"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that ECR Repositories are encrypted. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container, encryption, storage * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html */ Repository.disallowUnencryptedRepository = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-ecr-repository-disallow-unencrypted-repository", description: "Checks that ECR Repositories are encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ecr_1.Repository, (repo, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (repo.encryptionConfiguration === undefined) { reportViolation("ECR repositories should be encrypted."); } }), }, vendors: ["aws"], services: ["ecr"], severity: "high", topics: ["container", "encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that ECR repositories have 'scan-on-push' enabled. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics container, vulnerability * @link https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html */ Repository.enableImageScan = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-ecr-repository-enable-image-scan", description: "Checks that ECR repositories have 'scan-on-push' enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(ecr_1.Repository, (repo, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (repo.imageScanningConfiguration && !repo.imageScanningConfiguration.scanOnPush) { reportViolation("ECR Repositories should enable 'scan-on-push'."); } }), }, vendors: ["aws"], services: ["ecr"], severity: "high", topics: ["container", "vulnerability"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(Repository || (Repository = {})); exports.Repository = Repository;