UNPKG

@pulumi/aws-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

386 lines (385 loc) 18.2 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.DbInstance = exports.DbCluster = void 0; const rds_1 = require("@pulumi/aws-native/rds"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); const rds_2 = require("@pulumi/aws-native/rds"); var DbCluster; (function (DbCluster) { /** * Checks that RDS DB Cluster backup retention policy is configured. * * @severity medium * @frameworks hitrust, iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ DbCluster.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbcluster-configure-backup-retention", description: "Checks that RDS DB Cluster backup retention policy is configured.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } /** * 3 (three) days should be the minimum in order to have full weekend coverage. */ if (cluster.backupRetentionPeriod && cluster.backupRetentionPeriod < 3) { reportViolation("RDS DB Cluster backup retention period is lower than 3 days."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS DB Cluster storage uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ DbCluster.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbcluster-configure-customer-managed-key", description: "Checks that RDS DB Cluster storage uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (cluster.storageEncrypted && !cluster.kmsKeyId) { reportViolation("RDS DB Cluster storage should be encrypted using a customer-managed key."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Check that RDS DB Cluster doesn't use single availability zone. * * @severity high * @frameworks hitrust * @topics availability * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html */ DbCluster.disallowSingleAvailabilityZone = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbcluster-disallow-single-availability-zone", description: "Check that RDS DB Cluster doesn't use single availability zone.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (cluster.availabilityZones && cluster.availabilityZones.length < 2) { reportViolation("RDS DB Clusters should use more than one availability zone."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["availability"], frameworks: ["hitrust"], }); /** * Checks that RDS DB Cluster storage is encrypted. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ DbCluster.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbcluster-disallow-unencrypted-storage", description: "Checks that RDS DB Cluster storage is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!cluster.storageEncrypted) { reportViolation("RDS DB Cluster storage should be encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS DB Clusters backup retention policy is enabled. * * @severity medium * @frameworks hitrust, iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ DbCluster.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbcluster-enable-backup-retention", description: "Checks that RDS DB Clusters backup retention policy is enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!cluster.backupRetentionPeriod) { reportViolation("RDS DB Clusters backup retention should be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "hitrust", "iso27001"], }); })(DbCluster || (DbCluster = {})); exports.DbCluster = DbCluster; var DbInstance; (function (DbInstance) { /** * Checks that RDS DB Instances backup retention policy is adequate. * * @severity medium * @frameworks iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ DbInstance.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-configure-backup-retention", description: "Checks that RDS DB Instances backup retention policy is adequate.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } /** * 3 (three) days should be the minimum in order to have full weekend coverage. */ if (instance.backupRetentionPeriod && instance.backupRetentionPeriod < 3) { reportViolation("RDS DB Instances backup retention period should be greater than 3 days."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "iso27001"], }); /** * Checks that RDS DB Instance storage uses a customer-managed KMS key. * * @severity low * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ DbInstance.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-configure-customer-managed-key", description: "Checks that RDS DB Instance storage uses a customer-managed KMS key.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (instance.storageEncrypted && !instance.kmsKeyId) { reportViolation("RDS DB Instances storage should be encrypted using a customer-managed key."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS DB Instances public access is not enabled. * * @severity critical * @frameworks hitrust, iso27001, pcidss * @topics network * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html */ DbInstance.disallowPublicAccess = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-disallow-public-access", description: "Checks that RDS DB Instances public access is not enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (dbInstance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (dbInstance.publiclyAccessible) { reportViolation("RDS DB Instances public access should not be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "critical", topics: ["network"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS DB Instances performance insights is encrypted. * * @severity high * @frameworks none * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ DbInstance.disallowUnencryptedPerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-disallow-unencrypted-performance-insights", description: "Checks that RDS DB Instances performance insights is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (dbInstance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (dbInstance.enablePerformanceInsights && !dbInstance.performanceInsightsKmsKeyId) { reportViolation("RDS DB Instances should have performance insights encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], }); /** * Checks that RDS DB Instance storage is encrypted. * * @severity high * @frameworks hitrust, iso27001, pcidss * @topics encryption, storage * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html */ DbInstance.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-disallow-unencrypted-storage", description: "Checks that RDS DB Instance storage is encrypted.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!instance.storageEncrypted) { reportViolation("RDS DB Instances storage should be encrypted."); } }), }, vendors: ["aws"], services: ["rds"], severity: "high", topics: ["encryption", "storage"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS DB Instances backup retention policy is enabled. * * @severity medium * @frameworks hitrust, iso27001, pcidss * @topics backup, resilience * @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention */ DbInstance.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-enable-backup-retention", description: "Checks that RDS DB Instances backup retention policy is enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!instance.backupRetentionPeriod) { reportViolation("RDS DB Instances backup retention should be enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "medium", topics: ["backup", "resilience"], frameworks: ["pcidss", "hitrust", "iso27001"], }); /** * Checks that RDS DB Instances have performance insights enabled. * * @severity low * @frameworks none * @topics logging, performance * @link https://aws.amazon.com/rds/performance-insights/ */ DbInstance.enablePerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "awsnative-rds-dbinstance-enable-performance-insights", description: "Checks that RDS DB Instances have performance insights enabled.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (dbInstance, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (!dbInstance.enablePerformanceInsights) { reportViolation("RDS DB Instances should have performance insights enabled."); } }), }, vendors: ["aws"], services: ["rds"], severity: "low", topics: ["logging", "performance"], }); })(DbInstance || (DbInstance = {})); exports.DbInstance = DbInstance;