@pulumi/aws-compliance-policies
Version:
This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.
386 lines (385 loc) • 18.2 kB
JavaScript
"use strict";
// Copyright 2016-2024, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// ------------------------------- WARNING -------------------------------------
// This file was programmatically generated. Do not edit unless you know what
// you're doing.
// ------------------------------- WARNING -------------------------------------
Object.defineProperty(exports, "__esModule", { value: true });
exports.DbInstance = exports.DbCluster = void 0;
const rds_1 = require("@pulumi/aws-native/rds");
const policy_1 = require("@pulumi/policy");
const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager");
const rds_2 = require("@pulumi/aws-native/rds");
var DbCluster;
(function (DbCluster) {
/**
* Checks that RDS DB Cluster backup retention policy is configured.
*
* @severity medium
* @frameworks hitrust, iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
DbCluster.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbcluster-configure-backup-retention",
description: "Checks that RDS DB Cluster backup retention policy is configured.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
/**
* 3 (three) days should be the minimum in order to have full weekend coverage.
*/
if (cluster.backupRetentionPeriod && cluster.backupRetentionPeriod < 3) {
reportViolation("RDS DB Cluster backup retention period is lower than 3 days.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS DB Cluster storage uses a customer-managed KMS key.
*
* @severity low
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
DbCluster.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbcluster-configure-customer-managed-key",
description: "Checks that RDS DB Cluster storage uses a customer-managed KMS key.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (cluster.storageEncrypted && !cluster.kmsKeyId) {
reportViolation("RDS DB Cluster storage should be encrypted using a customer-managed key.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Check that RDS DB Cluster doesn't use single availability zone.
*
* @severity high
* @frameworks hitrust
* @topics availability
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/multi-az-db-clusters-concepts.html
*/
DbCluster.disallowSingleAvailabilityZone = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbcluster-disallow-single-availability-zone",
description: "Check that RDS DB Cluster doesn't use single availability zone.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (cluster.availabilityZones && cluster.availabilityZones.length < 2) {
reportViolation("RDS DB Clusters should use more than one availability zone.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["availability"],
frameworks: ["hitrust"],
});
/**
* Checks that RDS DB Cluster storage is encrypted.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
DbCluster.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbcluster-disallow-unencrypted-storage",
description: "Checks that RDS DB Cluster storage is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!cluster.storageEncrypted) {
reportViolation("RDS DB Cluster storage should be encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS DB Clusters backup retention policy is enabled.
*
* @severity medium
* @frameworks hitrust, iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
DbCluster.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbcluster-enable-backup-retention",
description: "Checks that RDS DB Clusters backup retention policy is enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_1.DbCluster, (cluster, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!cluster.backupRetentionPeriod) {
reportViolation("RDS DB Clusters backup retention should be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
})(DbCluster || (DbCluster = {}));
exports.DbCluster = DbCluster;
var DbInstance;
(function (DbInstance) {
/**
* Checks that RDS DB Instances backup retention policy is adequate.
*
* @severity medium
* @frameworks iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
DbInstance.configureBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-configure-backup-retention",
description: "Checks that RDS DB Instances backup retention policy is adequate.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
/**
* 3 (three) days should be the minimum in order to have full weekend coverage.
*/
if (instance.backupRetentionPeriod && instance.backupRetentionPeriod < 3) {
reportViolation("RDS DB Instances backup retention period should be greater than 3 days.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "iso27001"],
});
/**
* Checks that RDS DB Instance storage uses a customer-managed KMS key.
*
* @severity low
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
DbInstance.configureCustomerManagedKey = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-configure-customer-managed-key",
description: "Checks that RDS DB Instance storage uses a customer-managed KMS key.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (instance.storageEncrypted && !instance.kmsKeyId) {
reportViolation("RDS DB Instances storage should be encrypted using a customer-managed key.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS DB Instances public access is not enabled.
*
* @severity critical
* @frameworks hitrust, iso27001, pcidss
* @topics network
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_CommonTasks.Connect.html
*/
DbInstance.disallowPublicAccess = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-disallow-public-access",
description: "Checks that RDS DB Instances public access is not enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (dbInstance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (dbInstance.publiclyAccessible) {
reportViolation("RDS DB Instances public access should not be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "critical",
topics: ["network"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS DB Instances performance insights is encrypted.
*
* @severity high
* @frameworks none
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
DbInstance.disallowUnencryptedPerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-disallow-unencrypted-performance-insights",
description: "Checks that RDS DB Instances performance insights is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (dbInstance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (dbInstance.enablePerformanceInsights && !dbInstance.performanceInsightsKmsKeyId) {
reportViolation("RDS DB Instances should have performance insights encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
});
/**
* Checks that RDS DB Instance storage is encrypted.
*
* @severity high
* @frameworks hitrust, iso27001, pcidss
* @topics encryption, storage
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html
*/
DbInstance.disallowUnencryptedStorage = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-disallow-unencrypted-storage",
description: "Checks that RDS DB Instance storage is encrypted.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!instance.storageEncrypted) {
reportViolation("RDS DB Instances storage should be encrypted.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "high",
topics: ["encryption", "storage"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS DB Instances backup retention policy is enabled.
*
* @severity medium
* @frameworks hitrust, iso27001, pcidss
* @topics backup, resilience
* @link https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html#USER_WorkingWithAutomatedBackups.BackupRetention
*/
DbInstance.enableBackupRetention = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-enable-backup-retention",
description: "Checks that RDS DB Instances backup retention policy is enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (instance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!instance.backupRetentionPeriod) {
reportViolation("RDS DB Instances backup retention should be enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "medium",
topics: ["backup", "resilience"],
frameworks: ["pcidss", "hitrust", "iso27001"],
});
/**
* Checks that RDS DB Instances have performance insights enabled.
*
* @severity low
* @frameworks none
* @topics logging, performance
* @link https://aws.amazon.com/rds/performance-insights/
*/
DbInstance.enablePerformanceInsights = compliance_policy_manager_1.policyManager.registerPolicy({
resourceValidationPolicy: {
name: "awsnative-rds-dbinstance-enable-performance-insights",
description: "Checks that RDS DB Instances have performance insights enabled.",
configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema,
enforcementLevel: "advisory",
validateResource: (0, policy_1.validateResourceOfType)(rds_2.DbInstance, (dbInstance, args, reportViolation) => {
if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) {
return;
}
if (!dbInstance.enablePerformanceInsights) {
reportViolation("RDS DB Instances should have performance insights enabled.");
}
}),
},
vendors: ["aws"],
services: ["rds"],
severity: "low",
topics: ["logging", "performance"],
});
})(DbInstance || (DbInstance = {}));
exports.DbInstance = DbInstance;