Pre-written Sentinel Policies for AWS NIST SP 800-53 Revision 5
Pre-written Sentinel policies are ready-to-use compliance checks for NIST SP 800-53 Revision 5 that help your AWS resources meet industry security standards.
At HashiCorp, we’re committed to making policy management easier for our customers. We understand that developing policies from scratch can be time-consuming and resource-intensive. To address this, we’re introducing our Prewritten Policy Libraries—expertly crafted, ready-to-use policies designed to streamline your compliance processes and enhance security across your infrastructure.
This repository contains several policies designed to accelerate the adoption of NIST SP 800-53, tailored for public sector and government-aligned environments. They enable users to continuously evaluate and enforce security and privacy controls across their systems and resources, ensuring compliance, reducing risk, and improving overall security posture with actionable guidance.
For more details on how to work with these policies and to understand the Sentinel language and framework, please refer to the Sentinel documentation or the README documentation included with each of the policy libraries.
Feedback
We aim to validate the effectiveness of our policies by collecting diverse user feedback and understanding real-world use cases. This input will help refine our policies and enhance their overall impact.
- You can submit your feedback via a public survey.
- If you have any issues or enhancement suggestions for the library, please create a new GitHub issue.
- Alternatively, we welcome any contributions that improve the impact of this library! To learn more about contributing and suggesting changes to this library, refer to the contributing guide.
Getting Started
This getting started guide assumes that:
- You are familiar with core workflows in HCP Terraform and Terraform Enterprise, and you have an existing workspace configured with AWS access credentials.
  Tip: If you do not have these prerequisites, please refer to the Use VCS-Driven Workflow and Create a Variable Set tutorials for guidance.
- You have a user account that is part of the "owners" team or that has "Manage Policies" organization-level permissions, so that you can create new policy sets and policies.
- You are using HCP Terraform or Terraform Enterprise v202312-1 or a later version.
- You are using Sentinel version 0.26.x or later.
By default, the module will enable all policies within the library, and they will be enforced by the HCP Platform with the enforcement_level set to advisory only.
Example:
```hcl
policy "iam-password-expiry" {
  source            = "./policies/iam/iam-password-expiry.sentinel"
  enforcement_level = "advisory"
  params = {
    password_expiry_days = 90
  }
}
```
If you want to enable only a subset of the policies or change the enforcement levels to either soft-mandatory or hard-mandatory, we recommend updating the contents of the sentinel.hcl file in each library before applying the Terraform configuration.
Important: The policies in each library are opinionated and depend on several Sentinel modules. To learn more about modules, please refer to the Sentinel module documentation.
To learn more about how to configure a policy set as a policy evaluation, please review the Terraform Enterprise provider documentation.
Consuming Pre-Written Sentinel Policies for NIST SP 800-53 Revision 5
The following methods outline various ways to consume and implement the pre-written Sentinel policies for NIST SP 800-53 Revision 5. These policies can be used in both Terraform Enterprise (TFE) and HCP Terraform environments. Below are the recommended methods for integrating these policies into your workflows.
Terraform Registry Method:
- Navigate to the Terraform Registry and select the desired Sentinel policy.
- Copy the provided policy snippet from the registry.
- Create a GitHub repository (or use an existing one) to store your policies.
- Add a sentinel.hcl file to the repository and paste the copied policy snippet(s) into this file.
- Connect the repository to HCP Terraform or Terraform Enterprise using the VCS (Version Control System) workflow.
- Trigger policy execution automatically during the plan stage in HCP Terraform or Terraform Enterprise.
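A sentinel.hcl that enables only a subset of the library and picks an enforcement level per policy, covering both the subset/enforcement-level advice in Getting Started and the registry snippets pasted into sentinel.hcl above. This is an added example, not the library's own file: the iam-password-expiry block and its params come from this README, the other policy labels are my own, and the remaining source paths and the module name and path are placeholders to be looked up under ./policies and ./modules in the repository.

```hcl
# sentinel.hcl (added example, not the library's shipped file): enable a subset
# of the policies and choose an enforcement level per policy instead of the
# library default, in which every policy is enabled at "advisory".

# Shared helper module the policies import. The module name and path are
# placeholders; copy the module blocks from the library's own sentinel.hcl.
module "PLACEHOLDER-module-name" {
  source = "./modules/PLACEHOLDER-module-name/PLACEHOLDER-module-name.sentinel"
}

# advisory: a failed check is reported in the run but never blocks it.
# Keep this level while validating a control against existing workspaces.
# This block is the one shown in the README.
policy "iam-password-expiry" {
  source            = "./policies/iam/iam-password-expiry.sentinel"
  enforcement_level = "advisory"
  params = {
    password_expiry_days = 90
  }
}

# soft-mandatory: a failed check blocks the run until a user with policy
# override permission approves it, which leaves an audit trail of exceptions.
# Placeholder source path: use the file for "Ensure S3 Bucket Policy is set to
# deny HTTP requests" from ./policies.
policy "s3-bucket-policy-deny-http" {
  source            = "./policies/PLACEHOLDER-service/PLACEHOLDER-policy.sentinel"
  enforcement_level = "soft-mandatory"
}

# hard-mandatory: a failed check always blocks the run and cannot be overridden.
# Reserve this for controls that must never be bypassed. Placeholder source
# path: use the file for "EC2 - Ensure Metadata Service only allows IMDSv2".
policy "ec2-imdsv2-required" {
  source            = "./policies/PLACEHOLDER-service/PLACEHOLDER-policy.sentinel"
  enforcement_level = "hard-mandatory"
}
```

Policies not listed in this file are simply not evaluated, so review the omitted controls against your NIST SP 800-53 control baseline before relying on the subset.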
Using the Public GitHub Repository:
- Access the public GitHub repository containing the policy library.
- You can directly use the repository as-is or fork it to customize the policies for your specific requirements.
- If forking, ensure you sync your fork with the upstream repository periodically to stay updated with the latest changes.
- Avoid using the default branch for consumption in HCP Terraform or Terraform Enterprise. Instead, use the release branches for better stability.
- Attach the repository (or your fork) to HCP Terraform or Terraform Enterprise using the VCS workflow.
- Run a Terraform plan to execute the policies during the post-plan stage.
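Attaching the repository (or your fork) from a release branch as a VCS-backed policy set with the Terraform Enterprise provider, as an added example that is not part of this README: the organization, workspace id, repository identifier, branch and OAuth token id are placeholders, and the tfe_policy_set arguments used are the provider's documented ones.

```hcl
terraform {
  required_providers {
    tfe = {
      source = "hashicorp/tfe"
    }
  }
}

# Placeholder: ids of the AWS workspaces the policies should evaluate. To apply
# the set to every workspace instead, drop workspace_ids and set global = true.
locals {
  aws_workspace_ids = ["PLACEHOLDER-workspace-id"]
}

resource "tfe_policy_set" "aws_nist_800_53_rev5" {
  name          = "aws-nist-sp-800-53-rev5"
  description   = "Pre-written Sentinel policies for AWS NIST SP 800-53 Revision 5"
  organization  = "PLACEHOLDER-org"
  kind          = "sentinel"
  # Run the set as a policy evaluation (the library requires Sentinel 0.26.x or later).
  agent_enabled = true
  workspace_ids = local.aws_workspace_ids

  vcs_repo {
    # Your fork (or the upstream library) in "<owner>/<repo>" form.
    identifier = "PLACEHOLDER-org/PLACEHOLDER-policy-library-fork"
    # Pin to a release branch, never the default branch, so an upstream change
    # cannot silently alter what your runs enforce; bump it deliberately when
    # you sync the fork.
    branch             = "PLACEHOLDER-release-branch"
    ingress_submodules = false
    oauth_token_id     = "PLACEHOLDER-oauth-token-id"
  }
}
```

Once applied, every plan in the listed workspaces runs the policies in the post-plan stage, and the sentinel.hcl at the repository root decides which policies and enforcement levels apply.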
Notes and Best Practices
- These policies are compatible with both HCP Terraform (HCPT) and Terraform Enterprise (TFE). Ensure your workflow is configured accordingly.
- When using the public GitHub repository, it is recommended to use release branches for stability and avoid consuming policies directly from the default branch.
- Regularly update your policies to align with the latest NIST SP 800-53 Revision 5 compliance standard and Terraform best practices.
- Customize policies as needed to meet your organization's specific compliance and security requirements.
Resources
- Get Started - HCP Terraform
- Connecting VCS Providers to HCP Terraform
- Policy Enforcement
- Managing Policy Sets
- Introduction to Sentinel
- Sentinel Documentation
- Sentinel Language
- Sentinel Language Specification
- Policy Libraries
Policies Included
- Application Load Balancer should be configured with defensive or strictest desync mitigation mode (docs | code)
- Ensure that S3 Buckets are configured with 'Block public access (bucket settings)' (docs | code)
- Amazon Dynamo DB accelerator clusters should have encryption at rest enabled (docs | code)
- AWS Redshift Cluster should have the encrypted attribute set to true (docs | code)
- AWS OpenSearch Domain should have the enabled in encrypt_at_rest attribute set to true (docs | code)
- Amazon EC2 instances should not use multiple ENIs (docs | code)
- EventBridge global endpoints should have event replication enabled (docs | code)
- AWS RDS cluster should have backtracking enabled (docs | code)
- ECS task definitions should have a logging configuration (docs | code)
- Classic Load Balancers should have connection draining enabled (docs | code)
- Neptune DB clusters should be deployed across multiple Availability Zones (docs | code)
- Security groups should only allow unrestricted incoming traffic for authorized ports (docs | code)
- ECS task definitions should not share the host's process namespace (docs | code)
- AWS RDS Cluster should have the storage_encrypted attribute set to true (docs | code)
- RabbitMQ brokers should use cluster deployment mode (docs | code)
- AWS WAF Classic Regional rules should have at least one condition (docs | code)
- CloudFront distributions should not point to non-existent S3 origins (docs | code)
- CloudFront distributions should have WAF enabled (docs | code)
- VPCs should be configured with an interface endpoint for ECR API (docs | code)
- EC2 - Network Acls should not allow ingress traffic from 0.0.0.0/0 or ::/0 to ports 22 or 3389 (docs | code)
- AWS RDS instance should have logging configured (docs | code)
- EC2 - Ensure Metadata Service only allows IMDSv2 (docs | code)
- FSx for Lustre file systems should be configured to copy tags to backups (docs | code)
- AWS OpenSearch domains should have fine-grained access control enabled (docs | code)
- AWS WAF Classic global rules should have at least one condition (docs | code)
- Classic Load Balancers with SSL/HTTPS listeners should use a certificate provided by AWS Certificate Manager (docs | code)
- RDS for MariaDB DB instances should publish logs to CloudWatch Logs (docs | code)
- AWS DocumentDB clusters should be encrypted at rest (docs | code)
- AWS Redshift Cluster should have the enable attribute set to true in logging or referenced to the resource 'aws_redshift_logging' (docs | code)
- CodeBuild project environments should have a logging AWS Configuration (docs | code)
- CloudTrail should have encryption at-rest enabled (docs | code)
- IAM users should not have IAM policies attached (docs | code)
- OpenSearch domains should not be publicly accessible (docs | code)
- AWS DMS Replication Instances should have the publicly_accessible attribute set to false (docs | code)
- AWS RDS DB instances should have automatic minor version upgrade enabled (docs | code)
- EKS clusters should use encrypted Kubernetes secrets (docs | code)
- Amazon ElastiCache for Redis cluster should not use the default subnet group (docs | code)
- Network Firewall policy default action full packets (docs | code)
- CloudFront distributions should have logging enabled (docs | code)
- AWS RDS cluster should be configured to copy tags to snapshots (docs | code)
- VPCs should be configured with an interface endpoint for Docker Registry (docs | code)
- CloudTrail Lake event data stores should be encrypted with customer managed AWS KMS keys (docs | code)
- Amazon ElastiCache for Redis replication-group should have automatic failovers enabled (docs | code)
- AWS Redshift Cluster should have the master_username attribute not set to null or 'awsuser' (default_value) (docs | code)
- AWS DMS Endpoint resource should have the 'ssl_security_protocol' attribute is 'ssl-encryption' in 'redis_settings' for engine of type redis (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Parameter Group resource (docs | code)
- Network Firewall firewalls should have deletion protection enabled (docs | code)
- Amazon ECS task definitions should have secure networking modes and user definitions (docs | code)
- RDS for SQL Server DB instances should publish logs to CloudWatch Logs (docs | code)
- Amazon EC2 launch templates should not assign public IPs to network interfaces (docs | code)
- AWS WAF Classic Global Web ACL logging should be enabled (docs | code)
- AWS RDS instance should have monitoring configured (docs | code)
- Access logging should be configured for API Gateway V2 Stages (docs | code)
- Elasticsearch domain error logging to CloudWatch Logs should be enabled (docs | code)
- Attached Amazon EBS volumes should be encrypted at-rest (docs | code)
- DynamoDB tables should be present in a backup plan (docs | code)
- ECR repositories should have at least one lifecycle policy configured (docs | code)
- Neptune DB clusters should publish audit logs to cloudwatch (docs | code)
- Neptune DB clusters should have IAM database authentication enabled (docs | code)
- AWS DMS Endpoint resource should have the 'auth_mechanism' attribute not 'default' in 'mongodb_settings' for engine of type mongodb (docs | code)
- AWS OpenSearch should have the enabled in node-to-node-encryption attribute set to true (docs | code)
- AWS OpenSearch should have the enabled in log_publishing_options attribute set to true (docs | code)
- AWS RDS DB instances should have encryption at-rest enabled (docs | code)
- Classic Load Balancer should span multiple Availability Zones (docs | code)
- Amazon ElastiCache for Redis replication groups should have auth token set when redis version is below 6.0 (docs | code)
- CloudFront distributions should use SNI to serve HTTPS requests (docs | code)
- SNS topics should be encrypted at-rest using AWS KMS (docs | code)
- Amazon Dynamo DB tables should scale its read and write capacity as needed (docs | code)
- AWS WAF Classic global web ACLs should have at least one rule or rule group (docs | code)
- RDS instances should not use a database engine default port (docs | code)
- Neptune DB cluster snapshots should be encrypted at rest (docs | code)
- AWS Elasticsearch domain should not be publicly accessible (docs | code)
- S3 general purpose buckets should have Object Lock enabled (docs | code)
- ActiveMQ brokers should use active/standby deployment mode (docs | code)
- EKS clusters should run on a supported Kubernetes version (docs | code)
- AWS Redshift Cluster should have the enhanced_vpc_routing attribute set to true (docs | code)
- Connections to AWS OpenSearch domains should be encrypted using the latest TLS security policy (docs | code)
- AWS Glue Spark jobs should run on supported versions of AWS Glue (docs | code)
- Application and Classic Load Balancers logging should be enabled (docs | code)
- ECS containers should be limited to read-only access to root filesystems (docs | code)
- Amazon Elastic Beanstalk environments should have managed platform updates enabled (docs | code)
- Network Firewall firewalls should be deployed across multiple Availability Zones (docs | code)
- AWS Elasticsearch domain should be encrypt data between nodes (docs | code)
- VPCs should be configured with an interface endpoint for Systems Manager Incident Manager (docs | code)
- ECR private repositories should have tag immutability configured (docs | code)
- ECS Fargate services should run on the latest Fargate platform version (docs | code)
- AWS DMS Endpoint resource should have the certificate for ssl configured (docs | code)
- Amazon EC2 instances should not have a public IPv4 address (docs | code)
- EFS access points should enforce a user identity (docs | code)
- Amazon ElastiCache for Redis replication groups should have encryption at transit enabled (docs | code)
- API Gateway REST API cache data should be encrypted at rest (docs | code)
- Route 53 public hosted zones should log DNS queries (docs | code)
- AWS Sagemaker Endpoint Configuration should have the initial_instance_count greater than one for the production_variants attribute (docs | code)
- Network Firewall policies should have at least one rule group associated (docs | code)
- AWS RDS instance ensure deletion protection enabled (docs | code)
- Amazon EC2 Auto Scaling group should cover multiple Availability Zones (docs | code)
- AWS EC2 Client VPN endpoints should have client connection logging enabled (docs | code)
- AWS RDS cluster should be configured for multiple Availability Zones (docs | code)
- AWS DMS Replication Task should have Logging enabled for the attribute 'replication_task_settings' for target db (docs | code)
- CloudFront distributions should encrypt traffic to custom origins (docs | code)
- Elastic File System should be configured to encrypt file data at-rest using AWS KMS (docs | code)
- Application, Gateway, and Network Load Balancers should have deletion protection enabled (docs | code)
- ActiveMQ brokers should stream audit logs to CloudWatch (docs | code)
- S3 general purpose buckets should use cross-Region replication (docs | code)
- AWS RDS DB Instance should have the username attribute not set to 'admin' (default_value) (docs | code)
- AWS Redshift clusters should have automated_snapshot_retention_period set between '7 to 35' (docs | code)
- API Gateway REST and WebSocket API execution logging should be enabled (docs | code)
- AWS Backup Framework Recovery Point should be encrypted at rest (docs | code)
- AWS Elasticsearch domain should be encrypted at rest (docs | code)
- Elasticsearch domains should be configured with at least three dedicated master nodes (docs | code)
- CloudFront distributions should have origin failover configured (docs | code)
- Password policies for IAM users should have strong configurations (docs | code)
- AWS RDS instance ensure deletion protection enabled (docs | code)
- AWS DocumentDB clusters should have backup_retention_period set between '7 to 35' (docs | code)
- AWS MQ Broker should have the in_cluster attribute set to true for encryption_in_transit of encryption_info attribute (docs | code)
- CloudFront distributions should require encryption in transit (docs | code)
- AWS RDS cluster snapshots and database snapshots should be encrypted at rest (docs | code)
- Amazon EMR block public access setting should be enabled (docs | code)
- AWS WAF Classic Regional web ACLs should have at least one rule or rule group (docs | code)
- ECR repositories should be encrypted with customer managed AWS KMS keys (docs | code)
- AWS RDS cluster ensure IAM authentication configured (docs | code)
- Amazon ElastiCache for Redis replication groups should have encryption at rest enabled (docs | code)
- Classic Load Balancer should be configured with defensive or strictest desync mitigation mode (docs | code)
- AWS RDS instance ensure IAM authentication configured (docs | code)
- S3 general purpose buckets should have block public access settings enabled (docs | code)
- Network Firewall firewalls should have subnet change protection enabled (docs | code)
- EBS volumes should be covered by a backup plan (docs | code)
- CloudWatch alarms should have specified actions configured (docs | code)
- AWS OpenSearch should have the enabled in log_publishing_options attribute set to true and log_type set to 'AUDIT_LOGS' (docs | code)
- AWS AppSync GraphQL APIs should not be authenticated with API keys (docs | code)
- Amazon ElastiCache for Redis cluster should have automatic backups scheduled (docs | code)
- Redshift Serverless namespaces should be encrypted with customer managed AWS KMS keys (docs | code)
- Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses (docs | code)
- AWS Sagemaker Notebook instance should have the root_access set to "Disabled" (docs | code)
- EKS cluster endpoints should not be publicly accessible (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Cluster resource (docs | code)
- AWS MQ Broker should have the auto_minor_version_upgrade attribute set to true (docs | code)
- S3 general purpose bucket policies should restrict access to other AWS accounts (docs | code)
- S3 general purpose buckets should be encrypted at rest with AWS KMS keys (docs | code)
- EventBridge custom event buses should have a resource-based policy attached (docs | code)
- AWS OpenSearch domains should have the latest software update installed (docs | code)
- Lambda function policies should prohibit public access (docs | code)
- Ensure S3 Bucket Policy is set to deny HTTP requests (docs | code)
- CloudFront distributions should have a default root object configured (docs | code)
- ECS task definitions should not use host network mode (docs | code)
- AWS Redshift Serverless namespaces should not use the default database name (docs | code)
- Application Load Balancer should be configured to redirect all HTTP requests to HTTPS (docs | code)
- Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates (docs | code)
- Amazon EMR security configurations should be encrypted at rest (docs | code)
- EKS clusters should have audit logging enabled (docs | code)
- AWS RDS instance should be configured with Multi AZ (docs | code)
- AWS RDS DB instances should have automatic backups enabled (docs | code)
- FSx for OpenZFS file systems should be configured to copy tags to backups and volumes (docs | code)
- Amazon Dynamo DB tables should have point in time recovery enabled (docs | code)
- AWS DocumentDB clusters should have deletion protection enabled (docs | code)
- Amazon EC2 Transit Gateways should not automatically accept VPC attachment requests (docs | code)
- Secrets Manager secrets should have automatic rotation enabled (docs | code)
- AWS DocumentDB clusters should have enabled_cloudwatch_logs_exports attribute set to 'audit' (docs | code)
- AWS Redshift Cluster should have the publicly_accessible attribute set to false (docs | code)
- S3 general purpose buckets should have versioning enabled (docs | code)
- Unused Network Access Control Lists should be removed (docs | code)
- KMS restrict IAM inline policies decrypt all KMS keys (docs | code)
- VPC Lambda functions should operate in multiple Availability Zones (docs | code)
- Auto Scaling groups associated with a load balancer should use ELB health checks (docs | code)
- Auto Scaling groups should use multiple instance types in multiple Availability Zones (docs | code)
- Application Load Balancers should be associated with an AWS WAF web ACL (docs | code)
- Neptune DB clusters should have deletion protection enabled (docs | code)
- Elasticsearch domains should have audit logging enabled (docs | code)
- Amazon EMR security configurations should be encrypted in transit (docs | code)
- AWS RDS Cluster should have the master_username attribute not set to 'admin' (default_value) (docs | code)
- IAM policies should not allow full "*" administrative privileges (docs | code)
- VPCs should be configured with an interface endpoint for Systems Manager (docs | code)
- Amazon Elastic Beanstalk environments should have enhanced health reporting enabled (docs | code)
- AWS Redshift Cluster should have the database_name attribute not set to 'dev' (default_value) (docs | code)
- AWS Security Group should not allow ingress traffic from 0.0.0.0/0 or ::/0 to common ports (docs | code)
- ECR private repositories should have image scanning configured (docs | code)
- Neptune DB clusters should be encrypted at rest (docs | code)
- AWS Redshift Cluster should have the require_ssl parameter in the AWS Redshift Parameter Group set to true (docs | code)
- The default stateless action for Network Firewall policies should be drop or forward for fragmented packets (docs | code)
- AWS WAF web ACLs should have at least one rule or rule group (docs | code)
- AWS Transfer Family connectors should have logging enabled (docs | code)
- Secrets should not be passed as container environment variables (docs | code)
- Amazon ElastiCache for Redis cluster should have automatic minor version upgrades enabled (docs | code)
- Connections to Elasticsearch domains should be encrypted using the latest TLS security policy (docs | code)
- Amazon EBS snapshots should not be publicly restorable (docs | code)
- Application, Network and Gateway Load Balancers should span multiple Availability Zones (docs | code)
- Elasticsearch domains should have at least three data nodes (docs | code)
- ECS services should not have public IP addresses assigned to them automatically (docs | code)
- AWS RDS Aurora MySQL Cluster should contain 'audit' for enabled_cloudwatch_logs_exports attribute (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Instance resource (docs | code)
- Amazon Dynamo DB tables should have delete protection enabled (docs | code)
- API Gateway REST API stages should have AWS X-Ray tracing enabled (docs | code)
- API Gateway REST API stages should be configured to use SSL certificates for backend authentication (docs | code)
- Service Catalog portfolios should be shared within an AWS organization only (docs | code)
- EFS access points should enforce a root directory (docs | code)
- OpenSearch domains should have at least three dedicated primary nodes (docs | code)
- S3 access points should have block public access settings enabled (docs | code)
- S3 general purpose buckets with versioning enabled should have Lifecycle configurations (docs | code)
- Transfer Family servers should not use FTP protocol for endpoint connection (docs | code)
- AWS Sagemaker Notebook instance should have the direct_internet_access set to "Disabled" (docs | code)
- Stateless Network Firewall rule group should not be empty in AWS Network Firewall (docs | code)
- Firehose delivery streams should be encrypted at rest (docs | code)
- AWS WAF Classic global rule groups should have at least one rule (docs | code)
- Application and Network Load Balancers with listeners should use recommended security policies (docs | code)
- AWS Redshift Cluster should have the allow_version_upgrade attribute set to true (docs | code)
- Application Load Balancer should be configured to drop http headers (docs | code)
- Classic Load Balancer listeners should be configured with HTTPS or TLS termination (docs | code)
- AWS Sagemaker Notebook instance should be launched in custom vpc (docs | code)
- AWS Private CA root certificate authority should be disabled (docs | code)
- IAM customer managed policies that you create should not allow wildcard actions for services (docs | code)
- S3 general purpose buckets should have event notifications enabled (docs | code)
- Lambda functions should use supported runtimes (docs | code)
- Classic Load Balancers with SSL listeners should use a predefined security policy that has strong AWS Configuration (docs | code)
- AWS DMS Replication Instances should have the auto_minor_version_upgrade attribute set to true (docs | code)
- AWS WAF Classic Regional rule groups should have at least one rule (docs | code)
- Amazon EC2 subnets should not automatically assign public IP addresses (docs | code)
- Amazon EC2 should be configured to use VPC endpoints that are created for the Amazon EC2 service (docs | code)
- VPCs should be configured with an interface endpoint for Systems Manager Incident Manager Contacts (docs | code)
- AWS OpenSearch should have the instance count in cluster_config attribute greater than or equal to 3 (docs | code)
- AWS Macie Account should have the status attribute set to "ENABLED" (docs | code)
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins (docs | code)
- CloudWatch log groups should be retained for a specified time period (docs | code)
- Classic Load Balancers should have cross-zone load balancing enabled (docs | code)
- AWS RDS DB instances should be configured to copy tags to snapshots (docs | code)
- API Gateway should be associated with a WAF Web ACL (docs | code)
- CloudFront distributions should use custom SSL/TLS certificates (docs | code)
- S3 general purpose buckets should block public read access (docs | code)
- S3 general purpose buckets should block public write access (docs | code)
- Amazon EC2 paravirtual instance types should not be used (docs | code)
- Neptune DB clusters should be configured to copy tags to snapshots (docs | code)
- MSK clusters should have enhanced monitoring configured (docs | code)
- AWS WAF rules should have CloudWatch metrics enabled (docs | code)
- Application Load Balancers should be associated with an AWS WAF web ACL (docs | code)
- AWS Event Subscriptions should have Event Notifications configured for the AWS RDS Security Group resource (docs | code)
- Neptune DB clusters should have automated backups enabled (docs | code)
- AWS SageMaker notebook instances should be launched in a custom VPC (docs | code)
- AWS DMS Replication Task should have Logging enabled for the attribute 'replication_task_settings' for source db (docs | code)
- API Gateway routes should specify an authorization type (docs | code)