├── .eslintrc.json ├── .gitattributes ├── .github ├── CODEOWNERS ├── pull_request_template.md └── workflows │ ├── auto-approve.yml │ ├── auto-queue.yml │ ├── build.yml │ ├── pull-request-lint.yml │ ├── release.yml │ ├── update-guard.yml │ ├── upgrade-cdklabs-projen-project-types-main.yml │ ├── upgrade-dev-deps-main.yml │ └── upgrade-main.yml ├── .gitignore ├── .npmignore ├── .projen ├── deps.json ├── files.json └── tasks.json ├── .projenrc.ts ├── API.md ├── LICENSE ├── README.md ├── guard-version.json ├── package.json ├── projenrc ├── bundle-guard.ts ├── index.ts ├── update-guard.ts └── utils.ts ├── rosetta └── default.ts-fixture ├── rules └── control-tower │ ├── cfn-guard │ ├── apigateway │ │ ├── ct-apigateway-pr-1.guard │ │ ├── ct-apigateway-pr-2.guard │ │ ├── ct-apigateway-pr-3.guard │ │ ├── ct-apigateway-pr-4.guard │ │ ├── ct-apigateway-pr-5.guard │ │ └── ct-apigateway-pr-6.guard │ ├── appsync │ │ ├── ct-appsync-pr-1.guard │ │ ├── ct-appsync-pr-2.guard │ │ ├── ct-appsync-pr-3.guard │ │ ├── ct-appsync-pr-4.guard │ │ └── ct-appsync-pr-5.guard │ ├── athena │ │ ├── ct-athena-pr-1.guard │ │ └── ct-athena-pr-2.guard │ ├── certificatemanager │ │ └── ct-acm-pr-1.guard │ ├── cloudfront │ │ ├── ct-cloudfront-pr-1.guard │ │ ├── ct-cloudfront-pr-10.guard │ │ ├── ct-cloudfront-pr-11.guard │ │ ├── ct-cloudfront-pr-3.guard │ │ ├── ct-cloudfront-pr-4.guard │ │ ├── ct-cloudfront-pr-5.guard │ │ ├── ct-cloudfront-pr-6.guard │ │ ├── ct-cloudfront-pr-7.guard │ │ ├── ct-cloudfront-pr-8.guard │ │ └── ct-cloudfront-pr-9.guard │ ├── cloudtrail │ │ ├── ct-cloudtrail-pr-1.guard │ │ ├── ct-cloudtrail-pr-2.guard │ │ ├── ct-cloudtrail-pr-3.guard │ │ └── ct-cloudtrail-pr-4.guard │ ├── cloudwatch │ │ ├── ct-cloudwatch-pr-1.guard │ │ ├── ct-cloudwatch-pr-2.guard │ │ ├── ct-cloudwatch-pr-3.guard │ │ └── ct-cloudwatch-pr-4.guard │ ├── codebuild │ │ ├── ct-codebuild-pr-1.guard │ │ ├── ct-codebuild-pr-2.guard │ │ ├── ct-codebuild-pr-3.guard │ │ ├── ct-codebuild-pr-4.guard │ │ ├── 
ct-codebuild-pr-5.guard │ │ └── ct-codebuild-pr-6.guard │ ├── databasemigrationservice │ │ ├── ct-dms-pr-1.guard │ │ └── ct-dms-pr-2.guard │ ├── documentdb │ │ ├── ct-documentdb-pr-1.guard │ │ └── ct-documentdb-pr-2.guard │ ├── dynamodb │ │ ├── ct-dax-pr-1.guard │ │ ├── ct-dax-pr-2.guard │ │ ├── ct-dax-pr-3.guard │ │ ├── ct-dynamodb-pr-1.guard │ │ └── ct-dynamodb-pr-2.guard │ ├── ec2 │ │ ├── ct-ec2-pr-1.guard │ │ ├── ct-ec2-pr-10.guard │ │ ├── ct-ec2-pr-11.guard │ │ ├── ct-ec2-pr-12.guard │ │ ├── ct-ec2-pr-13.guard │ │ ├── ct-ec2-pr-14.guard │ │ ├── ct-ec2-pr-15.guard │ │ ├── ct-ec2-pr-16.guard │ │ ├── ct-ec2-pr-17.guard │ │ ├── ct-ec2-pr-18.guard │ │ ├── ct-ec2-pr-19.guard │ │ ├── ct-ec2-pr-2.guard │ │ ├── ct-ec2-pr-20.guard │ │ ├── ct-ec2-pr-3.guard │ │ ├── ct-ec2-pr-4.guard │ │ ├── ct-ec2-pr-5.guard │ │ ├── ct-ec2-pr-6.guard │ │ ├── ct-ec2-pr-7.guard │ │ ├── ct-ec2-pr-8.guard │ │ └── ct-ec2-pr-9.guard │ ├── ec2autoscaling │ │ ├── ct-autoscaling-pr-1.guard │ │ ├── ct-autoscaling-pr-10.guard │ │ ├── ct-autoscaling-pr-11.guard │ │ ├── ct-autoscaling-pr-2.guard │ │ ├── ct-autoscaling-pr-3.guard │ │ ├── ct-autoscaling-pr-4.guard │ │ ├── ct-autoscaling-pr-5.guard │ │ ├── ct-autoscaling-pr-6.guard │ │ ├── ct-autoscaling-pr-8.guard │ │ └── ct-autoscaling-pr-9.guard │ ├── ecr │ │ ├── ct-ecr-pr-1.guard │ │ ├── ct-ecr-pr-2.guard │ │ └── ct-ecr-pr-3.guard │ ├── ecs │ │ ├── ct-ecs-pr-1.guard │ │ ├── ct-ecs-pr-10.guard │ │ ├── ct-ecs-pr-11.guard │ │ ├── ct-ecs-pr-12.guard │ │ ├── ct-ecs-pr-2.guard │ │ ├── ct-ecs-pr-3.guard │ │ ├── ct-ecs-pr-4.guard │ │ ├── ct-ecs-pr-5.guard │ │ ├── ct-ecs-pr-6.guard │ │ ├── ct-ecs-pr-7.guard │ │ ├── ct-ecs-pr-8.guard │ │ └── ct-ecs-pr-9.guard │ ├── efs │ │ ├── ct-elasticfilesysystem-pr-1.guard │ │ ├── ct-elasticfilesysystem-pr-2.guard │ │ ├── ct-elasticfilesysystem-pr-3.guard │ │ └── ct-elasticfilesysystem-pr-4.guard │ ├── eks │ │ ├── ct-eks-pr-1.guard │ │ └── ct-eks-pr-2.guard │ ├── elasticache │ │ ├── ct-elasticache-pr-1.guard │ │ ├── 
ct-elasticache-pr-2.guard │ │ ├── ct-elasticache-pr-3.guard │ │ ├── ct-elasticache-pr-4.guard │ │ ├── ct-elasticache-pr-5.guard │ │ ├── ct-elasticache-pr-6.guard │ │ ├── ct-elasticache-pr-7.guard │ │ └── ct-elasticache-pr-8.guard │ ├── elasticbeanstalk │ │ ├── ct-elasticbeanstalk-pr-1.guard │ │ ├── ct-elasticbeanstalk-pr-2.guard │ │ └── ct-elasticbeanstalk-pr-3.guard │ ├── elasticloadbalancing │ │ ├── ct-elasticloadbalancing-pr-1.guard │ │ ├── ct-elasticloadbalancing-pr-10.guard │ │ ├── ct-elasticloadbalancing-pr-11.guard │ │ ├── ct-elasticloadbalancing-pr-12.guard │ │ ├── ct-elasticloadbalancing-pr-13.guard │ │ ├── ct-elasticloadbalancing-pr-14.guard │ │ ├── ct-elasticloadbalancing-pr-15.guard │ │ ├── ct-elasticloadbalancing-pr-2.guard │ │ ├── ct-elasticloadbalancing-pr-3.guard │ │ ├── ct-elasticloadbalancing-pr-4.guard │ │ ├── ct-elasticloadbalancing-pr-5.guard │ │ ├── ct-elasticloadbalancing-pr-6.guard │ │ ├── ct-elasticloadbalancing-pr-7.guard │ │ ├── ct-elasticloadbalancing-pr-8.guard │ │ └── ct-elasticloadbalancing-pr-9.guard │ ├── emr │ │ ├── ct-emr-pr-1.guard │ │ ├── ct-emr-pr-2.guard │ │ ├── ct-emr-pr-3.guard │ │ └── ct-emr-pr-4.guard │ ├── glue │ │ └── ct-glue-pr-1.guard │ ├── guardduty │ │ └── ct-guardduty-pr-1.guard │ ├── identityandaccessmanagement │ │ ├── ct-iam-pr-1.guard │ │ ├── ct-iam-pr-2.guard │ │ ├── ct-iam-pr-3.guard │ │ ├── ct-iam-pr-4.guard │ │ └── ct-iam-pr-5.guard │ ├── keymanagementservice │ │ ├── ct-kms-pr-1.guard │ │ ├── ct-kms-pr-2.guard │ │ └── ct-kms-pr-3.guard │ ├── kinesis │ │ └── ct-kinesis-pr-1.guard │ ├── lambda │ │ ├── ct-lambda-pr-2.guard │ │ ├── ct-lambda-pr-3.guard │ │ ├── ct-lambda-pr-4.guard │ │ ├── ct-lambda-pr-5.guard │ │ └── ct-lambda-pr-6.guard │ ├── mq │ │ ├── ct-mq-pr-1.guard │ │ └── ct-mq-pr-2.guard │ ├── msk │ │ ├── ct-msk-pr-1.guard │ │ └── ct-msk-pr-2.guard │ ├── neptune │ │ ├── ct-neptune-pr-1.guard │ │ ├── ct-neptune-pr-2.guard │ │ ├── ct-neptune-pr-3.guard │ │ ├── ct-neptune-pr-4.guard │ │ └── 
ct-neptune-pr-5.guard │ ├── networkfirewall │ │ ├── ct-network-firewall-pr-1.guard │ │ ├── ct-network-firewall-pr-2.guard │ │ ├── ct-network-firewall-pr-3.guard │ │ ├── ct-network-firewall-pr-4.guard │ │ └── ct-network-firewall-pr-5.guard │ ├── opensearchservice │ │ ├── ct-opensearch-pr-1.guard │ │ ├── ct-opensearch-pr-10.guard │ │ ├── ct-opensearch-pr-11.guard │ │ ├── ct-opensearch-pr-12.guard │ │ ├── ct-opensearch-pr-13.guard │ │ ├── ct-opensearch-pr-14.guard │ │ ├── ct-opensearch-pr-15.guard │ │ ├── ct-opensearch-pr-16.guard │ │ ├── ct-opensearch-pr-2.guard │ │ ├── ct-opensearch-pr-3.guard │ │ ├── ct-opensearch-pr-4.guard │ │ ├── ct-opensearch-pr-5.guard │ │ ├── ct-opensearch-pr-6.guard │ │ ├── ct-opensearch-pr-7.guard │ │ ├── ct-opensearch-pr-8.guard │ │ └── ct-opensearch-pr-9.guard │ ├── rds │ │ ├── ct-rds-pr-1.guard │ │ ├── ct-rds-pr-10.guard │ │ ├── ct-rds-pr-11.guard │ │ ├── ct-rds-pr-12.guard │ │ ├── ct-rds-pr-13.guard │ │ ├── ct-rds-pr-14.guard │ │ ├── ct-rds-pr-15.guard │ │ ├── ct-rds-pr-16.guard │ │ ├── ct-rds-pr-17.guard │ │ ├── ct-rds-pr-18.guard │ │ ├── ct-rds-pr-19.guard │ │ ├── ct-rds-pr-2.guard │ │ ├── ct-rds-pr-20.guard │ │ ├── ct-rds-pr-21.guard │ │ ├── ct-rds-pr-22.guard │ │ ├── ct-rds-pr-23.guard │ │ ├── ct-rds-pr-24.guard │ │ ├── ct-rds-pr-25.guard │ │ ├── ct-rds-pr-26.guard │ │ ├── ct-rds-pr-27.guard │ │ ├── ct-rds-pr-28.guard │ │ ├── ct-rds-pr-29.guard │ │ ├── ct-rds-pr-3.guard │ │ ├── ct-rds-pr-30.guard │ │ ├── ct-rds-pr-4.guard │ │ ├── ct-rds-pr-5.guard │ │ ├── ct-rds-pr-6.guard │ │ ├── ct-rds-pr-7.guard │ │ ├── ct-rds-pr-8.guard │ │ └── ct-rds-pr-9.guard │ ├── redshift │ │ ├── ct-redshift-pr-1.guard │ │ ├── ct-redshift-pr-2.guard │ │ ├── ct-redshift-pr-3.guard │ │ ├── ct-redshift-pr-4.guard │ │ ├── ct-redshift-pr-5.guard │ │ ├── ct-redshift-pr-6.guard │ │ ├── ct-redshift-pr-7.guard │ │ ├── ct-redshift-pr-8.guard │ │ └── ct-redshift-pr-9.guard │ ├── s3 │ │ ├── ct-s3-pr-1.guard │ │ ├── ct-s3-pr-10.guard │ │ ├── ct-s3-pr-11.guard │ │ ├── 
ct-s3-pr-12.guard │ │ ├── ct-s3-pr-2.guard │ │ ├── ct-s3-pr-3.guard │ │ ├── ct-s3-pr-4.guard │ │ ├── ct-s3-pr-5.guard │ │ ├── ct-s3-pr-6.guard │ │ ├── ct-s3-pr-8.guard │ │ └── ct-s3-pr-9.guard │ ├── sagemaker │ │ ├── ct-sagemaker-pr-1.guard │ │ ├── ct-sagemaker-pr-2.guard │ │ └── ct-sagemaker-pr-3.guard │ ├── sqs │ │ ├── ct-sqs-pr-1.guard │ │ └── ct-sqs-pr-2.guard │ ├── stepfunctions │ │ ├── ct-stepfunctions-pr-1.guard │ │ └── ct-stepfunctions-pr-2.guard │ └── waf │ │ ├── ct-waf-pr-1.guard │ │ ├── ct-waf-pr-2.guard │ │ ├── ct-waf-regional-pr-1.guard │ │ ├── ct-waf-regional-pr-2.guard │ │ ├── ct-wafv2-pr-1.guard │ │ └── ct-wafv2-pr-2.guard │ └── metadata │ ├── apigateway │ ├── ct-apigateway-pr-1.metadata.json │ ├── ct-apigateway-pr-2.metadata.json │ ├── ct-apigateway-pr-3.metadata.json │ ├── ct-apigateway-pr-4.metadata.json │ ├── ct-apigateway-pr-5.metadata.json │ └── ct-apigateway-pr-6.metadata.json │ ├── appsync │ ├── ct-appsync-pr-1.metadata.json │ ├── ct-appsync-pr-2.metadata.json │ ├── ct-appsync-pr-3.metadata.json │ ├── ct-appsync-pr-4.metadata.json │ └── ct-appsync-pr-5.metadata.json │ ├── athena │ ├── ct-athena-pr-1.metadata.json │ └── ct-athena-pr-2.metadata.json │ ├── certificatemanager │ └── ct-acm-pr-1.metadata.json │ ├── cloudfront │ ├── ct-cloudfront-pr-1.metadata.json │ ├── ct-cloudfront-pr-10.metadata.json │ ├── ct-cloudfront-pr-11.metadata.json │ ├── ct-cloudfront-pr-3.metadata.json │ ├── ct-cloudfront-pr-4.metadata.json │ ├── ct-cloudfront-pr-5.metadata.json │ ├── ct-cloudfront-pr-6.metadata.json │ ├── ct-cloudfront-pr-7.metadata.json │ ├── ct-cloudfront-pr-8.metadata.json │ └── ct-cloudfront-pr-9.metadata.json │ ├── cloudtrail │ ├── ct-cloudtrail-pr-1.metadata.json │ ├── ct-cloudtrail-pr-2.metadata.json │ ├── ct-cloudtrail-pr-3.metadata.json │ └── ct-cloudtrail-pr-4.metadata.json │ ├── cloudwatch │ ├── ct-cloudwatch-pr-1.metadata.json │ ├── ct-cloudwatch-pr-2.metadata.json │ ├── ct-cloudwatch-pr-3.metadata.json │ └── 
ct-cloudwatch-pr-4.metadata.json │ ├── codebuild │ ├── ct-codebuild-pr-1.metadata.json │ ├── ct-codebuild-pr-2.metadata.json │ ├── ct-codebuild-pr-3.metadata.json │ ├── ct-codebuild-pr-4.metadata.json │ ├── ct-codebuild-pr-5.metadata.json │ └── ct-codebuild-pr-6.metadata.json │ ├── databasemigrationservice │ ├── ct-dms-pr-1.metadata.json │ └── ct-dms-pr-2.metadata.json │ ├── documentdb │ ├── ct-documentdb-pr-1.metadata.json │ └── ct-documentdb-pr-2.metadata.json │ ├── dynamodb │ ├── ct-dax-pr-1.metadata.json │ ├── ct-dax-pr-2.metadata.json │ ├── ct-dax-pr-3.metadata.json │ ├── ct-dynamodb-pr-1.metadata.json │ └── ct-dynamodb-pr-2.metadata.json │ ├── ec2 │ ├── ct-ec2-pr-1.metadata.json │ ├── ct-ec2-pr-10.metadata.json │ ├── ct-ec2-pr-11.metadata.json │ ├── ct-ec2-pr-12.metadata.json │ ├── ct-ec2-pr-13.metadata.json │ ├── ct-ec2-pr-14.metadata.json │ ├── ct-ec2-pr-15.metadata.json │ ├── ct-ec2-pr-16.metadata.json │ ├── ct-ec2-pr-17.metadata.json │ ├── ct-ec2-pr-18.metadata.json │ ├── ct-ec2-pr-19.metadata.json │ ├── ct-ec2-pr-2.metadata.json │ ├── ct-ec2-pr-20.metadata.json │ ├── ct-ec2-pr-3.metadata.json │ ├── ct-ec2-pr-4.metadata.json │ ├── ct-ec2-pr-5.metadata.json │ ├── ct-ec2-pr-6.metadata.json │ ├── ct-ec2-pr-7.metadata.json │ ├── ct-ec2-pr-8.metadata.json │ └── ct-ec2-pr-9.metadata.json │ ├── ec2autoscaling │ ├── ct-autoscaling-pr-1.metadata.json │ ├── ct-autoscaling-pr-10.metadata.json │ ├── ct-autoscaling-pr-11.metadata.json │ ├── ct-autoscaling-pr-2.metadata.json │ ├── ct-autoscaling-pr-3.metadata.json │ ├── ct-autoscaling-pr-4.metadata.json │ ├── ct-autoscaling-pr-5.metadata.json │ ├── ct-autoscaling-pr-6.metadata.json │ ├── ct-autoscaling-pr-8.metadata.json │ └── ct-autoscaling-pr-9.metadata.json │ ├── ecr │ ├── ct-ecr-pr-1.metadata.json │ ├── ct-ecr-pr-2.metadata.json │ └── ct-ecr-pr-3.metadata.json │ ├── ecs │ ├── ct-ecs-pr-1.metadata.json │ ├── ct-ecs-pr-10.metadata.json │ ├── ct-ecs-pr-11.metadata.json │ ├── ct-ecs-pr-12.metadata.json │ ├── 
ct-ecs-pr-2.metadata.json │ ├── ct-ecs-pr-3.metadata.json │ ├── ct-ecs-pr-4.metadata.json │ ├── ct-ecs-pr-5.metadata.json │ ├── ct-ecs-pr-6.metadata.json │ ├── ct-ecs-pr-7.metadata.json │ ├── ct-ecs-pr-8.metadata.json │ └── ct-ecs-pr-9.metadata.json │ ├── efs │ ├── ct-elasticfilesysystem-pr-1.metadata.json │ ├── ct-elasticfilesysystem-pr-2.metadata.json │ ├── ct-elasticfilesysystem-pr-3.metadata.json │ └── ct-elasticfilesysystem-pr-4.metadata.json │ ├── eks │ ├── ct-eks-pr-1.metadata.json │ └── ct-eks-pr-2.metadata.json │ ├── elasticache │ ├── ct-elasticache-pr-1.metadata.json │ ├── ct-elasticache-pr-2.metadata.json │ ├── ct-elasticache-pr-3.metadata.json │ ├── ct-elasticache-pr-4.metadata.json │ ├── ct-elasticache-pr-5.metadata.json │ ├── ct-elasticache-pr-6.metadata.json │ ├── ct-elasticache-pr-7.metadata.json │ └── ct-elasticache-pr-8.metadata.json │ ├── elasticbeanstalk │ ├── ct-elasticbeanstalk-pr-1.metadata.json │ ├── ct-elasticbeanstalk-pr-2.metadata.json │ └── ct-elasticbeanstalk-pr-3.metadata.json │ ├── elasticloadbalancing │ ├── ct-elasticloadbalancing-pr-1.metadata.json │ ├── ct-elasticloadbalancing-pr-10.metadata.json │ ├── ct-elasticloadbalancing-pr-11.metadata.json │ ├── ct-elasticloadbalancing-pr-12.metadata.json │ ├── ct-elasticloadbalancing-pr-13.metadata.json │ ├── ct-elasticloadbalancing-pr-14.metadata.json │ ├── ct-elasticloadbalancing-pr-15.metadata.json │ ├── ct-elasticloadbalancing-pr-2.metadata.json │ ├── ct-elasticloadbalancing-pr-3.metadata.json │ ├── ct-elasticloadbalancing-pr-4.metadata.json │ ├── ct-elasticloadbalancing-pr-5.metadata.json │ ├── ct-elasticloadbalancing-pr-6.metadata.json │ ├── ct-elasticloadbalancing-pr-7.metadata.json │ ├── ct-elasticloadbalancing-pr-8.metadata.json │ └── ct-elasticloadbalancing-pr-9.metadata.json │ ├── emr │ ├── ct-emr-pr-1.metadata.json │ ├── ct-emr-pr-2.metadata.json │ ├── ct-emr-pr-3.metadata.json │ └── ct-emr-pr-4.metadata.json │ ├── glue │ └── ct-glue-pr-1.metadata.json │ ├── guardduty │ └── 
ct-guardduty-pr-1.metadata.json │ ├── identityandaccessmanagement │ ├── ct-iam-pr-1.metadata.json │ ├── ct-iam-pr-2.metadata.json │ ├── ct-iam-pr-3.metadata.json │ ├── ct-iam-pr-4.metadata.json │ └── ct-iam-pr-5.metadata.json │ ├── keymanagementservice │ ├── ct-kms-pr-1.metadata.json │ ├── ct-kms-pr-2.metadata.json │ └── ct-kms-pr-3.metadata.json │ ├── kinesis │ └── ct-kinesis-pr-1.metadata.json │ ├── lambda │ ├── ct-lambda-pr-2.metadata.json │ ├── ct-lambda-pr-3.metadata.json │ ├── ct-lambda-pr-4.metadata.json │ ├── ct-lambda-pr-5.metadata.json │ └── ct-lambda-pr-6.metadata.json │ ├── mq │ ├── ct-mq-pr-1.metadata.json │ └── ct-mq-pr-2.metadata.json │ ├── msk │ ├── ct-msk-pr-1.metadata.json │ └── ct-msk-pr-2.metadata.json │ ├── neptune │ ├── ct-neptune-pr-1.metadata.json │ ├── ct-neptune-pr-2.metadata.json │ ├── ct-neptune-pr-3.metadata.json │ ├── ct-neptune-pr-4.metadata.json │ └── ct-neptune-pr-5.metadata.json │ ├── networkfirewall │ ├── ct-network-firewall-pr-1.metadata.json │ ├── ct-network-firewall-pr-2.metadata.json │ ├── ct-network-firewall-pr-3.metadata.json │ ├── ct-network-firewall-pr-4.metadata.json │ └── ct-network-firewall-pr-5.metadata.json │ ├── opensearchservice │ ├── ct-opensearch-pr-1.metadata.json │ ├── ct-opensearch-pr-10.metadata.json │ ├── ct-opensearch-pr-11.metadata.json │ ├── ct-opensearch-pr-12.metadata.json │ ├── ct-opensearch-pr-13.metadata.json │ ├── ct-opensearch-pr-14.metadata.json │ ├── ct-opensearch-pr-15.metadata.json │ ├── ct-opensearch-pr-16.metadata.json │ ├── ct-opensearch-pr-2.metadata.json │ ├── ct-opensearch-pr-3.metadata.json │ ├── ct-opensearch-pr-4.metadata.json │ ├── ct-opensearch-pr-5.metadata.json │ ├── ct-opensearch-pr-6.metadata.json │ ├── ct-opensearch-pr-7.metadata.json │ ├── ct-opensearch-pr-8.metadata.json │ └── ct-opensearch-pr-9.metadata.json │ ├── rds │ ├── ct-rds-pr-1.metadata.json │ ├── ct-rds-pr-10.metadata.json │ ├── ct-rds-pr-11.metadata.json │ ├── ct-rds-pr-12.metadata.json │ ├── 
ct-rds-pr-13.metadata.json │ ├── ct-rds-pr-14.metadata.json │ ├── ct-rds-pr-15.metadata.json │ ├── ct-rds-pr-16.metadata.json │ ├── ct-rds-pr-17.metadata.json │ ├── ct-rds-pr-18.metadata.json │ ├── ct-rds-pr-19.metadata.json │ ├── ct-rds-pr-2.metadata.json │ ├── ct-rds-pr-20.metadata.json │ ├── ct-rds-pr-21.metadata.json │ ├── ct-rds-pr-22.metadata.json │ ├── ct-rds-pr-23.metadata.json │ ├── ct-rds-pr-24.metadata.json │ ├── ct-rds-pr-25.metadata.json │ ├── ct-rds-pr-26.metadata.json │ ├── ct-rds-pr-27.metadata.json │ ├── ct-rds-pr-28.metadata.json │ ├── ct-rds-pr-29.metadata.json │ ├── ct-rds-pr-3.metadata.json │ ├── ct-rds-pr-30.metadata.json │ ├── ct-rds-pr-4.metadata.json │ ├── ct-rds-pr-5.metadata.json │ ├── ct-rds-pr-6.metadata.json │ ├── ct-rds-pr-7.metadata.json │ ├── ct-rds-pr-8.metadata.json │ └── ct-rds-pr-9.metadata.json │ ├── redshift │ ├── ct-redshift-pr-1.metadata.json │ ├── ct-redshift-pr-2.metadata.json │ ├── ct-redshift-pr-3.metadata.json │ ├── ct-redshift-pr-4.metadata.json │ ├── ct-redshift-pr-5.metadata.json │ ├── ct-redshift-pr-6.metadata.json │ ├── ct-redshift-pr-7.metadata.json │ ├── ct-redshift-pr-8.metadata.json │ └── ct-redshift-pr-9.metadata.json │ ├── s3 │ ├── ct-s3-pr-1.metadata.json │ ├── ct-s3-pr-10.metadata.json │ ├── ct-s3-pr-11.metadata.json │ ├── ct-s3-pr-12.metadata.json │ ├── ct-s3-pr-2.metadata.json │ ├── ct-s3-pr-3.metadata.json │ ├── ct-s3-pr-4.metadata.json │ ├── ct-s3-pr-5.metadata.json │ ├── ct-s3-pr-6.metadata.json │ ├── ct-s3-pr-8.metadata.json │ └── ct-s3-pr-9.metadata.json │ ├── sagemaker │ ├── ct-sagemaker-pr-1.metadata.json │ ├── ct-sagemaker-pr-2.metadata.json │ └── ct-sagemaker-pr-3.metadata.json │ ├── sqs │ ├── ct-sqs-pr-1.metadata.json │ └── ct-sqs-pr-2.metadata.json │ ├── stepfunctions │ ├── ct-stepfunctions-pr-1.metadata.json │ └── ct-stepfunctions-pr-2.metadata.json │ └── waf │ ├── ct-waf-pr-1.metadata.json │ ├── ct-waf-pr-2.metadata.json │ ├── ct-waf-regional-pr-1.metadata.json │ ├── 
ct-waf-regional-pr-2.metadata.json │ ├── ct-wafv2-pr-1.metadata.json │ └── ct-wafv2-pr-2.metadata.json ├── src ├── check.ts ├── index.ts ├── plugin.ts └── utils.ts ├── test ├── constants.ts ├── integ.plugin.ts ├── plugin.integ.test.ts ├── plugin.test.ts ├── rules │ └── control-tower │ │ ├── ec2 │ │ ├── ct-ec2-pr-5.test.ts │ │ └── ct-ec2-pr-7.test.ts │ │ ├── iam │ │ └── ct-iam-pr-2.test.ts │ │ ├── metadata.test.ts │ │ ├── rds │ │ └── ct-rds-pr-16.test.ts │ │ └── s3 │ │ ├── ct-s3-pr-1.test.ts │ │ ├── ct-s3-pr-2.test.ts │ │ └── ct-s3-pr-8.test.ts └── test-data │ ├── guard-disjunction-resolved-check.json │ ├── guard-mix-checks-and-nested-checks.json │ ├── guard-resolved-clause-check.json │ ├── guard-resolved-rule-check-multiple-resources.json │ ├── guard-resolved-rule-check.json │ ├── guard-unresolved-clause-check.json │ ├── guard-unresolved-nested-rule-check.json │ └── guard-unresolved-rule-check.json ├── tsconfig.dev.json └── yarn.lock /.gitattributes: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 
2 | 3 | * text=auto eol=lf 4 | *.snap linguist-generated 5 | /.eslintrc.json linguist-generated 6 | /.gitattributes linguist-generated 7 | /.github/CODEOWNERS linguist-generated 8 | /.github/pull_request_template.md linguist-generated 9 | /.github/workflows/auto-approve.yml linguist-generated 10 | /.github/workflows/auto-queue.yml linguist-generated 11 | /.github/workflows/build.yml linguist-generated 12 | /.github/workflows/pull-request-lint.yml linguist-generated 13 | /.github/workflows/release.yml linguist-generated 14 | /.github/workflows/update-guard.yml linguist-generated 15 | /.github/workflows/upgrade-cdklabs-projen-project-types-main.yml linguist-generated 16 | /.github/workflows/upgrade-dev-deps-main.yml linguist-generated 17 | /.github/workflows/upgrade-main.yml linguist-generated 18 | /.gitignore linguist-generated 19 | /.npmignore linguist-generated 20 | /.projen/** linguist-generated 21 | /.projen/deps.json linguist-generated 22 | /.projen/files.json linguist-generated 23 | /.projen/tasks.json linguist-generated 24 | /API.md linguist-generated 25 | /LICENSE linguist-generated 26 | /package.json linguist-generated 27 | /rosetta/default.ts-fixture linguist-generated 28 | /tsconfig.dev.json linguist-generated 29 | /yarn.lock linguist-generated -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # global owners 2 | # These owners will be the default owners for everything in 3 | # the repo. Unless a later match takes precedence 4 | # @cdklabs/aws-cdk-team will be requested for 5 | # review when someone opens a pull request. 
6 | * @cdklabs/aws-cdk-team 7 | 8 | # CT team owns the policies 9 | /rules/ @cdklabs/cdk-validator-cfnguard 10 | 11 | # allow bot to approve dependency updates 12 | package.json @cdklabs/aws-cdk-team @cdklabs-automation 13 | yarn.lock @cdklabs/aws-cdk-team @cdklabs-automation -------------------------------------------------------------------------------- /.github/pull_request_template.md: -------------------------------------------------------------------------------- 1 | Fixes # -------------------------------------------------------------------------------- /.github/workflows/auto-approve.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 2 | 3 | name: auto-approve 4 | on: 5 | pull_request_target: 6 | types: 7 | - labeled 8 | - opened 9 | - synchronize 10 | - reopened 11 | - ready_for_review 12 | jobs: 13 | approve: 14 | runs-on: ubuntu-latest 15 | permissions: 16 | pull-requests: write 17 | if: contains(github.event.pull_request.labels.*.name, 'auto-approve') && (github.event.pull_request.user.login == 'cdklabs-automation' || github.event.pull_request.user.login == 'dependabot[bot]') 18 | steps: 19 | - uses: hmarr/auto-approve-action@v2.2.1 20 | with: 21 | github-token: ${{ secrets.GITHUB_TOKEN }} 22 | -------------------------------------------------------------------------------- /.github/workflows/auto-queue.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 
2 | 3 | name: auto-queue 4 | on: 5 | pull_request_target: 6 | types: 7 | - opened 8 | - reopened 9 | - ready_for_review 10 | jobs: 11 | enableAutoQueue: 12 | name: "Set AutoQueue on PR #${{ github.event.number }}" 13 | runs-on: ubuntu-latest 14 | permissions: 15 | pull-requests: write 16 | contents: write 17 | steps: 18 | - uses: peter-evans/enable-pull-request-automerge@v3 19 | with: 20 | token: ${{ secrets.PROJEN_GITHUB_TOKEN }} 21 | pull-request-number: ${{ github.event.number }} 22 | merge-method: squash 23 | -------------------------------------------------------------------------------- /.github/workflows/pull-request-lint.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 2 | 3 | name: pull-request-lint 4 | on: 5 | pull_request_target: 6 | types: 7 | - labeled 8 | - opened 9 | - synchronize 10 | - reopened 11 | - ready_for_review 12 | - edited 13 | merge_group: {} 14 | jobs: 15 | validate: 16 | name: Validate PR title 17 | runs-on: ubuntu-latest 18 | permissions: 19 | pull-requests: write 20 | if: (github.event_name == 'pull_request' || github.event_name == 'pull_request_target') 21 | steps: 22 | - uses: amannn/action-semantic-pull-request@v5.4.0 23 | env: 24 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 25 | with: 26 | types: |- 27 | feat 28 | fix 29 | chore 30 | requireScope: false 31 | -------------------------------------------------------------------------------- /.github/workflows/update-guard.yml: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 
2 | 3 | name: update-guard 4 | on: 5 | workflow_dispatch: {} 6 | schedule: 7 | - cron: 0 6 * * MON 8 | jobs: 9 | update: 10 | runs-on: ubuntu-latest 11 | permissions: 12 | contents: write 13 | steps: 14 | - uses: actions/checkout@v3 15 | - run: yarn install 16 | - run: npx projen update-guard 17 | - uses: peter-evans/create-pull-request@v4 18 | with: 19 | token: ${{ secrets.PROJEN_GITHUB_TOKEN }} 20 | title: "feat: update guard version" 21 | commit-message: "feat: update guard version" 22 | branch: automation/update-guard 23 | committer: GitHub Automation 24 | labels: auto-approve 25 | - if: steps.create-pr.outputs.pull-request-number != 0 26 | uses: peter-evans/enable-pull-request-automerge@v2 27 | with: 28 | token: ${{ secrets.PROJEN_GITHUB_TOKEN }} 29 | pull-request-number: ${{ steps.create-pr.outputs.pull-request-number }} 30 | merge-method: squash 31 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 
2 | !/.gitattributes 3 | !/.projen/tasks.json 4 | !/.projen/deps.json 5 | !/.projen/files.json 6 | !/.github/workflows/pull-request-lint.yml 7 | !/.github/workflows/auto-approve.yml 8 | !/package.json 9 | !/LICENSE 10 | !/.npmignore 11 | logs 12 | *.log 13 | npm-debug.log* 14 | yarn-debug.log* 15 | yarn-error.log* 16 | lerna-debug.log* 17 | report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json 18 | pids 19 | *.pid 20 | *.seed 21 | *.pid.lock 22 | lib-cov 23 | coverage 24 | *.lcov 25 | .nyc_output 26 | build/Release 27 | node_modules/ 28 | jspm_packages/ 29 | *.tsbuildinfo 30 | .eslintcache 31 | *.tgz 32 | .yarn-integrity 33 | .cache 34 | /test-reports/ 35 | junit.xml 36 | /coverage/ 37 | !/.github/workflows/build.yml 38 | /dist/changelog.md 39 | /dist/version.txt 40 | !/.github/workflows/release.yml 41 | !/.github/pull_request_template.md 42 | !/test/ 43 | !/tsconfig.dev.json 44 | !/src/ 45 | /lib 46 | /dist/ 47 | !/.eslintrc.json 48 | .jsii 49 | tsconfig.json 50 | !/API.md 51 | !/.github/workflows/auto-queue.yml 52 | !/.github/workflows/upgrade-cdklabs-projen-project-types-main.yml 53 | !/.github/workflows/upgrade-main.yml 54 | !/.github/workflows/upgrade-dev-deps-main.yml 55 | !/rosetta/default.ts-fixture 56 | !/.github/CODEOWNERS 57 | .jsii.tabl.json 58 | bin 59 | cdk.out 60 | test/*.snapshot 61 | test/cdk-integ.out* 62 | !/.github/workflows/update-guard.yml 63 | !/.projenrc.ts 64 | -------------------------------------------------------------------------------- /.npmignore: -------------------------------------------------------------------------------- 1 | # ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 
2 | /.projen/ 3 | /test-reports/ 4 | junit.xml 5 | /coverage/ 6 | permissions-backup.acl 7 | /dist/changelog.md 8 | /dist/version.txt 9 | /test/ 10 | /tsconfig.dev.json 11 | /src/ 12 | !/lib/ 13 | !/lib/**/*.js 14 | !/lib/**/*.d.ts 15 | dist 16 | /tsconfig.json 17 | /.github/ 18 | /.vscode/ 19 | /.idea/ 20 | /.projenrc.js 21 | tsconfig.tsbuildinfo 22 | /.eslintrc.json 23 | !.jsii 24 | /.gitattributes 25 | /.projenrc.ts 26 | /projenrc 27 | -------------------------------------------------------------------------------- /.projen/files.json: -------------------------------------------------------------------------------- 1 | { 2 | "files": [ 3 | ".eslintrc.json", 4 | ".gitattributes", 5 | ".github/CODEOWNERS", 6 | ".github/pull_request_template.md", 7 | ".github/workflows/auto-approve.yml", 8 | ".github/workflows/auto-queue.yml", 9 | ".github/workflows/build.yml", 10 | ".github/workflows/pull-request-lint.yml", 11 | ".github/workflows/release.yml", 12 | ".github/workflows/update-guard.yml", 13 | ".github/workflows/upgrade-cdklabs-projen-project-types-main.yml", 14 | ".github/workflows/upgrade-dev-deps-main.yml", 15 | ".github/workflows/upgrade-main.yml", 16 | ".gitignore", 17 | ".projen/deps.json", 18 | ".projen/files.json", 19 | ".projen/tasks.json", 20 | "LICENSE", 21 | "rosetta/default.ts-fixture", 22 | "tsconfig.dev.json" 23 | ], 24 | "//": "~~ Generated by projen. To modify, edit .projenrc.ts and run \"npx projen\"." 
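25 | } 26 |
--------------------------------------------------------------------------------
/guard-version.json:
--------------------------------------------------------------------------------
1 | { 2 | "release_id": 150967690, 3 | "version": "3.1.1" 4 | }
--------------------------------------------------------------------------------
/projenrc/bundle-guard.ts:
--------------------------------------------------------------------------------
import { spawnSync } from 'child_process';
import * as fs from 'fs';
import * as os from 'os';
import * as path from 'path';
import { getOctokit, getReleaseId, Octo, Release, ReleaseAsset } from './utils';

/**
 * Download one cfn-guard release asset into `destDir`.
 *
 * Assets whose file name does not identify a supported platform
 * (`ubuntu`/`macos`) and architecture (`x86_64`/`aarch64`) are skipped.
 *
 * @param octokit authenticated client plus owner/repo/headers (see ./utils)
 * @param asset   the GitHub release asset to fetch
 * @param destDir directory the archive is written to; defaults to a fresh,
 *                private temporary directory so a stale or pre-existing file
 *                of the same name in the shared tmp dir is never reused
 * @returns the path of the downloaded archive, or `undefined` when skipped
 */
async function downloadReleaseAsset(
  octokit: Octo,
  asset: ReleaseAsset,
  destDir: string = fs.mkdtempSync(path.join(fs.realpathSync(os.tmpdir()), 'cfn-guard-')),
): Promise<string | undefined> {
  if (getPlatform(asset.name) === 'other' || getArchitecture(asset.name) === 'other') {
    return undefined;
  }
  // basename() so an asset name can never escape destDir
  const tarPath = path.join(destDir, path.basename(asset.name));
  const res = await octokit.octo.repos.getReleaseAsset({
    asset_id: asset.id,
    owner: octokit.owner,
    repo: octokit.repo,
    headers: {
      ...octokit.headers,
      // ask the API for the binary payload rather than the asset's JSON metadata
      accept: 'application/octet-stream',
    },
  });
  // The octokit typings describe the JSON shape, not the octet-stream body,
  // hence the double assertion. writeFileSync rather than appendFileSync:
  // appending to a leftover file of the same name produced a corrupt archive.
  fs.writeFileSync(tarPath, Buffer.from(res.data as unknown as ArrayBuffer));
  return tarPath;
}

/**
 * Fetch the cfn-guard release pinned in guard-version.json.
 *
 * @param octokit authenticated client plus owner/repo/headers (see ./utils)
 * @returns the GitHub release response for the pinned release id
 * @throws Error when no release id has been recorded yet
 */
async function getRelease(octokit: Octo): Promise<Release> {
  const releaseId = getReleaseId();
  if (!releaseId) {
    throw new Error("Guard version file does not exist. Run 'yarn update-guard'");
  }
  return octokit.octo.repos.getRelease({
    owner: octokit.owner,
    repo: octokit.repo,
    headers: octokit.headers,
    release_id: releaseId,
  });
}

/**
 * Extract a `.tar.gz` archive next to itself and fail if `tar` does not succeed.
 *
 * The exit status was previously ignored, so a truncated or unreadable archive
 * only surfaced later as a missing `cfn-guard` binary.
 *
 * @param archivePath absolute path of the downloaded archive
 * @throws Error when `tar` cannot be started or exits non-zero
 */
function extractArchive(archivePath: string): void {
  const result = spawnSync('tar', ['-xzf', path.basename(archivePath)], {
    cwd: path.dirname(archivePath),
    encoding: 'utf8',
  });
  if (result.error) {
    throw result.error;
  }
  if (result.status !== 0) {
    throw new Error(`tar exited with status ${result.status} extracting ${archivePath}: ${result.stderr}`);
  }
}

/**
 * Bundle the pinned cfn-guard release into `bin/<platform>/<architecture>/cfn-guard`.
 *
 * Bundling only happens when `bin/` does not exist yet; an existing directory is
 * left untouched, so delete it to force a re-download after guard-version.json
 * changes. Each matching archive is downloaded into a private temp directory,
 * extracted, and the single `cfn-guard` executable copied out. The archive is
 * trusted on the strength of the authenticated GitHub API response alone; no
 * separate checksum or signature is verified here.
 *
 * @throws Error when the release cannot be resolved, `tar` fails, or an archive
 *         does not contain the expected executable
 */
export async function main(): Promise<void> {
  const binRoot = path.join(__dirname, '..', 'bin');
  if (fs.existsSync(binRoot)) {
    // nothing to do; also avoids needing a GitHub token for a no-op run
    return;
  }
  const octokit = getOctokit();
  const release = await getRelease(octokit);
  const workDir = fs.mkdtempSync(path.join(fs.realpathSync(os.tmpdir()), 'cfn-guard-'));
  for (const asset of release.data.assets) {
    const downloadPath = await downloadReleaseAsset(octokit, asset, workDir);
    if (!downloadPath) {
      continue;
    }
    extractArchive(downloadPath);
    const targetDir = path.join(binRoot, getPlatform(asset.name), getArchitecture(asset.name));
    fs.mkdirSync(targetDir, { recursive: true });
    // the archive unpacks to <asset name without .tar.gz>/cfn-guard
    const extracted = path.join(workDir, path.basename(asset.name, '.tar.gz'), 'cfn-guard');
    if (!fs.existsSync(extracted)) {
      throw new Error(`Archive ${asset.name} did not contain ${extracted}`);
    }
    fs.copyFileSync(extracted, path.join(targetDir, 'cfn-guard'));
  }
}

/**
 * Map a release asset name to the platform it was built for.
 *
 * @param name asset file name
 * @returns `'ubuntu'`, `'macos'`, or `'other'` when neither token is present
 */
function getPlatform(name: string): 'ubuntu' | 'macos' | 'other' {
  if (name.includes('ubuntu')) return 'ubuntu';
  if (name.includes('macos')) return 'macos';
  return 'other';
}

/**
 * Map a release asset name to the CPU architecture it was built for.
 *
 * @param name asset file name
 * @returns `'x86_64'`, `'aarch64'`, or `'other'` when neither token is present
 */
function getArchitecture(name: string): 'x86_64' | 'aarch64' | 'other' {
  if (name.includes('x86_64')) return 'x86_64';
  if (name.includes('aarch64')) return 'aarch64';
  return 'other';
}

main().catch((e: unknown) => {
  console.log(e);
  // Propagate the failure to the projen task; a swallowed error previously
  // let the build continue and ship a package with no bundled binary.
  process.exitCode = 1;
});
--------------------------------------------------------------------------------
/projenrc/index.ts:
--------------------------------------------------------------------------------
import { CdklabsJsiiProject } from 'cdklabs-projen-project-types';
import { Component } from 'projen';
import { JobPermission } from 'projen/lib/github/workflows-model';

/**
 * Wires cfn-guard bundling into the projen project:
 *  - an `update-guard` task (refresh guard-version.json) that then runs `bundle-guard`;
 *  - a `bundle-guard` task, also spawned from the project's default task;
 *  - a weekly `update-guard` GitHub workflow that runs the update task and opens
 *    an auto-approved, auto-merged pull request with the result.
 */
export class BundleGuard extends Component {
  constructor(project: CdklabsJsiiProject) {
    super(project);

    const updateTask = project.addTask('update-guard', {
      exec: 'ts-node projenrc/update-guard.ts',
    });
    const bundleTask = project.addTask('bundle-guard', {
      exec: 'ts-node projenrc/bundle-guard.ts',
    });
    updateTask.spawn(bundleTask);
    project.defaultTask?.spawn(bundleTask);

    const workflow = project.github?.addWorkflow('update-guard');
    workflow?.on({
      workflowDispatch: {},
      schedule: [{ cron: '0 6 * * MON' }],
    });
    workflow?.addJobs({
      update: {
        permissions: {
          contents: JobPermission.WRITE,
        },
        runsOn: ['ubuntu-latest'],
        steps: [
          { uses: 'actions/checkout@v3' },
          { run: 'yarn install' },
          { run: this.project.runTaskCommand(updateTask) },

          // Create a pull request. The `id` is required: the auto-merge step
          // below reads `steps.create-pr.outputs.pull-request-number`, which is
          // empty (so its `if` is never true) unless this step is named create-pr.
          {
            id: 'create-pr',
            uses: 'peter-evans/create-pull-request@v4',
            with: {
              'token': '${{ secrets.PROJEN_GITHUB_TOKEN }}',
              'title': 'feat: update guard version',
              'commit-message': 'feat: update guard version',
              'branch': 'automation/update-guard',
              'committer': 'GitHub Automation ',
              'labels': 'auto-approve',
            },
          },
          // Enable auto-merge on the PR created above
          {
            if: 'steps.create-pr.outputs.pull-request-number != 0',
            uses: 'peter-evans/enable-pull-request-automerge@v2',
            with: {
              'token': '${{ secrets.PROJEN_GITHUB_TOKEN }}',
              'pull-request-number': '${{ steps.create-pr.outputs.pull-request-number }}',
              'merge-method': 'squash',
            },
          },
        ],
      },
    });
  }
}
--------------------------------------------------------------------------------
/projenrc/update-guard.ts:
--------------------------------------------------------------------------------
1 | import * as fs from 'fs'; 2 | import * as path from 'path'; 3 | import { Endpoints } from '@octokit/types'; 4 | import { getOctokit, getReleaseId } from './utils'; 5 | 6 | type Release = Endpoints['GET /repos/{owner}/{repo}/releases/latest']['response']; 7 | 8 | /** 9 | * Query GitHub for the latest release 10 | */ 11 | async function queryLatestRelease(): Promise { 12 | const octokit = getOctokit(); 13 | const release = await octokit.octo.request('GET 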
/repos/{owner}/{repo}/releases/latest', { 14 | owner: octokit.owner, 15 | repo: octokit.repo, 16 | headers: octokit.headers, 17 | }); 18 | 19 | return release; 20 | } 21 | /** 22 | * Get the latest release of cfn-guard from GitHub 23 | * and update the guard-version.json file 24 | */ 25 | export async function main() { 26 | const release = await queryLatestRelease(); 27 | const version = getReleaseId(); 28 | if (!version || release.data.id !== version) { 29 | fs.writeFileSync( 30 | path.join(__dirname, '..', 'guard-version.json'), 31 | JSON.stringify({ 32 | release_id: release.data.id, 33 | version: release.data.tag_name, 34 | }, undefined, 2), 35 | { encoding: 'utf-8' }, 36 | ); 37 | } 38 | } 39 | 40 | main().catch(e => { 41 | console.log(e); 42 | }); 43 | -------------------------------------------------------------------------------- /projenrc/utils.ts: -------------------------------------------------------------------------------- 1 | import * as fs from 'fs'; 2 | import * as path from 'path'; 3 | import { Octokit } from '@octokit/rest'; 4 | import { RequestHeaders, Endpoints } from '@octokit/types'; 5 | export interface Octo { 6 | readonly token: string; 7 | readonly octo: Octokit; 8 | readonly owner: string; 9 | readonly repo: string; 10 | readonly headers: RequestHeaders; 11 | } 12 | export type Release = Endpoints['GET /repos/{owner}/{repo}/releases/{release_id}']['response']; 13 | export type ReleaseAsset = Endpoints['GET /repos/{owner}/{repo}/releases/latest']['response']['data']['assets'][0]; 14 | 15 | export function getReleaseId(): number | undefined { 16 | const filePath = path.join(__dirname, '../guard-version.json'); 17 | if (fs.existsSync(filePath)) { 18 | const guardVersion = fs.readFileSync(filePath).toString('utf-8').trim(); 19 | return JSON.parse(guardVersion).release_id; 20 | } 21 | return; 22 | } 23 | 24 | export function getOctokit(): Octo { 25 | if (!process.env.GITHUB_TOKEN) { 26 | throw new Error('GITHUB_TOKEN needs to be set'); 27 | } 
28 | return { 29 | token: process.env.GITHUB_TOKEN, 30 | octo: new Octokit({ auth: process.env.GITHUB_TOKEN }), 31 | owner: 'aws-cloudformation', 32 | repo: 'cloudformation-guard', 33 | headers: { 34 | 'X-GitHub-Api-Version': '2022-11-28', 35 | }, 36 | }; 37 | } 38 | -------------------------------------------------------------------------------- /rosetta/default.ts-fixture: -------------------------------------------------------------------------------- 1 | // Fixture with packages imported, but nothing else 2 | import { Construct } from 'constructs'; 3 | import { CfnGuardValidator } from '@cdklabs/cdk-validator-cfnguard'; 4 | import { 5 | Stack, 6 | App, 7 | } from 'aws-cdk-lib'; 8 | 9 | class Fixture extends Stack { 10 | constructor(scope: Construct, id: string) { 11 | super(scope, id); 12 | 13 | /// here 14 | } 15 | } -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/ec2/ct-ec2-pr-13.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # ec2_instance_detailed_monitoring_enabled_check 7 | # 8 | # Description: 9 | # This control checks whether an Amazon EC2 instance has detailed monitoring enabled. 
10 | # 11 | # Reports on: 12 | # AWS::EC2::Instance 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any EC2 instance resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains an EC2 instance resource 28 | # And: 'Monitoring' has not been provided 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains an EC2 instance resource 33 | # And: 'Monitoring' has been provided and set to a value other than bool(true) 34 | # Then: FAIL 35 | # Scenario: 4 36 | # Given: The input document is an AWS CloudFormation or CloudFormation Hook Document 37 | # And: The input document contains an EC2 instance resource 38 | # And: 'Monitoring' has been provided and set to bool(true) 39 | # Then: PASS 40 | 41 | # 42 | # Constants 43 | # 44 | let EC2_INSTANCE_TYPE = "AWS::EC2::Instance" 45 | let INPUT_DOCUMENT = this 46 | 47 | # 48 | # Assignments 49 | # 50 | let ec2_instances = Resources.*[ Type == %EC2_INSTANCE_TYPE ] 51 | 52 | # 53 | # Primary Rules 54 | # 55 | rule ec2_instance_detailed_monitoring_enabled_check when is_cfn_template(%INPUT_DOCUMENT) 56 | %ec2_instances not empty { 57 | check(%ec2_instances.Properties) 58 | << 59 | [CT.EC2.PR.13]: Require an Amazon EC2 instance to have detailed monitoring enabled 60 | [FIX]: Set 'Monitoring' to 'true'. 
61 | >> 62 | 63 | } 64 | 65 | rule ec2_instance_detailed_monitoring_enabled_check when is_cfn_hook(%INPUT_DOCUMENT, %EC2_INSTANCE_TYPE) { 66 | check(%INPUT_DOCUMENT.%EC2_INSTANCE_TYPE.resourceProperties) 67 | << 68 | [CT.EC2.PR.13]: Require an Amazon EC2 instance to have detailed monitoring enabled 69 | [FIX]: Set 'Monitoring' to 'true'. 70 | >> 71 | } 72 | 73 | # 74 | # Parameterized Rules 75 | # 76 | rule check(ec2_instance) { 77 | %ec2_instance { 78 | # Scenario 2 79 | Monitoring exists 80 | # Scenarios 3 and 4 81 | Monitoring == true 82 | } 83 | } 84 | 85 | # 86 | # Utility Rules 87 | # 88 | rule is_cfn_template(doc) { 89 | %doc { 90 | AWSTemplateFormatVersion exists or 91 | Resources exists 92 | } 93 | } 94 | 95 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 96 | %doc.%RESOURCE_TYPE.resourceProperties exists 97 | } 98 | -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/rds/ct-rds-pr-26.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # rds_proxy_tls_check 7 | # 8 | # Description: 9 | # This control checks whether an RDS DB Proxy is configured to require Transport Layer Security (TLS) for connections to the proxy. 
10 | # 11 | # Reports on: 12 | # AWS::RDS::DBProxy 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any RDS DB proxy resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains an RDS DB proxy resource 28 | # And: 'RequireTLS' has not been provided 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains an RDS DB proxy resource 33 | # And: 'RequireTLS' has been provided and set to a value other than bool(true) 34 | # Then: FAIL 35 | # Scenario: 4 36 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 37 | # And: The input document contains an RDS DB proxy resource 38 | # And: 'RequireTLS' has been provided and set to bool(true) 39 | # Then: PASS 40 | 41 | # 42 | # Constants 43 | # 44 | let INPUT_DOCUMENT = this 45 | let RDS_DB_PROXY_TYPE = "AWS::RDS::DBProxy" 46 | 47 | # 48 | # Assignments 49 | # 50 | let rds_db_proxies = Resources.*[ Type == %RDS_DB_PROXY_TYPE ] 51 | 52 | # 53 | # Primary Rules 54 | # 55 | rule rds_proxy_tls_check when is_cfn_template(%INPUT_DOCUMENT) 56 | %rds_db_proxies not empty { 57 | check(%rds_db_proxies.Properties) 58 | << 59 | [CT.RDS.PR.26]: Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections 60 | [FIX]: Set the value of the RequireTLS property to true. 
61 | >> 62 | } 63 | 64 | rule rds_proxy_tls_check when is_cfn_hook(%INPUT_DOCUMENT, %RDS_DB_PROXY_TYPE) { 65 | check(%INPUT_DOCUMENT.%RDS_DB_PROXY_TYPE.resourceProperties) 66 | << 67 | [CT.RDS.PR.26]: Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections 68 | [FIX]: Set the value of the RequireTLS property to true. 69 | >> 70 | } 71 | 72 | # 73 | # Parameterized Rules 74 | # 75 | rule check(rds_db_proxy) { 76 | %rds_db_proxy { 77 | # Scenarios 2 78 | RequireTLS exists 79 | # Scenarios 3 and 4 80 | RequireTLS == true 81 | } 82 | } 83 | 84 | # 85 | # Utility Rules 86 | # 87 | rule is_cfn_template(doc) { 88 | %doc { 89 | AWSTemplateFormatVersion exists or 90 | Resources exists 91 | } 92 | } 93 | 94 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 95 | %doc.%RESOURCE_TYPE.resourceProperties exists 96 | } 97 | -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/redshift/ct-redshift-pr-8.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # redshift_cluster_encrypted_check 7 | # 8 | # Description: 9 | # This control checks whether an Amazon Redshift cluster is encrypted. 
10 | # 11 | # Reports on: 12 | # AWS::Redshift::Cluster 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any Amazon Redshift cluster resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains an Amazon Redshift cluster resource 28 | # And: 'Encrypted' has not been provided 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains an Amazon Redshift cluster resource 33 | # And: 'Encrypted' has been provided and set to a value other than bool(true) 34 | # Then: FAIL 35 | # Scenario: 4 36 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 37 | # And: The input document contains an Amazon Redshift cluster resource 38 | # And: 'Encrypted' has been provided and set to bool(true) 39 | # Then: PASS 40 | 41 | # 42 | # Constants 43 | # 44 | let RESOURCE_TYPE = "AWS::Redshift::Cluster" 45 | let INPUT_DOCUMENT = this 46 | 47 | # 48 | # Assignments 49 | # 50 | let redshift_clusters = Resources.*[ Type == %RESOURCE_TYPE ] 51 | 52 | # 53 | # Primary Rules 54 | # 55 | rule redshift_cluster_encrypted_check when is_cfn_template(%INPUT_DOCUMENT) 56 | %redshift_clusters not empty { 57 | check(%redshift_clusters.Properties) 58 | << 59 | [CT.REDSHIFT.PR.8]: Require an Amazon Redshift cluster to be encrypted 60 | [FIX]: Set the value of the 'Encrypted' property to true. 
61 | >> 62 | } 63 | 64 | rule redshift_cluster_encrypted_check when is_cfn_hook(%INPUT_DOCUMENT, %RESOURCE_TYPE) { 65 | check(%INPUT_DOCUMENT.%RESOURCE_TYPE.resourceProperties) 66 | << 67 | [CT.REDSHIFT.PR.8]: Require an Amazon Redshift cluster to be encrypted 68 | [FIX]: Set the value of the 'Encrypted' property to true. 69 | >> 70 | } 71 | 72 | # 73 | # Parameterized Rules 74 | # 75 | rule check(redshift_cluster) { 76 | %redshift_cluster { 77 | # Scenario 2 78 | Encrypted exists 79 | 80 | # Scenario 3 and 4 81 | Encrypted == true 82 | } 83 | } 84 | 85 | # 86 | # Utility Rules 87 | # 88 | rule is_cfn_template(doc) { 89 | %doc { 90 | AWSTemplateFormatVersion exists or 91 | Resources exists 92 | } 93 | } 94 | 95 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 96 | %doc.%RESOURCE_TYPE.resourceProperties exists 97 | } 98 | -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/s3/ct-s3-pr-5.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # s3_bucket_acl_prohibited_check 7 | # 8 | # Description: 9 | # This control checks whether your Amazon Simple Storage Service (Amazon S3) bucket allows user permissions through access control lists. 
10 | # 11 | # Reports on: 12 | # AWS::S3::Bucket 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any Amazon S3 bucket resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains an Amazon S3 bucket resource 28 | # And: 'AccessControl' has been provided on the S3 bucket resource 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains an Amazon S3 bucket resource 33 | # And: 'AccessControl' has not been provided on the S3 bucket resource 34 | # Then: PASS 35 | 36 | # 37 | # Constants 38 | # 39 | let S3_BUCKET_TYPE = "AWS::S3::Bucket" 40 | let INPUT_DOCUMENT = this 41 | 42 | # 43 | # Assignments 44 | # 45 | let s3_buckets = Resources.*[ Type == %S3_BUCKET_TYPE ] 46 | 47 | # 48 | # Primary Rules 49 | # 50 | rule s3_bucket_acl_prohibited_check when is_cfn_template(%INPUT_DOCUMENT) 51 | %s3_buckets not empty { 52 | check(%s3_buckets.Properties) 53 | << 54 | [CT.S3.PR.5]: Require that an Amazon S3 bucket does not manage user access with an access control list (ACL) 55 | [FIX]: Manage access to Amazon S3 buckets with bucket resource policies and IAM identity policies instead. 56 | >> 57 | } 58 | 59 | rule s3_bucket_acl_prohibited_check when is_cfn_hook(%INPUT_DOCUMENT, %S3_BUCKET_TYPE) { 60 | check(this.%S3_BUCKET_TYPE.resourceProperties) 61 | << 62 | [CT.S3.PR.5]: Require that an Amazon S3 bucket does not manage user access with an access control list (ACL) 63 | [FIX]: Manage access to Amazon S3 buckets with bucket resource policies and IAM identity policies instead. 
64 | >> 65 | } 66 | 67 | # 68 | # Parameterized Rules 69 | # 70 | rule check(s3_bucket) { 71 | %s3_bucket { 72 | # Scenario 2 and 3 73 | AccessControl not exists 74 | } 75 | } 76 | 77 | # 78 | # Utility Rules 79 | # 80 | rule is_cfn_template(doc) { 81 | %doc { 82 | AWSTemplateFormatVersion exists or 83 | Resources exists 84 | } 85 | } 86 | 87 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 88 | %doc.%RESOURCE_TYPE.resourceProperties exists 89 | } 90 | -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/s3/ct-s3-pr-9.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # s3_bucket_object_lock_enabled_check 7 | # 8 | # Description: 9 | # This control checks whether an Amazon Simple Storage Service (Amazon S3) bucket has been configured to use S3 Object Lock. 10 | # 11 | # Reports on: 12 | # AWS::S3::Bucket 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any S3 bucket resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains an S3 bucket resource 28 | # And: 'ObjectLockEnabled' has not been provided 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains an S3 bucket resource 33 | # And: 'ObjectLockEnabled' has been provided and set to a value other than bool(true) 34 | # Then: FAIL 35 | # Scenario: 4 36 | # Given: The input document is an AWS CloudFormation or 
CloudFormation hook document 37 | # And: The input document contains an S3 bucket resource 38 | # And: 'ObjectLockEnabled' has been provided and set to bool(true) 39 | # Then: PASS 40 | 41 | # 42 | # Constants 43 | # 44 | let S3_BUCKET_TYPE = "AWS::S3::Bucket" 45 | let INPUT_DOCUMENT = this 46 | 47 | # 48 | # Assignments 49 | # 50 | let s3_buckets = Resources.*[ Type == %S3_BUCKET_TYPE ] 51 | 52 | # 53 | # Primary Rules 54 | # 55 | rule s3_bucket_object_lock_enabled_check when is_cfn_template(%INPUT_DOCUMENT) 56 | %s3_buckets not empty { 57 | check(%s3_buckets.Properties) 58 | << 59 | [CT.S3.PR.9]: Require that an Amazon S3 bucket has S3 Object Lock activated 60 | [FIX]: Set 'ObjectLockEnabled' to 'true'. 61 | >> 62 | } 63 | 64 | rule s3_bucket_object_lock_enabled_check when is_cfn_hook(%INPUT_DOCUMENT, %S3_BUCKET_TYPE) { 65 | check(this.%S3_BUCKET_TYPE.resourceProperties) 66 | << 67 | [CT.S3.PR.9]: Require that an Amazon S3 bucket has S3 Object Lock activated 68 | [FIX]: Set 'ObjectLockEnabled' to 'true'. 
69 | >> 70 | } 71 | 72 | # 73 | # Parameterized Rules 74 | # 75 | rule check(s3_bucket) { 76 | %s3_bucket { 77 | # Scenario 2 78 | ObjectLockEnabled exists 79 | # Scenarios 3 and 4 80 | ObjectLockEnabled == true 81 | } 82 | } 83 | 84 | # 85 | # Utility Rules 86 | # 87 | rule is_cfn_template(doc) { 88 | %doc { 89 | AWSTemplateFormatVersion exists or 90 | Resources exists 91 | } 92 | } 93 | 94 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 95 | %doc.%RESOURCE_TYPE.resourceProperties exists 96 | } 97 | -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/waf/ct-wafv2-pr-1.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # wafv2_webacl_not_empty_check 7 | # 8 | # Description: 9 | # This control checks whether an AWS WAF web ACL contains any WAF rules or WAF rule groups. 
10 | # 11 | # Reports on: 12 | # AWS::WAFv2::WebACL 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any WAF web ACL resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains a WAF web ACL resource 28 | # And: 'Rules' has not been provided 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains a WAF web ACL resource 33 | # And: 'Rules' has been provided as an empty list 34 | # Then: FAIL 35 | # Scenario: 4 36 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 37 | # And: The input document contains a WAF web ACL resource 38 | # And: 'Rules' has been provided as a non-empty list 39 | # Then: PASS 40 | 41 | # 42 | # Constants 43 | # 44 | let WAFV2_WEB_ACL_TYPE = "AWS::WAFv2::WebACL" 45 | let INPUT_DOCUMENT = this 46 | 47 | # 48 | # Assignments 49 | # 50 | let wafv2_web_acls = Resources.*[ Type == %WAFV2_WEB_ACL_TYPE ] 51 | 52 | # 53 | # Primary Rules 54 | # 55 | rule wafv2_webacl_not_empty_check when is_cfn_template(%INPUT_DOCUMENT) 56 | %wafv2_web_acls not empty { 57 | check(%wafv2_web_acls.Properties) 58 | << 59 | [CT.WAFV2.PR.1]: Require an AWS WAF web ACL to be non-empty 60 | [FIX]: Provide one or more AWS WAF rules within the 'Rules' property. 
61 | >> 62 | } 63 | 64 | rule wafv2_webacl_not_empty_check when is_cfn_hook(%INPUT_DOCUMENT, %WAFV2_WEB_ACL_TYPE) { 65 | check(%INPUT_DOCUMENT.%WAFV2_WEB_ACL_TYPE.resourceProperties) 66 | << 67 | [CT.WAFV2.PR.1]: Require an AWS WAF web ACL to be non-empty 68 | [FIX]: Provide one or more AWS WAF rules within the 'Rules' property. 69 | >> 70 | } 71 | 72 | # 73 | # Parameterized Rules 74 | # 75 | rule check(wafv2_web_acl) { 76 | %wafv2_web_acl { 77 | # Scenario 2, 3 and 4 78 | Rules exists 79 | Rules is_list 80 | Rules not empty 81 | } 82 | } 83 | 84 | # 85 | # Utility Rules 86 | # 87 | rule is_cfn_template(doc) { 88 | %doc { 89 | AWSTemplateFormatVersion exists or 90 | Resources exists 91 | } 92 | } 93 | 94 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 95 | %doc.%RESOURCE_TYPE.resourceProperties exists 96 | } 97 | -------------------------------------------------------------------------------- /rules/control-tower/cfn-guard/waf/ct-wafv2-pr-2.guard: -------------------------------------------------------------------------------- 1 | # ################################### 2 | ## Rule Specification ## 3 | ##################################### 4 | # 5 | # Rule Identifier: 6 | # wafv2_rulegroup_not_empty_check 7 | # 8 | # Description: 9 | # This control checks whether AWS WAF rule groups contain rules. 
10 | # 11 | # Reports on: 12 | # AWS::WAFv2::RuleGroup 13 | # 14 | # Evaluates: 15 | # AWS CloudFormation, AWS CloudFormation hook 16 | # 17 | # Rule Parameters: 18 | # None 19 | # 20 | # Scenarios: 21 | # Scenario: 1 22 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 23 | # And: The input document does not contain any WAF rule group resources 24 | # Then: SKIP 25 | # Scenario: 2 26 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 27 | # And: The input document contains a WAF rule group resource 28 | # And: 'Rules' has not been provided 29 | # Then: FAIL 30 | # Scenario: 3 31 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 32 | # And: The input document contains a WAF rule group resource 33 | # And: 'Rules' has been provided as an empty list 34 | # Then: FAIL 35 | # Scenario: 4 36 | # Given: The input document is an AWS CloudFormation or CloudFormation hook document 37 | # And: The input document contains a WAF rule group resource 38 | # And: 'Rules' has been provided as a non-empty list 39 | # Then: PASS 40 | 41 | # 42 | # Constants 43 | # 44 | let WAFV2_RULE_GROUP_TYPE = "AWS::WAFv2::RuleGroup" 45 | let INPUT_DOCUMENT = this 46 | 47 | # 48 | # Assignments 49 | # 50 | let wafv2_rule_groups = Resources.*[ Type == %WAFV2_RULE_GROUP_TYPE ] 51 | 52 | # 53 | # Primary Rules 54 | # 55 | rule wafv2_rulegroup_not_empty_check when is_cfn_template(%INPUT_DOCUMENT) 56 | %wafv2_rule_groups not empty { 57 | check(%wafv2_rule_groups.Properties) 58 | << 59 | [CT.WAFV2.PR.2]: Require an AWS WAF rule group to be non-empty 60 | [FIX]: Provide one or more AWS WAF rules within the 'Rules' property. 
61 | >> 62 | } 63 | 64 | rule wafv2_rulegroup_not_empty_check when is_cfn_hook(%INPUT_DOCUMENT, %WAFV2_RULE_GROUP_TYPE) { 65 | check(%INPUT_DOCUMENT.%WAFV2_RULE_GROUP_TYPE.resourceProperties) 66 | << 67 | [CT.WAFV2.PR.2]: Require an AWS WAF rule group to be non-empty 68 | [FIX]: Provide one or more AWS WAF rules within the 'Rules' property. 69 | >> 70 | } 71 | 72 | # 73 | # Parameterized Rules 74 | # 75 | rule check(wafv2_rule_group) { 76 | %wafv2_rule_group { 77 | # Scenario 2, 3 and 4 78 | Rules exists 79 | Rules is_list 80 | Rules not empty 81 | } 82 | } 83 | 84 | # 85 | # Utility Rules 86 | # 87 | rule is_cfn_template(doc) { 88 | %doc { 89 | AWSTemplateFormatVersion exists or 90 | Resources exists 91 | } 92 | } 93 | 94 | rule is_cfn_hook(doc, RESOURCE_TYPE) { 95 | %doc.%RESOURCE_TYPE.resourceProperties exists 96 | } 97 | -------------------------------------------------------------------------------- /rules/control-tower/metadata/appsync/ct-appsync-pr-3.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-2(1)", 8 | "AC-3", 9 | "AC-3(15)", 10 | "AC-3(7)", 11 | "AC-6" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": "PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "7.1.1", 18 | "7.2.1", 19 | "7.2.2" 20 | ] 21 | } 22 | ], 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks that an AWS AppSync GraphQL API has been configured with an authentication type other than API_KEY authentication.", 27 | "DisplayName": "Require that an AWS AppSync GraphQL API is not authenticated with API keys", 28 | "DocumentationReferences": [ 29 | { 30 | "DisplayName": "Authorization and authentication", 31 | "Type": "AWS Documentation", 32 | "Url": 
"https://docs.aws.amazon.com/appsync/latest/devguide/security-authz.html" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | "AWS::AppSync::GraphQLApi" 37 | ], 38 | "EvaluatedServices": [ 39 | "AWS AppSync" 40 | ], 41 | "Groups": [ 42 | "digital-sovereignty" 43 | ], 44 | "Guidance": "Elective", 45 | "Id": "CT.APPSYNC.PR.3", 46 | "ImplementationType": "CloudFormation guard rule", 47 | "MinimumSupportedRuntimeVersion": "2.1", 48 | "Objectives": [ 49 | { 50 | "Id": "CO.5", 51 | "Name": "Enforce least privilege" 52 | } 53 | ], 54 | "RegionalPreference": "REGIONAL", 55 | "ReleaseDate": "2023-11-27", 56 | "RemediationMessage": "Set the AuthenticationType property to a value other than API_KEY, and ensure no entry in the AdditionalAuthenticationProviders property has an AuthenticationType value of API_KEY.", 57 | "Severity": "HIGH", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/appsync/ct-appsync-pr-4.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-17(2)", 8 | "AC-4", 9 | "IA-5(1)", 10 | "SC-12(3)", 11 | "SC-13", 12 | "SC-23", 13 | "SC-23(3)", 14 
| "SC-7(4)", 15 | "SC-8", 16 | "SC-8(1)", 17 | "SC-8(2)", 18 | "SI-7(6)" 19 | ] 20 | }, 21 | { 22 | "ComplianceFramework": "PCI DSS version 3.2.1", 23 | "Ids": [ 24 | "2.3", 25 | "4.1", 26 | "8.2.1" 27 | ] 28 | } 29 | ], 30 | "ControlOwner": "AWS Control Tower", 31 | "DeploymentMechanism": "AWS CloudFormation Hook", 32 | "DeploymentOwner": "AWS Control Tower", 33 | "Description": "This control checks whether an AWS AppSync API cache has encryption in transit enabled.", 34 | "DisplayName": "Require an AWS AppSync GraphQL API cache to have encryption in transit enabled.", 35 | "DocumentationReferences": [ 36 | { 37 | "DisplayName": "Cache encryption", 38 | "Type": "AWS Documentation", 39 | "Url": "https://docs.aws.amazon.com/appsync/latest/devguide/enabling-caching.html#caching-encryption" 40 | } 41 | ], 42 | "EvaluatedResourceTypes": [ 43 | "AWS::AppSync::ApiCache" 44 | ], 45 | "EvaluatedServices": [ 46 | "AWS AppSync" 47 | ], 48 | "Groups": [ 49 | "digital-sovereignty" 50 | ], 51 | "Guidance": "Elective", 52 | "Id": "CT.APPSYNC.PR.4", 53 | "ImplementationType": "CloudFormation guard rule", 54 | "MinimumSupportedRuntimeVersion": "2.1", 55 | "Objectives": [ 56 | { 57 | "Id": "CO.3", 58 | "Name": "Encrypt data in transit" 59 | } 60 | ], 61 | "RegionalPreference": "REGIONAL", 62 | "ReleaseDate": "2023-11-27", 63 | "RemediationMessage": "Set the value of the TransitEncryptionEnabled property to true.", 64 | "Severity": "MEDIUM", 65 | "SupportedRegions": [ 66 | "af-south-1", 67 | "ap-east-1", 68 | "ap-northeast-1", 69 | "ap-northeast-2", 70 | "ap-northeast-3", 71 | "ap-south-1", 72 | "ap-south-2", 73 | "ap-southeast-1", 74 | "ap-southeast-2", 75 | "ap-southeast-3", 76 | "ap-southeast-4", 77 | "ca-central-1", 78 | "eu-central-1", 79 | "eu-central-2", 80 | "eu-north-1", 81 | "eu-south-1", 82 | "eu-south-2", 83 | "eu-west-1", 84 | "eu-west-2", 85 | "eu-west-3", 86 | "il-central-1", 87 | "me-central-1", 88 | "me-south-1", 89 | "sa-east-1", 90 | "us-east-1", 91 | "us-east-2", 
92 | "us-west-1", 93 | "us-west-2" 94 | ], 95 | "TargetOuType": "CUSTOM", 96 | "Version": "1", 97 | "Visibility": "PUBLIC" 98 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/appsync/ct-appsync-pr-5.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-3(6)", 9 | "SC-13", 10 | "SC-28", 11 | "SC-28(1)", 12 | "SC-7(10)", 13 | "SI-7(6)" 14 | ] 15 | }, 16 | { 17 | "ComplianceFramework": "PCI DSS version 3.2.1", 18 | "Ids": [ 19 | "3.4", 20 | "8.2.1" 21 | ] 22 | } 23 | ], 24 | "ControlOwner": "AWS Control Tower", 25 | "DeploymentMechanism": "AWS CloudFormation Hook", 26 | "DeploymentOwner": "AWS Control Tower", 27 | "Description": "This control checks whether an AWS AppSync API cache has encryption at rest enabled.", 28 | "DisplayName": "Require an AWS AppSync GraphQL API cache to have encryption at rest enabled.", 29 | "DocumentationReferences": [ 30 | { 31 | "DisplayName": "Cache encryption", 32 | "Type": "AWS Documentation", 33 | "Url": "https://docs.aws.amazon.com/appsync/latest/devguide/enabling-caching.html#caching-encryption" 34 | } 35 | ], 36 | "EvaluatedResourceTypes": [ 37 | "AWS::AppSync::ApiCache" 38 | ], 39 | "EvaluatedServices": [ 40 | "AWS AppSync" 41 | ], 42 | "Groups": [ 43 | "digital-sovereignty" 44 | ], 45 | "Guidance": "Elective", 46 | "Id": "CT.APPSYNC.PR.5", 47 | "ImplementationType": "CloudFormation guard rule", 48 | "MinimumSupportedRuntimeVersion": "2.1", 49 | "Objectives": [ 50 | { 51 | "Id": "CO.2", 52 | "Name": "Encrypt data at rest" 53 | } 54 | ], 55 | "RegionalPreference": "REGIONAL", 56 | "ReleaseDate": "2023-11-27", 57 | "RemediationMessage": "Set the value of the AtRestEncryptionEnabled property to true.", 58 | "Severity": "MEDIUM", 59 | "SupportedRegions": [ 60 | 
"af-south-1", 61 | "ap-east-1", 62 | "ap-northeast-1", 63 | "ap-northeast-2", 64 | "ap-northeast-3", 65 | "ap-south-1", 66 | "ap-south-2", 67 | "ap-southeast-1", 68 | "ap-southeast-2", 69 | "ap-southeast-3", 70 | "ap-southeast-4", 71 | "ca-central-1", 72 | "eu-central-1", 73 | "eu-central-2", 74 | "eu-north-1", 75 | "eu-south-1", 76 | "eu-south-2", 77 | "eu-west-1", 78 | "eu-west-2", 79 | "eu-west-3", 80 | "il-central-1", 81 | "me-central-1", 82 | "me-south-1", 83 | "sa-east-1", 84 | "us-east-1", 85 | "us-east-2", 86 | "us-west-1", 87 | "us-west-2" 88 | ], 89 | "TargetOuType": "CUSTOM", 90 | "Version": "1", 91 | "Visibility": "PUBLIC" 92 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/certificatemanager/ct-acm-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ControlOwner": "AWS Control Tower", 4 | "DeploymentMechanism": "AWS CloudFormation Hook", 5 | "DeploymentOwner": "AWS Control Tower", 6 | "Description": "This control checks whether any AWS Certificate Manager (ACM) Private CA certificates have wildcard domain names instead of single domain names.", 7 | "DisplayName": "Require an AWS Private CA certificate to have a single domain name", 8 | "DocumentationReferences": [ 9 | { 10 | "DisplayName": "Requesting a public certificate", 11 | "Type": "AWS Documentation", 12 | "Url": "https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html" 13 | } 14 | ], 15 | "EvaluatedResourceTypes": [ 16 | "AWS::CertificateManager::Certificate" 17 | ], 18 | "EvaluatedServices": [ 19 | "AWS Certificate Manager" 20 | ], 21 | "Guidance": "Elective", 22 | "Id": "CT.ACM.PR.1", 23 | "ImplementationType": "CloudFormation guard rule", 24 | "MinimumSupportedRuntimeVersion": "2.1", 25 | "Objectives": [ 26 | { 27 | "Id": "CO.10", 28 | "Name": "Protect configurations" 29 | } 30 | ], 31 | "RegionalPreference": "REGIONAL", 
32 | "ReleaseDate": "2022-11-28", 33 | "RemediationMessage": "Set 'DomainName' and each entry within 'SubjectAlternativeNames' to a fully qualified domain name (FQDN) that does not contain a wildcard (*).", 34 | "Severity": "MEDIUM", 35 | "SupportedRegions": [ 36 | "af-south-1", 37 | "ap-east-1", 38 | "ap-northeast-1", 39 | "ap-northeast-2", 40 | "ap-northeast-3", 41 | "ap-south-1", 42 | "ap-south-2", 43 | "ap-southeast-1", 44 | "ap-southeast-2", 45 | "ap-southeast-3", 46 | "ap-southeast-4", 47 | "ca-central-1", 48 | "eu-central-1", 49 | "eu-central-2", 50 | "eu-north-1", 51 | "eu-south-1", 52 | "eu-south-2", 53 | "eu-west-1", 54 | "eu-west-2", 55 | "eu-west-3", 56 | "il-central-1", 57 | "me-central-1", 58 | "me-south-1", 59 | "sa-east-1", 60 | "us-east-1", 61 | "us-east-2", 62 | "us-west-1", 63 | "us-west-2" 64 | ], 65 | "TargetOuType": "CUSTOM", 66 | "Version": "1", 67 | "Visibility": "PUBLIC" 68 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/cloudfront/ct-cloudfront-pr-4.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "SC-36", 9 | "SC-5(2)", 10 | "SI-13(5)" 11 | ] 12 | } 13 | ], 14 | "ConfigRuleIdentifier": "CLOUDFRONT_ORIGIN_FAILOVER_ENABLED", 15 | "ControlOwner": "AWS Control Tower", 16 | "DeploymentMechanism": "AWS CloudFormation Hook", 17 | "DeploymentOwner": "AWS Control Tower", 18 | "Description": "This control checks whether your Amazon CloudFront distribution is configured with an origin group that contains two origin group members.", 19 | "DisplayName": "Require an Amazon CloudFront distribution to have origin failover configured", 20 | "DocumentationReferences": [ 21 | { 22 | "DisplayName": "Creating an origin group.", 23 | "Type": "AWS Documentation", 24 | "Url": 
"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html#concept_origin_groups.creating" 25 | } 26 | ], 27 | "EvaluatedResourceTypes": [ 28 | "AWS::CloudFront::Distribution" 29 | ], 30 | "EvaluatedServices": [ 31 | "Amazon CloudFront" 32 | ], 33 | "Guidance": "Elective", 34 | "Id": "CT.CLOUDFRONT.PR.4", 35 | "ImplementationType": "CloudFormation guard rule", 36 | "MinimumSupportedRuntimeVersion": "2.1", 37 | "Objectives": [ 38 | { 39 | "Id": "CO.9", 40 | "Name": "Improve availability" 41 | } 42 | ], 43 | "RegionalPreference": "REGIONAL", 44 | "ReleaseDate": "2022-11-28", 45 | "RemediationMessage": "Configure an origin group on the Amazon CloudFront Distribution with two origin group members.", 46 | "Severity": "LOW", 47 | "SupportedRegions": [ 48 | "af-south-1", 49 | "ap-east-1", 50 | "ap-northeast-1", 51 | "ap-northeast-2", 52 | "ap-northeast-3", 53 | "ap-south-1", 54 | "ap-south-2", 55 | "ap-southeast-1", 56 | "ap-southeast-2", 57 | "ap-southeast-3", 58 | "ap-southeast-4", 59 | "ca-central-1", 60 | "eu-central-1", 61 | "eu-central-2", 62 | "eu-north-1", 63 | "eu-south-1", 64 | "eu-south-2", 65 | "eu-west-1", 66 | "eu-west-2", 67 | "eu-west-3", 68 | "il-central-1", 69 | "me-central-1", 70 | "me-south-1", 71 | "sa-east-1", 72 | "us-east-1", 73 | "us-east-2", 74 | "us-west-1", 75 | "us-west-2" 76 | ], 77 | "TargetOuType": "CUSTOM", 78 | "Version": "1", 79 | "Visibility": "PUBLIC" 80 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/cloudfront/ct-cloudfront-pr-7.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "4.1" 15 | ] 16 | } 17 | ], 18 | 
"ConfigRuleIdentifier": "CLOUDFRONT_SNI_ENABLED", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether your Amazon CloudFront distributions are configured to use SNI to serve HTTPS requests.", 23 | "DisplayName": "Require an Amazon CloudFront distribution to use SNI to serve HTTPS requests", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Using SNI to serve HTTPS requests (works for most clients)", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-https-dedicated-ip-or-sni.html#cnames-https-sni" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::CloudFront::Distribution" 33 | ], 34 | "EvaluatedServices": [ 35 | "Amazon CloudFront" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.CLOUDFRONT.PR.7", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.3", 44 | "Name": "Encrypt data in transit" 45 | }, 46 | { 47 | "Id": "CO.9", 48 | "Name": "Improve availability" 49 | } 50 | ], 51 | "RegionalPreference": "REGIONAL", 52 | "ReleaseDate": "2022-11-28", 53 | "RemediationMessage": "Within 'ViewerCertificate', set 'SslSupportMethod' to 'sni-only', 'MinimumProtocolVersion' to a protocol that supports SNI ('TLSv1' or greater), and 'AcmCertificateArn' to the ARN of an AWS ACM certificate.", 54 | "Severity": "LOW", 55 | "SupportedRegions": [ 56 | "af-south-1", 57 | "ap-east-1", 58 | "ap-northeast-1", 59 | "ap-northeast-2", 60 | "ap-northeast-3", 61 | "ap-south-1", 62 | "ap-south-2", 63 | "ap-southeast-1", 64 | "ap-southeast-2", 65 | "ap-southeast-3", 66 | "ap-southeast-4", 67 | "ca-central-1", 68 | "eu-central-1", 69 | "eu-central-2", 70 | "eu-north-1", 71 | "eu-south-1", 72 | "eu-south-2", 73 | "eu-west-1", 74 | "eu-west-2", 75 | "eu-west-3", 76 | 
"il-central-1", 77 | "me-central-1", 78 | "me-south-1", 79 | "sa-east-1", 80 | "us-east-1", 81 | "us-east-2", 82 | "us-west-1", 83 | "us-west-2" 84 | ], 85 | "TargetOuType": "CUSTOM", 86 | "Version": "1", 87 | "Visibility": "PUBLIC" 88 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/cloudwatch/ct-cloudwatch-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AU-6(1)", 8 | "AU-6(5)", 9 | "CA-7", 10 | "IR-4(1)", 11 | "IR-4(5)", 12 | "SI-2", 13 | "SI-20", 14 | "SI-4(12)", 15 | "SI-4(5)" 16 | ] 17 | } 18 | ], 19 | "ConfigRuleIdentifier": "CLOUDWATCH_ALARM_ACTION_CHECK", 20 | "ControlOwner": "AWS Control Tower", 21 | "DeploymentMechanism": "AWS CloudFormation Hook", 22 | "DeploymentOwner": "AWS Control Tower", 23 | "Description": "This control checks whether an Amazon CloudWatch alarm has at least one action configured for the alarm state.", 24 | "DisplayName": "Require an Amazon CloudWatch alarm to have an action configured for the alarm state", 25 | "DocumentationReferences": [ 26 | { 27 | "DisplayName": "Alarm actions", 28 | "Type": "AWS Documentation", 29 | "Url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions" 30 | } 31 | ], 32 | "EvaluatedResourceTypes": [ 33 | "AWS::CloudWatch::Alarm" 34 | ], 35 | "EvaluatedServices": [ 36 | "Amazon CloudWatch" 37 | ], 38 | "Guidance": "Elective", 39 | "Id": "CT.CLOUDWATCH.PR.1", 40 | "ImplementationType": "CloudFormation guard rule", 41 | "MinimumSupportedRuntimeVersion": "2.1", 42 | "Objectives": [ 43 | { 44 | "Id": "CO.1", 45 | "Name": "Establish logging and monitoring" 46 | } 47 | ], 48 | "RegionalPreference": "REGIONAL", 49 | "ReleaseDate": "2023-07-24", 50 | "RemediationMessage": "Set 'AlarmActions' to a list 
with one or more alarm action values.", 51 | "Severity": "HIGH", 52 | "SupportedRegions": [ 53 | "af-south-1", 54 | "ap-east-1", 55 | "ap-northeast-1", 56 | "ap-northeast-2", 57 | "ap-northeast-3", 58 | "ap-south-1", 59 | "ap-south-2", 60 | "ap-southeast-1", 61 | "ap-southeast-2", 62 | "ap-southeast-3", 63 | "ap-southeast-4", 64 | "ca-central-1", 65 | "eu-central-1", 66 | "eu-central-2", 67 | "eu-north-1", 68 | "eu-south-1", 69 | "eu-south-2", 70 | "eu-west-1", 71 | "eu-west-2", 72 | "eu-west-3", 73 | "il-central-1", 74 | "me-central-1", 75 | "me-south-1", 76 | "sa-east-1", 77 | "us-east-1", 78 | "us-east-2", 79 | "us-west-1", 80 | "us-west-2" 81 | ], 82 | "TargetOuType": "CUSTOM", 83 | "Version": "1", 84 | "Visibility": "PUBLIC" 85 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/cloudwatch/ct-cloudwatch-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AU-10", 8 | "AU-11", 9 | "AU-6(3)", 10 | "AU-6(4)", 11 | "CA-7", 12 | "SI-12" 13 | ] 14 | }, 15 | { 16 | "ComplianceFramework": "PCI DSS version 3.2.1", 17 | "Ids": [ 18 | "10.7", 19 | "3.1" 20 | ] 21 | } 22 | ], 23 | "ConfigRuleIdentifier": "CW_LOGGROUP_RETENTION_PERIOD_CHECK", 24 | "ControlOwner": "AWS Control Tower", 25 | "DeploymentMechanism": "AWS CloudFormation Hook", 26 | "DeploymentOwner": "AWS Control Tower", 27 | "Description": "This control checks whether an Amazon CloudWatch Log Group retention period is set to a value greater than or equal to 365 days.", 28 | "DisplayName": "Require an Amazon CloudWatch log group to be retained for at least one year", 29 | "DocumentationReferences": [ 30 | { 31 | "DisplayName": "Change log data retention in CloudWatch Logs", 32 | "Type": "AWS Documentation", 33 | "Url": 
"https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html#SettingLogRetention" 34 | } 35 | ], 36 | "EvaluatedResourceTypes": [ 37 | "AWS::Logs::LogGroup" 38 | ], 39 | "EvaluatedServices": [ 40 | "Amazon CloudWatch" 41 | ], 42 | "Guidance": "Elective", 43 | "Id": "CT.CLOUDWATCH.PR.2", 44 | "ImplementationType": "CloudFormation guard rule", 45 | "MinimumSupportedRuntimeVersion": "2.1", 46 | "Objectives": [ 47 | { 48 | "Id": "CO.1", 49 | "Name": "Establish logging and monitoring" 50 | } 51 | ], 52 | "RegionalPreference": "REGIONAL", 53 | "ReleaseDate": "2023-07-24", 54 | "RemediationMessage": "Omit the field value of 'RetentionInDays' to adopt the default retention setting of 'Never expire', or set 'RetentionInDays' to an integer value greater than or equal to 365.", 55 | "Severity": "MEDIUM", 56 | "SupportedRegions": [ 57 | "af-south-1", 58 | "ap-east-1", 59 | "ap-northeast-1", 60 | "ap-northeast-2", 61 | "ap-northeast-3", 62 | "ap-south-1", 63 | "ap-south-2", 64 | "ap-southeast-1", 65 | "ap-southeast-2", 66 | "ap-southeast-3", 67 | "ap-southeast-4", 68 | "ca-central-1", 69 | "eu-central-1", 70 | "eu-central-2", 71 | "eu-north-1", 72 | "eu-south-1", 73 | "eu-south-2", 74 | "eu-west-1", 75 | "eu-west-2", 76 | "eu-west-3", 77 | "il-central-1", 78 | "me-central-1", 79 | "me-south-1", 80 | "sa-east-1", 81 | "us-east-1", 82 | "us-east-2", 83 | "us-west-1", 84 | "us-west-2" 85 | ], 86 | "TargetOuType": "CUSTOM", 87 | "Version": "1", 88 | "Visibility": "PUBLIC" 89 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/cloudwatch/ct-cloudwatch-pr-4.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AU-6(1)", 8 | "AU-6(5)", 9 | "CA-7", 10 | "SI-2", 11 | "SI-4(12)" 12 | ] 13 | } 14 | ], 15 | 
"ConfigRuleIdentifier": "CLOUDWATCH_ALARM_ACTION_ENABLED_CHECK", 16 | "ControlOwner": "AWS Control Tower", 17 | "DeploymentMechanism": "AWS CloudFormation Hook", 18 | "DeploymentOwner": "AWS Control Tower", 19 | "Description": "This control checks whether an Amazon CloudWatch alarm has actions enabled.", 20 | "DisplayName": "Require an Amazon CloudWatch alarm to have actions activated", 21 | "DocumentationReferences": [ 22 | { 23 | "DisplayName": "Alarm actions", 24 | "Type": "AWS Documentation", 25 | "Url": "https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html#alarms-and-actions" 26 | } 27 | ], 28 | "EvaluatedResourceTypes": [ 29 | "AWS::CloudWatch::Alarm" 30 | ], 31 | "EvaluatedServices": [ 32 | "Amazon CloudWatch" 33 | ], 34 | "Guidance": "Elective", 35 | "Id": "CT.CLOUDWATCH.PR.4", 36 | "ImplementationType": "CloudFormation guard rule", 37 | "MinimumSupportedRuntimeVersion": "2.1", 38 | "Objectives": [ 39 | { 40 | "Id": "CO.1", 41 | "Name": "Establish logging and monitoring" 42 | } 43 | ], 44 | "RegionalPreference": "REGIONAL", 45 | "ReleaseDate": "2023-07-24", 46 | "RemediationMessage": "Set 'ActionsEnabled' to 'true' or do not provide the 'ActionsEnabled' property.", 47 | "Severity": "MEDIUM", 48 | "SupportedRegions": [ 49 | "af-south-1", 50 | "ap-east-1", 51 | "ap-northeast-1", 52 | "ap-northeast-2", 53 | "ap-northeast-3", 54 | "ap-south-1", 55 | "ap-south-2", 56 | "ap-southeast-1", 57 | "ap-southeast-2", 58 | "ap-southeast-3", 59 | "ap-southeast-4", 60 | "ca-central-1", 61 | "eu-central-1", 62 | "eu-central-2", 63 | "eu-north-1", 64 | "eu-south-1", 65 | "eu-south-2", 66 | "eu-west-1", 67 | "eu-west-2", 68 | "eu-west-3", 69 | "il-central-1", 70 | "me-central-1", 71 | "me-south-1", 72 | "sa-east-1", 73 | "us-east-1", 74 | "us-east-2", 75 | "us-west-1", 76 | "us-west-2" 77 | ], 78 | "TargetOuType": "CUSTOM", 79 | "Version": "1", 80 | "Visibility": "PUBLIC" 81 | } 
-------------------------------------------------------------------------------- /rules/control-tower/metadata/documentdb/ct-documentdb-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-3(6)", 9 | "SC-13", 10 | "SC-28", 11 | "SC-28(1)", 12 | "SC-7(10)", 13 | "SI-7(6)" 14 | ] 15 | }, 16 | { 17 | "ComplianceFramework": "PCI DSS version 3.2.1", 18 | "Ids": [ 19 | "3.4", 20 | "8.2.1" 21 | ] 22 | } 23 | ], 24 | "ConfigRuleIdentifier": "DOCDB_CLUSTER_ENCRYPTED", 25 | "ControlOwner": "AWS Control Tower", 26 | "DeploymentMechanism": "AWS CloudFormation Hook", 27 | "DeploymentOwner": "AWS Control Tower", 28 | "Description": "This control checks whether storage encryption is enabled for an Amazon DocumentDB (with MongoDB compatibility) cluster.", 29 | "DisplayName": "Require an Amazon DocumentDB cluster to be encrypted at rest", 30 | "DocumentationReferences": [ 31 | { 32 | "DisplayName": "Encrypting Amazon DocumentDB Data at Rest", 33 | "Type": "AWS Documentation", 34 | "Url": "https://docs.aws.amazon.com/documentdb/latest/developerguide/encryption-at-rest.html" 35 | } 36 | ], 37 | "EvaluatedResourceTypes": [ 38 | "AWS::DocDB::DBCluster" 39 | ], 40 | "EvaluatedServices": [ 41 | "Amazon DocumentDB" 42 | ], 43 | "Groups": [ 44 | "digital-sovereignty" 45 | ], 46 | "Guidance": "Elective", 47 | "Id": "CT.DOCUMENTDB.PR.1", 48 | "ImplementationType": "CloudFormation guard rule", 49 | "Objectives": [ 50 | { 51 | "Id": "CO.2", 52 | "Name": "Encrypt data at rest" 53 | } 54 | ], 55 | "RegionalPreference": "REGIONAL", 56 | "ReleaseDate": "2023-07-24", 57 | "RemediationMessage": "Set the value of the 'StorageEncrypted' parameter to true.", 58 | "Severity": "MEDIUM", 59 | "SupportedRegions": [ 60 | "af-south-1", 61 | "ap-east-1", 62 | "ap-northeast-1", 63 | "ap-northeast-2", 64 
| "ap-northeast-3", 65 | "ap-south-1", 66 | "ap-south-2", 67 | "ap-southeast-1", 68 | "ap-southeast-2", 69 | "ap-southeast-3", 70 | "ap-southeast-4", 71 | "ca-central-1", 72 | "eu-central-1", 73 | "eu-central-2", 74 | "eu-north-1", 75 | "eu-south-1", 76 | "eu-south-2", 77 | "eu-west-1", 78 | "eu-west-2", 79 | "eu-west-3", 80 | "il-central-1", 81 | "me-central-1", 82 | "me-south-1", 83 | "sa-east-1", 84 | "us-east-1", 85 | "us-east-2", 86 | "us-west-1", 87 | "us-west-2" 88 | ], 89 | "TargetOuType": "CUSTOM", 90 | "Version": "1", 91 | "Visibility": "PUBLIC" 92 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/documentdb/ct-documentdb-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "SI-12" 8 | ] 9 | }, 10 | { 11 | "ComplianceFramework": "PCI DSS version 3.2.1", 12 | "Ids": [ 13 | "3.1" 14 | ] 15 | } 16 | ], 17 | "ConfigRuleIdentifier": "DOCDB_CLUSTER_BACKUP_RETENTION_CHECK", 18 | "ControlOwner": "AWS Control Tower", 19 | "DeploymentMechanism": "AWS CloudFormation Hook", 20 | "DeploymentOwner": "AWS Control Tower", 21 | "Description": "This control checks whether an Amazon DocumentDB cluster retention period is set to seven or more days (>=7). 
The default retention period is one day.", 22 | "DisplayName": "Require an Amazon DocumentDB cluster to have a backup retention period greater than or equal to seven days", 23 | "DocumentationReferences": [ 24 | { 25 | "DisplayName": "Backing Up and Restoring in Amazon DocumentDB", 26 | "Type": "AWS Documentation", 27 | "Url": "https://docs.aws.amazon.com/documentdb/latest/developerguide/backup_restore.html" 28 | } 29 | ], 30 | "EvaluatedResourceTypes": [ 31 | "AWS::DocDB::DBCluster" 32 | ], 33 | "EvaluatedServices": [ 34 | "Amazon DocumentDB" 35 | ], 36 | "Guidance": "Elective", 37 | "Id": "CT.DOCUMENTDB.PR.2", 38 | "ImplementationType": "CloudFormation guard rule", 39 | "Objectives": [ 40 | { 41 | "Id": "CO.8", 42 | "Name": "Improve resiliency" 43 | } 44 | ], 45 | "RegionalPreference": "REGIONAL", 46 | "ReleaseDate": "2023-07-24", 47 | "RemediationMessage": "Set the value of the 'BackupRetentionPeriod' parameter to an integer value between 7 and 35 days (inclusive).", 48 | "Severity": "MEDIUM", 49 | "SupportedRegions": [ 50 | "af-south-1", 51 | "ap-east-1", 52 | "ap-northeast-1", 53 | "ap-northeast-2", 54 | "ap-northeast-3", 55 | "ap-south-1", 56 | "ap-south-2", 57 | "ap-southeast-1", 58 | "ap-southeast-2", 59 | "ap-southeast-3", 60 | "ap-southeast-4", 61 | "ca-central-1", 62 | "eu-central-1", 63 | "eu-central-2", 64 | "eu-north-1", 65 | "eu-south-1", 66 | "eu-south-2", 67 | "eu-west-1", 68 | "eu-west-2", 69 | "eu-west-3", 70 | "il-central-1", 71 | "me-central-1", 72 | "me-south-1", 73 | "sa-east-1", 74 | "us-east-1", 75 | "us-east-2", 76 | "us-west-1", 77 | "us-west-2" 78 | ], 79 | "TargetOuType": "CUSTOM", 80 | "Version": "1", 81 | "Visibility": "PUBLIC" 82 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/dynamodb/ct-dax-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 
5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-2(2)", 9 | "CP-6(2)", 10 | "SC-36", 11 | "SC-5(2)", 12 | "SI-13(5)" 13 | ] 14 | } 15 | ], 16 | "ControlOwner": "AWS Control Tower", 17 | "DeploymentMechanism": "AWS CloudFormation Hook", 18 | "DeploymentOwner": "AWS Control Tower", 19 | "Description": "This control checks whether an Amazon DAX cluster is configured to deploy cluster nodes to at least three Availability Zones.", 20 | "DisplayName": "Require an Amazon DAX cluster to deploy nodes to at least three Availability Zones", 21 | "DocumentationReferences": [ 22 | { 23 | "DisplayName": "Scaling a DAX cluster", 24 | "Type": "AWS Documentation", 25 | "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DAX.cluster-management.html#DAX.cluster-management.scaling" 26 | } 27 | ], 28 | "EvaluatedResourceTypes": [ 29 | "AWS::DAX::Cluster" 30 | ], 31 | "EvaluatedServices": [ 32 | "Amazon DynamoDB" 33 | ], 34 | "Groups": [ 35 | "digital-sovereignty" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.DAX.PR.2", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.8", 44 | "Name": "Improve resiliency" 45 | }, 46 | { 47 | "Id": "CO.9", 48 | "Name": "Improve availability" 49 | } 50 | ], 51 | "RegionalPreference": "REGIONAL", 52 | "ReleaseDate": "2023-10-05", 53 | "RemediationMessage": "Set the 'ReplicationFactor' parameter to an integer value greater than or equal to three (>= 3), and set the 'AvailabilityZones' parameter to a list containing three unique Availability Zone entries.", 54 | "Severity": "MEDIUM", 55 | "SupportedRegions": [ 56 | "af-south-1", 57 | "ap-east-1", 58 | "ap-northeast-1", 59 | "ap-northeast-2", 60 | "ap-northeast-3", 61 | "ap-south-1", 62 | "ap-south-2", 63 | "ap-southeast-1", 64 | "ap-southeast-2", 65 | "ap-southeast-3", 66 | "ap-southeast-4", 67 | "ca-central-1", 68 | "eu-central-1", 69 | "eu-central-2", 
70 | "eu-north-1", 71 | "eu-south-1", 72 | "eu-south-2", 73 | "eu-west-1", 74 | "eu-west-2", 75 | "eu-west-3", 76 | "il-central-1", 77 | "me-central-1", 78 | "me-south-1", 79 | "sa-east-1", 80 | "us-east-1", 81 | "us-east-2", 82 | "us-west-1", 83 | "us-west-2" 84 | ], 85 | "TargetOuType": "CUSTOM", 86 | "Version": "1", 87 | "Visibility": "PUBLIC" 88 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/dynamodb/ct-dynamodb-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-3(6)", 9 | "SC-13", 10 | "SC-28", 11 | "SC-28(1)", 12 | "SC-7(10)", 13 | "SI-7(6)" 14 | ] 15 | }, 16 | { 17 | "ComplianceFramework": "PCI DSS version 3.2.1", 18 | "Ids": [ 19 | "3.4", 20 | "3.5.3", 21 | "8.2.1" 22 | ] 23 | } 24 | ], 25 | "ConfigRuleIdentifier": "DYNAMODB_TABLE_ENCRYPTED_KMS", 26 | "ControlOwner": "AWS Control Tower", 27 | "DeploymentMechanism": "AWS CloudFormation Hook", 28 | "DeploymentOwner": "AWS Control Tower", 29 | "Description": "This control checks whether your Amazon DynamoDB table is encrypted with an AWS Key Management Service (KMS) key.", 30 | "DisplayName": "Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key", 31 | "DocumentationReferences": [ 32 | { 33 | "DisplayName": "DynamoDB encryption at rest", 34 | "Type": "AWS Documentation", 35 | "Url": "https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html" 36 | } 37 | ], 38 | "EvaluatedResourceTypes": [ 39 | "AWS::DynamoDB::Table" 40 | ], 41 | "EvaluatedServices": [ 42 | "Amazon DynamoDB" 43 | ], 44 | "Groups": [ 45 | "digital-sovereignty" 46 | ], 47 | "Guidance": "Elective", 48 | "Id": "CT.DYNAMODB.PR.2", 49 | "ImplementationType": "CloudFormation guard rule", 50 | 
"MinimumSupportedRuntimeVersion": "2.1", 51 | "Objectives": [ 52 | { 53 | "Id": "CO.2", 54 | "Name": "Encrypt data at rest" 55 | } 56 | ], 57 | "RegionalPreference": "REGIONAL", 58 | "ReleaseDate": "2023-07-24", 59 | "RemediationMessage": "Provide a 'SSESpecification' configuration and set 'SSEEnabled' to 'true'.", 60 | "Severity": "MEDIUM", 61 | "SupportedRegions": [ 62 | "af-south-1", 63 | "ap-east-1", 64 | "ap-northeast-1", 65 | "ap-northeast-2", 66 | "ap-northeast-3", 67 | "ap-south-1", 68 | "ap-south-2", 69 | "ap-southeast-1", 70 | "ap-southeast-2", 71 | "ap-southeast-3", 72 | "ap-southeast-4", 73 | "ca-central-1", 74 | "eu-central-1", 75 | "eu-central-2", 76 | "eu-north-1", 77 | "eu-south-1", 78 | "eu-south-2", 79 | "eu-west-1", 80 | "eu-west-2", 81 | "eu-west-3", 82 | "il-central-1", 83 | "me-central-1", 84 | "me-south-1", 85 | "sa-east-1", 86 | "us-east-1", 87 | "us-east-2", 88 | "us-west-1", 89 | "us-west-2" 90 | ], 91 | "TargetOuType": "CUSTOM", 92 | "Version": "1", 93 | "Visibility": "PUBLIC" 94 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ec2/ct-ec2-pr-10.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ControlOwner": "AWS Control Tower", 4 | "DeploymentMechanism": "AWS CloudFormation Hook", 5 | "DeploymentOwner": "AWS Control Tower", 6 | "Description": "This control checks whether the Amazon EC2 launch template has detailed monitoring enabled.", 7 | "DisplayName": "Require Amazon EC2 launch templates to have Amazon CloudWatch detailed monitoring activated", 8 | "DocumentationReferences": [ 9 | { 10 | "DisplayName": "Configure monitoring for Auto Scaling instances", 11 | "Type": "AWS Documentation", 12 | "Url": "https://docs.aws.amazon.com/autoscaling/ec2/userguide/enable-as-instance-metrics.html" 13 | } 14 | ], 15 | "EvaluatedResourceTypes": [ 16 | "AWS::EC2::LaunchTemplate" 17 | ], 18 | 
"EvaluatedServices": [ 19 | "Amazon EC2" 20 | ], 21 | "Guidance": "Elective", 22 | "Id": "CT.EC2.PR.10", 23 | "ImplementationType": "CloudFormation guard rule", 24 | "MinimumSupportedRuntimeVersion": "2.1", 25 | "Objectives": [ 26 | { 27 | "Id": "CO.1", 28 | "Name": "Establish logging and monitoring" 29 | } 30 | ], 31 | "RegionalPreference": "REGIONAL", 32 | "Relationships": [], 33 | "ReleaseDate": "2022-11-28", 34 | "RemediationMessage": "In 'LaunchTemplateData', provide a 'Monitoring' configuration with 'Enabled' set to 'true'.", 35 | "Severity": "LOW", 36 | "SupportedRegions": [ 37 | "af-south-1", 38 | "ap-east-1", 39 | "ap-northeast-1", 40 | "ap-northeast-2", 41 | "ap-northeast-3", 42 | "ap-south-1", 43 | "ap-south-2", 44 | "ap-southeast-1", 45 | "ap-southeast-2", 46 | "ap-southeast-3", 47 | "ap-southeast-4", 48 | "ca-central-1", 49 | "eu-central-1", 50 | "eu-central-2", 51 | "eu-north-1", 52 | "eu-south-1", 53 | "eu-south-2", 54 | "eu-west-1", 55 | "eu-west-2", 56 | "eu-west-3", 57 | "il-central-1", 58 | "me-central-1", 59 | "me-south-1", 60 | "sa-east-1", 61 | "us-east-1", 62 | "us-east-2", 63 | "us-west-1", 64 | "us-west-2" 65 | ], 66 | "TargetOuType": "CUSTOM", 67 | "Version": "1", 68 | "Visibility": "PUBLIC" 69 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ec2/ct-ec2-pr-12.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-4(21)" 8 | ] 9 | }, 10 | { 11 | "ComplianceFramework": "PCI DSS version 3.2.1", 12 | "Ids": [ 13 | "2.2" 14 | ] 15 | } 16 | ], 17 | "ConfigRuleIdentifier": "EC2_INSTANCE_MULTIPLE_ENI_CHECK", 18 | "ControlOwner": "AWS Control Tower", 19 | "DeploymentMechanism": "AWS CloudFormation Hook", 20 | "DeploymentOwner": "AWS Control Tower", 21 | "Description": "This control checks whether an 
AWS::EC2::Instance resource specifies multiple ENIs (Elastic Network Interfaces) in the NetworkInterfaces property.", 22 | "DisplayName": "Require an Amazon EC2 instance to specify at most one network interface by means of the NetworkInterfaces property in the AWS::EC2::Instance resource", 23 | "DocumentationReferences": [ 24 | { 25 | "DisplayName": "Amazon EC2 instance IP addressing", 26 | "Type": "AWS Documentation", 27 | "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses" 28 | } 29 | ], 30 | "EvaluatedResourceTypes": [ 31 | "AWS::EC2::Instance" 32 | ], 33 | "EvaluatedServices": [ 34 | "Amazon EC2" 35 | ], 36 | "Guidance": "Elective", 37 | "Id": "CT.EC2.PR.12", 38 | "ImplementationType": "CloudFormation guard rule", 39 | "MinimumSupportedRuntimeVersion": "2.1", 40 | "Objectives": [ 41 | { 42 | "Id": "CO.6", 43 | "Name": "Limit network access" 44 | } 45 | ], 46 | "RegionalPreference": "REGIONAL", 47 | "Relationships": [ 48 | { 49 | "ControlId": "SH.EC2.17", 50 | "ControlOwner": "AWS Security Hub", 51 | "RelationshipType": "Can be used with (Inclusive)" 52 | } 53 | ], 54 | "ReleaseDate": "2022-11-28", 55 | "RemediationMessage": "Configure Amazon EC2 instances with only one ENI.", 56 | "Severity": "LOW", 57 | "SupportedRegions": [ 58 | "af-south-1", 59 | "ap-east-1", 60 | "ap-northeast-1", 61 | "ap-northeast-2", 62 | "ap-northeast-3", 63 | "ap-south-1", 64 | "ap-south-2", 65 | "ap-southeast-1", 66 | "ap-southeast-2", 67 | "ap-southeast-3", 68 | "ap-southeast-4", 69 | "ca-central-1", 70 | "eu-central-1", 71 | "eu-central-2", 72 | "eu-north-1", 73 | "eu-south-1", 74 | "eu-south-2", 75 | "eu-west-1", 76 | "eu-west-2", 77 | "eu-west-3", 78 | "il-central-1", 79 | "me-central-1", 80 | "me-south-1", 81 | "sa-east-1", 82 | "us-east-1", 83 | "us-east-2", 84 | "us-west-1", 85 | "us-west-2" 86 | ], 87 | "TargetOuType": "CUSTOM", 88 | "Version": "2", 89 | "Visibility": "PUBLIC" 90 | } 
-------------------------------------------------------------------------------- /rules/control-tower/metadata/ec2/ct-ec2-pr-13.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-7", 8 | "SI-2" 9 | ] 10 | } 11 | ], 12 | "ConfigRuleIdentifier": "EC2_INSTANCE_DETAILED_MONITORING_ENABLED", 13 | "ControlOwner": "AWS Control Tower", 14 | "DeploymentMechanism": "AWS CloudFormation Hook", 15 | "DeploymentOwner": "AWS Control Tower", 16 | "Description": "This control checks whether an Amazon EC2 instance has detailed monitoring enabled.", 17 | "DisplayName": "Require an Amazon EC2 instance to have detailed monitoring enabled", 18 | "DocumentationReferences": [ 19 | { 20 | "DisplayName": "Enable or turn off detailed monitoring for your instances", 21 | "Type": "AWS Documentation", 22 | "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch-new.html" 23 | } 24 | ], 25 | "EvaluatedResourceTypes": [ 26 | "AWS::EC2::Instance" 27 | ], 28 | "EvaluatedServices": [ 29 | "Amazon EC2" 30 | ], 31 | "Guidance": "Elective", 32 | "Id": "CT.EC2.PR.13", 33 | "ImplementationType": "CloudFormation guard rule", 34 | "MinimumSupportedRuntimeVersion": "2.1", 35 | "Objectives": [ 36 | { 37 | "Id": "CO.1", 38 | "Name": "Establish logging and monitoring" 39 | } 40 | ], 41 | "RegionalPreference": "REGIONAL", 42 | "ReleaseDate": "2023-07-24", 43 | "RemediationMessage": "Set 'Monitoring' to 'true'.", 44 | "Severity": "MEDIUM", 45 | "SupportedRegions": [ 46 | "af-south-1", 47 | "ap-east-1", 48 | "ap-northeast-1", 49 | "ap-northeast-2", 50 | "ap-northeast-3", 51 | "ap-south-1", 52 | "ap-south-2", 53 | "ap-southeast-1", 54 | "ap-southeast-2", 55 | "ap-southeast-3", 56 | "ap-southeast-4", 57 | "ca-central-1", 58 | "eu-central-1", 59 | "eu-central-2", 60 | "eu-north-1", 61 | "eu-south-1", 62 | 
"eu-south-2", 63 | "eu-west-1", 64 | "eu-west-2", 65 | "eu-west-3", 66 | "il-central-1", 67 | "me-central-1", 68 | "me-south-1", 69 | "sa-east-1", 70 | "us-east-1", 71 | "us-east-2", 72 | "us-west-1", 73 | "us-west-2" 74 | ], 75 | "TargetOuType": "CUSTOM", 76 | "Version": "1", 77 | "Visibility": "PUBLIC" 78 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ec2/ct-ec2-pr-16.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "2.2" 15 | ] 16 | } 17 | ], 18 | "ControlOwner": "AWS Control Tower", 19 | "DeploymentMechanism": "AWS CloudFormation Hook", 20 | "DeploymentOwner": "AWS Control Tower", 21 | "Description": "This control checks whether an EC2 instance is configured to run using an AWS Nitro instance type.", 22 | "DisplayName": "Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the 'AWS::EC2::Instance' resource type", 23 | "DocumentationReferences": [ 24 | { 25 | "DisplayName": "Instances built on the Nitro System", 26 | "Type": "AWS Documentation", 27 | "Url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances" 28 | } 29 | ], 30 | "EvaluatedResourceTypes": [ 31 | "AWS::EC2::Instance" 32 | ], 33 | "EvaluatedServices": [ 34 | "Amazon EC2" 35 | ], 36 | "Groups": [ 37 | "digital-sovereignty" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.EC2.PR.16", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.4", 46 | "Name": "Protect data integrity" 47 | }, 48 | { 49 | "Id": "CO.5", 50 | "Name": "Enforce least privilege" 51 | } 52 | ], 53 | 
"RegionalPreference": "REGIONAL", 54 | "Relationships": [], 55 | "ReleaseDate": "2023-11-27", 56 | "RemediationMessage": "Set the value of the InstanceType property to an EC2 instance type based on the AWS Nitro system.", 57 | "Severity": "MEDIUM", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ec2/ct-ec2-pr-6.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-4(21)", 8 | "CA-9(1)", 9 | "CM-2" 10 | ] 11 | }, 12 | { 13 | "ComplianceFramework": "PCI DSS version 3.2.1", 14 | "Ids": [ 15 | "1.2.1", 16 | "1.3", 17 | "1.3.2", 18 | "1.3.4" 19 | ] 20 | } 21 | ], 22 | "ConfigRuleIdentifier": "EC2_TRANSIT_GATEWAY_AUTO_VPC_ATTACH_DISABLED", 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks whether Amazon EC2 transit gateways are configured to accept Amazon VPC attachment requests automatically.", 27 | "DisplayName": "Require that Amazon EC2 transit gateways refuse automatic Amazon VPC attachment requests", 28 | 
"DocumentationReferences": [ 29 | { 30 | "DisplayName": "Transit gateways - Accept a shared attachment", 31 | "Type": "AWS Documentation", 32 | "Url": "https://docs.aws.amazon.com/vpc/latest/tgw/tgw-transit-gateways.html#tgw-accept-shared-attachment" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | "AWS::EC2::TransitGateway" 37 | ], 38 | "EvaluatedServices": [ 39 | "Amazon EC2" 40 | ], 41 | "Groups": [ 42 | "digital-sovereignty" 43 | ], 44 | "Guidance": "Elective", 45 | "Id": "CT.EC2.PR.6", 46 | "ImplementationType": "CloudFormation guard rule", 47 | "MinimumSupportedRuntimeVersion": "2.1", 48 | "Objectives": [ 49 | { 50 | "Id": "CO.6", 51 | "Name": "Limit network access" 52 | } 53 | ], 54 | "RegionalPreference": "REGIONAL", 55 | "ReleaseDate": "2022-11-28", 56 | "RemediationMessage": "Omit the 'AutoAcceptSharedAttachments' property or set the property to 'disable'.", 57 | "Severity": "HIGH", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ecr/ct-ecr-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "RA-5" 8 | ] 9 | }, 10 | { 11 | 
"ComplianceFramework": "PCI DSS version 3.2.1", 12 | "Ids": [ 13 | "11.2.3", 14 | "6.3.2" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "ECR_PRIVATE_IMAGE_SCANNING_ENABLED", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether a private Amazon ECR repository has image scanning enabled.", 23 | "DisplayName": "Require Amazon ECR private repositories to have image scanning enabled", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Image scanning", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::ECR::Repository" 33 | ], 34 | "EvaluatedServices": [ 35 | "Amazon ECR" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.ECR.PR.2", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.12", 44 | "Name": "Manage vulnerabilities" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "Relationships": [ 49 | { 50 | "ControlId": "SH.ECR.1", 51 | "ControlOwner": "AWS Security Hub", 52 | "RelationshipType": "Can be used with (Inclusive)" 53 | } 54 | ], 55 | "ReleaseDate": "2022-11-28", 56 | "RemediationMessage": "Set 'ScanOnPush' in 'ImageScanningConfiguration' to 'true'.", 57 | "Severity": "HIGH", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | 
"sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ecr/ct-ecr-pr-3.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2", 9 | "CM-8(1)" 10 | ] 11 | }, 12 | { 13 | "ComplianceFramework": "PCI DSS version 3.2.1", 14 | "Ids": [ 15 | "2.2", 16 | "2.4" 17 | ] 18 | } 19 | ], 20 | "ConfigRuleIdentifier": "ECR_PRIVATE_TAG_IMMUTABILITY_ENABLED", 21 | "ControlOwner": "AWS Control Tower", 22 | "DeploymentMechanism": "AWS CloudFormation Hook", 23 | "DeploymentOwner": "AWS Control Tower", 24 | "Description": "This control checks whether a private Amazon ECR repository has tag immutability enabled.", 25 | "DisplayName": "Require Amazon ECR private repositories to have tag immutability enabled", 26 | "DocumentationReferences": [ 27 | { 28 | "DisplayName": "Image tag mutability", 29 | "Type": "AWS Documentation", 30 | "Url": "https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-tag-mutability.html" 31 | } 32 | ], 33 | "EvaluatedResourceTypes": [ 34 | "AWS::ECR::Repository" 35 | ], 36 | "EvaluatedServices": [ 37 | "Amazon ECR" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.ECR.PR.3", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.10", 46 | "Name": "Protect configurations" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "Relationships": [ 51 | { 52 | "ControlId": "SH.ECR.2", 53 | "ControlOwner": "AWS Security Hub", 54 | "RelationshipType": "Can be used with (Inclusive)" 55 | } 56 | ], 57 | "ReleaseDate": "2022-11-28", 58 | 
"RemediationMessage": "Set 'ImageTagMutability' to 'IMMUTABLE'.", 59 | "Severity": "MEDIUM", 60 | "SupportedRegions": [ 61 | "af-south-1", 62 | "ap-east-1", 63 | "ap-northeast-1", 64 | "ap-northeast-2", 65 | "ap-northeast-3", 66 | "ap-south-1", 67 | "ap-south-2", 68 | "ap-southeast-1", 69 | "ap-southeast-2", 70 | "ap-southeast-3", 71 | "ap-southeast-4", 72 | "ca-central-1", 73 | "eu-central-1", 74 | "eu-central-2", 75 | "eu-north-1", 76 | "eu-south-1", 77 | "eu-south-2", 78 | "eu-west-1", 79 | "eu-west-2", 80 | "eu-west-3", 81 | "il-central-1", 82 | "me-central-1", 83 | "me-south-1", 84 | "sa-east-1", 85 | "us-east-1", 86 | "us-east-2", 87 | "us-west-1", 88 | "us-west-2" 89 | ], 90 | "TargetOuType": "CUSTOM", 91 | "Version": "1", 92 | "Visibility": "PUBLIC" 93 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ecs/ct-ecs-pr-3.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-2(1)", 8 | "AC-3", 9 | "AC-3(15)", 10 | "AC-3(7)", 11 | "AC-5", 12 | "AC-6" 13 | ] 14 | }, 15 | { 16 | "ComplianceFramework": "PCI DSS version 3.2.1", 17 | "Ids": [ 18 | "7.1.1" 19 | ] 20 | } 21 | ], 22 | "ConfigRuleIdentifier": "ECS_TASK_DEFINITION_NONROOT_USER", 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks whether Amazon Elastic Container Service (ECS) task definitions run as a non-root user within Amazon ECS containers.", 27 | "DisplayName": "Require any Amazon ECS task definition to specify a user that is not the root", 28 | "DocumentationReferences": [ 29 | { 30 | "DisplayName": "ECS Task Definitions", 31 | "Type": "AWS Documentation", 32 | "Url": 
"https://docs.aws.amazon.com/config/latest/developerguide/ecs-task-definition-nonroot-user.html" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | "AWS::ECS::TaskDefinition" 37 | ], 38 | "EvaluatedServices": [ 39 | "Amazon ECS" 40 | ], 41 | "Guidance": "Elective", 42 | "Id": "CT.ECS.PR.3", 43 | "ImplementationType": "CloudFormation guard rule", 44 | "MinimumSupportedRuntimeVersion": "2.1", 45 | "Objectives": [ 46 | { 47 | "Id": "CO.5", 48 | "Name": "Enforce least privilege" 49 | }, 50 | { 51 | "Id": "CO.12", 52 | "Name": "Manage vulnerabilities" 53 | } 54 | ], 55 | "RegionalPreference": "REGIONAL", 56 | "ReleaseDate": "2022-11-28", 57 | "RemediationMessage": "Set the 'User' property in 'ContainerDefinitions' to a non-root user.", 58 | "Severity": "HIGH", 59 | "SupportedRegions": [ 60 | "af-south-1", 61 | "ap-east-1", 62 | "ap-northeast-1", 63 | "ap-northeast-2", 64 | "ap-northeast-3", 65 | "ap-south-1", 66 | "ap-south-2", 67 | "ap-southeast-1", 68 | "ap-southeast-2", 69 | "ap-southeast-3", 70 | "ap-southeast-4", 71 | "ca-central-1", 72 | "eu-central-1", 73 | "eu-central-2", 74 | "eu-north-1", 75 | "eu-south-1", 76 | "eu-south-2", 77 | "eu-west-1", 78 | "eu-west-2", 79 | "eu-west-3", 80 | "il-central-1", 81 | "me-central-1", 82 | "me-south-1", 83 | "sa-east-1", 84 | "us-east-1", 85 | "us-east-2", 86 | "us-west-1", 87 | "us-west-2" 88 | ], 89 | "TargetOuType": "CUSTOM", 90 | "Version": "1", 91 | "Visibility": "PUBLIC" 92 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/ecs/ct-ecs-pr-7.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "2.2" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": 
"ECS_TASK_DEFINITION_MEMORY_HARD_LIMIT", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether Amazon Elastic Container Service (ECS) task definitions have specified a memory limit for container definitions.", 23 | "DisplayName": "Require an Amazon ECS task definition to have a specific memory usage limit", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Container definition parameters", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_memory" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::ECS::TaskDefinition" 33 | ], 34 | "EvaluatedServices": [ 35 | "Amazon ECS" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.ECS.PR.7", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.9", 44 | "Name": "Improve availability" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "ReleaseDate": "2022-11-28", 49 | "RemediationMessage": "Set the 'Memory' property in 'ContainerDefinitions' for Amazon ECS task definitions.", 50 | "Severity": "HIGH", 51 | "SupportedRegions": [ 52 | "af-south-1", 53 | "ap-east-1", 54 | "ap-northeast-1", 55 | "ap-northeast-2", 56 | "ap-northeast-3", 57 | "ap-south-1", 58 | "ap-south-2", 59 | "ap-southeast-1", 60 | "ap-southeast-2", 61 | "ap-southeast-3", 62 | "ap-southeast-4", 63 | "ca-central-1", 64 | "eu-central-1", 65 | "eu-central-2", 66 | "eu-north-1", 67 | "eu-south-1", 68 | "eu-south-2", 69 | "eu-west-1", 70 | "eu-west-2", 71 | "eu-west-3", 72 | "il-central-1", 73 | "me-central-1", 74 | "me-south-1", 75 | "sa-east-1", 76 | "us-east-1", 77 | "us-east-2", 78 | "us-west-1", 79 | "us-west-2" 80 | ], 81 | "TargetOuType": "CUSTOM", 82 | "Version": "1", 83 | "Visibility": "PUBLIC" 84 | 
} -------------------------------------------------------------------------------- /rules/control-tower/metadata/efs/ct-elasticfilesysystem-pr-3.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-6(10)" 8 | ] 9 | }, 10 | { 11 | "ComplianceFramework": "PCI DSS version 3.2.1", 12 | "Ids": [ 13 | "7.1.1", 14 | "7.2.1", 15 | "7.2.2" 16 | ] 17 | } 18 | ], 19 | "ConfigRuleIdentifier": "EFS_ACCESS_POINT_ENFORCE_ROOT_DIRECTORY", 20 | "ControlOwner": "AWS Control Tower", 21 | "DeploymentMechanism": "AWS CloudFormation Hook", 22 | "DeploymentOwner": "AWS Control Tower", 23 | "Description": "This control checks whether your Amazon EFS access points are configured to enforce a root directory.", 24 | "DisplayName": "Require Amazon EFS access points to have a root directory", 25 | "DocumentationReferences": [ 26 | { 27 | "DisplayName": "Enforcing a root directory with an access point", 28 | "Type": "AWS Documentation", 29 | "Url": "https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-root-directory-access-point" 30 | } 31 | ], 32 | "EvaluatedResourceTypes": [ 33 | "AWS::EFS::AccessPoint" 34 | ], 35 | "EvaluatedServices": [ 36 | "Amazon EFS" 37 | ], 38 | "Guidance": "Elective", 39 | "Id": "CT.ELASTICFILESYSYSTEM.PR.3", 40 | "ImplementationType": "CloudFormation guard rule", 41 | "MinimumSupportedRuntimeVersion": "2.1", 42 | "Objectives": [ 43 | { 44 | "Id": "CO.5", 45 | "Name": "Enforce least privilege" 46 | } 47 | ], 48 | "RegionalPreference": "REGIONAL", 49 | "Relationships": [ 50 | { 51 | "ControlId": "SH.EFS.3", 52 | "ControlOwner": "AWS Security Hub", 53 | "RelationshipType": "Can be used with (Inclusive)" 54 | } 55 | ], 56 | "ReleaseDate": "2022-11-28", 57 | "RemediationMessage": "Provide a 'RootDirectory.Path' configuration with a value for 'Path' that does not 
equal '/'.", 58 | "Severity": "MEDIUM", 59 | "SupportedRegions": [ 60 | "af-south-1", 61 | "ap-east-1", 62 | "ap-northeast-1", 63 | "ap-northeast-2", 64 | "ap-northeast-3", 65 | "ap-south-1", 66 | "ap-south-2", 67 | "ap-southeast-1", 68 | "ap-southeast-2", 69 | "ap-southeast-3", 70 | "ap-southeast-4", 71 | "ca-central-1", 72 | "eu-central-1", 73 | "eu-central-2", 74 | "eu-north-1", 75 | "eu-south-1", 76 | "eu-south-2", 77 | "eu-west-1", 78 | "eu-west-2", 79 | "eu-west-3", 80 | "il-central-1", 81 | "me-central-1", 82 | "me-south-1", 83 | "sa-east-1", 84 | "us-east-1", 85 | "us-east-2", 86 | "us-west-1", 87 | "us-west-2" 88 | ], 89 | "TargetOuType": "CUSTOM", 90 | "Version": "1", 91 | "Visibility": "PUBLIC" 92 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/efs/ct-elasticfilesysystem-pr-4.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-6(2)" 8 | ] 9 | }, 10 | { 11 | "ComplianceFramework": "PCI DSS version 3.2.1", 12 | "Ids": [ 13 | "7.1.1", 14 | "7.2.1", 15 | "7.2.2" 16 | ] 17 | } 18 | ], 19 | "ConfigRuleIdentifier": "EFS_ACCESS_POINT_ENFORCE_USER_IDENTITY", 20 | "ControlOwner": "AWS Control Tower", 21 | "DeploymentMechanism": "AWS CloudFormation Hook", 22 | "DeploymentOwner": "AWS Control Tower", 23 | "Description": "This control checks whether your Amazon EFS access points are configured to enforce a user identity.", 24 | "DisplayName": "Require Amazon EFS access points to enforce a user identity", 25 | "DocumentationReferences": [ 26 | { 27 | "DisplayName": "Enforcing a user identity using an access point", 28 | "Type": "AWS Documentation", 29 | "Url": "https://docs.aws.amazon.com/efs/latest/ug/efs-access-points.html#enforce-identity-access-points" 30 | } 31 | ], 32 | "EvaluatedResourceTypes": [ 33 | 
"AWS::EFS::AccessPoint" 34 | ], 35 | "EvaluatedServices": [ 36 | "Amazon EFS" 37 | ], 38 | "Guidance": "Elective", 39 | "Id": "CT.ELASTICFILESYSYSTEM.PR.4", 40 | "ImplementationType": "CloudFormation guard rule", 41 | "MinimumSupportedRuntimeVersion": "2.1", 42 | "Objectives": [ 43 | { 44 | "Id": "CO.5", 45 | "Name": "Enforce least privilege" 46 | } 47 | ], 48 | "RegionalPreference": "REGIONAL", 49 | "Relationships": [ 50 | { 51 | "ControlId": "SH.EFS.4", 52 | "ControlOwner": "AWS Security Hub", 53 | "RelationshipType": "Can be used with (Inclusive)" 54 | } 55 | ], 56 | "ReleaseDate": "2022-11-28", 57 | "RemediationMessage": "Provide a 'PosixUser' configuration with a POSIX user ID ('Uid') and POSIX group ID ('Gid').", 58 | "Severity": "MEDIUM", 59 | "SupportedRegions": [ 60 | "af-south-1", 61 | "ap-east-1", 62 | "ap-northeast-1", 63 | "ap-northeast-2", 64 | "ap-northeast-3", 65 | "ap-south-1", 66 | "ap-south-2", 67 | "ap-southeast-1", 68 | "ap-southeast-2", 69 | "ap-southeast-3", 70 | "ap-southeast-4", 71 | "ca-central-1", 72 | "eu-central-1", 73 | "eu-central-2", 74 | "eu-north-1", 75 | "eu-south-1", 76 | "eu-south-2", 77 | "eu-west-1", 78 | "eu-west-2", 79 | "eu-west-3", 80 | "il-central-1", 81 | "me-central-1", 82 | "me-south-1", 83 | "sa-east-1", 84 | "us-east-1", 85 | "us-east-2", 86 | "us-west-1", 87 | "us-west-2" 88 | ], 89 | "TargetOuType": "CUSTOM", 90 | "Version": "1", 91 | "Visibility": "PUBLIC" 92 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/eks/ct-eks-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-3(6)", 9 | "SC-13", 10 | "SC-28", 11 | "SC-28(1)", 12 | "SI-7(6)" 13 | ] 14 | }, 15 | { 16 | "ComplianceFramework": "PCI DSS version 3.2.1", 17 | "Ids": [ 18 | "8.2.1" 19 | ] 
20 | } 21 | ], 22 | "ConfigRuleIdentifier": "EKS_SECRETS_ENCRYPTED", 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks whether Amazon Elastic Kubernetes Service (Amazon EKS) clusters are configured to use Kubernetes secrets encrypted with AWS Key Management Service (KMS) keys.", 27 | "DisplayName": "Require an Amazon EKS cluster to be configured with secret encryption using AWS Key Management Service (KMS) keys", 28 | "DocumentationReferences": [ 29 | { 30 | "DisplayName": "Enabling secret encryption on an existing cluster", 31 | "Type": "AWS Documentation", 32 | "Url": "https://docs.aws.amazon.com/eks/latest/userguide/enable-kms.html" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | "AWS::EKS::Cluster" 37 | ], 38 | "EvaluatedServices": [ 39 | "Amazon EKS" 40 | ], 41 | "Groups": [ 42 | "digital-sovereignty" 43 | ], 44 | "Guidance": "Elective", 45 | "Id": "CT.EKS.PR.2", 46 | "ImplementationType": "CloudFormation guard rule", 47 | "Objectives": [ 48 | { 49 | "Id": "CO.2", 50 | "Name": "Encrypt data at rest" 51 | } 52 | ], 53 | "RegionalPreference": "REGIONAL", 54 | "ReleaseDate": "2023-10-05", 55 | "RemediationMessage": "Provide an 'EncryptionConfig' configuration with a list of 'Resources' that contains 'secrets' and a 'Provider' configuration containing a 'KeyArn'.", 56 | "Severity": "MEDIUM", 57 | "SupportedRegions": [ 58 | "af-south-1", 59 | "ap-east-1", 60 | "ap-northeast-1", 61 | "ap-northeast-2", 62 | "ap-northeast-3", 63 | "ap-south-1", 64 | "ap-south-2", 65 | "ap-southeast-1", 66 | "ap-southeast-2", 67 | "ap-southeast-3", 68 | "ap-southeast-4", 69 | "ca-central-1", 70 | "eu-central-1", 71 | "eu-central-2", 72 | "eu-north-1", 73 | "eu-south-1", 74 | "eu-south-2", 75 | "eu-west-1", 76 | "eu-west-2", 77 | "eu-west-3", 78 | "il-central-1", 79 | "me-central-1", 80 | "me-south-1", 81 | "sa-east-1", 82 | "us-east-1", 83 | 
"us-east-2", 84 | "us-west-1", 85 | "us-west-2" 86 | ], 87 | "TargetOuType": "CUSTOM", 88 | "Version": "1", 89 | "Visibility": "PUBLIC" 90 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/elasticache/ct-elasticache-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6", 9 | "CP-6(1)", 10 | "CP-6(2)", 11 | "CP-9", 12 | "SC-5(2)", 13 | "SI-12", 14 | "SI-13(5)" 15 | ] 16 | }, 17 | { 18 | "ComplianceFramework": "PCI DSS version 3.2.1", 19 | "Ids": [ 20 | "3.1" 21 | ] 22 | } 23 | ], 24 | "ConfigRuleIdentifier": "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK", 25 | "ControlOwner": "AWS Control Tower", 26 | "DeploymentMechanism": "AWS CloudFormation Hook", 27 | "DeploymentOwner": "AWS Control Tower", 28 | "Description": "This control checks whether an Amazon ElastiCache Redis cluster has automatic backups enabled.", 29 | "DisplayName": "Require an Amazon ElastiCache for Redis cluster to have automatic backups activated", 30 | "DocumentationReferences": [ 31 | { 32 | "DisplayName": "Scheduling automatic backups", 33 | "Type": "AWS Documentation", 34 | "Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/backups-automatic.html" 35 | } 36 | ], 37 | "EvaluatedResourceTypes": [ 38 | "AWS::ElastiCache::CacheCluster" 39 | ], 40 | "EvaluatedServices": [ 41 | "Amazon ElastiCache" 42 | ], 43 | "Guidance": "Elective", 44 | "Id": "CT.ELASTICACHE.PR.1", 45 | "ImplementationType": "CloudFormation guard rule", 46 | "MinimumSupportedRuntimeVersion": "2.1", 47 | "Objectives": [ 48 | { 49 | "Id": "CO.8", 50 | "Name": "Improve resiliency" 51 | } 52 | ], 53 | "RegionalPreference": "REGIONAL", 54 | "ReleaseDate": "2023-07-24", 55 | "RemediationMessage": "Set the value of the 'SnapshotRetentionLimit' 
parameter to an integer value greater than 0.", 56 | "Severity": "MEDIUM", 57 | "SupportedRegions": [ 58 | "af-south-1", 59 | "ap-east-1", 60 | "ap-northeast-1", 61 | "ap-northeast-2", 62 | "ap-northeast-3", 63 | "ap-south-1", 64 | "ap-south-2", 65 | "ap-southeast-1", 66 | "ap-southeast-2", 67 | "ap-southeast-3", 68 | "ap-southeast-4", 69 | "ca-central-1", 70 | "eu-central-1", 71 | "eu-central-2", 72 | "eu-north-1", 73 | "eu-south-1", 74 | "eu-south-2", 75 | "eu-west-1", 76 | "eu-west-2", 77 | "eu-west-3", 78 | "il-central-1", 79 | "me-central-1", 80 | "me-south-1", 81 | "sa-east-1", 82 | "us-east-1", 83 | "us-east-2", 84 | "us-west-1", 85 | "us-west-2" 86 | ], 87 | "TargetOuType": "CUSTOM", 88 | "Version": "1", 89 | "Visibility": "PUBLIC" 90 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/elasticache/ct-elasticache-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "SI-2", 8 | "SI-2(2)", 9 | "SI-2(4)", 10 | "SI-2(5)" 11 | ] 12 | }, 13 | { 14 | "ComplianceFramework": "PCI DSS version 3.2.1", 15 | "Ids": [ 16 | "6.2" 17 | ] 18 | } 19 | ], 20 | "ConfigRuleIdentifier": "ELASTICACHE_AUTO_MINOR_VERSION_UPGRADE_CHECK", 21 | "ControlOwner": "AWS Control Tower", 22 | "DeploymentMechanism": "AWS CloudFormation Hook", 23 | "DeploymentOwner": "AWS Control Tower", 24 | "Description": "This control checks whether an Amazon ElastiCache for Redis cluster has automatic minor version upgrades enabled.", 25 | "DisplayName": "Require an Amazon ElastiCache for Redis cluster to have automatic minor version upgrades activated", 26 | "DocumentationReferences": [ 27 | { 28 | "DisplayName": "Upgrading engine versions", 29 | "Type": "AWS Documentation", 30 | "Url": 
"https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/VersionManagement.html" 31 | } 32 | ], 33 | "EvaluatedResourceTypes": [ 34 | "AWS::ElastiCache::CacheCluster" 35 | ], 36 | "EvaluatedServices": [ 37 | "Amazon ElastiCache" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.ELASTICACHE.PR.2", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.12", 46 | "Name": "Manage vulnerabilities" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "ReleaseDate": "2023-07-24", 51 | "RemediationMessage": "Set the value of the 'AutoMinorVersionUpgrade' parameter to true.", 52 | "Severity": "HIGH", 53 | "SupportedRegions": [ 54 | "af-south-1", 55 | "ap-east-1", 56 | "ap-northeast-1", 57 | "ap-northeast-2", 58 | "ap-northeast-3", 59 | "ap-south-1", 60 | "ap-south-2", 61 | "ap-southeast-1", 62 | "ap-southeast-2", 63 | "ap-southeast-3", 64 | "ap-southeast-4", 65 | "ca-central-1", 66 | "eu-central-1", 67 | "eu-central-2", 68 | "eu-north-1", 69 | "eu-south-1", 70 | "eu-south-2", 71 | "eu-west-1", 72 | "eu-west-2", 73 | "eu-west-3", 74 | "il-central-1", 75 | "me-central-1", 76 | "me-south-1", 77 | "sa-east-1", 78 | "us-east-1", 79 | "us-east-2", 80 | "us-west-1", 81 | "us-west-2" 82 | ], 83 | "TargetOuType": "CUSTOM", 84 | "Version": "1", 85 | "Visibility": "PUBLIC" 86 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/elasticache/ct-elasticache-pr-3.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "SC-36", 9 | "SC-5(2)", 10 | "SI-13(5)" 11 | ] 12 | } 13 | ], 14 | "ConfigRuleIdentifier": "ELASTICACHE_REPL_GRP_AUTO_FAILOVER_ENABLED", 15 | "ControlOwner": "AWS Control Tower", 16 | "DeploymentMechanism": "AWS 
CloudFormation Hook", 17 | "DeploymentOwner": "AWS Control Tower", 18 | "Description": "This control checks whether an Amazon ElastiCache Redis replication group has automatic failover enabled.", 19 | "DisplayName": "Require an Amazon ElastiCache for Redis replication group to have automatic failover activated", 20 | "DocumentationReferences": [ 21 | { 22 | "DisplayName": "Testing automatic failover", 23 | "Type": "AWS Documentation", 24 | "Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/AutoFailover.html#auto-failover-test" 25 | } 26 | ], 27 | "EvaluatedResourceTypes": [ 28 | "AWS::ElastiCache::ReplicationGroup" 29 | ], 30 | "EvaluatedServices": [ 31 | "Amazon ElastiCache" 32 | ], 33 | "Guidance": "Elective", 34 | "Id": "CT.ELASTICACHE.PR.3", 35 | "ImplementationType": "CloudFormation guard rule", 36 | "MinimumSupportedRuntimeVersion": "2.1", 37 | "Objectives": [ 38 | { 39 | "Id": "CO.8", 40 | "Name": "Improve resiliency" 41 | } 42 | ], 43 | "RegionalPreference": "REGIONAL", 44 | "Relationships": [ 45 | { 46 | "ControlId": "SH.ElastiCache.3", 47 | "ControlOwner": "AWS Security Hub", 48 | "RelationshipType": "Can be used with (Inclusive)" 49 | } 50 | ], 51 | "ReleaseDate": "2023-07-24", 52 | "RemediationMessage": "Set the value of the 'AutomaticFailoverEnabled' parameter to true.", 53 | "Severity": "MEDIUM", 54 | "SupportedRegions": [ 55 | "af-south-1", 56 | "ap-east-1", 57 | "ap-northeast-1", 58 | "ap-northeast-2", 59 | "ap-northeast-3", 60 | "ap-south-1", 61 | "ap-south-2", 62 | "ap-southeast-1", 63 | "ap-southeast-2", 64 | "ap-southeast-3", 65 | "ap-southeast-4", 66 | "ca-central-1", 67 | "eu-central-1", 68 | "eu-central-2", 69 | "eu-north-1", 70 | "eu-south-1", 71 | "eu-south-2", 72 | "eu-west-1", 73 | "eu-west-2", 74 | "eu-west-3", 75 | "il-central-1", 76 | "me-central-1", 77 | "me-south-1", 78 | "sa-east-1", 79 | "us-east-1", 80 | "us-east-2", 81 | "us-west-1", 82 | "us-west-2" 83 | ], 84 | "TargetOuType": "CUSTOM", 85 | "Version": "1", 86 
| "Visibility": "PUBLIC" 87 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/elasticache/ct-elasticache-pr-8.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-2(1)", 8 | "AC-3", 9 | "AC-3(15)", 10 | "AC-3(7)", 11 | "AC-6" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": "PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "7.1.1", 18 | "7.2.1", 19 | "7.2.2" 20 | ] 21 | } 22 | ], 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks whether Amazon ElastiCache replication groups with an engine version greater than or equal to 6.0 have RBAC authentication enabled.", 27 | "DisplayName": "Require an Amazon ElastiCache replication group running Redis engine version 6.0 or later to have RBAC authentication activated", 28 | "DocumentationReferences": [ 29 | { 30 | "DisplayName": "Role-Based Access Control (RBAC)", 31 | "Type": "AWS Documentation", 32 | "Url": "https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Clusters.RBAC.html" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | "AWS::ElastiCache::ReplicationGroup" 37 | ], 38 | "EvaluatedServices": [ 39 | "Amazon ElastiCache" 40 | ], 41 | "Groups": [ 42 | "digital-sovereignty" 43 | ], 44 | "Guidance": "Elective", 45 | "Id": "CT.ELASTICACHE.PR.8", 46 | "ImplementationType": "CloudFormation guard rule", 47 | "MinimumSupportedRuntimeVersion": "2.1", 48 | "Objectives": [ 49 | { 50 | "Id": "CO.5", 51 | "Name": "Enforce least privilege" 52 | } 53 | ], 54 | "RegionalPreference": "REGIONAL", 55 | "ReleaseDate": "2023-11-27", 56 | "RemediationMessage": "Set the value of the UserGroupIds property to a list that contains at least one Amazon ElastiCache user group 
identifier.", 57 | "Severity": "MEDIUM", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/elasticloadbalancing/ct-elasticloadbalancing-pr-11.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | } 11 | ], 12 | "ConfigRuleIdentifier": "ELB_CONNECTION_DRAINING_ENABLED", 13 | "ControlOwner": "AWS Control Tower", 14 | "DeploymentMechanism": "AWS CloudFormation Hook", 15 | "DeploymentOwner": "AWS Control Tower", 16 | "Description": "This control checks whether ELB classic load balancers have connection draining configured.", 17 | "DisplayName": "Require any ELB classic load balancer to have connection draining activated", 18 | "DocumentationReferences": [ 19 | { 20 | "DisplayName": "Configure connection draining for your Classic Load Balancer", 21 | "Type": "AWS Documentation", 22 | "Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html" 23 | } 24 | ], 25 | "EvaluatedResourceTypes": [ 26 | "AWS::ElasticLoadBalancing::LoadBalancer" 27 | ], 28 | "EvaluatedServices": [ 29 | "Elastic Load 
Balancing" 30 | ], 31 | "Guidance": "Elective", 32 | "Id": "CT.ELASTICLOADBALANCING.PR.11", 33 | "ImplementationType": "CloudFormation guard rule", 34 | "MinimumSupportedRuntimeVersion": "2.1", 35 | "Objectives": [ 36 | { 37 | "Id": "CO.8", 38 | "Name": "Improve resiliency" 39 | } 40 | ], 41 | "RegionalPreference": "REGIONAL", 42 | "Relationships": [ 43 | { 44 | "ControlId": "SH.ELB.7", 45 | "ControlOwner": "AWS Security Hub", 46 | "RelationshipType": "Can be used with (Inclusive)" 47 | } 48 | ], 49 | "ReleaseDate": "2022-11-28", 50 | "RemediationMessage": "Configure a 'ConnectionDrainingPolicy' on ELB classic load balancers.", 51 | "Severity": "MEDIUM", 52 | "SupportedRegions": [ 53 | "af-south-1", 54 | "ap-east-1", 55 | "ap-northeast-1", 56 | "ap-northeast-2", 57 | "ap-northeast-3", 58 | "ap-south-1", 59 | "ap-south-2", 60 | "ap-southeast-1", 61 | "ap-southeast-2", 62 | "ap-southeast-3", 63 | "ap-southeast-4", 64 | "ca-central-1", 65 | "eu-central-1", 66 | "eu-central-2", 67 | "eu-north-1", 68 | "eu-south-1", 69 | "eu-south-2", 70 | "eu-west-1", 71 | "eu-west-2", 72 | "eu-west-3", 73 | "il-central-1", 74 | "me-central-1", 75 | "me-south-1", 76 | "sa-east-1", 77 | "us-east-1", 78 | "us-east-2", 79 | "us-west-1", 80 | "us-west-2" 81 | ], 82 | "TargetOuType": "CUSTOM", 83 | "Version": "1", 84 | "Visibility": "PUBLIC" 85 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/elasticloadbalancing/ct-elasticloadbalancing-pr-13.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6(2)", 9 | "SC-36", 10 | "SC-5(2)", 11 | "SI-13(5)" 12 | ] 13 | } 14 | ], 15 | "ConfigRuleIdentifier": "ELB_CROSS_ZONE_LOAD_BALANCING_ENABLED", 16 | "ControlOwner": "AWS Control Tower", 17 | "DeploymentMechanism": "AWS CloudFormation 
Hook", 18 | "DeploymentOwner": "AWS Control Tower", 19 | "Description": "This control checks whether cross-zone load balancing is configured for your classic load balancer.", 20 | "DisplayName": "Require any ELB classic load balancer to have cross-zone load balancing activated", 21 | "DocumentationReferences": [ 22 | { 23 | "DisplayName": "Configure cross-zone load balancing for your Classic Load Balancer", 24 | "Type": "AWS Documentation", 25 | "Url": "https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-disable-crosszone-lb.html#enable-cross-zone" 26 | } 27 | ], 28 | "EvaluatedResourceTypes": [ 29 | "AWS::ElasticLoadBalancing::LoadBalancer" 30 | ], 31 | "EvaluatedServices": [ 32 | "Elastic Load Balancing" 33 | ], 34 | "Groups": [ 35 | "digital-sovereignty" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.ELASTICLOADBALANCING.PR.13", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.9", 44 | "Name": "Improve availability" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "Relationships": [ 49 | { 50 | "ControlId": "SH.ELB.9", 51 | "ControlOwner": "AWS Security Hub", 52 | "RelationshipType": "Can be used with (Inclusive)" 53 | } 54 | ], 55 | "ReleaseDate": "2022-11-28", 56 | "RemediationMessage": "Set 'CrossZone' to 'true' on classic load balancers.", 57 | "Severity": "MEDIUM", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | 
"us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/glue/ct-glue-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-3(6)", 9 | "SC-13", 10 | "SC-28", 11 | "SC-28(1)", 12 | "SC-7(10)", 13 | "SI-7(6)" 14 | ] 15 | }, 16 | { 17 | "ComplianceFramework": "PCI DSS version 3.2.1", 18 | "Ids": [ 19 | "10.5", 20 | "10.5.2", 21 | "2.2", 22 | "3.4" 23 | ] 24 | } 25 | ], 26 | "ControlOwner": "AWS Control Tower", 27 | "DeploymentMechanism": "AWS CloudFormation Hook", 28 | "DeploymentOwner": "AWS Control Tower", 29 | "Description": "This control checks whether an AWS Glue job has an associated security configuration.", 30 | "DisplayName": "Require an AWS Glue job to have an associated security configuration", 31 | "DocumentationReferences": [ 32 | { 33 | "DisplayName": "Working with security configurations on the AWS Glue console", 34 | "Type": "AWS Documentation", 35 | "Url": "https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html" 36 | } 37 | ], 38 | "EvaluatedResourceTypes": [ 39 | "AWS::Glue::Job" 40 | ], 41 | "EvaluatedServices": [ 42 | "AWS Glue" 43 | ], 44 | "Groups": [ 45 | "digital-sovereignty" 46 | ], 47 | "Guidance": "Elective", 48 | "Id": "CT.GLUE.PR.1", 49 | "ImplementationType": "CloudFormation guard rule", 50 | "MinimumSupportedRuntimeVersion": "2.1", 51 | "Objectives": [ 52 | { 53 | "Id": "CO.2", 54 | "Name": "Encrypt data at rest" 55 | } 56 | ], 57 | "RegionalPreference": "REGIONAL", 58 | "ReleaseDate": "2023-10-05", 59 | "RemediationMessage": "Set the 'SecurityConfiguration' parameter to the name of an AWS Glue security configuration.", 60 | "Severity": "MEDIUM", 61 
| "SupportedRegions": [ 62 | "af-south-1", 63 | "ap-east-1", 64 | "ap-northeast-1", 65 | "ap-northeast-2", 66 | "ap-northeast-3", 67 | "ap-south-1", 68 | "ap-south-2", 69 | "ap-southeast-1", 70 | "ap-southeast-2", 71 | "ap-southeast-3", 72 | "ap-southeast-4", 73 | "ca-central-1", 74 | "eu-central-1", 75 | "eu-central-2", 76 | "eu-north-1", 77 | "eu-south-1", 78 | "eu-south-2", 79 | "eu-west-1", 80 | "eu-west-2", 81 | "eu-west-3", 82 | "il-central-1", 83 | "me-central-1", 84 | "me-south-1", 85 | "sa-east-1", 86 | "us-east-1", 87 | "us-east-2", 88 | "us-west-1", 89 | "us-west-2" 90 | ], 91 | "TargetOuType": "CUSTOM", 92 | "Version": "1", 93 | "Visibility": "PUBLIC" 94 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/guardduty/ct-guardduty-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-2(12)", 8 | "AU-6(1)", 9 | "AU-6(5)", 10 | "CA-7", 11 | "RA-3(4)", 12 | "SC-7(10)", 13 | "SI-4", 14 | "SI-4(13)", 15 | "SI-4(2)", 16 | "SI-4(4)" 17 | ] 18 | }, 19 | { 20 | "ComplianceFramework": "PCI DSS version 3.2.1", 21 | "Ids": [ 22 | "11.4" 23 | ] 24 | } 25 | ], 26 | "ConfigRuleIdentifier": "GUARDDUTY_S3_PROTECTION_ENABLED", 27 | "ControlOwner": "AWS Control Tower", 28 | "DeploymentMechanism": "AWS CloudFormation Hook", 29 | "DeploymentOwner": "AWS Control Tower", 30 | "Description": "This control checks whether Amazon S3 protection is enabled on an Amazon GuardDuty detector.", 31 | "DisplayName": "Require an Amazon GuardDuty detector to have Amazon S3 protection activated", 32 | "DocumentationReferences": [ 33 | { 34 | "DisplayName": "Amazon S3 Protection in Amazon GuardDuty", 35 | "Type": "AWS Documentation", 36 | "Url": "https://docs.aws.amazon.com/guardduty/latest/ug/s3-protection.html" 37 | } 38 | ], 39 | 
"EvaluatedResourceTypes": [ 40 | "AWS::GuardDuty::Detector" 41 | ], 42 | "EvaluatedServices": [ 43 | "Amazon GuardDuty" 44 | ], 45 | "Guidance": "Elective", 46 | "Id": "CT.GUARDDUTY.PR.1", 47 | "ImplementationType": "CloudFormation guard rule", 48 | "MinimumSupportedRuntimeVersion": "2.1", 49 | "Objectives": [ 50 | { 51 | "Id": "CO.10", 52 | "Name": "Protect configurations" 53 | }, 54 | { 55 | "Id": "CO.11", 56 | "Name": "Prepare for incident response" 57 | } 58 | ], 59 | "RegionalPreference": "REGIONAL", 60 | "ReleaseDate": "2022-11-28", 61 | "RemediationMessage": "Set 'DataSources.S3Logs' to true.", 62 | "Severity": "HIGH", 63 | "SupportedRegions": [ 64 | "af-south-1", 65 | "ap-east-1", 66 | "ap-northeast-1", 67 | "ap-northeast-2", 68 | "ap-northeast-3", 69 | "ap-south-1", 70 | "ap-south-2", 71 | "ap-southeast-1", 72 | "ap-southeast-2", 73 | "ap-southeast-3", 74 | "ap-southeast-4", 75 | "ca-central-1", 76 | "eu-central-1", 77 | "eu-central-2", 78 | "eu-north-1", 79 | "eu-south-1", 80 | "eu-south-2", 81 | "eu-west-1", 82 | "eu-west-2", 83 | "eu-west-3", 84 | "il-central-1", 85 | "me-central-1", 86 | "me-south-1", 87 | "sa-east-1", 88 | "us-east-1", 89 | "us-east-2", 90 | "us-west-1", 91 | "us-west-2" 92 | ], 93 | "TargetOuType": "CUSTOM", 94 | "Version": "1", 95 | "Visibility": "PUBLIC" 96 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/keymanagementservice/ct-kms-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "CIS AWS Benchmark 1.4", 6 | "Ids": [ 7 | "3.8" 8 | ] 9 | }, 10 | { 11 | "ComplianceFramework": "NIST 800-53 Rev 5", 12 | "Ids": [ 13 | "SC-12", 14 | "SC-12(2)", 15 | "SC-28(3)" 16 | ] 17 | }, 18 | { 19 | "ComplianceFramework": "PCI DSS version 3.2.1", 20 | "Ids": [ 21 | "2.2", 22 | "3.6.4" 23 | ] 24 | } 25 | ], 26 | 
"ConfigRuleIdentifier": "KMS_KEY_ROTATION_ENABLED", 27 | "ControlOwner": "AWS Control Tower", 28 | "DeploymentMechanism": "AWS CloudFormation Hook", 29 | "DeploymentOwner": "AWS Control Tower", 30 | "Description": "This control checks whether key rotation is enabled for AWS KMS customer-managed keys.", 31 | "DisplayName": "Require any AWS KMS key to have rotation configured", 32 | "DocumentationReferences": [ 33 | { 34 | "DisplayName": "Rotating AWS KMS keys", 35 | "Type": "AWS Documentation", 36 | "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html" 37 | } 38 | ], 39 | "EvaluatedResourceTypes": [ 40 | "AWS::KMS::Key" 41 | ], 42 | "EvaluatedServices": [ 43 | "AWS Key Management Service (AWS KMS)" 44 | ], 45 | "Groups": [ 46 | "digital-sovereignty" 47 | ], 48 | "Guidance": "Elective", 49 | "Id": "CT.KMS.PR.1", 50 | "ImplementationType": "CloudFormation guard rule", 51 | "MinimumSupportedRuntimeVersion": "2.1", 52 | "Objectives": [ 53 | { 54 | "Id": "CO.2", 55 | "Name": "Encrypt data at rest" 56 | } 57 | ], 58 | "RegionalPreference": "REGIONAL", 59 | "ReleaseDate": "2022-11-28", 60 | "RemediationMessage": "Set 'EnableKeyRotation' to 'true' for AWS KMS symmetric-encryption keys.", 61 | "Severity": "MEDIUM", 62 | "SupportedRegions": [ 63 | "af-south-1", 64 | "ap-east-1", 65 | "ap-northeast-1", 66 | "ap-northeast-2", 67 | "ap-northeast-3", 68 | "ap-south-1", 69 | "ap-south-2", 70 | "ap-southeast-1", 71 | "ap-southeast-2", 72 | "ap-southeast-3", 73 | "ap-southeast-4", 74 | "ca-central-1", 75 | "eu-central-1", 76 | "eu-central-2", 77 | "eu-north-1", 78 | "eu-south-1", 79 | "eu-south-2", 80 | "eu-west-1", 81 | "eu-west-2", 82 | "eu-west-3", 83 | "il-central-1", 84 | "me-central-1", 85 | "me-south-1", 86 | "sa-east-1", 87 | "us-east-1", 88 | "us-east-2", 89 | "us-west-1", 90 | "us-west-2" 91 | ], 92 | "TargetOuType": "CUSTOM", 93 | "Version": "1", 94 | "Visibility": "PUBLIC" 95 | } 
-------------------------------------------------------------------------------- /rules/control-tower/metadata/keymanagementservice/ct-kms-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CM-8", 8 | "SC-13" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "2.2", 15 | "3.4" 16 | ] 17 | } 18 | ], 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether an AWS KMS asymmetric key with RSA key material, which is used for encryption and decryption, uses a key spec with a key length greater than 2048 bits (that is, a key spec other than 'RSA_2048').", 23 | "DisplayName": "Require that an AWS KMS asymmetric key with RSA key material used for encryption has a key length greater than 2048 bits", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Creating asymmetric KMS keys", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/kms/latest/developerguide/asymm-create-key.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::KMS::Key" 33 | ], 34 | "EvaluatedServices": [ 35 | "AWS Key Management Service (AWS KMS)" 36 | ], 37 | "Groups": [ 38 | "digital-sovereignty" 39 | ], 40 | "Guidance": "Elective", 41 | "Id": "CT.KMS.PR.2", 42 | "ImplementationType": "CloudFormation guard rule", 43 | "MinimumSupportedRuntimeVersion": "2.1", 44 | "Objectives": [ 45 | { 46 | "Id": "CO.2", 47 | "Name": "Encrypt data at rest" 48 | } 49 | ], 50 | "RegionalPreference": "REGIONAL", 51 | "ReleaseDate": "2023-10-05", 52 | "RemediationMessage": "For KMS keys with an RSA keyspec, which are configured for encryption and decryption ('KeyUsage' of 'ENCRYPT_DECRYPT'), set the 'KeySpec' 
parameter to a key spec other than 'RSA_2048'.", 53 | "Severity": "MEDIUM", 54 | "SupportedRegions": [ 55 | "af-south-1", 56 | "ap-east-1", 57 | "ap-northeast-1", 58 | "ap-northeast-2", 59 | "ap-northeast-3", 60 | "ap-south-1", 61 | "ap-south-2", 62 | "ap-southeast-1", 63 | "ap-southeast-2", 64 | "ap-southeast-3", 65 | "ap-southeast-4", 66 | "ca-central-1", 67 | "eu-central-1", 68 | "eu-central-2", 69 | "eu-north-1", 70 | "eu-south-1", 71 | "eu-south-2", 72 | "eu-west-1", 73 | "eu-west-2", 74 | "eu-west-3", 75 | "il-central-1", 76 | "me-central-1", 77 | "me-south-1", 78 | "sa-east-1", 79 | "us-east-1", 80 | "us-east-2", 81 | "us-west-1", 82 | "us-west-2" 83 | ], 84 | "TargetOuType": "CUSTOM", 85 | "Version": "1", 86 | "Visibility": "PUBLIC" 87 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/lambda/ct-lambda-pr-5.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-2(1)", 8 | "AC-3", 9 | "AC-3(15)", 10 | "AC-3(7)", 11 | "AC-6" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": "PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "7.1.1", 18 | "7.2.1", 19 | "7.2.2" 20 | ] 21 | } 22 | ], 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks whether an AWS Lambda function URL is configured to use authentication that's based on AWS IAM.", 27 | "DisplayName": "Require an AWS Lambda function URL to use AWS IAM-based authentication", 28 | "DocumentationReferences": [ 29 | { 30 | "DisplayName": "Security and auth model for Lambda function URLs", 31 | "Type": "AWS Documentation", 32 | "Url": "https://docs.aws.amazon.com/lambda/latest/dg/urls-auth.html" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | 
"AWS::Lambda::Url" 37 | ], 38 | "EvaluatedServices": [ 39 | "AWS Lambda" 40 | ], 41 | "Groups": [ 42 | "digital-sovereignty" 43 | ], 44 | "Guidance": "Elective", 45 | "Id": "CT.LAMBDA.PR.5", 46 | "ImplementationType": "CloudFormation guard rule", 47 | "MinimumSupportedRuntimeVersion": "2.1", 48 | "Objectives": [ 49 | { 50 | "Id": "CO.5", 51 | "Name": "Enforce least privilege" 52 | } 53 | ], 54 | "RegionalPreference": "REGIONAL", 55 | "ReleaseDate": "2023-10-05", 56 | "RemediationMessage": "Set the 'AuthType' parameter to 'AWS_IAM'", 57 | "Severity": "CRITICAL", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/mq/ct-mq-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6(2)", 9 | "SC-36", 10 | "SC-5(2)", 11 | "SI-13(5)" 12 | ] 13 | } 14 | ], 15 | "ControlOwner": "AWS Control Tower", 16 | "DeploymentMechanism": "AWS CloudFormation Hook", 17 | "DeploymentOwner": "AWS Control Tower", 18 | "Description": "This control checks whether an Amazon MQ ActiveMQ broker is configured in an active/standby deployment mode.", 19 | "DisplayName": 
"Require an Amazon MQ ActiveMQ broker to use active/standby deployment mode for high availability", 20 | "DocumentationReferences": [ 21 | { 22 | "DisplayName": "Amazon MQ active/standby broker for high availability", 23 | "Type": "AWS Documentation", 24 | "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/active-standby-broker-deployment.html" 25 | } 26 | ], 27 | "EvaluatedResourceTypes": [ 28 | "AWS::AmazonMQ::Broker" 29 | ], 30 | "EvaluatedServices": [ 31 | "Amazon MQ" 32 | ], 33 | "Groups": [ 34 | "digital-sovereignty" 35 | ], 36 | "Guidance": "Elective", 37 | "Id": "CT.MQ.PR.1", 38 | "ImplementationType": "CloudFormation guard rule", 39 | "Objectives": [ 40 | { 41 | "Id": "CO.8", 42 | "Name": "Improve resiliency" 43 | }, 44 | { 45 | "Id": "CO.9", 46 | "Name": "Improve availability" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "ReleaseDate": "2023-11-27", 51 | "RemediationMessage": "For Amazon MQ brokers with an engine type of ACTIVEMQ, set the DeploymentMode property to ACTIVE_STANDBY_MULTI_AZ.", 52 | "Severity": "LOW", 53 | "SupportedRegions": [ 54 | "af-south-1", 55 | "ap-east-1", 56 | "ap-northeast-1", 57 | "ap-northeast-2", 58 | "ap-northeast-3", 59 | "ap-south-1", 60 | "ap-south-2", 61 | "ap-southeast-1", 62 | "ap-southeast-2", 63 | "ap-southeast-3", 64 | "ap-southeast-4", 65 | "ca-central-1", 66 | "eu-central-1", 67 | "eu-central-2", 68 | "eu-north-1", 69 | "eu-south-1", 70 | "eu-south-2", 71 | "eu-west-1", 72 | "eu-west-2", 73 | "eu-west-3", 74 | "il-central-1", 75 | "me-central-1", 76 | "me-south-1", 77 | "sa-east-1", 78 | "us-east-1", 79 | "us-east-2", 80 | "us-west-1", 81 | "us-west-2" 82 | ], 83 | "TargetOuType": "CUSTOM", 84 | "Version": "1", 85 | "Visibility": "PUBLIC" 86 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/mq/ct-mq-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6(2)", 9 | "SC-36", 10 | "SC-5(2)", 11 | "SI-13(5)" 12 | ] 13 | } 14 | ], 15 | "ControlOwner": "AWS Control Tower", 16 | "DeploymentMechanism": "AWS CloudFormation Hook", 17 | "DeploymentOwner": "AWS Control Tower", 18 | "Description": "This control checks whether an Amazon MQ RabbitMQ broker is configured in a cluster deployment mode, to allow for high availability.", 19 | "DisplayName": "Require an Amazon MQ Rabbit MQ broker to use Multi-AZ cluster mode for high availability", 20 | "DocumentationReferences": [ 21 | { 22 | "DisplayName": "Cluster deployment for high availability", 23 | "Type": "AWS Documentation", 24 | "Url": "https://docs.aws.amazon.com/amazon-mq/latest/developer-guide/rabbitmq-broker-architecture-cluster.html" 25 | } 26 | ], 27 | "EvaluatedResourceTypes": [ 28 | "AWS::AmazonMQ::Broker" 29 | ], 30 | "EvaluatedServices": [ 31 | "Amazon MQ" 32 | ], 33 | "Groups": [ 34 | "digital-sovereignty" 35 | ], 36 | "Guidance": "Elective", 37 | "Id": "CT.MQ.PR.2", 38 | "ImplementationType": "CloudFormation guard rule", 39 | "Objectives": [ 40 | { 41 | "Id": "CO.8", 42 | "Name": "Improve resiliency" 43 | }, 44 | { 45 | "Id": "CO.9", 46 | "Name": "Improve availability" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "ReleaseDate": "2023-11-27", 51 | "RemediationMessage": "For Amazon MQ brokers with an engine type of RABBITMQ, set the DeploymentMode property to CLUSTER_MULTI_AZ.", 52 | "Severity": "LOW", 53 | "SupportedRegions": [ 54 | "af-south-1", 55 | "ap-east-1", 56 | "ap-northeast-1", 57 | "ap-northeast-2", 58 | "ap-northeast-3", 59 | "ap-south-1", 60 | "ap-south-2", 61 | "ap-southeast-1", 62 | "ap-southeast-2", 63 | "ap-southeast-3", 64 | "ap-southeast-4", 65 | "ca-central-1", 66 | "eu-central-1", 67 | "eu-central-2", 68 | "eu-north-1", 69 | "eu-south-1", 70 | "eu-south-2", 71 | "eu-west-1", 72 | 
"eu-west-2", 73 | "eu-west-3", 74 | "il-central-1", 75 | "me-central-1", 76 | "me-south-1", 77 | "sa-east-1", 78 | "us-east-1", 79 | "us-east-2", 80 | "us-west-1", 81 | "us-west-2" 82 | ], 83 | "TargetOuType": "CUSTOM", 84 | "Version": "1", 85 | "Visibility": "PUBLIC" 86 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/networkfirewall/ct-network-firewall-pr-5.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6(2)", 9 | "SC-36", 10 | "SC-5(2)", 11 | "SI-13(5)" 12 | ] 13 | } 14 | ], 15 | "ControlOwner": "AWS Control Tower", 16 | "DeploymentMechanism": "AWS CloudFormation Hook", 17 | "DeploymentOwner": "AWS Control Tower", 18 | "Description": "This control checks whether an AWS Network Firewall firewall is deployed across multiple Availability Zones (AZs), to permit automatic failover between AZs.", 19 | "DisplayName": "Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones", 20 | "DocumentationReferences": [ 21 | { 22 | "DisplayName": "Configuring your VPC and other components for AWS Network Firewall", 23 | "Type": "AWS Documentation", 24 | "Url": "https://docs.aws.amazon.com/network-firewall/latest/developerguide/vpc-config.html" 25 | } 26 | ], 27 | "EvaluatedResourceTypes": [ 28 | "AWS::NetworkFirewall::Firewall" 29 | ], 30 | "EvaluatedServices": [ 31 | "AWS Network Firewall" 32 | ], 33 | "Groups": [ 34 | "digital-sovereignty" 35 | ], 36 | "Guidance": "Elective", 37 | "Id": "CT.NETWORK-FIREWALL.PR.5", 38 | "ImplementationType": "CloudFormation guard rule", 39 | "MinimumSupportedRuntimeVersion": "2.1", 40 | "Objectives": [ 41 | { 42 | "Id": "CO.8", 43 | "Name": "Improve resiliency" 44 | } 45 | ], 46 | "RegionalPreference": "REGIONAL", 47 | "ReleaseDate": 
"2023-11-27", 48 | "RemediationMessage": "In the SubnetMappings parameter, provide at least two entries that refer to subnets in different Availability Zones.", 49 | "Severity": "MEDIUM", 50 | "SupportedRegions": [ 51 | "af-south-1", 52 | "ap-east-1", 53 | "ap-northeast-1", 54 | "ap-northeast-2", 55 | "ap-northeast-3", 56 | "ap-south-1", 57 | "ap-south-2", 58 | "ap-southeast-1", 59 | "ap-southeast-2", 60 | "ap-southeast-3", 61 | "ap-southeast-4", 62 | "ca-central-1", 63 | "eu-central-1", 64 | "eu-central-2", 65 | "eu-north-1", 66 | "eu-south-1", 67 | "eu-south-2", 68 | "eu-west-1", 69 | "eu-west-2", 70 | "eu-west-3", 71 | "il-central-1", 72 | "me-central-1", 73 | "me-south-1", 74 | "sa-east-1", 75 | "us-east-1", 76 | "us-east-2", 77 | "us-west-1", 78 | "us-west-2" 79 | ], 80 | "TargetOuType": "CUSTOM", 81 | "Version": "1", 82 | "Visibility": "PUBLIC" 83 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/rds/ct-rds-pr-10.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2", 9 | "CM-2(2)" 10 | ] 11 | }, 12 | { 13 | "ComplianceFramework": "PCI DSS version 3.2.1", 14 | "Ids": [ 15 | "2.2", 16 | "2.4" 17 | ] 18 | } 19 | ], 20 | "ConfigRuleIdentifier": "RDS_INSTANCE_COPY_TAGS_TO_SNAPSHOTS_ENABLED", 21 | "ControlOwner": "AWS Control Tower", 22 | "DeploymentMechanism": "AWS CloudFormation Hook", 23 | "DeploymentOwner": "AWS Control Tower", 24 | "Description": "This control checks whether Amazon RDS DB instances are configured to copy all tags to snapshots created.", 25 | "DisplayName": "Require an Amazon RDS database instance to copy tags to snapshots", 26 | "DocumentationReferences": [ 27 | { 28 | "DisplayName": "Copying tags to DB instance snapshots", 29 | "Type": "AWS Documentation", 30 | "Url": 
"https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Tagging.html#USER_Tagging.CopyTags" 31 | } 32 | ], 33 | "EvaluatedResourceTypes": [ 34 | "AWS::RDS::DBInstance" 35 | ], 36 | "EvaluatedServices": [ 37 | "Amazon RDS" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.RDS.PR.10", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.10", 46 | "Name": "Protect configurations" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "Relationships": [ 51 | { 52 | "ControlId": "SH.RDS.17", 53 | "ControlOwner": "AWS Security Hub", 54 | "RelationshipType": "Can be used with (Inclusive)" 55 | } 56 | ], 57 | "ReleaseDate": "2022-11-28", 58 | "RemediationMessage": "Set 'CopyTagsToSnapshot' to 'true'.", 59 | "Severity": "LOW", 60 | "SupportedRegions": [ 61 | "af-south-1", 62 | "ap-east-1", 63 | "ap-northeast-1", 64 | "ap-northeast-2", 65 | "ap-northeast-3", 66 | "ap-south-1", 67 | "ap-south-2", 68 | "ap-southeast-1", 69 | "ap-southeast-2", 70 | "ap-southeast-3", 71 | "ap-southeast-4", 72 | "ca-central-1", 73 | "eu-central-1", 74 | "eu-central-2", 75 | "eu-north-1", 76 | "eu-south-1", 77 | "eu-south-2", 78 | "eu-west-1", 79 | "eu-west-2", 80 | "eu-west-3", 81 | "il-central-1", 82 | "me-central-1", 83 | "me-south-1", 84 | "sa-east-1", 85 | "us-east-1", 86 | "us-east-2", 87 | "us-west-1", 88 | "us-west-2" 89 | ], 90 | "TargetOuType": "CUSTOM", 91 | "Version": "1", 92 | "Visibility": "PUBLIC" 93 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/rds/ct-rds-pr-13.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2", 9 | "CM-2(2)", 10 | "CM-3", 11 | "SC-5(2)" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": 
"PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "2.2" 18 | ] 19 | } 20 | ], 21 | "ConfigRuleIdentifier": "RDS_INSTANCE_DELETION_PROTECTION_ENABLED", 22 | "ControlOwner": "AWS Control Tower", 23 | "DeploymentMechanism": "AWS CloudFormation Hook", 24 | "DeploymentOwner": "AWS Control Tower", 25 | "Description": "This control checks whether an Amazon Relational Database Service (Amazon RDS) instance has deletion protection activated.", 26 | "DisplayName": "Require any Amazon RDS instance to have deletion protection configured", 27 | "DocumentationReferences": [ 28 | { 29 | "DisplayName": "Deleting Aurora DB clusters and DB instances", 30 | "Type": "AWS Documentation", 31 | "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_DeleteCluster.html" 32 | } 33 | ], 34 | "EvaluatedResourceTypes": [ 35 | "AWS::RDS::DBInstance" 36 | ], 37 | "EvaluatedServices": [ 38 | "Amazon RDS" 39 | ], 40 | "Guidance": "Elective", 41 | "Id": "CT.RDS.PR.13", 42 | "ImplementationType": "CloudFormation guard rule", 43 | "MinimumSupportedRuntimeVersion": "2.1", 44 | "Objectives": [ 45 | { 46 | "Id": "CO.9", 47 | "Name": "Improve availability" 48 | } 49 | ], 50 | "RegionalPreference": "REGIONAL", 51 | "Relationships": [ 52 | { 53 | "ControlId": "SH.RDS.8", 54 | "ControlOwner": "AWS Security Hub", 55 | "RelationshipType": "Can be used with (Inclusive)" 56 | } 57 | ], 58 | "ReleaseDate": "2022-11-28", 59 | "RemediationMessage": "Set 'DeletionProtection' to 'true'.", 60 | "Severity": "LOW", 61 | "SupportedRegions": [ 62 | "af-south-1", 63 | "ap-east-1", 64 | "ap-northeast-1", 65 | "ap-northeast-2", 66 | "ap-northeast-3", 67 | "ap-south-1", 68 | "ap-south-2", 69 | "ap-southeast-1", 70 | "ap-southeast-2", 71 | "ap-southeast-3", 72 | "ap-southeast-4", 73 | "ca-central-1", 74 | "eu-central-1", 75 | "eu-central-2", 76 | "eu-north-1", 77 | "eu-south-1", 78 | "eu-south-2", 79 | "eu-west-1", 80 | "eu-west-2", 81 | "eu-west-3", 82 | "il-central-1", 83 | "me-central-1", 84 | "me-south-1", 85 
| "sa-east-1", 86 | "us-east-1", 87 | "us-east-2", 88 | "us-west-1", 89 | "us-west-2" 90 | ], 91 | "TargetOuType": "CUSTOM", 92 | "Version": "1", 93 | "Visibility": "PUBLIC" 94 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/rds/ct-rds-pr-21.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "2.1" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "RDS_CLUSTER_DEFAULT_ADMIN_CHECK", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether an Amazon Relational Database Service (RDS) database (DB) cluster has changed the administrator username from its default value.", 23 | "DisplayName": "Require an Amazon RDS DB cluster to have a unique administrator username", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Creating an Amazon Aurora DB cluster", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.CreateInstance.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::RDS::DBCluster" 33 | ], 34 | "EvaluatedServices": [ 35 | "Amazon RDS" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.RDS.PR.21", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.10", 44 | "Name": "Protect configurations" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "ReleaseDate": "2022-11-28", 49 | "RemediationMessage": "Set 'MasterUsername' to a value other than 'admin' or 'postgres'.", 50 | "Severity": 
"MEDIUM", 51 | "SupportedRegions": [ 52 | "af-south-1", 53 | "ap-east-1", 54 | "ap-northeast-1", 55 | "ap-northeast-2", 56 | "ap-northeast-3", 57 | "ap-south-1", 58 | "ap-south-2", 59 | "ap-southeast-1", 60 | "ap-southeast-2", 61 | "ap-southeast-3", 62 | "ap-southeast-4", 63 | "ca-central-1", 64 | "eu-central-1", 65 | "eu-central-2", 66 | "eu-north-1", 67 | "eu-south-1", 68 | "eu-south-2", 69 | "eu-west-1", 70 | "eu-west-2", 71 | "eu-west-3", 72 | "il-central-1", 73 | "me-central-1", 74 | "me-south-1", 75 | "sa-east-1", 76 | "us-east-1", 77 | "us-east-2", 78 | "us-west-1", 79 | "us-west-2" 80 | ], 81 | "TargetOuType": "CUSTOM", 82 | "Version": "1", 83 | "Visibility": "PUBLIC" 84 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/rds/ct-rds-pr-5.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "SI-2", 8 | "SI-2(2)", 9 | "SI-2(4)", 10 | "SI-2(5)" 11 | ] 12 | }, 13 | { 14 | "ComplianceFramework": "PCI DSS version 3.2.1", 15 | "Ids": [ 16 | "6.2" 17 | ] 18 | } 19 | ], 20 | "ConfigRuleIdentifier": "RDS_AUTOMATIC_MINOR_VERSION_UPGRADE_ENABLED", 21 | "ControlOwner": "AWS Control Tower", 22 | "DeploymentMechanism": "AWS CloudFormation Hook", 23 | "DeploymentOwner": "AWS Control Tower", 24 | "Description": "This control checks whether automatic minor version upgrades are enabled for an Amazon RDS database instance.", 25 | "DisplayName": "Require an Amazon RDS database instance to have minor version upgrades configured", 26 | "DocumentationReferences": [ 27 | { 28 | "DisplayName": "Upgrading a DB instance engine version", 29 | "Type": "AWS Documentation", 30 | "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_UpgradeDBInstance.Upgrading.html" 31 | } 32 | ], 33 | "EvaluatedResourceTypes": [ 34 | 
"AWS::RDS::DBInstance" 35 | ], 36 | "EvaluatedServices": [ 37 | "Amazon RDS" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.RDS.PR.5", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.12", 46 | "Name": "Manage vulnerabilities" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "Relationships": [ 51 | { 52 | "ControlId": "SH.RDS.13", 53 | "ControlOwner": "AWS Security Hub", 54 | "RelationshipType": "Can be used with (Inclusive)" 55 | } 56 | ], 57 | "ReleaseDate": "2022-11-28", 58 | "RemediationMessage": "Omit the 'AutoMinorVersionUpgrade' property or set it to 'true'.", 59 | "Severity": "HIGH", 60 | "SupportedRegions": [ 61 | "af-south-1", 62 | "ap-east-1", 63 | "ap-northeast-1", 64 | "ap-northeast-2", 65 | "ap-northeast-3", 66 | "ap-south-1", 67 | "ap-south-2", 68 | "ap-southeast-1", 69 | "ap-southeast-2", 70 | "ap-southeast-3", 71 | "ap-southeast-4", 72 | "ca-central-1", 73 | "eu-central-1", 74 | "eu-central-2", 75 | "eu-north-1", 76 | "eu-south-1", 77 | "eu-south-2", 78 | "eu-west-1", 79 | "eu-west-2", 80 | "eu-west-3", 81 | "il-central-1", 82 | "me-central-1", 83 | "me-south-1", 84 | "sa-east-1", 85 | "us-east-1", 86 | "us-east-2", 87 | "us-west-1", 88 | "us-west-2" 89 | ], 90 | "TargetOuType": "CUSTOM", 91 | "Version": "1", 92 | "Visibility": "PUBLIC" 93 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/rds/ct-rds-pr-6.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6", 9 | "CP-6(1)", 10 | "CP-6(2)", 11 | "CP-9", 12 | "SI-13(5)" 13 | ] 14 | }, 15 | { 16 | "ComplianceFramework": "PCI DSS version 3.2.1", 17 | "Ids": [ 18 | "3.1" 19 | ] 20 | } 21 | ], 22 | "ConfigRuleIdentifier": 
"AURORA_MYSQL_BACKTRACKING_ENABLED", 23 | "ControlOwner": "AWS Control Tower", 24 | "DeploymentMechanism": "AWS CloudFormation Hook", 25 | "DeploymentOwner": "AWS Control Tower", 26 | "Description": "This control checks whether an Amazon Relational Database Service (RDS) database (DB) cluster has backtracking enabled.", 27 | "DisplayName": "Require an Amazon RDS database cluster to have backtracking configured", 28 | "DocumentationReferences": [ 29 | { 30 | "DisplayName": "Backtracking an Aurora DB cluster", 31 | "Type": "AWS Documentation", 32 | "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Managing.Backtrack.html" 33 | } 34 | ], 35 | "EvaluatedResourceTypes": [ 36 | "AWS::RDS::DBCluster" 37 | ], 38 | "EvaluatedServices": [ 39 | "Amazon RDS" 40 | ], 41 | "Guidance": "Elective", 42 | "Id": "CT.RDS.PR.6", 43 | "ImplementationType": "CloudFormation guard rule", 44 | "MinimumSupportedRuntimeVersion": "2.1", 45 | "Objectives": [ 46 | { 47 | "Id": "CO.8", 48 | "Name": "Improve resiliency" 49 | } 50 | ], 51 | "RegionalPreference": "REGIONAL", 52 | "ReleaseDate": "2022-11-28", 53 | "RemediationMessage": "Set 'BacktrackWindow' to a number between '1' and '259200'.", 54 | "Severity": "MEDIUM", 55 | "SupportedRegions": [ 56 | "af-south-1", 57 | "ap-east-1", 58 | "ap-northeast-1", 59 | "ap-northeast-2", 60 | "ap-northeast-3", 61 | "ap-south-1", 62 | "ap-south-2", 63 | "ap-southeast-1", 64 | "ap-southeast-2", 65 | "ap-southeast-3", 66 | "ap-southeast-4", 67 | "ca-central-1", 68 | "eu-central-1", 69 | "eu-central-2", 70 | "eu-north-1", 71 | "eu-south-1", 72 | "eu-south-2", 73 | "eu-west-1", 74 | "eu-west-2", 75 | "eu-west-3", 76 | "il-central-1", 77 | "me-central-1", 78 | "me-south-1", 79 | "sa-east-1", 80 | "us-east-1", 81 | "us-east-2", 82 | "us-west-1", 83 | "us-west-2" 84 | ], 85 | "TargetOuType": "CUSTOM", 86 | "Version": "1", 87 | "Visibility": "PUBLIC" 88 | } 
-------------------------------------------------------------------------------- /rules/control-tower/metadata/rds/ct-rds-pr-9.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2", 9 | "CM-2(2)" 10 | ] 11 | }, 12 | { 13 | "ComplianceFramework": "PCI DSS version 3.2.1", 14 | "Ids": [ 15 | "2.2", 16 | "2.4" 17 | ] 18 | } 19 | ], 20 | "ConfigRuleIdentifier": "RDS_CLUSTER_COPY_TAGS_TO_SNAPSHOTS_ENABLED", 21 | "ControlOwner": "AWS Control Tower", 22 | "DeploymentMechanism": "AWS CloudFormation Hook", 23 | "DeploymentOwner": "AWS Control Tower", 24 | "Description": "This control checks whether an Amazon RDS DB cluster is configured to copy all tags to snapshots created.", 25 | "DisplayName": "Require an Amazon RDS database cluster to copy tags to snapshots", 26 | "DocumentationReferences": [ 27 | { 28 | "DisplayName": "Copying tags to DB cluster snapshots", 29 | "Type": "AWS Documentation", 30 | "Url": "https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/USER_Tagging.html#USER_Tagging.CopyTagsCluster" 31 | } 32 | ], 33 | "EvaluatedResourceTypes": [ 34 | "AWS::RDS::DBCluster" 35 | ], 36 | "EvaluatedServices": [ 37 | "Amazon RDS" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.RDS.PR.9", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.10", 46 | "Name": "Protect configurations" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "ReleaseDate": "2022-11-28", 51 | "RemediationMessage": "Set 'CopyTagsToSnapshot' to 'true'.", 52 | "Severity": "LOW", 53 | "SupportedRegions": [ 54 | "af-south-1", 55 | "ap-east-1", 56 | "ap-northeast-1", 57 | "ap-northeast-2", 58 | "ap-northeast-3", 59 | "ap-south-1", 60 | "ap-south-2", 61 | "ap-southeast-1", 62 | 
"ap-southeast-2", 63 | "ap-southeast-3", 64 | "ap-southeast-4", 65 | "ca-central-1", 66 | "eu-central-1", 67 | "eu-central-2", 68 | "eu-north-1", 69 | "eu-south-1", 70 | "eu-south-2", 71 | "eu-west-1", 72 | "eu-west-2", 73 | "eu-west-3", 74 | "il-central-1", 75 | "me-central-1", 76 | "me-south-1", 77 | "sa-east-1", 78 | "us-east-1", 79 | "us-east-2", 80 | "us-west-1", 81 | "us-west-2" 82 | ], 83 | "TargetOuType": "CUSTOM", 84 | "Version": "1", 85 | "Visibility": "PUBLIC" 86 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/redshift/ct-redshift-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-10", 8 | "CP-6", 9 | "CP-6(1)", 10 | "CP-6(2)", 11 | "CP-9", 12 | "SC-5(2)", 13 | "SC-7(10)", 14 | "SI-13(5)" 15 | ] 16 | }, 17 | { 18 | "ComplianceFramework": "PCI DSS version 3.2.1", 19 | "Ids": [ 20 | "3.1" 21 | ] 22 | } 23 | ], 24 | "ConfigRuleIdentifier": "REDSHIFT_BACKUP_ENABLED", 25 | "ControlOwner": "AWS Control Tower", 26 | "DeploymentMechanism": "AWS CloudFormation Hook", 27 | "DeploymentOwner": "AWS Control Tower", 28 | "Description": "This control checks whether Amazon Redshift clusters have automated snapshots enabled, and set with an automated snapshot retention period greater than or equal to seven (7) days.", 29 | "DisplayName": "Require an Amazon Redshift cluster to have automatic snapshots configured", 30 | "DocumentationReferences": [ 31 | { 32 | "DisplayName": "Configuring Amazon Redshift snapshots", 33 | "Type": "AWS Documentation", 34 | "Url": "https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-snapshots.html" 35 | } 36 | ], 37 | "EvaluatedResourceTypes": [ 38 | "AWS::Redshift::Cluster" 39 | ], 40 | "EvaluatedServices": [ 41 | "Amazon Redshift" 42 | ], 43 | "Guidance": "Elective", 44 | 
"Id": "CT.REDSHIFT.PR.2", 45 | "ImplementationType": "CloudFormation guard rule", 46 | "MinimumSupportedRuntimeVersion": "2.1", 47 | "Objectives": [ 48 | { 49 | "Id": "CO.8", 50 | "Name": "Improve resiliency" 51 | } 52 | ], 53 | "RegionalPreference": "REGIONAL", 54 | "ReleaseDate": "2022-11-28", 55 | "RemediationMessage": "Set 'AutomatedSnapshotRetentionPeriod' to an integer value greater than or equal to 7 days.", 56 | "Severity": "MEDIUM", 57 | "SupportedRegions": [ 58 | "af-south-1", 59 | "ap-east-1", 60 | "ap-northeast-1", 61 | "ap-northeast-2", 62 | "ap-northeast-3", 63 | "ap-south-1", 64 | "ap-south-2", 65 | "ap-southeast-1", 66 | "ap-southeast-2", 67 | "ap-southeast-3", 68 | "ap-southeast-4", 69 | "ca-central-1", 70 | "eu-central-1", 71 | "eu-central-2", 72 | "eu-north-1", 73 | "eu-south-1", 74 | "eu-south-2", 75 | "eu-west-1", 76 | "eu-west-2", 77 | "eu-west-3", 78 | "il-central-1", 79 | "me-central-1", 80 | "me-south-1", 81 | "sa-east-1", 82 | "us-east-1", 83 | "us-east-2", 84 | "us-west-1", 85 | "us-west-2" 86 | ], 87 | "TargetOuType": "CUSTOM", 88 | "Version": "1", 89 | "Visibility": "PUBLIC" 90 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/redshift/ct-redshift-pr-6.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "2.1" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "REDSHIFT_DEFAULT_ADMIN_CHECK", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether an Amazon Redshift cluster has changed the administrator username from its default value.", 23 | 
"DisplayName": "Require an Amazon Redshift cluster to have a unique administrator username", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Managing database security", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/redshift/latest/dg/r_Database_objects.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::Redshift::Cluster" 33 | ], 34 | "EvaluatedServices": [ 35 | "Amazon Redshift" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.REDSHIFT.PR.6", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.10", 44 | "Name": "Protect configurations" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "Relationships": [ 49 | { 50 | "ControlId": "SH.Redshift.8", 51 | "ControlOwner": "AWS Security Hub", 52 | "RelationshipType": "Can be used with (Inclusive)" 53 | } 54 | ], 55 | "ReleaseDate": "2022-11-28", 56 | "RemediationMessage": "Set 'MasterUsername' to a value other than 'awsuser'.", 57 | "Severity": "MEDIUM", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/redshift/ct-redshift-pr-7.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "2.1" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "REDSHIFT_DEFAULT_DB_NAME", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether an Amazon Redshift cluster has changed its database name from the default value.", 23 | "DisplayName": "Require an Amazon Redshift cluster to have a unique database name", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Getting started with Amazon Redshift", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/redshift/latest/gsg/getting-started.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::Redshift::Cluster" 33 | ], 34 | "EvaluatedServices": [ 35 | "Amazon Redshift" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.REDSHIFT.PR.7", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.10", 44 | "Name": "Protect configurations" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "Relationships": [ 49 | { 50 | "ControlId": "SH.Redshift.9", 51 | "ControlOwner": "AWS Security Hub", 52 | "RelationshipType": "Can be used with (Inclusive)" 53 | } 54 | ], 55 | "ReleaseDate": "2022-11-28", 56 | "RemediationMessage": "Set 'DBName' to a database name that is different from the default value of 'dev'.", 57 | "Severity": "MEDIUM", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 
| "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/s3/ct-s3-pr-11.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "CIS AWS Benchmark 1.4", 6 | "Ids": [ 7 | "2.1.3" 8 | ] 9 | }, 10 | { 11 | "ComplianceFramework": "NIST 800-53 Rev 5", 12 | "Ids": [ 13 | "AU-9(2)", 14 | "CP-10", 15 | "CP-6", 16 | "CP-6(1)", 17 | "CP-6(2)", 18 | "CP-9", 19 | "SC-5(2)", 20 | "SI-12", 21 | "SI-13(5)" 22 | ] 23 | }, 24 | { 25 | "ComplianceFramework": "PCI DSS version 3.2.1", 26 | "Ids": [ 27 | "10.5.5" 28 | ] 29 | } 30 | ], 31 | "ConfigRuleIdentifier": "S3_BUCKET_VERSIONING_ENABLED", 32 | "ControlOwner": "AWS Control Tower", 33 | "DeploymentMechanism": "AWS CloudFormation Hook", 34 | "DeploymentOwner": "AWS Control Tower", 35 | "Description": "This control checks whether an Amazon Simple Storage Service (Amazon S3) bucket has versioning enabled.", 36 | "DisplayName": "Require an Amazon S3 bucket to have versioning enabled", 37 | "DocumentationReferences": [ 38 | { 39 | "DisplayName": "Using versioning in S3 buckets", 40 | "Type": "AWS Documentation", 41 | "Url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html" 42 | } 43 | ], 44 | "EvaluatedResourceTypes": [ 45 | "AWS::S3::Bucket" 46 | ], 47 | "EvaluatedServices": [ 48 | "Amazon S3" 49 | ], 50 | "Guidance": "Elective", 51 | "Id": "CT.S3.PR.11", 52 | "ImplementationType": "CloudFormation guard rule", 53 | 
"MinimumSupportedRuntimeVersion": "2.1", 54 | "Objectives": [ 55 | { 56 | "Id": "CO.9", 57 | "Name": "Improve availability" 58 | } 59 | ], 60 | "RegionalPreference": "REGIONAL", 61 | "ReleaseDate": "2023-07-24", 62 | "RemediationMessage": "Set 'Status' in 'VersioningConfiguration' to 'Enabled'.", 63 | "Severity": "LOW", 64 | "SupportedRegions": [ 65 | "af-south-1", 66 | "ap-east-1", 67 | "ap-northeast-1", 68 | "ap-northeast-2", 69 | "ap-northeast-3", 70 | "ap-south-1", 71 | "ap-south-2", 72 | "ap-southeast-1", 73 | "ap-southeast-2", 74 | "ap-southeast-3", 75 | "ap-southeast-4", 76 | "ca-central-1", 77 | "eu-central-1", 78 | "eu-central-2", 79 | "eu-north-1", 80 | "eu-south-1", 81 | "eu-south-2", 82 | "eu-west-1", 83 | "eu-west-2", 84 | "eu-west-3", 85 | "il-central-1", 86 | "me-central-1", 87 | "me-south-1", 88 | "sa-east-1", 89 | "us-east-1", 90 | "us-east-2", 91 | "us-west-1", 92 | "us-west-2" 93 | ], 94 | "TargetOuType": "CUSTOM", 95 | "Version": "1", 96 | "Visibility": "PUBLIC" 97 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/s3/ct-s3-pr-4.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-7", 8 | "SI-3(8)", 9 | "SI-4", 10 | "SI-4(4)" 11 | ] 12 | }, 13 | { 14 | "ComplianceFramework": "PCI DSS version 3.2.1", 15 | "Ids": [ 16 | "11.5" 17 | ] 18 | } 19 | ], 20 | "ConfigRuleIdentifier": "S3_EVENT_NOTIFICATIONS_ENABLED", 21 | "ControlOwner": "AWS Control Tower", 22 | "DeploymentMechanism": "AWS CloudFormation Hook", 23 | "DeploymentOwner": "AWS Control Tower", 24 | "Description": "This control checks whether Amazon S3 event notifications are enabled on your Amazon S3 bucket.", 25 | "DisplayName": "Require an Amazon S3 bucket to have event notifications configured", 26 | "DocumentationReferences": [ 27 | { 
28 | "DisplayName": "Amazon S3 Event Notifications", 29 | "Type": "AWS Documentation", 30 | "Url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html" 31 | } 32 | ], 33 | "EvaluatedResourceTypes": [ 34 | "AWS::S3::Bucket" 35 | ], 36 | "EvaluatedServices": [ 37 | "Amazon S3" 38 | ], 39 | "Guidance": "Elective", 40 | "Id": "CT.S3.PR.4", 41 | "ImplementationType": "CloudFormation guard rule", 42 | "MinimumSupportedRuntimeVersion": "2.1", 43 | "Objectives": [ 44 | { 45 | "Id": "CO.1", 46 | "Name": "Establish logging and monitoring" 47 | } 48 | ], 49 | "RegionalPreference": "REGIONAL", 50 | "Relationships": [ 51 | { 52 | "ControlId": "SH.S3.11", 53 | "ControlOwner": "AWS Security Hub", 54 | "RelationshipType": "Can be used with (Inclusive)" 55 | } 56 | ], 57 | "ReleaseDate": "2022-11-28", 58 | "RemediationMessage": "Set a 'NotificationConfiguration' property on your bucket with at least one of 'EventBridgeConfiguration', 'LambdaConfigurations', 'QueueConfigurations' or 'TopicConfigurations'.", 59 | "Severity": "MEDIUM", 60 | "SupportedRegions": [ 61 | "af-south-1", 62 | "ap-east-1", 63 | "ap-northeast-1", 64 | "ap-northeast-2", 65 | "ap-northeast-3", 66 | "ap-south-1", 67 | "ap-south-2", 68 | "ap-southeast-1", 69 | "ap-southeast-2", 70 | "ap-southeast-3", 71 | "ap-southeast-4", 72 | "ca-central-1", 73 | "eu-central-1", 74 | "eu-central-2", 75 | "eu-north-1", 76 | "eu-south-1", 77 | "eu-south-2", 78 | "eu-west-1", 79 | "eu-west-2", 80 | "eu-west-3", 81 | "il-central-1", 82 | "me-central-1", 83 | "me-south-1", 84 | "sa-east-1", 85 | "us-east-1", 86 | "us-east-2", 87 | "us-west-1", 88 | "us-west-2" 89 | ], 90 | "TargetOuType": "CUSTOM", 91 | "Version": "1", 92 | "Visibility": "PUBLIC" 93 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/s3/ct-s3-pr-9.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | 
"ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CP-6(2)" 8 | ] 9 | } 10 | ], 11 | "ConfigRuleIdentifier": "S3_BUCKET_DEFAULT_LOCK_ENABLED", 12 | "ControlOwner": "AWS Control Tower", 13 | "DeploymentMechanism": "AWS CloudFormation Hook", 14 | "DeploymentOwner": "AWS Control Tower", 15 | "Description": "This control checks whether an Amazon Simple Storage Service (Amazon S3) bucket has been configured to use S3 Object Lock.", 16 | "DisplayName": "Require that an Amazon S3 bucket has S3 Object Lock activated", 17 | "DocumentationReferences": [ 18 | { 19 | "DisplayName": "How S3 Object Lock works", 20 | "Type": "AWS Documentation", 21 | "Url": "https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lock-overview.html" 22 | } 23 | ], 24 | "EvaluatedResourceTypes": [ 25 | "AWS::S3::Bucket" 26 | ], 27 | "EvaluatedServices": [ 28 | "Amazon S3" 29 | ], 30 | "Guidance": "Elective", 31 | "Id": "CT.S3.PR.9", 32 | "ImplementationType": "CloudFormation guard rule", 33 | "MinimumSupportedRuntimeVersion": "2.1", 34 | "Objectives": [ 35 | { 36 | "Id": "CO.4", 37 | "Name": "Protect data integrity" 38 | } 39 | ], 40 | "RegionalPreference": "REGIONAL", 41 | "ReleaseDate": "2023-07-24", 42 | "RemediationMessage": "Set 'ObjectLockEnabled' to 'true'.", 43 | "Severity": "MEDIUM", 44 | "SupportedRegions": [ 45 | "af-south-1", 46 | "ap-east-1", 47 | "ap-northeast-1", 48 | "ap-northeast-2", 49 | "ap-northeast-3", 50 | "ap-south-1", 51 | "ap-south-2", 52 | "ap-southeast-1", 53 | "ap-southeast-2", 54 | "ap-southeast-3", 55 | "ap-southeast-4", 56 | "ca-central-1", 57 | "eu-central-1", 58 | "eu-central-2", 59 | "eu-north-1", 60 | "eu-south-1", 61 | "eu-south-2", 62 | "eu-west-1", 63 | "eu-west-2", 64 | "eu-west-3", 65 | "il-central-1", 66 | "me-central-1", 67 | "me-south-1", 68 | "sa-east-1", 69 | "us-east-1", 70 | "us-east-2", 71 | "us-west-1", 72 | "us-west-2" 73 | ], 74 | "TargetOuType": "CUSTOM", 75 | "Version": "1", 76 | 
"Visibility": "PUBLIC" 77 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/sqs/ct-sqs-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ControlOwner": "AWS Control Tower", 4 | "DeploymentMechanism": "AWS CloudFormation Hook", 5 | "DeploymentOwner": "AWS Control Tower", 6 | "Description": "This control checks whether an Amazon SQS queue is configured with a dead-letter queue.", 7 | "DisplayName": "Require any Amazon SQS queue to have a dead-letter queue configured", 8 | "DocumentationReferences": [ 9 | { 10 | "DisplayName": "Amazon SQS dead-letter queues", 11 | "Type": "AWS Documentation", 12 | "Url": "https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.html#sqs-dead-letter-queues-how-they-work" 13 | } 14 | ], 15 | "EvaluatedResourceTypes": [ 16 | "AWS::SQS::Queue" 17 | ], 18 | "EvaluatedServices": [ 19 | "Amazon SQS" 20 | ], 21 | "Guidance": "Elective", 22 | "Id": "CT.SQS.PR.1", 23 | "ImplementationType": "CloudFormation guard rule", 24 | "MinimumSupportedRuntimeVersion": "2.1", 25 | "Objectives": [ 26 | { 27 | "Id": "CO.8", 28 | "Name": "Improve resiliency" 29 | } 30 | ], 31 | "RegionalPreference": "REGIONAL", 32 | "ReleaseDate": "2022-11-28", 33 | "RemediationMessage": "Create a 'RedrivePolicy' with a 'deadLetterTargetArn' value that's set to the ARN of an Amazon SQS dead-letter queue. 
For a queue that is itself an Amazon SQS dead-letter queue, provide a redrive configuration in the 'RedriveAllowPolicy' property instead.", 34 | "Severity": "HIGH", 35 | "SupportedRegions": [ 36 | "af-south-1", 37 | "ap-east-1", 38 | "ap-northeast-1", 39 | "ap-northeast-2", 40 | "ap-northeast-3", 41 | "ap-south-1", 42 | "ap-south-2", 43 | "ap-southeast-1", 44 | "ap-southeast-2", 45 | "ap-southeast-3", 46 | "ap-southeast-4", 47 | "ca-central-1", 48 | "eu-central-1", 49 | "eu-central-2", 50 | "eu-north-1", 51 | "eu-south-1", 52 | "eu-south-2", 53 | "eu-west-1", 54 | "eu-west-2", 55 | "eu-west-3", 56 | "il-central-1", 57 | "me-central-1", 58 | "me-south-1", 59 | "sa-east-1", 60 | "us-east-1", 61 | "us-east-2", 62 | "us-west-1", 63 | "us-west-2" 64 | ], 65 | "TargetOuType": "CUSTOM", 66 | "Version": "1", 67 | "Visibility": "PUBLIC" 68 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/waf/ct-waf-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "6.6" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "WAF_GLOBAL_RULE_NOT_EMPTY", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether an AWS WAF Classic global rule contains any conditions.", 23 | "DisplayName": "Require any AWS WAF Classic global rule to have a condition", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Creating a rule and adding conditions", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html" 29 | } 30 | ], 31 | 
"EvaluatedResourceTypes": [ 32 | "AWS::WAF::Rule" 33 | ], 34 | "EvaluatedServices": [ 35 | "AWS WAF" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.WAF.PR.1", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.6", 44 | "Name": "Limit network access" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "ReleaseDate": "2022-11-28", 49 | "RemediationMessage": "Provide one or more AWS WAF Classic rule conditions within the 'Predicates' property.", 50 | "Severity": "MEDIUM", 51 | "SupportedRegions": [ 52 | "af-south-1", 53 | "ap-east-1", 54 | "ap-northeast-1", 55 | "ap-northeast-2", 56 | "ap-northeast-3", 57 | "ap-south-1", 58 | "ap-south-2", 59 | "ap-southeast-1", 60 | "ap-southeast-2", 61 | "ap-southeast-3", 62 | "ap-southeast-4", 63 | "ca-central-1", 64 | "eu-central-1", 65 | "eu-central-2", 66 | "eu-north-1", 67 | "eu-south-1", 68 | "eu-south-2", 69 | "eu-west-1", 70 | "eu-west-2", 71 | "eu-west-3", 72 | "il-central-1", 73 | "me-central-1", 74 | "me-south-1", 75 | "sa-east-1", 76 | "us-east-1", 77 | "us-east-2", 78 | "us-west-1", 79 | "us-west-2" 80 | ], 81 | "TargetOuType": "CUSTOM", 82 | "Version": "1", 83 | "Visibility": "PUBLIC" 84 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/waf/ct-waf-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-4(21)", 8 | "SC-7", 9 | "SC-7(11)", 10 | "SC-7(16)", 11 | "SC-7(21)" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": "PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "6.6" 18 | ] 19 | } 20 | ], 21 | "ConfigRuleIdentifier": "WAF_GLOBAL_WEBACL_NOT_EMPTY", 22 | "ControlOwner": "AWS Control Tower", 23 | "DeploymentMechanism": "AWS CloudFormation Hook", 24 | 
"DeploymentOwner": "AWS Control Tower", 25 | "Description": "This control checks whether an AWS WAF Classic global web ACL contains any WAF rules or rule groups.", 26 | "DisplayName": "Require any AWS WAF Classic global web ACL to have a rule or rule group", 27 | "DocumentationReferences": [ 28 | { 29 | "DisplayName": "Creating and configuring a Web Access Control List (Web ACL)", 30 | "Type": "AWS Documentation", 31 | "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl.html" 32 | } 33 | ], 34 | "EvaluatedResourceTypes": [ 35 | "AWS::WAF::WebACL" 36 | ], 37 | "EvaluatedServices": [ 38 | "AWS WAF" 39 | ], 40 | "Guidance": "Elective", 41 | "Id": "CT.WAF.PR.2", 42 | "ImplementationType": "CloudFormation guard rule", 43 | "MinimumSupportedRuntimeVersion": "2.1", 44 | "Objectives": [ 45 | { 46 | "Id": "CO.6", 47 | "Name": "Limit network access" 48 | } 49 | ], 50 | "RegionalPreference": "REGIONAL", 51 | "ReleaseDate": "2022-11-28", 52 | "RemediationMessage": "Provide one or more AWS WAF Classic rules within the 'Rules' property.", 53 | "Severity": "MEDIUM", 54 | "SupportedRegions": [ 55 | "af-south-1", 56 | "ap-east-1", 57 | "ap-northeast-1", 58 | "ap-northeast-2", 59 | "ap-northeast-3", 60 | "ap-south-1", 61 | "ap-south-2", 62 | "ap-southeast-1", 63 | "ap-southeast-2", 64 | "ap-southeast-3", 65 | "ap-southeast-4", 66 | "ca-central-1", 67 | "eu-central-1", 68 | "eu-central-2", 69 | "eu-north-1", 70 | "eu-south-1", 71 | "eu-south-2", 72 | "eu-west-1", 73 | "eu-west-2", 74 | "eu-west-3", 75 | "il-central-1", 76 | "me-central-1", 77 | "me-south-1", 78 | "sa-east-1", 79 | "us-east-1", 80 | "us-east-2", 81 | "us-west-1", 82 | "us-west-2" 83 | ], 84 | "TargetOuType": "CUSTOM", 85 | "Version": "1", 86 | "Visibility": "PUBLIC" 87 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/waf/ct-waf-regional-pr-1.metadata.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-4(21)", 8 | "SC-7", 9 | "SC-7(11)", 10 | "SC-7(16)", 11 | "SC-7(21)" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": "PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "6.6" 18 | ] 19 | } 20 | ], 21 | "ConfigRuleIdentifier": "WAF_REGIONAL_RULE_NOT_EMPTY", 22 | "ControlOwner": "AWS Control Tower", 23 | "DeploymentMechanism": "AWS CloudFormation Hook", 24 | "DeploymentOwner": "AWS Control Tower", 25 | "Description": "This control checks whether an AWS WAF Classic regional rule contains any conditions.", 26 | "DisplayName": "Require any AWS WAF Classic regional rule to have a condition", 27 | "DocumentationReferences": [ 28 | { 29 | "DisplayName": "Creating a rule and adding conditions", 30 | "Type": "AWS Documentation", 31 | "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-rules-creating.html" 32 | } 33 | ], 34 | "EvaluatedResourceTypes": [ 35 | "AWS::WAFRegional::Rule" 36 | ], 37 | "EvaluatedServices": [ 38 | "AWS WAF" 39 | ], 40 | "Guidance": "Elective", 41 | "Id": "CT.WAF-REGIONAL.PR.1", 42 | "ImplementationType": "CloudFormation guard rule", 43 | "MinimumSupportedRuntimeVersion": "2.1", 44 | "Objectives": [ 45 | { 46 | "Id": "CO.6", 47 | "Name": "Limit network access" 48 | } 49 | ], 50 | "RegionalPreference": "REGIONAL", 51 | "Relationships": [ 52 | { 53 | "ControlId": "SH.WAF.2", 54 | "ControlOwner": "AWS Security Hub", 55 | "RelationshipType": "Can be used with (Inclusive)" 56 | } 57 | ], 58 | "ReleaseDate": "2022-11-28", 59 | "RemediationMessage": "Provide one or more AWS WAF Classic regional rule conditions within the 'Predicates' property.", 60 | "Severity": "MEDIUM", 61 | "SupportedRegions": [ 62 | "af-south-1", 63 | "ap-east-1", 64 | "ap-northeast-1", 65 | "ap-northeast-2", 66 | "ap-northeast-3", 67 | 
"ap-south-1", 68 | "ap-south-2", 69 | "ap-southeast-1", 70 | "ap-southeast-2", 71 | "ap-southeast-3", 72 | "ap-southeast-4", 73 | "ca-central-1", 74 | "eu-central-1", 75 | "eu-central-2", 76 | "eu-north-1", 77 | "eu-south-1", 78 | "eu-south-2", 79 | "eu-west-1", 80 | "eu-west-2", 81 | "eu-west-3", 82 | "il-central-1", 83 | "me-central-1", 84 | "me-south-1", 85 | "sa-east-1", 86 | "us-east-1", 87 | "us-east-2", 88 | "us-west-1", 89 | "us-west-2" 90 | ], 91 | "TargetOuType": "CUSTOM", 92 | "Version": "1", 93 | "Visibility": "PUBLIC" 94 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/waf/ct-waf-regional-pr-2.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "6.6" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "WAF_REGIONAL_WEBACL_NOT_EMPTY", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether an AWS WAF Classic regional web ACL contains any WAF rules or rule groups.", 23 | "DisplayName": "Require any AWS WAF Classic regional web access control list (ACL) to have a rule or rule group", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Creating and configuring a Web Access Control List (Web ACL)", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::WAFRegional::WebACL" 33 | ], 34 | "EvaluatedServices": [ 35 | "AWS WAF" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.WAF-REGIONAL.PR.2", 39 | "ImplementationType": 
"CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.6", 44 | "Name": "Limit network access" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "Relationships": [ 49 | { 50 | "ControlId": "SH.WAF.4", 51 | "ControlOwner": "AWS Security Hub", 52 | "RelationshipType": "Can be used with (Inclusive)" 53 | } 54 | ], 55 | "ReleaseDate": "2022-11-28", 56 | "RemediationMessage": "Provide one or more AWS WAF Classic rules within the 'Rules' property.", 57 | "Severity": "MEDIUM", 58 | "SupportedRegions": [ 59 | "af-south-1", 60 | "ap-east-1", 61 | "ap-northeast-1", 62 | "ap-northeast-2", 63 | "ap-northeast-3", 64 | "ap-south-1", 65 | "ap-south-2", 66 | "ap-southeast-1", 67 | "ap-southeast-2", 68 | "ap-southeast-3", 69 | "ap-southeast-4", 70 | "ca-central-1", 71 | "eu-central-1", 72 | "eu-central-2", 73 | "eu-north-1", 74 | "eu-south-1", 75 | "eu-south-2", 76 | "eu-west-1", 77 | "eu-west-2", 78 | "eu-west-3", 79 | "il-central-1", 80 | "me-central-1", 81 | "me-south-1", 82 | "sa-east-1", 83 | "us-east-1", 84 | "us-east-2", 85 | "us-west-1", 86 | "us-west-2" 87 | ], 88 | "TargetOuType": "CUSTOM", 89 | "Version": "1", 90 | "Visibility": "PUBLIC" 91 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/waf/ct-wafv2-pr-1.metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "AC-4(21)", 8 | "SC-7", 9 | "SC-7(11)", 10 | "SC-7(16)", 11 | "SC-7(21)" 12 | ] 13 | }, 14 | { 15 | "ComplianceFramework": "PCI DSS version 3.2.1", 16 | "Ids": [ 17 | "6.6" 18 | ] 19 | } 20 | ], 21 | "ConfigRuleIdentifier": "WAF_GLOBAL_WEBACL_NOT_EMPTY", 22 | "ControlOwner": "AWS Control Tower", 23 | "DeploymentMechanism": "AWS CloudFormation Hook", 24 | "DeploymentOwner": "AWS Control Tower", 25 | 
"Description": "This control checks whether an AWS WAF web ACL contains any WAF rules or WAF rule groups.", 26 | "DisplayName": "Require an AWS WAF web ACL to be non-empty", 27 | "DocumentationReferences": [ 28 | { 29 | "DisplayName": "Working with web ACLs", 30 | "Type": "AWS Documentation", 31 | "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-working-with.html" 32 | } 33 | ], 34 | "EvaluatedResourceTypes": [ 35 | "AWS::WAFv2::WebACL" 36 | ], 37 | "EvaluatedServices": [ 38 | "AWS WAF" 39 | ], 40 | "Guidance": "Elective", 41 | "Id": "CT.WAFV2.PR.1", 42 | "ImplementationType": "CloudFormation guard rule", 43 | "MinimumSupportedRuntimeVersion": "2.1", 44 | "Objectives": [ 45 | { 46 | "Id": "CO.6", 47 | "Name": "Limit network access" 48 | } 49 | ], 50 | "RegionalPreference": "REGIONAL", 51 | "Relationships": [ 52 | { 53 | "ControlId": "SH.WAF.10", 54 | "ControlOwner": "AWS Security Hub", 55 | "RelationshipType": "Can be used with (Inclusive)" 56 | } 57 | ], 58 | "ReleaseDate": "2022-11-28", 59 | "RemediationMessage": "Provide one or more AWS WAF rules within the 'Rules' property.", 60 | "Severity": "MEDIUM", 61 | "SupportedRegions": [ 62 | "af-south-1", 63 | "ap-east-1", 64 | "ap-northeast-1", 65 | "ap-northeast-2", 66 | "ap-northeast-3", 67 | "ap-south-1", 68 | "ap-south-2", 69 | "ap-southeast-1", 70 | "ap-southeast-2", 71 | "ap-southeast-3", 72 | "ap-southeast-4", 73 | "ca-central-1", 74 | "eu-central-1", 75 | "eu-central-2", 76 | "eu-north-1", 77 | "eu-south-1", 78 | "eu-south-2", 79 | "eu-west-1", 80 | "eu-west-2", 81 | "eu-west-3", 82 | "il-central-1", 83 | "me-central-1", 84 | "me-south-1", 85 | "sa-east-1", 86 | "us-east-1", 87 | "us-east-2", 88 | "us-west-1", 89 | "us-west-2" 90 | ], 91 | "TargetOuType": "CUSTOM", 92 | "Version": "1", 93 | "Visibility": "PUBLIC" 94 | } -------------------------------------------------------------------------------- /rules/control-tower/metadata/waf/ct-wafv2-pr-2.metadata.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "Behavior": "PROACTIVE", 3 | "ComplianceFrameworkMappings": [ 4 | { 5 | "ComplianceFramework": "NIST 800-53 Rev 5", 6 | "Ids": [ 7 | "CA-9(1)", 8 | "CM-2" 9 | ] 10 | }, 11 | { 12 | "ComplianceFramework": "PCI DSS version 3.2.1", 13 | "Ids": [ 14 | "6.6" 15 | ] 16 | } 17 | ], 18 | "ConfigRuleIdentifier": "WAF_GLOBAL_RULEGROUP_NOT_EMPTY", 19 | "ControlOwner": "AWS Control Tower", 20 | "DeploymentMechanism": "AWS CloudFormation Hook", 21 | "DeploymentOwner": "AWS Control Tower", 22 | "Description": "This control checks whether AWS WAF rule groups contain rules.", 23 | "DisplayName": "Require an AWS WAF rule group to be non-empty", 24 | "DocumentationReferences": [ 25 | { 26 | "DisplayName": "Rule groups", 27 | "Type": "AWS Documentation", 28 | "Url": "https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html" 29 | } 30 | ], 31 | "EvaluatedResourceTypes": [ 32 | "AWS::WAFv2::RuleGroup" 33 | ], 34 | "EvaluatedServices": [ 35 | "AWS WAF" 36 | ], 37 | "Guidance": "Elective", 38 | "Id": "CT.WAFV2.PR.2", 39 | "ImplementationType": "CloudFormation guard rule", 40 | "MinimumSupportedRuntimeVersion": "2.1", 41 | "Objectives": [ 42 | { 43 | "Id": "CO.6", 44 | "Name": "Limit network access" 45 | } 46 | ], 47 | "RegionalPreference": "REGIONAL", 48 | "ReleaseDate": "2022-11-28", 49 | "RemediationMessage": "Provide one or more AWS WAF rules within the 'Rules' property.", 50 | "Severity": "MEDIUM", 51 | "SupportedRegions": [ 52 | "af-south-1", 53 | "ap-east-1", 54 | "ap-northeast-1", 55 | "ap-northeast-2", 56 | "ap-northeast-3", 57 | "ap-south-1", 58 | "ap-south-2", 59 | "ap-southeast-1", 60 | "ap-southeast-2", 61 | "ap-southeast-3", 62 | "ap-southeast-4", 63 | "ca-central-1", 64 | "eu-central-1", 65 | "eu-central-2", 66 | "eu-north-1", 67 | "eu-south-1", 68 | "eu-south-2", 69 | "eu-west-1", 70 | "eu-west-2", 71 | "eu-west-3", 72 | "il-central-1", 73 | "me-central-1", 74 | 
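"me-south-1", 75 | "sa-east-1", 76 | "us-east-1", 77 | "us-east-2", 78 | "us-west-1", 79 | "us-west-2" 80 | ], 81 | "TargetOuType": "CUSTOM", 82 | "Version": "1", 83 | "Visibility": "PUBLIC" 84 | } -------------------------------------------------------------------------------- /src/index.ts: -------------------------------------------------------------------------------- 1 | export * from './plugin'; 2 | -------------------------------------------------------------------------------- /src/utils.ts: --------------------------------------------------------------------------------
import { spawnSync } from 'child_process';

/**
 * Our own execute function which doesn't use shells and strings.
 *
 * The program is spawned directly (no shell), so `commandLine` entries are
 * passed as-is and are never re-parsed or quoted. STDIN is closed, STDOUT is
 * always captured, and STDERR is captured unless `options.verbose` is set, in
 * which case the child writes straight to our own STDERR.
 *
 * @param commandLine the program followed by its arguments; must be non-empty
 * @param options `cwd` for the child, `env` merged over (and overriding)
 *   `process.env`, `json` to parse STDOUT, `verbose` to inherit STDERR
 * @returns the trimmed STDOUT as a string, or — when `options.json` is set —
 *   the parsed JSON document (`{}` when STDOUT is empty). Typed `any` because
 *   callers consume the parsed document as a plain object.
 * @throws the spawn error when the process could not be started; an Error when
 *   the process exits with a status other than 0, 5 or 19 or dies on a signal;
 *   an Error when `options.json` is set and STDOUT is not valid JSON
 */
export function exec(commandLine: string[], options: { cwd?: string; json?: boolean; verbose?: boolean; env?: NodeJS.ProcessEnv } = { }): any {
  const [program, ...args] = commandLine;
  // spawnSync(undefined, ...) would fail with an unhelpful TypeError.
  if (program === undefined) {
    throw new Error('exec: commandLine must contain at least the program to run');
  }

  const proc = spawnSync(program, args, {
    stdio: ['ignore', 'pipe', options.verbose ? 'inherit' : 'pipe'], // inherit STDERR in verbose mode
    env: {
      ...process.env,
      ...options.env,
    },
    cwd: options.cwd,
  });

  if (proc.error) { throw proc.error; }

  // cfn-guard uses 5 & 19 when there are policy validation failures
  if (proc.status !== 0 && proc.status !== 5 && proc.status !== 19) {
    // proc.stderr (not process.stderr) is null when STDERR was inherited in
    // verbose mode; the child has already written it to our STDERR then.
    if (proc.stderr) {
      process.stderr.write(proc.stderr);
    }
    throw new Error(`Command exited with ${proc.status ? `status ${proc.status}` : `signal ${proc.signal}`}`);
  }

  const output = proc.stdout.toString('utf-8').trim();

  if (!options.json) {
    return output;
  }
  if (output.length === 0) { return {}; }

  try {
    return JSON.parse(output);
  } catch {
    // eslint-disable-next-line no-console
    console.error('Not JSON: ' + output);
    throw new Error('Command output is not JSON');
  }
}
-------------------------------------------------------------------------------- /test/constants.ts: -------------------------------------------------------------------------------- 1 | export const GUARD_RULE_VALIDATION_FAILED_MESSAGE_PATTERN = /Validation failed. See the validation report above for details/i; -------------------------------------------------------------------------------- /test/integ.plugin.ts: -------------------------------------------------------------------------------- 1 | import { App, Stack, StackProps, aws_s3 as s3 } from 'aws-cdk-lib'; 2 | // eslint-disable-next-line import/no-extraneous-dependencies 3 | import { Construct } from 'constructs'; 4 | import { CfnGuardValidator } from '../src'; 5 | 6 | /** 7 | * This is not a real integ test since we are not deploying anything 8 | * This can be used to manually test the plugin and view the output 9 | */ 10 | 11 | const app = new App({ 12 | policyValidationBeta1: [new CfnGuardValidator({ 13 | disabledRules: [ 14 | 'ct-s3-pr-6', 15 | 'ct-s3-pr-4', 16 | 'ct-s3-pr-2', 17 | ], 18 | })], 19 | context: { 20 | '@aws-cdk/aws-lambda:recognizeLayerVersion': 'true', 21 | '@aws-cdk/core:checkSecretUsage': 'true', 22 | '@aws-cdk-containers/ecs-service-extensions:enableDefaultLogDriver': 'true', 23 | '@aws-cdk/aws-ec2:uniqueImdsv2TemplateName': 'true', 24 | '@aws-cdk/aws-ecs:arnFormatIncludesClusterName': 'true', 25 | '@aws-cdk/aws-iam:minimizePolicies': 'true', 26 | '@aws-cdk/core:validateSnapshotRemovalPolicy': 'true', 27 | 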
'@aws-cdk/aws-codepipeline:crossAccountKeyAliasStackSafeResourceName': 'true', 28 | '@aws-cdk/aws-s3:createDefaultLoggingPolicy': 'true', 29 | '@aws-cdk/aws-sns-subscriptions:restrictSqsDescryption': 'true', 30 | '@aws-cdk/aws-apigateway:disableCloudWatchRole': 'true', 31 | '@aws-cdk/core:enablePartitionLiterals': 'true', 32 | '@aws-cdk/aws-events:eventsTargetQueueSameAccount': 'true', 33 | '@aws-cdk/aws-iam:standardizedServicePrincipals': 'true', 34 | '@aws-cdk/aws-ecs:disableExplicitDeploymentControllerForCircuitBreaker': 'true', 35 | '@aws-cdk/aws-iam:importedRoleStackSafeDefaultPolicyName': 'true', 36 | '@aws-cdk/aws-s3:serverAccessLogsUseBucketPolicy': 'true', 37 | }, 38 | }); 39 | 40 | 41 | class MyConstruct extends Construct { 42 | constructor(scope: Construct, id: string) { 43 | super(scope, id); 44 | new s3.Bucket(this as any, 'Bucket', { 45 | blockPublicAccess: { 46 | blockPublicAcls: true, 47 | blockPublicPolicy: true, 48 | ignorePublicAcls: true, 49 | restrictPublicBuckets: true, 50 | }, 51 | }); 52 | } 53 | } 54 | 55 | export class MyStack extends Stack { 56 | constructor(scope: Construct, id: string, props?: StackProps) { 57 | super(scope as any, id, props); 58 | new MyConstruct(this as any, 'MyConstruct'); 59 | } 60 | } 61 | 62 | new MyStack(app as any, 'MyStack'); 63 | -------------------------------------------------------------------------------- /test/rules/control-tower/metadata.test.ts: -------------------------------------------------------------------------------- 1 | import { join } from 'path'; 2 | import { pathExists } from 'fs-extra'; 3 | import klaw from 'klaw'; 4 | 5 | describe('Metadata files', () => { 6 | test('a metadata file exists for each rule file', async () => { 7 | for await (const ruleFile of klaw(join(__dirname, '../../../rules/control-tower/cfn-guard'))) { 8 | if (ruleFile.stats.isDirectory()) { continue; } 9 | const metadataPath = ruleFile.path 10 | .replace('/control-tower/cfn-guard/', '/control-tower/metadata/') 11 | 
.replace('.guard', '.metadata.json'); 12 | console.log(metadataPath); 13 | expect(await pathExists(metadataPath)).toBe(true); 14 | } 15 | }); 16 | 17 | test('a guard file exists for each metadata file', async () => { 18 | for await (const metadataFile of klaw(join(__dirname, '../../../rules/control-tower/metadata'))) { 19 | if (metadataFile.stats.isDirectory()) { continue; } 20 | const ruleFilePath = metadataFile.path 21 | .replace('/control-tower/metadata/', '/control-tower/cfn-guard/') 22 | .replace('.metadata.json', '.guard'); 23 | console.log(ruleFilePath); 24 | expect(await pathExists(ruleFilePath)).toBe(true); 25 | } 26 | }); 27 | }); -------------------------------------------------------------------------------- /test/rules/control-tower/rds/ct-rds-pr-16.test.ts: -------------------------------------------------------------------------------- 1 | import * as fs from 'fs'; 2 | import * as path from 'path'; 3 | import { join } from 'path'; 4 | import { 5 | App, 6 | Stack, 7 | } from 'aws-cdk-lib'; 8 | import { 9 | Vpc, 10 | } from 'aws-cdk-lib/aws-ec2'; 11 | import { DatabaseCluster, DatabaseClusterEngine } from 'aws-cdk-lib/aws-rds'; 12 | import { CfnGuardValidator } from '../../../../src'; 13 | 14 | beforeEach(() => { 15 | jest.spyOn(console, 'error').mockImplementation(() => { }); 16 | jest.spyOn(console, 'log').mockImplementation(() => { }); 17 | }); 18 | 19 | const GUARD_RULE_CHECK_NAME = 'rds_cluster_storage_encrypted_check'; 20 | const GUARD_RULE_PATH = join(__dirname, '../../../../rules/control-tower/cfn-guard/rds/ct-rds-pr-16.guard'); 21 | const VALIDATOR_CONFIG = { rules: [GUARD_RULE_PATH], controlTowerRulesEnabled: false }; 22 | 23 | describe('CT.RDS.PR.16', () => { 24 | test('Scenario 5a validation succeeds', () => { 25 | // GIVEN 26 | const app = new App({ 27 | policyValidationBeta1: [ 28 | new CfnGuardValidator(VALIDATOR_CONFIG), 29 | ], 30 | context: { 31 | '@aws-cdk/core:validationReportJson': true, 32 | }, 33 | }); 34 | 35 | // WHEN 36 | 
const stack = new Stack(app, 'Stack'); 37 | new DatabaseCluster(stack, 'DbCluster', { 38 | engine: DatabaseClusterEngine.AURORA, 39 | instanceProps: { vpc: new Vpc(stack, 'Vpc') }, 40 | storageEncrypted: true, 41 | }); 42 | 43 | // THEN 44 | expect(() => { 45 | app.synth(); 46 | }).not.toThrow(); 47 | 48 | const report = JSON.parse(fs.readFileSync(path.join(app.outdir, 'policy-validation-report.json')).toString('utf-8').trim()); 49 | const rules = report.pluginReports.flatMap((r: any) => r.violations.flatMap((v: any) => v.ruleName)); 50 | expect(rules).not.toContain( 51 | GUARD_RULE_CHECK_NAME, 52 | ); 53 | }); 54 | 55 | test('Scenario 4a validation fails', () => { 56 | // GIVEN 57 | const app = new App({ 58 | policyValidationBeta1: [ 59 | new CfnGuardValidator(VALIDATOR_CONFIG), 60 | ], 61 | context: { 62 | '@aws-cdk/core:validationReportJson': true, 63 | }, 64 | }); 65 | 66 | // WHEN 67 | const stack = new Stack(app, 'Stack'); 68 | new DatabaseCluster(stack, 'DbCluster', { 69 | engine: DatabaseClusterEngine.AURORA, 70 | instanceProps: { vpc: new Vpc(stack, 'Vpc') }, 71 | storageEncrypted: false, 72 | }); 73 | 74 | // THEN 75 | app.synth(); 76 | expect(process.exitCode).toEqual(1); 77 | 78 | const report = JSON.parse(fs.readFileSync(path.join(app.outdir, 'policy-validation-report.json')).toString('utf-8').trim()); 79 | const rules = report.pluginReports.flatMap((r: any) => r.violations.flatMap((v: any) => v.ruleName)); 80 | expect(rules).toContain( 81 | GUARD_RULE_CHECK_NAME, 82 | ); 83 | }); 84 | }); 85 | -------------------------------------------------------------------------------- /test/rules/control-tower/s3/ct-s3-pr-2.test.ts: -------------------------------------------------------------------------------- 1 | import * as fs from 'fs'; 2 | import * as path from 'path'; 3 | import { join } from 'path'; 4 | import { 5 | App, 6 | Stack, 7 | aws_s3 as s3, 8 | } from 'aws-cdk-lib'; 9 | import { CfnGuardValidator } from '../../../../src'; 10 | 11 | const 
GUARD_RULE_CHECK_NAME = 's3_bucket_logging_enabled_check'; 12 | const GUARD_RULE_PATH = join(__dirname, '../../../../rules/control-tower/cfn-guard/s3/ct-s3-pr-2.guard'); 13 | const VALIDATOR_CONFIG = { rules: [GUARD_RULE_PATH], controlTowerRulesEnabled: false }; 14 | 15 | beforeEach(() => { 16 | jest.spyOn(console, 'error').mockImplementation(() => { }); 17 | jest.spyOn(console, 'log').mockImplementation(() => { }); 18 | }); 19 | describe('CT.S3.PR.2', () => { 20 | test('Scenario 5 validation succeeds', () => { 21 | // GIVEN 22 | const app = new App({ 23 | policyValidationBeta1: [ 24 | new CfnGuardValidator(VALIDATOR_CONFIG), 25 | ], 26 | context: { 27 | '@aws-cdk/core:validationReportJson': true, 28 | }, 29 | }); 30 | // WHEN 31 | const stack = new Stack(app, 'Stack'); 32 | new s3.Bucket(stack, 'access-bucket', { serverAccessLogsBucket: s3.Bucket.fromBucketName(stack, 'loggingbucket', 'inceptionbucket') }); 33 | 34 | // THEN 35 | expect(() => { 36 | app.synth(); 37 | }).not.toThrow(); 38 | 39 | const report = JSON.parse(fs.readFileSync(path.join(app.outdir, 'policy-validation-report.json')).toString('utf-8').trim()); 40 | const rules = report.pluginReports.flatMap((r: any) => r.violations.flatMap((v: any) => v.ruleName)); 41 | expect(rules).not.toContain( 42 | GUARD_RULE_CHECK_NAME, 43 | ); 44 | }); 45 | 46 | test('Scenario 2 validation fails', () => { 47 | // GIVEN 48 | const app = new App({ 49 | policyValidationBeta1: [ 50 | new CfnGuardValidator(VALIDATOR_CONFIG), 51 | ], 52 | context: { 53 | '@aws-cdk/core:validationReportJson': true, 54 | }, 55 | }); 56 | 57 | // WHEN 58 | const stack = new Stack(app, 'Stack'); 59 | new s3.Bucket(stack, 'Bucket'); 60 | // THEN 61 | app.synth(); 62 | expect(process.exitCode).toEqual(1); 63 | const report = JSON.parse(fs.readFileSync(path.join(app.outdir, 'policy-validation-report.json')).toString('utf-8').trim()); 64 | const rules = report.pluginReports.flatMap((r: any) => r.violations.flatMap((v: any) => v.ruleName)); 65 | 
expect(rules).toContain( 66 | GUARD_RULE_CHECK_NAME, 67 | ); 68 | }); 69 | }); 70 | -------------------------------------------------------------------------------- /test/test-data/guard-unresolved-rule-check.json: -------------------------------------------------------------------------------- 1 | [{ 2 | "name": "mytemplate.json", 3 | "metadata": {}, 4 | "status": "FAIL", 5 | "not_compliant": [ 6 | { 7 | "Rule": { 8 | "name": "s3_bucket_level_public_access_prohibited_check", 9 | "metadata": {}, 10 | "messages": { 11 | "custom_message": null, 12 | "error_message": null 13 | }, 14 | "checks": [ 15 | { 16 | "Rule": { 17 | "name": "check", 18 | "metadata": {}, 19 | "messages": { 20 | "custom_message": "\n [CT.S3.PR.1]: Require an Amazon S3 bucket to have block public access settings configured\n [FIX]: The parameters 'BlockPublicAcls', 'BlockPublicPolicy', 'IgnorePublicAcls', 'RestrictPublicBuckets' must be set to true under the bucket-level 'PublicAccessBlockConfiguration'.\n ", 21 | "error_message": null 22 | }, 23 | "checks": [ 24 | { 25 | "Block": { 26 | "context": "GuardBlockAccessClause#Location[file:ct-s3-pr-1.guard, line:89, column:5]", 27 | "messages": { 28 | "custom_message": "", 29 | "error_message": "Check was not compliant as property [Properties] is missing. 
Value traversed to [Path=/Resources/MyCustomL3ConstructBucket8C61BCA7[L:2,C:39] Value={\"Type\":\"AWS::S3::Bucket\",\"UpdateReplacePolicy\":\"Retain\",\"DeletionPolicy\":\"Retain\",\"Metadata\":{\"aws:cdk:path\":\"CdkTestAppStack/MyCustomL3Construct/Bucket/Resource\"}}]" 30 | }, 31 | "unresolved": { 32 | "traversed_to": { 33 | "path": "/Resources/MyCustomL3ConstructBucket8C61BCA7", 34 | "value": { 35 | "Type": "AWS::S3::Bucket", 36 | "UpdateReplacePolicy": "Retain", 37 | "DeletionPolicy": "Retain", 38 | "Metadata": { 39 | "aws:cdk:path": "CdkTestAppStack/MyCustomL3Construct/Bucket/Resource" 40 | } 41 | } 42 | }, 43 | "remaining_query": "Properties", 44 | "reason": "Could not find key Properties inside struct at path /Resources/MyCustomL3ConstructBucket8C61BCA7[L:2,C:39]" 45 | } 46 | } 47 | } 48 | ] 49 | } 50 | } 51 | ] 52 | } 53 | } 54 | ], 55 | "not_applicable": [ 56 | "s3_bucket_level_public_access_prohibited_check" 57 | ], 58 | "compliant": [] 59 | }] 60 | -------------------------------------------------------------------------------- /tsconfig.dev.json: -------------------------------------------------------------------------------- 1 | // ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen". 
2 | { 3 | "compilerOptions": { 4 | "alwaysStrict": true, 5 | "declaration": true, 6 | "esModuleInterop": true, 7 | "experimentalDecorators": true, 8 | "inlineSourceMap": true, 9 | "inlineSources": true, 10 | "lib": [ 11 | "es2020" 12 | ], 13 | "module": "CommonJS", 14 | "noEmitOnError": false, 15 | "noFallthroughCasesInSwitch": true, 16 | "noImplicitAny": true, 17 | "noImplicitReturns": true, 18 | "noImplicitThis": true, 19 | "noUnusedLocals": true, 20 | "noUnusedParameters": true, 21 | "resolveJsonModule": true, 22 | "strict": true, 23 | "strictNullChecks": true, 24 | "strictPropertyInitialization": true, 25 | "stripInternal": true, 26 | "target": "ES2020" 27 | }, 28 | "include": [ 29 | "src/**/*.ts", 30 | "test/**/*.ts", 31 | ".projenrc.ts", 32 | "projenrc/**/*.ts" 33 | ], 34 | "exclude": [ 35 | "node_modules" 36 | ] 37 | } 38 | --------------------------------------------------------------------------------