forked from eijikominami/aws-cloudformation-templates
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsecurity-standards.ruleset
57 lines (41 loc) · 3.28 KB
/
security-standards.ruleset
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# AWS CloudFormation Guard Rules.
# https://github.com/aws-cloudformation/cloudformation-guard
#
# CIS AWS Foundations Benchmark controls
# AWS Foundational Security Best Practices controls
# [CIS 2.1] Ensure CloudTrail is enabled in all Regions
# [CloudTrail.1] CloudTrail should be enabled and configured with at least one multi-Region trail
AWS::CloudTrail::Trail IsMultiRegionTrail == true << CloudTrail trails should cover all regions
# [CIS 2.2] Ensure CloudTrail log file validation is enabled
AWS::CloudTrail::Trail IsLogging == true << CloudTrail logging should be enabled
AWS::CloudTrail::Trail EnableLogFileValidation == true << CloudTrail file validation should be enabled
# [CIS 2.4] Ensure CloudTrail trails are integrated with Amazon CloudWatch Logs
AWS::CloudTrail::Trail CloudWatchLogsLogGroupArn == /.*/ << CloudTrail trails should be integrated with Amazon CloudWatch Logs
# [CloudTrail.2] CloudTrail should have encryption at-rest enabled
AWS::CloudTrail::Trail KMSKeyId == /.*/ << CloudTrail trails should encrypt the logs delivered by it.
# [DMS.1] Database Migration Service replication instances should not be public
AWS::DMS::ReplicationInstance PubliclyAccessible == false << DMS instance should not be publicly accessible
# [EC2.3] Attached EBS volumes should be encrypted at-rest
AWS::EC2::Volume Encrypted == true << EC2 volumes should be encrypted
AWS::EC2::Instance BlockDeviceMappings.*.Ebs.Encrypted == true << EC2 volumes should be encrypted
# [CIS 4.1] Ensure no security groups allow ingress from 0.0.0.0/0 to port 22
AWS::EC2::SecurityGroup WHEN SecurityGroupIngress.*.ToPort == 22 CHECK SecurityGroupIngress.*.CidrIp != 0.0.0.0/0
# [CIS 4.2] Ensure no security groups allow ingress from 0.0.0.0/0 to port 3389
AWS::EC2::SecurityGroup WHEN SecurityGroupIngress.*.ToPort == 3389 CHECK SecurityGroupIngress.*.CidrIp != 0.0.0.0/0
# [ES.1] Elasticsearch domains should have encryption at-rest enabled
AWS::Elasticsearch::Domain EncryptionAtRestOptions.Enabled == true << Domain encryption should be enabled
# [GuardDuty.1] GuardDuty should be enabled
AWS::GuardDuty::Detector Enable == true << Detector should be enabled
# [CIS 1.22] Ensure IAM policies that allow full "*:*" administrative privileges are not created
# [IAM.1] IAM policies should not allow full "*" administrative privileges
AWS::IAM::Role Policies.*.PolicyDocument.Statement.*.Action.* != \* << IAM Role should not allow full "*" administrative privileges
# [CIS 2.8] Ensure rotation for customer-created CMKs is enabled
AWS::KMS::Key EnableKeyRotation == true << Key rotation should be enabled
# [RDS.2] RDS DB instances should prohibit public access, determined by the PubliclyAccessible configuration
AWS::RDS::DBInstance PubliclyAccessible == false << Databasae should not be publicly accessible
# [RDS.3] RDS DB instances should have encryption at-rest enabled
AWS::RDS::DBInstance StorageEncrypted == true << Storage encryption should be enabled
# [S3.4] S3 buckets should have server-side encryption enabled
AWS::S3::Bucket BucketEncryption.ServerSideEncryptionConfiguration == /.*/ << S3 bucket encryption should be enabled
# [SageMaker.1] SageMaker notebook instances should not have direct internet access
AWS::SageMaker::NotebookInstance DirectInternetAccess == Disabled << Notebooks should not have direct internet access