io.github.cdklabs.cdkvalidatorcfnguard.package-info
/**
* CDK CFN Guard Validator Plugin
*
* ---
*
* The APIs of higher level constructs in this module are experimental and under active development.
* They are subject to non-backward compatible changes or removal in any future version. These are
* not subject to the Semantic Versioning model and breaking changes will be
* announced in the release notes. This means that while you may use them, you may need to update
* your source code when upgrading to a newer version of this package.
*
* Installing
*
* TypeScript/JavaScript
*
* npm install @cdklabs/cdk-validator-cfnguard
*
* Python
*
* pip install cdklabs.cdk-validator-cfnguard
*
* Java
*
* // add this to your pom.xml
* <dependency>
*     <groupId>io.github.cdklabs</groupId>
*     <artifactId>cdk-validator-cfnguard</artifactId>
*     <version>0.0.0</version> // replace with version
* </dependency>
*
* .NET
*
* dotnet add package Cdklabs.CdkValidatorCfnGuard --version X.X.X
*
* Usage
*
* To use this plugin in your CDK application, add it to the CDK App.
*
* App.Builder.create()
*     .policyValidationBeta1(List.of(
*         new CfnGuardValidator()))
*     .build();
*
* By default the CfnGuardValidator plugin comes with the Control Tower proactive controls
* enabled. In order to disable these rules you can use the controlTowerRulesEnabled: false property.
*
* CfnGuardValidator.Builder.create()
*     .controlTowerRulesEnabled(false)
*     .build();
*
* It is also possible to disable individual rules.
*
* CfnGuardValidator.Builder.create()
*     .disabledRules(List.of("ct-s3-pr-1"))
*     .build();
*
* Additional rules
*
* To provide additional rules to the plugin, provide a list of local
* file or directory paths.
*
* CfnGuardValidator.Builder.create()
*     .rules(List.of("path/to/local-rules-directory", "path/to/s3/local-rules/my-rule.guard"))
*     .build();
*
*
* If the path provided is a directory then the directory must only
* contain guard rule files, and all rules within the directory will be used.
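*
* The following is an added example, not part of this package's own documentation, that wires the
* steps above into one CDK app: it keeps the bundled Control Tower rules enabled, disables a single
* rule, adds a local rules directory, and defines an EC2 launch template that satisfies
* CT.EC2.PR.1 (IMDSv2) and CT.EC2.PR.2 (hop limit of one) from the table below using literal
* values rather than parameter references. The package name com.example, the stack name
* WorkloadStack and the rules path guard/org-rules are assumptions made for the example.

```java
package com.example; // assumed package name for this example

import java.util.List;

import io.github.cdklabs.cdkvalidatorcfnguard.CfnGuardValidator;
import software.amazon.awscdk.App;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.ec2.CfnLaunchTemplate;
import software.constructs.Construct;

public final class GuardedApp {

    /** Stack whose launch template is written to pass CT.EC2.PR.1 and CT.EC2.PR.2. */
    static final class WorkloadStack extends Stack {
        WorkloadStack(final Construct scope, final String id) {
            super(scope, id);
            CfnLaunchTemplate.Builder.create(this, "WebTemplate")
                .launchTemplateData(CfnLaunchTemplate.LaunchTemplateDataProperty.builder()
                    .instanceType("t3.micro")
                    // CT.EC2.PR.1 wants IMDSv2 only; CT.EC2.PR.2 wants a hop limit of at most one.
                    // Both are given as literals: the bundled guard rules evaluate a limited subset
                    // of CloudFormation syntax, so a Ref to a stack parameter here may not be
                    // recognised even when the deployed value would be compliant.
                    .metadataOptions(CfnLaunchTemplate.MetadataOptionsProperty.builder()
                        .httpTokens("required")
                        .httpPutResponseHopLimit(1)
                        .build())
                    .build())
                .build();
        }
    }

    public static void main(final String[] args) {
        CfnGuardValidator validator = CfnGuardValidator.Builder.create()
            // Bundled Control Tower proactive controls stay on (this is also the default).
            .controlTowerRulesEnabled(true)
            // Disable one bundled rule by id, as the usage section shows.
            .disabledRules(List.of("ct-s3-pr-1"))
            // Assumed local directory that must contain only .guard rule files.
            .rules(List.of("guard/org-rules"))
            .build();

        App app = App.Builder.create()
            .policyValidationBeta1(List.of(validator))
            .build();
        new WorkloadStack(app, "WorkloadStack");
        // Validation runs as part of synthesis, so violations surface here or under cdk synth.
        app.synth();
    }
}
```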
*
*
* Using the bundled Control Tower proactive controls in CDK
*
* The bundled Control Tower proactive controls use CloudFormation Guard
* policies that are also used in managed controls from the Control Tower
* service. You can use these CDK bundled controls without having a Control
* Tower environment in AWS, but there are many benefits to using the two together.
*
* When you enable Control Tower proactive controls in your Control Tower environment,
* the controls can stop the deployment of non-compliant resources deployed via
* CloudFormation. For more information about managed proactive controls and how they work,
* see the Control Tower documentation.
*
* These CDK bundled controls and managed Control Tower proactive controls are best used together.
* In this scenario you can configure this validation plugin with the same proactive controls that
* are active in your Control Tower cloud environment. You can then quickly gain confidence
* that your CDK application will pass the Control Tower controls by running cdk synth locally
* or in a pipeline as described above.
*
* Regardless of whether you or your organization use Control Tower, however, you should
* understand the following things about these bundled controls when run locally using this plugin:
*
*
* - These CloudFormation guard policies accept a limited subset of CloudFormation syntax
* for the properties they evaluate. For instance, a property called EncryptionEnabled may
* pass if it is specified with the literal value true, but it may fail if it is specified with
* a reference to a CloudFormation stack parameter instead. Similarly, if a rule checks for a string
* value, it may fail for Fn::Join objects. If you discover that a rule can be bypassed with a
* particular configuration of a resource, please file an issue.
* - Some rules may check references to other resources, but this reference checking is limited.
* For instance, a rule may require that an access logging bucket is specified for each S3 bucket.
* In this case, the rule can check whether you have passed a reference to a bucket in the same
* template, but it cannot verify that a hardcoded bucket name like "examplebucket" actually refers
* to a real bucket or a bucket you own.
*
*
* You can add a layer of security protection by enabling the same proactive controls in your Control Tower
* cloud environment. There are different considerations for using these controls since they operate in a
* different way. For more information, see the Control Tower proactive controls documentation.
*
* If you do not yet have a Control Tower environment, see What is AWS Control Tower?.
*
*
* Bundled Control Tower Rules
*
* | ID | Name | Evaluated Resource Types |
* | --- | --- | --- |
* | CT.ACM.PR.1 | Require an AWS Private CA certificate to have a single domain name | AWS::CertificateManager::Certificate |
* | CT.APIGATEWAY.PR.1 | Require an Amazon API Gateway REST and WebSocket API to have logging activated | AWS::ApiGateway::Stage |
* | CT.APIGATEWAY.PR.2 | Require an Amazon API Gateway REST API stage to have AWS X-Ray tracing activated | AWS::ApiGateway::Stage |
* | CT.APIGATEWAY.PR.3 | Require that an Amazon API Gateway REST API stage has encryption at rest configured for cache data | AWS::ApiGateway::Stage |
* | CT.APIGATEWAY.PR.4 | Require an Amazon API Gateway V2 stage to have access logging activated | AWS::ApiGatewayV2::Stage |
* | CT.APIGATEWAY.PR.5 | Require Amazon API Gateway V2 Websocket and HTTP routes to specify an authorization type | AWS::ApiGatewayV2::Route, AWS::ApiGatewayV2::ApiGatewayManagedOverrides |
* | CT.APIGATEWAY.PR.6 | Require an Amazon API Gateway REST domain to use a security policy that specifies a minimum TLS protocol version of TLSv1.2 | AWS::ApiGateway::DomainName |
* | CT.APPSYNC.PR.1 | Require an AWS AppSync GraphQL API to have logging enabled | AWS::AppSync::GraphQLApi |
* | CT.APPSYNC.PR.2 | Require an AWS AppSync GraphQL API to be configured with private visibility | AWS::AppSync::GraphQLApi |
* | CT.APPSYNC.PR.3 | Require that an AWS AppSync GraphQL API is not authenticated with API keys | AWS::AppSync::GraphQLApi |
* | CT.APPSYNC.PR.4 | Require an AWS AppSync GraphQL API cache to have encryption in transit enabled | AWS::AppSync::ApiCache |
* | CT.APPSYNC.PR.5 | Require an AWS AppSync GraphQL API cache to have encryption at rest enabled | AWS::AppSync::ApiCache |
* | CT.ATHENA.PR.1 | Require an Amazon Athena workgroup to encrypt Athena query results at rest | AWS::Athena::WorkGroup |
* | CT.ATHENA.PR.2 | Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) key | AWS::Athena::WorkGroup |
* | CT.AUTOSCALING.PR.1 | Require an Amazon EC2 Auto Scaling group to have multiple Availability Zones | AWS::AutoScaling::AutoScalingGroup |
* | CT.AUTOSCALING.PR.2 | Require an Amazon EC2 Auto Scaling group launch configuration to configure Amazon EC2 instances for IMDSv2 | AWS::AutoScaling::LaunchConfiguration |
* | CT.AUTOSCALING.PR.3 | Require an Amazon EC2 Auto Scaling launch configuration to have a single-hop metadata response limit | AWS::AutoScaling::LaunchConfiguration |
* | CT.AUTOSCALING.PR.4 | Require an Amazon EC2 Auto Scaling group associated with an AWS Elastic Load Balancer (ELB) to have ELB health checks activated | AWS::AutoScaling::AutoScalingGroup |
* | CT.AUTOSCALING.PR.5 | Require that an Amazon EC2 Auto Scaling group launch configuration does not have Amazon EC2 instances with public IP addresses | AWS::AutoScaling::LaunchConfiguration |
* | CT.AUTOSCALING.PR.6 | Require any Amazon EC2 Auto Scaling groups to use multiple instance types | AWS::AutoScaling::AutoScalingGroup |
* | CT.AUTOSCALING.PR.8 | Require an Amazon EC2 Auto Scaling group to have EC2 launch templates configured | AWS::AutoScaling::AutoScalingGroup |
* | CT.AUTOSCALING.PR.9 | Require an Amazon EBS volume configured through an Amazon EC2 Auto Scaling launch configuration to encrypt data at rest | AWS::AutoScaling::LaunchConfiguration |
* | CT.AUTOSCALING.PR.10 | Require an Amazon EC2 Auto Scaling group to use only AWS Nitro instance types when overriding a launch template | AWS::AutoScaling::AutoScalingGroup |
* | CT.AUTOSCALING.PR.11 | Require only AWS Nitro instance types that support network traffic encryption between instances to be added to an Amazon EC2 Auto Scaling group, when overriding a launch template | AWS::AutoScaling::AutoScalingGroup |
* | CT.CLOUDFRONT.PR.1 | Require an Amazon CloudFront distribution to have a default root object configured | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.3 | Require an Amazon CloudFront distribution to have encryption in transit configured | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.4 | Require an Amazon CloudFront distribution to have origin failover configured | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.5 | Require any Amazon CloudFront distribution to have logging enabled | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.6 | Require an Amazon CloudFront distribution to use custom SSL/TLS certificates | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.7 | Require an Amazon CloudFront distribution to use SNI to serve HTTPS requests | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.8 | Require an Amazon CloudFront distribution to encrypt traffic to custom origins | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.9 | Require an Amazon CloudFront distribution to have a security policy of TLSv1.2 as a minimum | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.10 | Require any Amazon CloudFront distributions with Amazon S3 backed origins to have origin access control configured | AWS::CloudFront::Distribution |
* | CT.CLOUDFRONT.PR.11 | Require an Amazon CloudFront distribution to use updated SSL protocols between edge locations and custom origins | AWS::CloudFront::Distribution |
* | CT.CLOUDTRAIL.PR.1 | Require an AWS CloudTrail trail to have encryption at rest activated | AWS::CloudTrail::Trail |
* | CT.CLOUDTRAIL.PR.2 | Require an AWS CloudTrail trail to have log file validation activated | AWS::CloudTrail::Trail |
* | CT.CLOUDTRAIL.PR.3 | Require an AWS CloudTrail trail to have an Amazon CloudWatch log group configuration | AWS::CloudTrail::Trail |
* | CT.CLOUDTRAIL.PR.4 | Require an AWS CloudTrail Lake event data store to enable encryption at rest with an AWS KMS key | AWS::CloudTrail::EventDataStore |
* | CT.CLOUDWATCH.PR.1 | Require an Amazon CloudWatch alarm to have an action configured for the alarm state | AWS::CloudWatch::Alarm |
* | CT.CLOUDWATCH.PR.2 | Require an Amazon CloudWatch log group to be retained for at least one year | AWS::Logs::LogGroup |
* | CT.CLOUDWATCH.PR.3 | Require an Amazon CloudWatch log group to be encrypted at rest with an AWS KMS key | AWS::Logs::LogGroup |
* | CT.CLOUDWATCH.PR.4 | Require an Amazon CloudWatch alarm to have actions activated | AWS::CloudWatch::Alarm |
* | CT.CODEBUILD.PR.1 | Require OAuth on GitHub or Bitbucket source repository URLs for AWS CodeBuild projects | AWS::CodeBuild::Project |
* | CT.CODEBUILD.PR.2 | Require any AWS CodeBuild project environment variable to encrypt credentials in environment variables | AWS::CodeBuild::Project |
* | CT.CODEBUILD.PR.3 | Require any AWS CodeBuild project environment to have logging configured | AWS::CodeBuild::Project |
* | CT.CODEBUILD.PR.4 | Require any AWS CodeBuild project to deactivate privileged mode when running | AWS::CodeBuild::Project |
* | CT.CODEBUILD.PR.5 | Require encryption on all AWS CodeBuild project artifacts | AWS::CodeBuild::Project |
* | CT.CODEBUILD.PR.6 | Require encryption on all Amazon S3 logs for AWS CodeBuild projects | AWS::CodeBuild::Project |
* | CT.DAX.PR.1 | Require encryption at rest for all Amazon DynamoDB Accelerator (DAX) clusters | AWS::DAX::Cluster |
* | CT.DAX.PR.2 | Require an Amazon DAX cluster to deploy nodes to at least three Availability Zones | AWS::DAX::Cluster |
* | CT.DAX.PR.3 | Require an Amazon DAX cluster to encrypt data in transit with Transport Layer Security (TLS) | AWS::DAX::Cluster |
* | CT.DMS.PR.1 | Require that a public AWS DMS replication instance is not public | AWS::DMS::ReplicationInstance |
* | CT.DMS.PR.2 | Require an AWS Database Migration Service (DMS) Endpoint to encrypt connections for source and target endpoints | AWS::DMS::Endpoint |
* | CT.DOCUMENTDB.PR.1 | Require an Amazon DocumentDB cluster to be encrypted at rest | AWS::DocDB::DBCluster |
* | CT.DOCUMENTDB.PR.2 | Require an Amazon DocumentDB cluster to have a backup retention period greater than or equal to seven days | AWS::DocDB::DBCluster |
* | CT.DYNAMODB.PR.1 | Require that point-in-time recovery for an Amazon DynamoDB table is activated | AWS::DynamoDB::Table |
* | CT.DYNAMODB.PR.2 | Require an Amazon DynamoDB table to be encrypted at rest using an AWS KMS key | AWS::DynamoDB::Table |
* | CT.EC2.PR.1 | Require an Amazon EC2 launch template to have IMDSv2 configured | AWS::EC2::LaunchTemplate |
* | CT.EC2.PR.2 | Require that Amazon EC2 launch templates restrict the token hop limit to a maximum of one | AWS::EC2::LaunchTemplate |
* | CT.EC2.PR.3 | Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for ports other than 80 and 443 | AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupIngress |
* | CT.EC2.PR.4 | Require that any Amazon EC2 security group rule does not use the source IP range 0.0.0.0/0 or ::/0 for specific high-risk ports | AWS::EC2::SecurityGroup, AWS::EC2::SecurityGroupIngress |
* | CT.EC2.PR.5 | Require any Amazon EC2 network ACL to prevent ingress from 0.0.0.0/0 to port 22 or port 3389 | AWS::EC2::NetworkAclEntry |
* | CT.EC2.PR.6 | Require that Amazon EC2 transit gateways refuse automatic Amazon VPC attachment requests | AWS::EC2::TransitGateway |
* | CT.EC2.PR.7 | Require an Amazon EBS volume resource to be encrypted at rest when defined by means of the AWS::EC2::Instance BlockDeviceMappings property or AWS::EC2::Volume resource type | AWS::EC2::Instance, AWS::EC2::Volume |
* | CT.EC2.PR.8 | Require an Amazon EC2 instance to set AssociatePublicIpAddress to false on a new network interface created by means of the NetworkInterfaces property in the AWS::EC2::Instance resource | AWS::EC2::Instance |
* | CT.EC2.PR.9 | Require any Amazon EC2 launch template not to auto-assign public IP addresses to network interfaces | AWS::EC2::LaunchTemplate |
* | CT.EC2.PR.10 | Require Amazon EC2 launch templates to have Amazon CloudWatch detailed monitoring activated | AWS::EC2::LaunchTemplate |
* | CT.EC2.PR.11 | Require that an Amazon EC2 subnet does not automatically assign public IP addresses | AWS::EC2::Subnet |
* | CT.EC2.PR.12 | Require an Amazon EC2 instance to specify at most one network interface by means of the NetworkInterfaces property in the AWS::EC2::Instance resource | AWS::EC2::Instance |
* | CT.EC2.PR.13 | Require an Amazon EC2 instance to have detailed monitoring enabled | AWS::EC2::Instance |
* | CT.EC2.PR.14 | Require an Amazon EBS volume configured through an Amazon EC2 launch template to encrypt data at rest | AWS::EC2::LaunchTemplate |
* | CT.EC2.PR.15 | Require an Amazon EC2 instance to use an AWS Nitro instance type when creating from the 'AWS::EC2::LaunchTemplate' resource type | AWS::EC2::LaunchTemplate |
* | CT.EC2.PR.16 | Require an Amazon EC2 instance to use an AWS Nitro instance type when created using the 'AWS::EC2::Instance' resource type | AWS::EC2::Instance |
* | CT.EC2.PR.17 | Require an Amazon EC2 dedicated host to use an AWS Nitro instance type | AWS::EC2::Host |
* | CT.EC2.PR.18 | Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types | AWS::EC2::EC2Fleet |
* | CT.EC2.PR.19 | Require an EC2 instance to use an AWS Nitro instance type that supports encryption in-transit between instances when created using the AWS::EC2::Instance resource type | AWS::EC2::Instance |
* | CT.EC2.PR.20 | Require an Amazon EC2 fleet to override only those launch templates with AWS Nitro instance types that support encryption in transit between instances | AWS::EC2::EC2Fleet |
* | CT.ECR.PR.1 | Require Amazon ECR repositories to have a lifecycle policy configured | AWS::ECR::Repository |
* | CT.ECR.PR.2 | Require Amazon ECR private repositories to have image scanning enabled | AWS::ECR::Repository |
* | CT.ECR.PR.3 | Require Amazon ECR private repositories to have tag immutability enabled | AWS::ECR::Repository |
* | CT.ECS.PR.1 | Require AWS ECS Fargate Services to run on the latest Fargate platform version | AWS::ECS::Service |
* | CT.ECS.PR.2 | Require any Amazon ECS cluster to have container insights activated | AWS::ECS::Cluster |
* | CT.ECS.PR.3 | Require any Amazon ECS task definition to specify a user that is not the root | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.4 | Require Amazon ECS tasks to use 'awsvpc' networking mode | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.5 | Require an active Amazon ECS task definition to have a logging configuration | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.6 | Require Amazon ECS containers to allow read-only access to the root filesystem | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.7 | Require an Amazon ECS task definition to have a specific memory usage limit | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.8 | Require Amazon ECS task definitions to have secure networking modes and user definitions | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.9 | Require Amazon ECS services not to assign public IP addresses automatically | AWS::ECS::Service |
* | CT.ECS.PR.10 | Require that Amazon ECS task definitions do not share the host's process namespace | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.11 | Require an Amazon ECS container to run as non-privileged | AWS::ECS::TaskDefinition |
* | CT.ECS.PR.12 | Require that Amazon ECS task definitions do not pass secrets as container environment variables | AWS::ECS::TaskDefinition |
* | CT.EKS.PR.1 | Require an Amazon EKS cluster to be configured with public access disabled to the cluster Kubernetes API server endpoint | AWS::EKS::Cluster |
* | CT.EKS.PR.2 | Require an Amazon EKS cluster to be configured with secret encryption using AWS Key Management Service (KMS) keys | AWS::EKS::Cluster |
* | CT.ELASTICACHE.PR.1 | Require an Amazon ElastiCache for Redis cluster to have automatic backups activated | AWS::ElastiCache::CacheCluster |
* | CT.ELASTICACHE.PR.2 | Require an Amazon ElastiCache for Redis cluster to have automatic minor version upgrades activated | AWS::ElastiCache::CacheCluster |
* | CT.ELASTICACHE.PR.3 | Require an Amazon ElastiCache for Redis replication group to have automatic failover activated | AWS::ElastiCache::ReplicationGroup |
* | CT.ELASTICACHE.PR.4 | Require an Amazon ElastiCache replication group to have encryption at rest activated | AWS::ElastiCache::ReplicationGroup |
* | CT.ELASTICACHE.PR.5 | Require an Amazon ElastiCache for Redis replication group to have encryption in transit activated | AWS::ElastiCache::ReplicationGroup |
* | CT.ELASTICACHE.PR.6 | Require an Amazon ElastiCache cache cluster to use a custom subnet group | AWS::ElastiCache::CacheCluster |
* | CT.ELASTICACHE.PR.7 | Require an Amazon ElastiCache replication group of earlier Redis versions to have Redis AUTH activated | AWS::ElastiCache::ReplicationGroup |
* | CT.ELASTICACHE.PR.8 | Require an Amazon ElastiCache replication group of later Redis versions to have RBAC authentication activated | AWS::ElastiCache::ReplicationGroup |
* | CT.ELASTICBEANSTALK.PR.1 | Require AWS Elastic Beanstalk environments to have enhanced health reporting enabled | AWS::ElasticBeanstalk::Environment, AWS::ElasticBeanstalk::ConfigurationTemplate |
* | CT.ELASTICBEANSTALK.PR.2 | Require an AWS Elastic Beanstalk environment to have managed platform updates configured | AWS::ElasticBeanstalk::Environment, AWS::ElasticBeanstalk::ConfigurationTemplate |
* | CT.ELASTICBEANSTALK.PR.3 | Require an AWS Elastic Beanstalk environment to have a logging configuration | AWS::ElasticBeanstalk::Environment, AWS::ElasticBeanstalk::ConfigurationTemplate |
* | CT.ELASTICFILESYSYSTEM.PR.1 | Require an Amazon EFS file system to encrypt file data at rest using AWS KMS | AWS::EFS::FileSystem |
* | CT.ELASTICFILESYSYSTEM.PR.2 | Require an Amazon EFS volume to have an automated backup plan | AWS::EFS::FileSystem |
* | CT.ELASTICFILESYSYSTEM.PR.3 | Require Amazon EFS access points to have a root directory | AWS::EFS::AccessPoint |
* | CT.ELASTICFILESYSYSTEM.PR.4 | Require Amazon EFS access points to enforce a user identity | AWS::EFS::AccessPoint |
* | CT.ELASTICLOADBALANCING.PR.1 | Require any application load balancer listener default actions to redirect all HTTP requests to HTTPS | AWS::ElasticLoadBalancingV2::Listener |
* | CT.ELASTICLOADBALANCING.PR.2 | Require any Amazon ELB application or network load balancer to have an AWS Certificate Manager certificate | AWS::ElasticLoadBalancingV2::Listener, AWS::ElasticLoadBalancingV2::ListenerCertificate |
* | CT.ELASTICLOADBALANCING.PR.3 | Require any application load balancer to have defensive or strictest desync mitigation mode activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.4 | Require that any application load balancer must be configured to drop HTTP headers | AWS::ElasticLoadBalancingV2::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.5 | Require that application load balancer deletion protection is activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.6 | Require that application and network load balancer access logging is activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.7 | Require any classic load balancer to have multiple Availability Zones configured | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.8 | Require any classic load balancer SSL/HTTPS listener to have a certificate provided by AWS Certificate Manager | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.9 | Require that an AWS ELB application or classic load balancer listener is configured with HTTPS or TLS termination | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.10 | Require an ELB application or classic load balancer to have logging activated | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.11 | Require any ELB classic load balancer to have connection draining activated | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.12 | Require any ELB classic load balancer SSL/HTTPS listener to have a predefined security policy with a strong configuration | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.13 | Require any ELB classic load balancer to have cross-zone load balancing activated | AWS::ElasticLoadBalancing::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.14 | Require a Network Load Balancer to have cross-zone load balancing activated | AWS::ElasticLoadBalancingV2::LoadBalancer |
* | CT.ELASTICLOADBALANCING.PR.15 | Require that an Elastic Load Balancing v2 target group does not explicitly disable cross-zone load balancing | AWS::ElasticLoadBalancingV2::TargetGroup |
* | CT.EMR.PR.1 | Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 | AWS::EMR::SecurityConfiguration |
* | CT.EMR.PR.2 | Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data at rest in Amazon S3 with an AWS KMS key | AWS::EMR::SecurityConfiguration |
* | CT.EMR.PR.3 | Require that an Amazon Elastic MapReduce (EMR) security configuration is configured with EBS volume local disk encryption using an AWS KMS key | AWS::EMR::SecurityConfiguration |
* | CT.EMR.PR.4 | Require that an Amazon Elastic MapReduce (EMR) security configuration is configured to encrypt data in transit | AWS::EMR::SecurityConfiguration |
* | CT.GLUE.PR.1 | Require an AWS Glue job to have an associated security configuration | AWS::Glue::Job |
* | CT.GUARDDUTY.PR.1 | Require an Amazon GuardDuty detector to have Amazon S3 protection activated | AWS::GuardDuty::Detector |
* | CT.IAM.PR.1 | Require that an AWS Identity and Access Management (IAM) inline policy does not have a statement that includes "*" in the Action and Resource elements | AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::Group |
* | CT.IAM.PR.2 | Require that AWS Identity and Access Management (IAM) customer-managed policies do not contain a statement that includes "*" in the Action and Resource elements | AWS::IAM::ManagedPolicy |
* | CT.IAM.PR.3 | Require that AWS Identity and Access Management (IAM) customer-managed policies do not have wildcard service actions | AWS::IAM::ManagedPolicy |
* | CT.IAM.PR.4 | Require that an AWS Identity and Access Management (IAM) user does not have an inline or managed policy attached | AWS::IAM::User, AWS::IAM::Policy, AWS::IAM::ManagedPolicy |
* | CT.IAM.PR.5 | Require that AWS Identity and Access Management (IAM) inline policies do not have wildcard service actions | AWS::IAM::Policy, AWS::IAM::Role, AWS::IAM::User, AWS::IAM::Group |
* | CT.KINESIS.PR.1 | Require any Amazon Kinesis data stream to have encryption at rest configured | AWS::Kinesis::Stream |
* | CT.KMS.PR.1 | Require any AWS KMS key to have rotation configured | AWS::KMS::Key |
* | CT.KMS.PR.2 | Require that an AWS KMS asymmetric key with RSA key material used for encryption has a key length greater than 2048 bits | AWS::KMS::Key |
* | CT.KMS.PR.3 | Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services | AWS::KMS::Key |
* | CT.LAMBDA.PR.2 | Require AWS Lambda function policies to prohibit public access | AWS::Lambda::Permission |
* | CT.LAMBDA.PR.3 | Require an AWS Lambda function to be in a customer-managed Amazon Virtual Private Cloud (VPC) | AWS::Lambda::Function |
* | CT.LAMBDA.PR.4 | Require an AWS Lambda layer permission to grant access to an AWS organization or specific AWS account | AWS::Lambda::LayerVersionPermission |
* | CT.LAMBDA.PR.5 | Require an AWS Lambda function URL to use AWS IAM-based authentication | AWS::Lambda::Url |
* | CT.LAMBDA.PR.6 | Require an AWS Lambda function URL CORS policy to restrict access to specific origins | AWS::Lambda::Url |
* | CT.MQ.PR.1 | Require an Amazon MQ ActiveMQ broker to use active/standby deployment mode for high availability | AWS::AmazonMQ::Broker |
* | CT.MQ.PR.2 | Require an Amazon MQ Rabbit MQ broker to use Multi-AZ cluster mode for high availability | AWS::AmazonMQ::Broker |
* | CT.MSK.PR.1 | Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to enforce encryption in transit between cluster broker nodes | AWS::MSK::Cluster |
* | CT.MSK.PR.2 | Require an Amazon Managed Streaming for Apache Kafka (MSK) cluster to be configured with PublicAccess disabled | AWS::MSK::Cluster |
* | CT.NEPTUNE.PR.1 | Require an Amazon Neptune DB cluster to have AWS Identity and Access Management (IAM) database authentication enabled | AWS::Neptune::DBCluster |
* | CT.NEPTUNE.PR.2 | Require an Amazon Neptune DB cluster to have deletion protection enabled | AWS::Neptune::DBCluster |
* | CT.NEPTUNE.PR.3 | Require an Amazon Neptune DB cluster to have storage encryption enabled | AWS::Neptune::DBCluster |
* | CT.NEPTUNE.PR.4 | Require an Amazon Neptune DB cluster to enable Amazon CloudWatch log export for audit logs | AWS::Neptune::DBCluster |
* | CT.NEPTUNE.PR.5 | Require an Amazon Neptune DB cluster to set a backup retention period greater than or equal to seven days | AWS::Neptune::DBCluster |
* | CT.NETWORK-FIREWALL.PR.1 | Require any AWS Network Firewall firewall policy to have an associated rule group | AWS::NetworkFirewall::FirewallPolicy |
* | CT.NETWORK-FIREWALL.PR.2 | Require any AWS Network Firewall firewall policy to drop or forward stateless full packets by default when they do not match a rule | AWS::NetworkFirewall::FirewallPolicy |
* | CT.NETWORK-FIREWALL.PR.3 | Require any AWS Network Firewall firewall policy to drop or forward fragmented packets by default when they do not match a stateless rule | AWS::NetworkFirewall::FirewallPolicy |
* | CT.NETWORK-FIREWALL.PR.4 | Require any AWS Network Firewall rule group to contain at least one rule | AWS::NetworkFirewall::RuleGroup |
* | CT.NETWORK-FIREWALL.PR.5 | Require an AWS Network Firewall firewall to be deployed across multiple Availability Zones | AWS::NetworkFirewall::Firewall |
* | CT.OPENSEARCH.PR.1 | Require an Elasticsearch domain to encrypt data at rest | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.2 | Require an Elasticsearch domain to be created in a user-specified Amazon VPC | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.3 | Require an Elasticsearch domain to encrypt data sent between nodes | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.4 | Require an Elasticsearch domain to send error logs to Amazon CloudWatch Logs | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.5 | Require an Elasticsearch domain to send audit logs to Amazon CloudWatch Logs | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.6 | Require an Elasticsearch domain to have zone awareness and at least three data nodes | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.7 | Require an Elasticsearch domain to have at least three dedicated master nodes | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.8 | Require an Elasticsearch Service domain to use TLSv1.2 | AWS::Elasticsearch::Domain |
* | CT.OPENSEARCH.PR.9 | Require an Amazon OpenSearch Service domain to encrypt data at rest | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.10 | Require an Amazon OpenSearch Service domain to be created in a user-specified Amazon VPC | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.11 | Require an Amazon OpenSearch Service domain to encrypt data sent between nodes | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.12 | Require an Amazon OpenSearch Service domain to send error logs to Amazon CloudWatch Logs | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.13 | Require an Amazon OpenSearch Service domain to send audit logs to Amazon CloudWatch Logs | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.14 | Require an Amazon OpenSearch Service domain to have zone awareness and at least three data nodes | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.15 | Require an Amazon OpenSearch Service domain to use fine-grained access control | AWS::OpenSearchService::Domain |
* | CT.OPENSEARCH.PR.16 | Require an Amazon OpenSearch Service domain to use TLSv1.2 | AWS::OpenSearchService::Domain |
* | CT.RDS.PR.1 | Require that an Amazon RDS database instance is configured with multiple Availability Zones | AWS::RDS::DBInstance |
* | CT.RDS.PR.2 | Require an Amazon RDS database instance or cluster to have enhanced monitoring configured | AWS::RDS::DBInstance |
* | CT.RDS.PR.3 | Require an Amazon RDS cluster to have deletion protection configured | AWS::RDS::DBCluster |
* | CT.RDS.PR.4 | Require an Amazon RDS database cluster to have AWS IAM database authentication configured | AWS::RDS::DBCluster |
* | CT.RDS.PR.5 | Require an Amazon RDS database instance to have minor version upgrades configured | AWS::RDS::DBInstance |
* | CT.RDS.PR.6 | Require an Amazon RDS database cluster to have backtracking configured | AWS::RDS::DBCluster |
* | CT.RDS.PR.7 | Require Amazon RDS database instances to have AWS IAM authentication configured | AWS::RDS::DBInstance |
* | CT.RDS.PR.8 | Require an Amazon RDS database instance to have automatic backups configured | AWS::RDS::DBInstance |
* | CT.RDS.PR.9 | Require an Amazon RDS database cluster to copy tags to snapshots | AWS::RDS::DBCluster |
* | CT.RDS.PR.10 | Require an Amazon RDS database instance to copy tags to snapshots | AWS::RDS::DBInstance |
* | CT.RDS.PR.11 | Require an Amazon RDS database instance to have a VPC configuration | AWS::RDS::DBInstance |
* | CT.RDS.PR.12 | Require an Amazon RDS event subscription to have critical cluster events configured | AWS::RDS::EventSubscription |
* | CT.RDS.PR.13 | Require any Amazon RDS instance to have deletion protection configured | AWS::RDS::DBInstance |
* | CT.RDS.PR.14 | Require an Amazon RDS database instance to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property | AWS::RDS::DBInstance |
* | CT.RDS.PR.15 | Require that an Amazon RDS instance does not create DB security groups | AWS::RDS::DBInstance, AWS::RDS::DBSecurityGroup |
* | CT.RDS.PR.16 | Require an Amazon RDS database cluster to have encryption at rest configured | AWS::RDS::DBCluster |
* | CT.RDS.PR.17 | Require an Amazon RDS event notification subscription to have critical database instance events configured | AWS::RDS::EventSubscription |
* | CT.RDS.PR.18 | Require an Amazon RDS event notification subscription to have critical database parameter group events configured | AWS::RDS::EventSubscription |
* | CT.RDS.PR.19 | Require an Amazon RDS event notifications subscription to have critical database security group events configured | AWS::RDS::EventSubscription |
* | CT.RDS.PR.20 | Require an Amazon RDS database instance not to use a database engine default port | AWS::RDS::DBInstance |
* | CT.RDS.PR.21 | Require an Amazon RDS DB cluster to have a unique administrator username | AWS::RDS::DBCluster |
* | CT.RDS.PR.22 | Require an Amazon RDS database instance to have a unique administrator username | AWS::RDS::DBInstance |
|
* | CT.RDS.PR.23 | Require an Amazon RDS database instance to not be publicly accessible | AWS::RDS::DBInstance
|
* | CT.RDS.PR.24 | Require an Amazon RDS database instance to have encryption at rest configured | AWS::RDS::DBInstance
|
* | CT.RDS.PR.25 | Require an Amazon RDS database cluster to export logs to Amazon CloudWatch Logs by means of the EnableCloudwatchLogsExports property | AWS::RDS::DBCluster
|
* | CT.RDS.PR.26 | Require an Amazon RDS DB Proxy to require Transport Layer Security (TLS) connections | AWS::RDS::DBProxy
|
* | CT.RDS.PR.27 | Require an Amazon RDS DB cluster parameter group to require Transport Layer Security (TLS) connections for supported engine types | AWS::RDS::DBClusterParameterGroup
|
* | CT.RDS.PR.28 | Require an Amazon RDS DB parameter group to require Transport Layer Security (TLS) connections for supported engine types | AWS::RDS::DBParameterGroup
|
 * | CT.RDS.PR.29 | Require an Amazon RDS cluster not to be configured to be publicly accessible by means of the 'PubliclyAccessible' property | AWS::RDS::DBCluster |
 * | CT.RDS.PR.30 | Require that an Amazon RDS database instance has encryption at rest configured to use a KMS key that you specify for supported engine types | AWS::RDS::DBInstance |
 * | CT.REDSHIFT.PR.1 | Require an Amazon Redshift cluster to prohibit public access | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.2 | Require an Amazon Redshift cluster to have automatic snapshots configured | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.3 | Require an Amazon Redshift cluster to have audit logging configured | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.4 | Require an Amazon Redshift cluster to have automatic upgrades to major versions configured | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.5 | Require an Amazon Redshift cluster to have enhanced VPC routing | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.6 | Require an Amazon Redshift cluster to have a unique administrator username | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.7 | Require an Amazon Redshift cluster to have a unique database name | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.8 | Require an Amazon Redshift cluster to be encrypted | AWS::Redshift::Cluster |
 * | CT.REDSHIFT.PR.9 | Require that an Amazon Redshift cluster parameter group is configured to use Secure Sockets Layer (SSL) for encryption of data in transit | AWS::Redshift::ClusterParameterGroup |
 * | CT.S3.PR.1 | Require an Amazon S3 bucket to have block public access settings configured | AWS::S3::Bucket |
 * | CT.S3.PR.2 | Require an Amazon S3 bucket to have server access logging configured | AWS::S3::Bucket |
 * | CT.S3.PR.3 | Require an Amazon S3 bucket to have versioning configured and a lifecycle policy | AWS::S3::Bucket |
 * | CT.S3.PR.4 | Require an Amazon S3 bucket to have event notifications configured | AWS::S3::Bucket |
 * | CT.S3.PR.5 | Require that an Amazon S3 bucket does not manage user access with an access control list (ACL) | AWS::S3::Bucket |
 * | CT.S3.PR.6 | Require an Amazon S3 bucket to have lifecycle policies configured | AWS::S3::Bucket |
 * | CT.S3.PR.8 | Require that Amazon S3 bucket requests use Secure Sockets Layer | AWS::S3::BucketPolicy |
 * | CT.S3.PR.9 | Require that an Amazon S3 bucket has S3 Object Lock activated | AWS::S3::Bucket |
 * | CT.S3.PR.10 | Require an Amazon S3 bucket to have server-side encryption configured using an AWS KMS key | AWS::S3::Bucket |
 * | CT.S3.PR.11 | Require an Amazon S3 bucket to have versioning enabled | AWS::S3::Bucket |
 * | CT.S3.PR.12 | Require an Amazon S3 access point to have a Block Public Access (BPA) configuration with all options set to true | AWS::S3::AccessPoint |
 * | CT.SAGEMAKER.PR.1 | Require an Amazon SageMaker notebook instance to prevent direct internet access | AWS::SageMaker::NotebookInstance |
 * | CT.SAGEMAKER.PR.2 | Require Amazon SageMaker notebook instances to be deployed within a custom Amazon VPC | AWS::SageMaker::NotebookInstance |
 * | CT.SAGEMAKER.PR.3 | Require Amazon SageMaker notebook instances to have root access disallowed | AWS::SageMaker::NotebookInstance |
 * | CT.SQS.PR.1 | Require any Amazon SQS queue to have a dead-letter queue configured | AWS::SQS::Queue |
 * | CT.SQS.PR.2 | Require any Amazon SQS queue to have encryption at rest configured | AWS::SQS::Queue |
 * | CT.STEPFUNCTIONS.PR.1 | Require an AWS Step Functions state machine to have logging activated | AWS::StepFunctions::StateMachine |
 * | CT.STEPFUNCTIONS.PR.2 | Require an AWS Step Functions state machine to have AWS X-Ray tracing activated | AWS::StepFunctions::StateMachine |
 * | CT.WAF-REGIONAL.PR.1 | Require any AWS WAF Classic regional rule to have a condition | AWS::WAFRegional::Rule |
 * | CT.WAF-REGIONAL.PR.2 | Require any AWS WAF Classic regional web access control list (ACL) to have a rule or rule group | AWS::WAFRegional::WebACL |
 * | CT.WAF.PR.1 | Require any AWS WAF Classic global rule to have a condition | AWS::WAF::Rule |
 * | CT.WAF.PR.2 | Require any AWS WAF Classic global web ACL to have a rule or rule group | AWS::WAF::WebACL |
 * | CT.WAFV2.PR.1 | Require an AWS WAF web ACL to be non-empty | AWS::WAFv2::WebACL |
 * | CT.WAFV2.PR.2 | Require an AWS WAF rule group to be non-empty | AWS::WAFv2::RuleGroup |
*/
@software.amazon.jsii.Stability(software.amazon.jsii.Stability.Level.Stable)
package io.github.cdklabs.cdkvalidatorcfnguard;