Skip to main content
Pulumi logo Pulumi logo
  1. Docs
  2. Reference
  3. Pre-built Policy Packs
  4. CMMC
  5. AWS

CMMC 2.0 - AWS

    This page lists all 54 policies in the CMMC 2.0 pack for AWS, as published in cmmc-aws version 1.0.2.

    Policies by control

    AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

    AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.

    AC.L2-3.1.3 Control the flow of CUI — Control the flow of CUI in accordance with approved authorizations.

    AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

    AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.

    AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.

    AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

    AC.L2-3.1.11 Terminate user sessions after inactivity — Terminate (automatically) a user session after a defined condition.

    AC.L2-3.1.12 Monitor and control remote access sessions — Monitor and control remote access sessions.

    AC.L2-3.1.13 Employ cryptographic mechanisms for remote access — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

    AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.

    AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.

    AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

    AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.

    CM.L1-3.4.2 Establish and enforce security configuration settings — Establish and enforce security configuration settings for information technology products employed in organizational systems.

    CM.L2-3.4.3 Track and log configuration changes — Track, review, approve or disapprove, and log changes to organizational systems.

    CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

    CM.L2-3.4.6 Employ principle of least functionality — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

    CM.L2-3.4.7 Restrict nonessential programs and services — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

    IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.

    IA.L1-3.5.2 Authenticate identities of users and devices — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

    IA.L2-3.5.3 Use multifactor authentication — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

    IA.L2-3.5.7 Enforce minimum password complexity — Enforce a minimum password complexity and change of characters when new passwords are created.

    IA.L2-3.5.8 Prohibit password reuse — Prohibit password reuse for a specified number of generations.

    MA.L1-3.7.1 Perform system maintenance — Perform maintenance on organizational systems.

    MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

    MA.L2-3.7.5 Require MFA for nonlocal maintenance — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.

    MP.L1-3.8.1 Protect system media containing CUI — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.

    MP.L1-3.8.2 Limit access to CUI on system media — Limit access to CUI on system media to authorized users.

    MP.L1-3.8.3 Sanitize or destroy system media before disposal — Sanitize or destroy system media containing CUI before disposal or release for reuse.

    MP.L2-3.8.4 Mark media with CUI markings — Mark media with necessary CUI markings and distribution limitations.

    MP.L2-3.8.9 Protect confidentiality of backup CUI — Protect the confidentiality of backup CUI at storage locations.

    RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

    RA.L2-3.11.3 Remediate vulnerabilities — Remediate vulnerabilities in accordance with risk assessments.

    SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.

    SC.L1-3.13.2 Employ architectural designs promoting security — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.

    SC.L2-3.13.5 Implement subnetworks for publicly accessible components — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.

    SC.L2-3.13.6 Deny network traffic by default — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).

    SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.

    SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.

    SC.L2-3.13.11 Employ FIPS-validated cryptography — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.

    SC.L2-3.13.15 Protect authenticity of communications sessions — Protect the authenticity of communications sessions.

    SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.

    SI.L1-3.14.1 Identify and correct system flaws — Identify, report, and correct system flaws in a timely manner.

    SI.L1-3.14.2 Provide protection from malicious code — Provide protection from malicious code at designated locations within organizational systems.

    SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

    SI.L2-3.14.6 Monitor systems to detect attacks — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.

    Policy details

    anti-malware-edr

    Severity: high · Enforcement: advisory

    Ensures EC2 instances have anti-malware/EDR agents deployed

    • SI.L1-3.14.2 Provide protection from malicious code — Provide protection from malicious code at designated locations within organizational systems.
    Remediation
    Fix: Deploy Anti-Malware/EDR Agent via User Data

    Include anti-malware or EDR agent installation commands in the instance’s userData:

    const instance = new aws.ec2.Instance("protected-instance", {
        instanceType: "t3.medium",
        ami: "ami-0c55b159cbfafe1f0",
        userData: "#!/bin/bash\nyum install -y amazon-ssm-agent\nsystemctl enable amazon-ssm-agent\nsystemctl start amazon-ssm-agent", // Install SSM agent
        subnetId: subnet.id,
    });
    

    api-gateway-access-logging

    Severity: medium · Enforcement: advisory

    Ensures API Gateway stages have access logging enabled

    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    Remediation
    Fix: Enable Access Logging for API Gateway Stage

    Configure the accessLogSettings property with a CloudWatch Log Group ARN to enable comprehensive audit logging:

    const logGroup = new aws.cloudwatch.LogGroup("api-logs", {
        retentionInDays: 30,
    });
    
    const stage = new aws.apigateway.Stage("my-stage", {
        restApi: api.id,
        stageName: "prod",
        deployment: deployment.id,
        accessLogSettings: { // Enable access logging
            destinationArn: logGroup.arn, // Specify CloudWatch Log Group
            format: "$context.requestId",
        },
    });
    

    api-gateway-authorization

    Severity: high · Enforcement: advisory

    Ensures API Gateway methods use strong authorization instead of NONE

    • SC.L2-3.13.15 Protect authenticity of communications sessions — Protect the authenticity of communications sessions.
    Remediation
    Fix: Enable Strong Authorization for API Gateway Method

    Set the authorization property to a strong authorization type (AWS_IAM, COGNITO_USER_POOLS, CUSTOM, or JWT) instead of “NONE”:

    const method = new aws.apigateway.Method("my-method", {
        restApi: api.id,
        resourceId: resource.id,
        httpMethod: "GET",
        authorization: "AWS_IAM", // Use strong authorization instead of "NONE"
        // For CUSTOM authorization, also specify the authorizer:
        // authorizerId: authorizer.id,
    });
    

    api-gateway-v2-access-logging

    Severity: medium · Enforcement: advisory

    Ensures API Gateway V2 stages have access logging enabled

    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    Remediation
    Fix: Enable Access Logging for API Gateway V2 Stage

    Configure the accessLogSettings property with a CloudWatch Log Group ARN to enable comprehensive audit logging:

    const logGroup = new aws.cloudwatch.LogGroup("api-v2-logs", {
        retentionInDays: 30,
    });
    
    const stage = new aws.apigatewayv2.Stage("my-stage", {
        apiId: api.id,
        name: "prod",
        accessLogSettings: { // Enable access logging
            destinationArn: logGroup.arn, // Specify CloudWatch Log Group
            format: "$context.requestId",
        },
    });
    

    api-gateway-waf-association

    Severity: critical · Enforcement: advisory

    Ensures public-facing API Gateways have WAF associations

    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    Remediation
    Fix: Associate WAF Web ACL with API Gateway Stage

    Create a WAF Web ACL association for your API Gateway stage:

    // Create a WAF Web ACL association for the API Gateway stage
    const wafAssociation = new aws.wafv2.WebAclAssociation("api-waf-association", {
        resourceArn: pulumi.interpolate`arn:aws:apigateway:${region}::/restapis/${restApi.id}/stages/${stage.stageName}`, // Stage ARN
        webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
    });
    

    appsync-waf-association

    Severity: critical · Enforcement: advisory

    Ensures public-facing AppSync GraphQL APIs have WAF associations

    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    Remediation
    Fix: Associate WAF Web ACL with AppSync GraphQL API

    Create a WAF Web ACL association to protect your AppSync GraphQL API:

    // Create a WAF Web ACL association for the AppSync GraphQL API
    const wafAssociation = new aws.wafv2.WebAclAssociation("appsync-waf-association", {
        resourceArn: graphqlApi.arn, // Reference the GraphQL API ARN
        webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
    });
    

    cloudfront-distribution-disallow-unencrypted-traffic

    Severity: critical · Enforcement: advisory

    Checks that CloudFront distributions only allow encypted ingress traffic.

    • SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
    Remediation
    Fix: Enforce HTTPS for CloudFront Distribution

    Set the viewerProtocolPolicy to “redirect-to-https” or “https-only” for both default and ordered cache behaviors to ensure all traffic is encrypted:

    const distribution = new cloudfront.Distribution("my-distribution", {
        enabled: true,
        defaultCacheBehavior: {
            targetOriginId: origin.originId,
            viewerProtocolPolicy: "redirect-to-https", // Enforce HTTPS for all traffic
            allowedMethods: ["GET", "HEAD"],
            cachedMethods: ["GET", "HEAD"],
            forwardedValues: {
                queryString: false,
                cookies: { forward: "none" },
            },
        },
        orderedCacheBehaviors: [{
            pathPattern: "/api/*",
            targetOriginId: origin.originId,
            viewerProtocolPolicy: "https-only", // Enforce HTTPS-only for API paths
            allowedMethods: ["GET", "HEAD", "OPTIONS"],
            cachedMethods: ["GET", "HEAD"],
            forwardedValues: {
                queryString: true,
                cookies: { forward: "none" },
            },
        }],
        origins: [origin],
        viewerCertificate: {
            cloudfrontDefaultCertificate: true,
        },
    });
    

    cloudfront-waf-association

    Severity: critical · Enforcement: advisory

    Ensures CloudFront distributions have WAF associations

    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    Remediation
    Fix: Associate WAF Web ACL with CloudFront Distribution

    Set the webAclId property to associate your CloudFront distribution with a WAF Web ACL:

    const distribution = new aws.cloudfront.Distribution("my-distribution", {
        enabled: true,
        webAclId: webAcl.arn, // Associate the WAF Web ACL with the distribution
        origins: [{
            domainName: bucket.bucketRegionalDomainName,
            originId: "S3Origin",
        }],
        defaultCacheBehavior: {
            targetOriginId: "S3Origin",
            viewerProtocolPolicy: "redirect-to-https",
            allowedMethods: ["GET", "HEAD"],
            cachedMethods: ["GET", "HEAD"],
            forwardedValues: {
                queryString: false,
                cookies: { forward: "none" },
            },
        },
    });
    

    docdb-clusterinstance-managed-service-patching

    Severity: medium · Enforcement: advisory

    Ensures DocumentDB cluster instances have automated minor version upgrades enabled

    • CM.L1-3.4.2 Establish and enforce security configuration settings — Establish and enforce security configuration settings for information technology products employed in organizational systems.
    • MA.L1-3.7.1 Perform system maintenance — Perform maintenance on organizational systems.
    • RA.L2-3.11.3 Remediate vulnerabilities — Remediate vulnerabilities in accordance with risk assessments.
    Remediation
    Fix: Enable Automatic Minor Version Upgrades for DocumentDB Cluster Instance

    Set the autoMinorVersionUpgrade property to true to enable automated patching for managed service security updates:

    const clusterInstance = new aws.docdb.ClusterInstance("my-cluster-instance", {
        clusterIdentifier: cluster.id,
        instanceClass: "db.r5.large",
        autoMinorVersionUpgrade: true, // Enable automatic minor version upgrades
    });
    

    dynamodb-streams-enabled

    Severity: medium · Enforcement: advisory

    Enforces that all DynamoDB tables have Stream settings enabled to capture all changes

    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    • CM.L2-3.4.3 Track and log configuration changes — Track, review, approve or disapprove, and log changes to organizational systems.
    Remediation
    Fix: Enable DynamoDB Streams

    Set the streamEnabled property to true on your DynamoDB table:

    const table = new aws.dynamodb.Table("my-table", {
        name: "my-table",
        attributes: [
            { name: "id", type: "S" },
        ],
        hashKey: "id",
        streamEnabled: true, // Enable DynamoDB Streams
        billingMode: "PAY_PER_REQUEST",
    });
    

    ebs-volume-disallow-unencrypted-volume

    Severity: high · Enforcement: advisory

    Checks that EBS volumes are encrypted.

    • MP.L1-3.8.1 Protect system media containing CUI — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
    • SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
    Remediation
    Fix: Enable EBS Volume Encryption

    Set the encrypted property to true on the EBS volume:

    const volume = new aws.ebs.Volume("my-volume", {
        availabilityZone: "us-west-2a",
        size: 100,
        encrypted: true, // Enable encryption for the volume
    });
    

    ec2-instance-disallow-public-ip

    Severity: high · Enforcement: advisory

    Checks that EC2 instances do not have a public IP address.

    • AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
    • AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
    Remediation
    Fix: Disable Public IP Address Assignment

    Set associatePublicIpAddress to false to prevent the instance from receiving a public IP address:

    const instance = new ec2.Instance("my-instance", {
        instanceType: "t3.micro",
        ami: "ami-12345678",
        associatePublicIpAddress: false, // Disable public IP assignment
        subnetId: privateSubnet.id,
    });
    

    ec2-security-group-disallow-inbound-http-traffic

    Severity: medium · Enforcement: advisory

    Check that EC2 Security Groups do not allow inbound HTTP traffic.

    • CM.L2-3.4.7 Restrict nonessential programs and services — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
    Remediation
    Fix: Remove HTTP Inbound Traffic Rules

    Remove any ingress rules that allow HTTP traffic on port 80, or use HTTPS (port 443) instead:

    const securityGroup = new ec2.SecurityGroup("my-sg", {
        vpcId: vpc.id,
        ingress: [
            {
                protocol: "tcp",
                fromPort: 443, // Use HTTPS instead of HTTP (port 80)
                toPort: 443,
                cidrBlocks: ["0.0.0.0/0"],
            },
            // Remove any rules with fromPort: 80 or toPort: 80
        ],
    });
    

    ecr-image-scanning

    Severity: high · Enforcement: advisory

    Ensures ECR repositories have image scanning enabled for vulnerability management

    • RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
    • SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
    Remediation
    Fix: Enable Image Scanning for ECR Repository

    Set the imageScanningConfiguration with scanOnPush: true to automatically scan container images for vulnerabilities when they are pushed:

    const repository = new aws.ecr.Repository("my-repo", {
        name: "my-application",
        imageScanningConfiguration: {
            scanOnPush: true, // Enable automatic vulnerability scanning
        },
    });
    

    ecr-repository-enable-image-scan

    Severity: high · Enforcement: advisory

    Checks that ECR repositories have ‘scan-on-push’ enabled.

    • RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
    • SI.L1-3.14.1 Identify and correct system flaws — Identify, report, and correct system flaws in a timely manner.
    • SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
    Remediation
    Fix: Enable Scan-on-Push for ECR Repository

    Set scanOnPush to true in the imageScanningConfiguration to automatically scan container images for vulnerabilities when pushed:

    const repository = new aws.ecr.Repository("my-repository", {
        imageScanningConfiguration: {
            scanOnPush: true, // Enable automatic vulnerability scanning
        },
    });
    

    ecs-task-definition-image-scanning

    Severity: high · Enforcement: advisory

    Ensures ECS task definitions use images from repositories with vulnerability scanning

    • RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
    • SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
    Remediation
    Fix: Use ECR Images with Scanning Enabled

    Update your ECS task definition to use container images from ECR repositories that have vulnerability scanning enabled:

    const taskDefinition = new aws.ecs.TaskDefinition("my-task", {
        family: "my-app",
        containerDefinitions: JSON.stringify([{
            name: "app",
            image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest", // Use ECR image with scanning
            memory: 512,
            cpu: 256,
        }]),
        requiresCompatibilities: ["FARGATE"],
        networkMode: "awsvpc",
        cpu: "256",
        memory: "512",
    });
    

    efs-file-system-disallow-unencrypted-file-system

    Severity: high · Enforcement: advisory

    Checks that EFS File Systems do not have an unencrypted file system.

    • SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
    Remediation
    Fix: Enable Encryption for EFS File System

    Set the encrypted property to true when creating an EFS file system:

    const fileSystem = new aws.efs.FileSystem("my-efs", {
        encrypted: true, // Enable encryption at rest
        kmsKeyId: kmsKey.arn, // Optional: specify a custom KMS key
    });
    

    elb-load-balancer-disallow-unencrypted-traffic

    Severity: critical · Enforcement: advisory

    Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic.

    • AC.L2-3.1.13 Employ cryptographic mechanisms for remote access — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
    • SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
    • SC.L2-3.13.15 Protect authenticity of communications sessions — Protect the authenticity of communications sessions.
    Remediation
    Fix: Use HTTPS Instead of HTTP for Load Balancer Listeners

    Configure all listeners to use HTTPS (port 443) instead of HTTP (port 80) to ensure encrypted traffic:

    const lb = new aws.elb.LoadBalancer("my-lb", {
        availabilityZones: ["us-west-2a", "us-west-2b"],
        listeners: [{
            instancePort: 443,
            instanceProtocol: "https",
            lbPort: 443,
            lbProtocol: "https", // Use HTTPS instead of HTTP
            sslCertificateId: "arn:aws:iam::123456789012:server-certificate/my-cert",
        }],
    });
    

    environment-separation-tagging

    Severity: medium · Enforcement: advisory

    Ensures that resources are tagged to distinguish between production and non-production environments

    • MP.L2-3.8.4 Mark media with CUI markings — Mark media with necessary CUI markings and distribution limitations.
    Remediation
    Fix: Add Environment Tag to Resource

    Add an “Environment” tag to the resource with a valid environment value (e.g., production, development, staging, testing):

    const instance = new aws.ec2.Instance("web-server", {
        instanceType: "t3.micro",
        ami: "ami-12345678",
        tags: {
            "Environment": "production", // Add environment tag for proper separation
            "Name": "web-server",
        },
    });
    

    iam-password-policy-minimum-password-length

    Severity: high · Enforcement: advisory

    Ensure IAM password policy requires minimum length of 14 or greater.

    • IA.L2-3.5.7 Enforce minimum password complexity — Enforce a minimum password complexity and change of characters when new passwords are created.
    Remediation
    Fix: Set Minimum Password Length to 14 Characters

    Set the minimumPasswordLength to 14 or greater for the IAM Account Password Policy:

    const passwordPolicy = new aws.iam.AccountPasswordPolicy("account-password-policy", {
        minimumPasswordLength: 14, // Set minimum length to at least 14 characters
    });
    

    iam-password-policy-prevent-reuse

    Severity: high · Enforcement: advisory

    Ensure IAM password policy prevents password reuse.

    • IA.L2-3.5.8 Prohibit password reuse — Prohibit password reuse for a specified number of generations.
    Remediation
    Fix: Configure Password Reuse Prevention

    Set the passwordReusePrevention property to 24 to prevent users from reusing their previous 24 passwords:

    const accountPasswordPolicy = new aws.iam.AccountPasswordPolicy("password-policy", {
        minimumPasswordLength: 14,
        requireNumbers: true,
        requireSymbols: true,
        requireUppercaseCharacters: true,
        requireLowercaseCharacters: true,
        passwordReusePrevention: 24, // Prevent reuse of previous 24 passwords
    });
    

    iam-policy-least-privilege

    Severity: high · Enforcement: advisory

    Ensures IAM policies follow least privilege principles

    • AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
    • AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    • AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    • AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
    • AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
    • AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
    • AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
    • AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
    • CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
    • IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
    • MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
    Remediation
    Fix: Replace Wildcard Permissions with Specific Actions and Resources

    Replace wildcard actions and resources with explicit, scoped permissions that grant only the minimum required access:

    const policy = new aws.iam.Policy("my-policy", {
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "s3:GetObject",        // Specify exact actions needed
                    "s3:PutObject",
                ],
                Resource: [
                    "arn:aws:s3:::my-bucket/*",  // Scope to specific resources
                ],
            }],
        }),
    });
    

    iam-role-assume-role-mfa-enforcement

    Severity: high · Enforcement: advisory

    Ensures IAM roles require MFA when assumed by human users (not AWS services)

    • IA.L1-3.5.2 Authenticate identities of users and devices — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
    • IA.L2-3.5.3 Use multifactor authentication — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
    • MA.L2-3.7.5 Require MFA for nonlocal maintenance — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
    Remediation
    Fix: Add MFA Condition to Role Trust Policy

    Add the aws:MultiFactorAuthPresent condition to any assume role statement that allows human principals to assume the role:

    const adminRole = new aws.iam.Role("admin-role", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::123456789012:root" // Root account (human)
                },
                Action: "sts:AssumeRole",
                Condition: {
                    Bool: {
                        "aws:MultiFactorAuthPresent": "true" // Require MFA
                    }
                }
            }],
        }),
    });
    
    const userAssumeRole = new aws.iam.Role("user-role", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::123456789012:user/john.doe" // IAM user (human)
                },
                Action: "sts:AssumeRole",
                Condition: {
                    Bool: {
                        "aws:MultiFactorAuthPresent": "true" // Require MFA
                    }
                }
            }],
        }),
    });
    
    // Service roles are automatically exempt (no MFA condition needed)
    const ecsTaskRole = new aws.iam.Role("ecs-task-role", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: {
                    Service: "ecs-tasks.amazonaws.com" // Service principal - no MFA needed
                },
                Action: "sts:AssumeRole"
            }],
        }),
    });
    
    // Role principals are never flagged (could be cross-account service roles)
    const crossAccountRole = new aws.iam.Role("cross-account-role", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::111111111111:role/service-role" // Role principal - not checked
                },
                Action: "sts:AssumeRole"
            }],
        }),
    });
    

    iam-role-least-privilege

    Severity: high · Enforcement: advisory

    Ensures IAM roles follow least privilege principles

    • AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
    • AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    • AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    • AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
    • AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
    • AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
    • AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
    • AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
    • CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
    • IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
    • MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
    Remediation
    Fix: Replace Wildcard Permissions with Specific Actions and Resources

    Replace wildcard actions and resources in inline policies with explicit, scoped permissions:

    const role = new aws.iam.Role("my-role", {
        assumeRolePolicy: assumePolicyDoc,
        inlinePolicies: [{
            name: "my-inline-policy",
            policy: JSON.stringify({
                Version: "2012-10-17",
                Statement: [{
                    Effect: "Allow",
                    Action: [
                        "dynamodb:GetItem",    // Specify exact actions needed
                        "dynamodb:PutItem",
                    ],
                    Resource: [
                        "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable",  // Scope to specific resources
                    ],
                }],
            }),
        }],
    });
    

    iam-role-policy-least-privilege

    Severity: high · Enforcement: advisory

    Ensures IAM role policies follow least privilege principles

    • AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
    • AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    • AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    • AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
    • AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
    • AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
    • AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
    • AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
    • CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
    • IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
    • MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
    Remediation
    Fix: Replace Wildcard Permissions with Specific Actions and Resources

    Replace wildcard actions and resources with explicit, scoped permissions:

    const rolePolicy = new aws.iam.RolePolicy("my-role-policy", {
        role: myRole.id,
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "ec2:DescribeInstances",   // Specify exact actions needed
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                ],
                Resource: [
                    "arn:aws:ec2:us-east-1:123456789012:instance/*",  // Scope to specific resources
                ],
            }],
        }),
    });
    

    iam-role-session-duration

    Severity: medium · Enforcement: advisory

    Enforces maximum session duration for IAM roles

    • AC.L2-3.1.11 Terminate user sessions after inactivity — Terminate (automatically) a user session after a defined condition.
    Remediation
    Fix: Set Appropriate Maximum Session Duration for IAM Role

    Configure the maxSessionDuration property based on the role type to limit credential exposure window:

    const appRole = new aws.iam.Role("app-role", {
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { Service: "ec2.amazonaws.com" },
                Action: "sts:AssumeRole",
            }],
        }),
        maxSessionDuration: 3600, // 1 hour for general roles (default)
    });
    
    const adminRole = new aws.iam.Role("admin-role", {
        name: "AdminRole",
        assumeRolePolicy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: { AWS: "arn:aws:iam::123456789012:root" },
                Action: "sts:AssumeRole",
            }],
        }),
        maxSessionDuration: 7200, // 2 hours for administrative roles
    });
    

    iam-user-mfa-console-access

    Severity: high · Enforcement: advisory

    Ensures IAM users with console access have MFA devices

    • IA.L1-3.5.2 Authenticate identities of users and devices — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
    • IA.L2-3.5.3 Use multifactor authentication — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
    Remediation
    Fix: Enable MFA for IAM User Console Access

    Create a Virtual MFA Device for each IAM user with console access:

    const user = new aws.iam.User("example-user", {
        name: "example-user",
    });
    
    const loginProfile = new aws.iam.UserLoginProfile("example-login", {
        user: user.name,
    });
    
    // Create Virtual MFA Device for the user
    const mfaDevice = new aws.iam.VirtualMfaDevice("example-user-mfa", {
        virtualMfaDeviceName: "example-user-mfa", // Name must match pattern: <username>-mfa or <username>-mfa-device
        userName: user.name, // Associate MFA device with the user
    });
    

    iam-user-policy-least-privilege

    Severity: high · Enforcement: advisory

    Ensures IAM user policies follow least privilege principles

    • AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
    • AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    • AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    • AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
    • AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
    • AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
    • AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
    • AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
    • CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
    • IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
    • MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
    Remediation
    Fix: Replace Wildcard Permissions with Specific Actions and Resources

    Replace wildcard actions and resources with explicit, scoped permissions:

    const userPolicy = new aws.iam.UserPolicy("my-user-policy", {
        user: myUser.name,
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "s3:ListBucket",         // Specify exact actions needed
                ],
                Resource: [
                    "arn:aws:s3:::my-bucket",  // Scope to specific resources
                ],
            }],
        }),
    });
    

    kms-key-creation

    Severity: medium · Enforcement: advisory

    Validates KMS key creation with appropriate specifications and origins

    • SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
    • SC.L2-3.13.11 Employ FIPS-validated cryptography — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
    Remediation
    Fix: Configure KMS Key with Proper Specifications

    Add a description, configure an appropriate deletion window (7-30 days), and ensure key specifications match your security requirements:

    const key = new aws.kms.Key("my-key", {
        description: "Key for encrypting application data", // Add clear description
        customerMasterKeySpec: "SYMMETRIC_DEFAULT", // Use approved key spec
        keyUsage: "ENCRYPT_DECRYPT", // Specify key usage
        deletionWindowInDays: 30, // Set deletion window between 7-30 days
        enableKeyRotation: true,
    });
    

    kms-key-deletion-lifecycle

    Severity: medium · Enforcement: advisory

    Validates KMS key deletion windows and lifecycle management

    • SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
    Remediation
    Fix: Configure KMS Key Deletion Window and Lifecycle Management

    Set a deletionWindowInDays between 7 and 30 days, add descriptive tags, and provide a clear description for proper lifecycle management:

    const kmsKey = new aws.kms.Key("my-key", {
        description: "Encryption key for application data",
        deletionWindowInDays: 30, // Set deletion window between 7-30 days
        tags: {
            Environment: "production",
            Owner: "security-team",
            Purpose: "data-encryption",
        },
    });
    

    kms-key-enable-key-rotation

    Severity: medium · Enforcement: advisory

    Checks that KMS Keys have key rotation enabled.

    • SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
    Remediation
    Fix: Enable Automatic Key Rotation for KMS Keys

    Set the enableKeyRotation property to true for all KMS keys to ensure cryptographic keys are automatically rotated annually:

    const key = new kms.Key("my-key", {
        description: "KMS key with automatic rotation",
        enableKeyRotation: true, // Enable automatic annual key rotation
    });
    

    lambda-environment-variables-encryption

    Severity: high · Enforcement: advisory

    Ensures that all Lambda functions have their environment variables encrypted using AWS KMS

    • SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
    Remediation
    Fix: Encrypt Lambda Environment Variables with KMS

    Configure a KMS key for Lambda function environment variable encryption by setting the kmsKeyArn property:

    const kmsKey = new aws.kms.Key("lambda-env-key", {
        description: "KMS key for Lambda environment variable encryption",
    });
    
    const lambdaFunction = new aws.lambda.Function("my-function", {
        runtime: "nodejs18.x",
        handler: "index.handler",
        role: role.arn,
        code: new pulumi.asset.AssetArchive({
            ".": new pulumi.asset.FileArchive("./function"),
        }),
        environment: {
            variables: {
                DATABASE_URL: "postgres://example.com/db",
            },
        },
        kmsKeyArn: kmsKey.arn, // Encrypt environment variables with KMS
    });
    

    lambda-function-logging

    Severity: medium · Enforcement: advisory

    Ensures that all AWS Lambda functions have logging enabled to track output data processing

    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    Remediation
    Fix: Enable Lambda Function Logging Configuration

    Add the loggingConfig property to your Lambda function with an appropriate applicationLogLevel (DEBUG, INFO, or WARN):

    const myFunction = new aws.lambda.Function("my-function", {
        runtime: "nodejs18.x",
        handler: "index.handler",
        role: lambdaRole.arn,
        code: new pulumi.asset.AssetArchive({
            ".": new pulumi.asset.FileArchive("./app"),
        }),
        loggingConfig: {
            logFormat: "JSON",
            applicationLogLevel: "INFO", // Set log level to INFO or DEBUG for adequate logging
        },
    });
    

    load-balancer-waf-association

    Severity: critical · Enforcement: advisory

    Ensures public-facing Load Balancers have WAF associations

    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    Remediation
    Fix: Associate WAF Web ACL with Load Balancer

    Create a WAF Web ACL association to protect your public-facing Load Balancer:

    // Create a WAF Web ACL association for the Load Balancer
    const wafAssociation = new aws.wafv2.WebAclAssociation("lb-waf-association", {
        resourceArn: loadBalancer.arn, // Reference the Load Balancer ARN
        webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
    });
    

    pubsub-least-privilege-iam

    Severity: medium · Enforcement: advisory

    Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis)

    • AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
    Remediation
    Fix: Use Specific Pub/Sub IAM Actions and Resource ARNs

    Replace wildcard permissions with specific actions and resource ARNs for Pub/Sub services:

    const queuePolicy = new aws.iam.Policy("queue-policy", {
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Action: [
                    "sqs:SendMessage",      // Use specific actions instead of sqs:*
                    "sqs:ReceiveMessage",
                    "sqs:DeleteMessage",
                ],
                Resource: "arn:aws:sqs:us-east-1:123456789012:my-queue", // Use specific ARN instead of *
            }],
        }),
    });
    

    rds-audit-logging

    Severity: medium · Enforcement: advisory

    Ensures RDS instances have audit logging enabled

    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    Remediation
    Fix: Enable RDS Audit Logging to CloudWatch

    Configure enabledCloudwatchLogsExports with appropriate audit log types for your database engine:

    // For MySQL/MariaDB
    const db = new aws.rds.Instance("my-db", {
        engine: "mysql",
        instanceClass: "db.t3.micro",
        allocatedStorage: 20,
        enabledCloudwatchLogsExports: ["audit", "error", "general", "slowquery"], // Enable audit logs
        // ... other configuration
    });
    
    // For PostgreSQL
    const pgDb = new aws.rds.Instance("my-pg-db", {
        engine: "postgres",
        instanceClass: "db.t3.micro",
        allocatedStorage: 20,
        enabledCloudwatchLogsExports: ["postgresql"], // Enable PostgreSQL logs
        // ... other configuration
    });
    
    // For Aurora clusters
    const cluster = new aws.rds.Cluster("my-cluster", {
        engine: "aurora-mysql",
        enabledCloudwatchLogsExports: ["audit", "error", "general", "slowquery"], // Enable audit logs
        // ... other configuration
    });
    

    rds-clusterinstance-ssl-encryption

    Severity: high · Enforcement: advisory

    Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration

    • AC.L2-3.1.13 Employ cryptographic mechanisms for remote access — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
    • SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
    Remediation
    Fix: Configure SSL/TLS Encryption for Aurora Cluster Instance

    Configure a parameter group to enforce SSL/TLS connections for your Aurora cluster instance:

    const clusterParamGroup = new aws.rds.ParameterGroup("cluster-params", {
        family: "aurora-postgresql14",
        parameters: [
            {
                name: "rds.force_ssl",
                value: "1", // Enforce SSL/TLS for all connections
            },
        ],
    });
    
    const clusterInstance = new aws.rds.ClusterInstance("my-cluster-instance", {
        clusterIdentifier: cluster.id,
        instanceClass: "db.r5.large",
        engine: cluster.engine,
        dbParameterGroupName: clusterParamGroup.name, // Attach parameter group with SSL enforcement
    });
    

    rds-instance-disallow-public-access

    Severity: critical · Enforcement: advisory

    Checks that RDS Instance public access is not enabled.

    • AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
    Remediation
    Fix: Disable Public Access for RDS Instance

    Set publiclyAccessible to false to prevent the RDS instance from being accessible from the internet:

    const dbInstance = new aws.rds.Instance("my-database", {
        allocatedStorage: 20,
        engine: "mysql",
        engineVersion: "8.0",
        instanceClass: "db.t3.micro",
        dbSubnetGroupName: privateSubnetGroup.name,
        vpcSecurityGroupIds: [dbSecurityGroup.id],
        publiclyAccessible: false, // Disable public access
        username: dbUsername,
        password: dbPassword,
    });
    

    rds-instance-disallow-unencrypted-storage

    Severity: high · Enforcement: advisory

    Checks that RDS instance storage is encrypted.

    • MP.L2-3.8.9 Protect confidentiality of backup CUI — Protect the confidentiality of backup CUI at storage locations.
    • SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
    Remediation
    Fix: Enable RDS Storage Encryption

    Set the storageEncrypted property to true to encrypt the RDS instance storage:

    const dbInstance = new aws.rds.Instance("my-db", {
        engine: "postgres",
        instanceClass: "db.t3.micro",
        allocatedStorage: 20,
        storageEncrypted: true, // Enable storage encryption
        username: "admin",
        password: adminPassword,
    });
    

    rds-instance-managed-service-patching

    Severity: medium · Enforcement: advisory

    Ensures RDS instances have automated minor version upgrades enabled

    • CM.L1-3.4.2 Establish and enforce security configuration settings — Establish and enforce security configuration settings for information technology products employed in organizational systems.
    • MA.L1-3.7.1 Perform system maintenance — Perform maintenance on organizational systems.
    • RA.L2-3.11.3 Remediate vulnerabilities — Remediate vulnerabilities in accordance with risk assessments.
    • SI.L1-3.14.1 Identify and correct system flaws — Identify, report, and correct system flaws in a timely manner.
    Remediation
    Fix: Enable Automatic Minor Version Upgrades for RDS

    Set the autoMinorVersionUpgrade property to true to enable automated patching for managed service security updates:

    const db = new aws.rds.Instance("my-database", {
        engine: "postgres",
        instanceClass: "db.t3.micro",
        allocatedStorage: 20,
        dbName: "mydb",
        username: "admin",
        password: dbPassword,
        autoMinorVersionUpgrade: true, // Enable automatic minor version upgrades
        skipFinalSnapshot: true,
    });
    

    resource-tagging

    Severity: medium · Enforcement: advisory

    Ensures all AWS resources must include tags for proper change tracking

    • MP.L2-3.8.4 Mark media with CUI markings — Mark media with necessary CUI markings and distribution limitations.
    Remediation
    Fix: Add Required Tags to AWS Resources

    Add a tags property with meaningful values to enable proper change tracking and documentation:

    const instance = new aws.ec2.Instance("my-instance", {
        ami: "ami-0c55b159cbfafe1f0",
        instanceType: "t3.micro",
        tags: {
            Environment: "production", // Add meaningful tags for change tracking
            Owner: "team-name",
            Application: "web-app",
        },
    });
    

    s3-bucket-access-logging

    Severity: medium · Enforcement: advisory

    Ensures each S3 bucket has access logging enabled

    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    Remediation
    Fix: Enable S3 Bucket Access Logging

    Create a BucketLogging resource with a target bucket and prefix to enable access logging:

    const myBucket = new aws.s3.Bucket("my-bucket", {
        // Bucket configuration
    });
    
    const logBucket = new aws.s3.Bucket("log-bucket", {
        // Configure log bucket settings
    });
    
    const bucketLogging = new aws.s3.BucketLogging("my-bucket-logging", {
        bucket: myBucket.id,
        targetBucket: logBucket.id, // Specify target bucket for logs
        targetPrefix: "logs/my-bucket/", // Specify prefix for organization
    });
    

    s3-bucket-encryption

    Severity: high · Enforcement: advisory

    S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource

    • MP.L1-3.8.1 Protect system media containing CUI — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
    • MP.L2-3.8.9 Protect confidentiality of backup CUI — Protect the confidentiality of backup CUI at storage locations.
    • SC.L2-3.13.11 Employ FIPS-validated cryptography — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
    • SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
    Remediation
    Fix: Configure S3 Bucket Server-Side Encryption

    Create a separate BucketServerSideEncryptionConfigurationV2 resource for your S3 bucket with encryption rules. Use AES256 or KMS encryption:

    const bucket = new aws.s3.BucketV2("my-bucket", {
        bucket: "my-secure-bucket",
    });
    
    // Add encryption configuration resource
    const bucketEncryption = new aws.s3.BucketServerSideEncryptionConfiguration("my-bucket-encryption", {
        bucket: bucket.id,
        rules: [{
            applyServerSideEncryptionByDefault: {
                sseAlgorithm: "aws:kms", // Enable KMS encryption
                kmsMasterKeyId: kmsKey.arn, // Specify customer-managed key
            },
            bucketKeyEnabled: true, // Enable bucket key for cost optimization
        }],
    });
    

    s3-bucket-least-privilege

    Severity: critical · Enforcement: advisory

    Prevents overly permissive S3 bucket policies

    • AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
    • AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
    • MP.L1-3.8.2 Limit access to CUI on system media — Limit access to CUI on system media to authorized users.
    Remediation
    Fix: Use Specific Actions, Resources, and Principals

    Replace wildcard (*) values in S3 bucket policy statements with specific, scoped permissions:

    const bucketPolicy = new aws.s3.BucketPolicy("policy", {
        bucket: bucket.id,
        policy: bucket.arn.apply(arn => JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::123456789012:role/specific-role" // Specify exact principal ARN
                },
                Action: ["s3:GetObject", "s3:PutObject"], // Use specific S3 actions
                Resource: `${arn}/*` // Scope to specific bucket
            }]
        }))
    });
    

    s3-bucket-lifecycle

    Severity: medium · Enforcement: advisory

    Ensures each S3 bucket has lifecycle rules configured for retention/disposal

    • MP.L1-3.8.3 Sanitize or destroy system media before disposal — Sanitize or destroy system media containing CUI before disposal or release for reuse.
    Remediation
    Fix: Configure Lifecycle Rules for S3 Bucket

    Create a BucketLifecycleConfiguration resource with at least one enabled rule:

    const myBucket = new aws.s3.Bucket("my-bucket", {
        // Bucket configuration
    });
    
    const lifecycleConfig = new aws.s3.BucketLifecycleConfiguration("my-bucket-lifecycle", {
        bucket: myBucket.id,
        rules: [
            {
                id: "delete-old-objects",
                status: "Enabled", // Rule must be enabled
                expiration: {
                    days: 90, // Define retention period (e.g., expire after 90 days)
                },
            },
        ],
    });
    

    s3-bucket-public-access-block

    Severity: critical · Enforcement: advisory

    Ensures each S3 bucket has a public access block with all settings enabled

    • AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
    • MP.L1-3.8.2 Limit access to CUI on system media — Limit access to CUI on system media to authorized users.
    Remediation
    Fix: Enable All Public Access Block Settings

    Create a BucketPublicAccessBlock resource with all four settings set to true:

    const myBucket = new aws.s3.Bucket("my-bucket", {
        // Bucket configuration
    });
    
    const publicAccessBlock = new aws.s3.BucketPublicAccessBlock("my-bucket-public-access-block", {
        bucket: myBucket.id,
        blockPublicAcls: true,       // Blocks new public ACLs
        blockPublicPolicy: true,     // Blocks new public bucket policies
        ignorePublicAcls: true,      // Ignores existing public ACLs
        restrictPublicBuckets: true, // Restricts public access to buckets with public policies
    });
    

    secrets-manager-secret-configure-customer-managed-key

    Severity: low · Enforcement: advisory

    Check that Secrets Manager Secrets use a customer-manager KMS key.

    • SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
    Remediation
    Fix: Configure Customer-Managed KMS Key for Secrets Manager Secret

    Set the kmsKeyId property to reference a customer-managed KMS key for encrypting the secret:

    const secret = new aws.secretsmanager.Secret("my-secret", {
        name: "my-application-secret",
        kmsKeyId: kmsKey.arn, // Use customer-managed KMS key
        description: "Sensitive application credentials",
    });
    

    security-group-default-deny

    Severity: high · Enforcement: advisory

    Ensures Security Groups follow default deny with explicit allow principle

    • CM.L2-3.4.6 Employ principle of least functionality — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
    • SC.L2-3.13.6 Deny network traffic by default — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
    Remediation
    Fix: Replace Unrestricted CIDR Blocks with Specific IP Ranges

    Replace 0.0.0.0/0 in ingress and egress rules with specific CIDR blocks or security group references to follow the default deny with explicit allow principle:

    const webSecurityGroup = new aws.ec2.SecurityGroup("web-sg", {
        vpcId: vpc.id,
        ingress: [{
            protocol: "tcp",
            fromPort: 443,
            toPort: 443,
            cidrBlocks: ["10.0.0.0/16"], // Use specific CIDR block instead of 0.0.0.0/0
        }],
        egress: [{
            protocol: "tcp",
            fromPort: 443,
            toPort: 443,
            cidrBlocks: ["10.0.0.0/16"], // Use specific CIDR block instead of 0.0.0.0/0
        }],
    });
    

    security-group-strict

    Severity: high · Enforcement: advisory

    Ensures security groups follow strict firewall rules with default deny

    • AC.L2-3.1.3 Control the flow of CUI — Control the flow of CUI in accordance with approved authorizations.
    • CM.L2-3.4.6 Employ principle of least functionality — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
    • CM.L2-3.4.7 Restrict nonessential programs and services — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    • SC.L2-3.13.6 Deny network traffic by default — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
    Remediation
    Fix: Configure Strict Security Group Rules

    Restrict ingress rules to specific CIDR blocks instead of allowing access from the entire internet (0.0.0.0/0). Use specific protocols and narrow port ranges:

    const securityGroup = new aws.ec2.SecurityGroup("my-sg", {
        vpcId: vpc.id,
        ingress: [
            {
                protocol: "tcp", // Use specific protocol, not "-1" (all)
                fromPort: 443,
                toPort: 443,
                cidrBlocks: ["10.0.0.0/8"], // Restrict to internal network, not "0.0.0.0/0"
            },
        ],
        egress: [
            {
                protocol: "-1",
                fromPort: 0,
                toPort: 0,
                cidrBlocks: ["0.0.0.0/0"],
            },
        ],
    });
    

    subnet-multi-az

    Severity: medium · Enforcement: advisory

    Ensures subnets are distributed across multiple availability zones

    • SC.L1-3.13.2 Employ architectural designs promoting security — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
    Remediation
    Fix: Distribute Subnets Across Multiple Availability Zones

    Create subnets in at least 2 different availability zones to ensure high availability and fault tolerance:

    const subnet1 = new aws.ec2.Subnet("subnet-az1", {
        vpcId: vpc.id,
        cidrBlock: "10.0.1.0/24",
        availabilityZone: "us-east-1a", // Specify explicit AZ
    });
    
    const subnet2 = new aws.ec2.Subnet("subnet-az2", {
        vpcId: vpc.id,
        cidrBlock: "10.0.2.0/24",
        availabilityZone: "us-east-1b", // Use different AZ for redundancy
    });
    

    vpc-endpoint-security-policy

    Severity: medium · Enforcement: advisory

    Ensures that VPC endpoints are associated with security policies that limit access to specified resources

    • SC.L1-3.13.2 Employ architectural designs promoting security — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
    Remediation
    Fix: Configure Restrictive VPC Endpoint Policy

    Add a policy to your VPC endpoint that specifies explicit principals and resources instead of wildcards:

    const vpcEndpoint = new aws.ec2.VpcEndpoint("my-endpoint", {
        vpcId: vpc.id,
        serviceName: "com.amazonaws.us-west-2.s3",
        policy: JSON.stringify({
            Version: "2012-10-17",
            Statement: [{
                Effect: "Allow",
                Principal: {
                    AWS: "arn:aws:iam::123456789012:role/MyRole" // Specify explicit principal ARN
                },
                Action: "s3:GetObject",
                Resource: "arn:aws:s3:::my-bucket/*" // Specify explicit resource ARN
            }]
        }),
    });
    

    vpc-flow-logs

    Severity: medium · Enforcement: advisory

    Ensures VPC flow logs use approved destinations for centralized monitoring

    • AC.L2-3.1.3 Control the flow of CUI — Control the flow of CUI in accordance with approved authorizations.
    • AC.L2-3.1.12 Monitor and control remote access sessions — Monitor and control remote access sessions.
    • AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    • SI.L2-3.14.6 Monitor systems to detect attacks — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
    Remediation
    Fix: Configure VPC Flow Logs with Approved Destination

    Configure VPC Flow Logs to use one of the approved log destinations specified in the policy configuration:

    const flowLog = new aws.ec2.FlowLog("vpc-flow-log", {
        vpcId: vpc.id,
        trafficType: "ALL",
        logDestination: "arn:aws:s3:::approved-logging-bucket", // Use approved destination
        logDestinationType: "s3",
    });
    

    vpc-subnet-flow-logs

    Severity: medium · Enforcement: advisory

    Ensures all VPCs and subnets have flow logs enabled

    • SC.L2-3.13.5 Implement subnetworks for publicly accessible components — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
    • SI.L2-3.14.6 Monitor systems to detect attacks — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
    Remediation
    Fix: Enable VPC Flow Logs for Network Monitoring

    Create a VPC Flow Log resource and associate it with your VPC or subnet to capture network traffic information:

    const vpc = new aws.ec2.Vpc("my-vpc", {
        cidrBlock: "10.0.0.0/16",
    });
    
    // Enable flow logs for the VPC
    const flowLog = new aws.ec2.FlowLog("vpc-flow-log", {
        vpcId: vpc.id, // Associate flow log with VPC
        trafficType: "ALL", // Capture all traffic (ACCEPT, REJECT, ALL)
        logDestinationType: "cloud-watch-logs",
        logDestination: logGroup.arn,
        iamRoleArn: flowLogRole.arn,
    });
    

    waf-association-validation

    Severity: critical · Enforcement: advisory

    Validates WAF Web ACL associations are properly configured

    • SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
    Remediation
    Fix: Configure WAF Web ACL Association Properties

    Ensure both resourceArn and webAclArn are specified in the WAF association:

    const wafAssociation = new aws.wafv2.WebAclAssociation("my-waf-association", {
        resourceArn: resource.arn, // Specify the resource ARN to protect
        webAclArn: webAcl.arn, // Specify the WAF Web ACL ARN
    });
    

      The infrastructure as code platform for any cloud.