CMMC 2.0 - AWS
This page lists all 54 policies in the CMMC 2.0 pack for AWS, as published in cmmc-aws version 1.0.2.
Policies by control
AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- ec2-instance-disallow-public-ip
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
- s3-bucket-least-privilege
AC.L2-3.1.3 Control the flow of CUI — Control the flow of CUI in accordance with approved authorizations.
AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
- pubsub-least-privilege-iam
- s3-bucket-least-privilege
AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
AC.L2-3.1.11 Terminate user sessions after inactivity — Terminate (automatically) a user session after a defined condition.
AC.L2-3.1.12 Monitor and control remote access sessions — Monitor and control remote access sessions.
AC.L2-3.1.13 Employ cryptographic mechanisms for remote access — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- api-gateway-access-logging
- api-gateway-v2-access-logging
- dynamodb-streams-enabled
- lambda-function-logging
- rds-audit-logging
- s3-bucket-access-logging
- vpc-flow-logs
AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
CM.L1-3.4.2 Establish and enforce security configuration settings — Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.L2-3.4.3 Track and log configuration changes — Track, review, approve or disapprove, and log changes to organizational systems.
CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
CM.L2-3.4.6 Employ principle of least functionality — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
CM.L2-3.4.7 Restrict nonessential programs and services — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
IA.L1-3.5.2 Authenticate identities of users and devices — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
IA.L2-3.5.3 Use multifactor authentication — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
IA.L2-3.5.7 Enforce minimum password complexity — Enforce a minimum password complexity and change of characters when new passwords are created.
IA.L2-3.5.8 Prohibit password reuse — Prohibit password reuse for a specified number of generations.
MA.L1-3.7.1 Perform system maintenance — Perform maintenance on organizational systems.
MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
- iam-policy-least-privilege
- iam-role-least-privilege
- iam-role-policy-least-privilege
- iam-user-policy-least-privilege
MA.L2-3.7.5 Require MFA for nonlocal maintenance — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
MP.L1-3.8.1 Protect system media containing CUI — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
MP.L1-3.8.2 Limit access to CUI on system media — Limit access to CUI on system media to authorized users.
MP.L1-3.8.3 Sanitize or destroy system media before disposal — Sanitize or destroy system media containing CUI before disposal or release for reuse.
MP.L2-3.8.4 Mark media with CUI markings — Mark media with necessary CUI markings and distribution limitations.
MP.L2-3.8.9 Protect confidentiality of backup CUI — Protect the confidentiality of backup CUI at storage locations.
RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
RA.L2-3.11.3 Remediate vulnerabilities — Remediate vulnerabilities in accordance with risk assessments.
SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- api-gateway-waf-association
- appsync-waf-association
- cloudfront-waf-association
- load-balancer-waf-association
- security-group-strict
- vpc-flow-logs
- waf-association-validation
SC.L1-3.13.2 Employ architectural designs promoting security — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
SC.L2-3.13.5 Implement subnetworks for publicly accessible components — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
SC.L2-3.13.6 Deny network traffic by default — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
- cloudfront-distribution-disallow-unencrypted-traffic
- elb-load-balancer-disallow-unencrypted-traffic
- rds-clusterinstance-ssl-encryption
SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
SC.L2-3.13.11 Employ FIPS-validated cryptography — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
SC.L2-3.13.15 Protect authenticity of communications sessions — Protect the authenticity of communications sessions.
SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
- ebs-volume-disallow-unencrypted-volume
- efs-file-system-disallow-unencrypted-file-system
- lambda-environment-variables-encryption
- rds-instance-disallow-unencrypted-storage
- s3-bucket-encryption
- secrets-manager-secret-configure-customer-managed-key
SI.L1-3.14.1 Identify and correct system flaws — Identify, report, and correct system flaws in a timely manner.
SI.L1-3.14.2 Provide protection from malicious code — Provide protection from malicious code at designated locations within organizational systems.
SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
SI.L2-3.14.6 Monitor systems to detect attacks — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Policy details
anti-malware-edr
Severity: high · Enforcement: advisory
Ensures EC2 instances have anti-malware/EDR agents deployed
- SI.L1-3.14.2 Provide protection from malicious code — Provide protection from malicious code at designated locations within organizational systems.
Remediation
Fix: Deploy Anti-Malware/EDR Agent via User Data
Include anti-malware or EDR agent installation commands in the instance’s userData:
const instance = new aws.ec2.Instance("protected-instance", {
instanceType: "t3.medium",
ami: "ami-0c55b159cbfafe1f0",
userData: "#!/bin/bash\nyum install -y amazon-ssm-agent\nsystemctl enable amazon-ssm-agent\nsystemctl start amazon-ssm-agent", // Install SSM agent
subnetId: subnet.id,
});
api-gateway-access-logging
Severity: medium · Enforcement: advisory
Ensures API Gateway stages have access logging enabled
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Remediation
Fix: Enable Access Logging for API Gateway Stage
Configure the accessLogSettings property with a CloudWatch Log Group ARN to enable comprehensive audit logging:
const logGroup = new aws.cloudwatch.LogGroup("api-logs", {
retentionInDays: 30,
});
const stage = new aws.apigateway.Stage("my-stage", {
restApi: api.id,
stageName: "prod",
deployment: deployment.id,
accessLogSettings: { // Enable access logging
destinationArn: logGroup.arn, // Specify CloudWatch Log Group
format: "$context.requestId",
},
});
api-gateway-authorization
Severity: high · Enforcement: advisory
Ensures API Gateway methods use strong authorization instead of NONE
- SC.L2-3.13.15 Protect authenticity of communications sessions — Protect the authenticity of communications sessions.
Remediation
Fix: Enable Strong Authorization for API Gateway Method
Set the authorization property to a strong authorization type (AWS_IAM, COGNITO_USER_POOLS, CUSTOM, or JWT) instead of “NONE”:
const method = new aws.apigateway.Method("my-method", {
restApi: api.id,
resourceId: resource.id,
httpMethod: "GET",
authorization: "AWS_IAM", // Use strong authorization instead of "NONE"
// For CUSTOM authorization, also specify the authorizer:
// authorizerId: authorizer.id,
});
api-gateway-v2-access-logging
Severity: medium · Enforcement: advisory
Ensures API Gateway V2 stages have access logging enabled
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Remediation
Fix: Enable Access Logging for API Gateway V2 Stage
Configure the accessLogSettings property with a CloudWatch Log Group ARN to enable comprehensive audit logging:
const logGroup = new aws.cloudwatch.LogGroup("api-v2-logs", {
retentionInDays: 30,
});
const stage = new aws.apigatewayv2.Stage("my-stage", {
apiId: api.id,
name: "prod",
accessLogSettings: { // Enable access logging
destinationArn: logGroup.arn, // Specify CloudWatch Log Group
format: "$context.requestId",
},
});
api-gateway-waf-association
Severity: critical · Enforcement: advisory
Ensures public-facing API Gateways have WAF associations
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Remediation
Fix: Associate WAF Web ACL with API Gateway Stage
Create a WAF Web ACL association for your API Gateway stage:
// Create a WAF Web ACL association for the API Gateway stage
const wafAssociation = new aws.wafv2.WebAclAssociation("api-waf-association", {
resourceArn: pulumi.interpolate`arn:aws:apigateway:${region}::/restapis/${restApi.id}/stages/${stage.stageName}`, // Stage ARN
webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
});
appsync-waf-association
Severity: critical · Enforcement: advisory
Ensures public-facing AppSync GraphQL APIs have WAF associations
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Remediation
Fix: Associate WAF Web ACL with AppSync GraphQL API
Create a WAF Web ACL association to protect your AppSync GraphQL API:
// Create a WAF Web ACL association for the AppSync GraphQL API
const wafAssociation = new aws.wafv2.WebAclAssociation("appsync-waf-association", {
resourceArn: graphqlApi.arn, // Reference the GraphQL API ARN
webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
});
cloudfront-distribution-disallow-unencrypted-traffic
Severity: critical · Enforcement: advisory
Checks that CloudFront distributions only allow encypted ingress traffic.
- SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Remediation
Fix: Enforce HTTPS for CloudFront Distribution
Set the viewerProtocolPolicy to “redirect-to-https” or “https-only” for both default and ordered cache behaviors to ensure all traffic is encrypted:
const distribution = new cloudfront.Distribution("my-distribution", {
enabled: true,
defaultCacheBehavior: {
targetOriginId: origin.originId,
viewerProtocolPolicy: "redirect-to-https", // Enforce HTTPS for all traffic
allowedMethods: ["GET", "HEAD"],
cachedMethods: ["GET", "HEAD"],
forwardedValues: {
queryString: false,
cookies: { forward: "none" },
},
},
orderedCacheBehaviors: [{
pathPattern: "/api/*",
targetOriginId: origin.originId,
viewerProtocolPolicy: "https-only", // Enforce HTTPS-only for API paths
allowedMethods: ["GET", "HEAD", "OPTIONS"],
cachedMethods: ["GET", "HEAD"],
forwardedValues: {
queryString: true,
cookies: { forward: "none" },
},
}],
origins: [origin],
viewerCertificate: {
cloudfrontDefaultCertificate: true,
},
});
cloudfront-waf-association
Severity: critical · Enforcement: advisory
Ensures CloudFront distributions have WAF associations
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Remediation
Fix: Associate WAF Web ACL with CloudFront Distribution
Set the webAclId property to associate your CloudFront distribution with a WAF Web ACL:
const distribution = new aws.cloudfront.Distribution("my-distribution", {
enabled: true,
webAclId: webAcl.arn, // Associate the WAF Web ACL with the distribution
origins: [{
domainName: bucket.bucketRegionalDomainName,
originId: "S3Origin",
}],
defaultCacheBehavior: {
targetOriginId: "S3Origin",
viewerProtocolPolicy: "redirect-to-https",
allowedMethods: ["GET", "HEAD"],
cachedMethods: ["GET", "HEAD"],
forwardedValues: {
queryString: false,
cookies: { forward: "none" },
},
},
});
docdb-clusterinstance-managed-service-patching
Severity: medium · Enforcement: advisory
Ensures DocumentDB cluster instances have automated minor version upgrades enabled
- CM.L1-3.4.2 Establish and enforce security configuration settings — Establish and enforce security configuration settings for information technology products employed in organizational systems.
- MA.L1-3.7.1 Perform system maintenance — Perform maintenance on organizational systems.
- RA.L2-3.11.3 Remediate vulnerabilities — Remediate vulnerabilities in accordance with risk assessments.
Remediation
Fix: Enable Automatic Minor Version Upgrades for DocumentDB Cluster Instance
Set the autoMinorVersionUpgrade property to true to enable automated patching for managed service security updates:
const clusterInstance = new aws.docdb.ClusterInstance("my-cluster-instance", {
clusterIdentifier: cluster.id,
instanceClass: "db.r5.large",
autoMinorVersionUpgrade: true, // Enable automatic minor version upgrades
});
dynamodb-streams-enabled
Severity: medium · Enforcement: advisory
Enforces that all DynamoDB tables have Stream settings enabled to capture all changes
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- CM.L2-3.4.3 Track and log configuration changes — Track, review, approve or disapprove, and log changes to organizational systems.
Remediation
Fix: Enable DynamoDB Streams
Set the streamEnabled property to true on your DynamoDB table:
const table = new aws.dynamodb.Table("my-table", {
name: "my-table",
attributes: [
{ name: "id", type: "S" },
],
hashKey: "id",
streamEnabled: true, // Enable DynamoDB Streams
billingMode: "PAY_PER_REQUEST",
});
ebs-volume-disallow-unencrypted-volume
Severity: high · Enforcement: advisory
Checks that EBS volumes are encrypted.
- MP.L1-3.8.1 Protect system media containing CUI — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
Remediation
Fix: Enable EBS Volume Encryption
Set the encrypted property to true on the EBS volume:
const volume = new aws.ebs.Volume("my-volume", {
availabilityZone: "us-west-2a",
size: 100,
encrypted: true, // Enable encryption for the volume
});
ec2-instance-disallow-public-ip
Severity: high · Enforcement: advisory
Checks that EC2 instances do not have a public IP address.
- AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
Remediation
Fix: Disable Public IP Address Assignment
Set associatePublicIpAddress to false to prevent the instance from receiving a public IP address:
const instance = new ec2.Instance("my-instance", {
instanceType: "t3.micro",
ami: "ami-12345678",
associatePublicIpAddress: false, // Disable public IP assignment
subnetId: privateSubnet.id,
});
ec2-security-group-disallow-inbound-http-traffic
Severity: medium · Enforcement: advisory
Check that EC2 Security Groups do not allow inbound HTTP traffic.
- CM.L2-3.4.7 Restrict nonessential programs and services — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Remediation
Fix: Remove HTTP Inbound Traffic Rules
Remove any ingress rules that allow HTTP traffic on port 80, or use HTTPS (port 443) instead:
const securityGroup = new ec2.SecurityGroup("my-sg", {
vpcId: vpc.id,
ingress: [
{
protocol: "tcp",
fromPort: 443, // Use HTTPS instead of HTTP (port 80)
toPort: 443,
cidrBlocks: ["0.0.0.0/0"],
},
// Remove any rules with fromPort: 80 or toPort: 80
],
});
ecr-image-scanning
Severity: high · Enforcement: advisory
Ensures ECR repositories have image scanning enabled for vulnerability management
- RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
Remediation
Fix: Enable Image Scanning for ECR Repository
Set the imageScanningConfiguration with scanOnPush: true to automatically scan container images for vulnerabilities when they are pushed:
const repository = new aws.ecr.Repository("my-repo", {
name: "my-application",
imageScanningConfiguration: {
scanOnPush: true, // Enable automatic vulnerability scanning
},
});
ecr-repository-enable-image-scan
Severity: high · Enforcement: advisory
Checks that ECR repositories have ‘scan-on-push’ enabled.
- RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- SI.L1-3.14.1 Identify and correct system flaws — Identify, report, and correct system flaws in a timely manner.
- SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
Remediation
Fix: Enable Scan-on-Push for ECR Repository
Set scanOnPush to true in the imageScanningConfiguration to automatically scan container images for vulnerabilities when pushed:
const repository = new aws.ecr.Repository("my-repository", {
imageScanningConfiguration: {
scanOnPush: true, // Enable automatic vulnerability scanning
},
});
ecs-task-definition-image-scanning
Severity: high · Enforcement: advisory
Ensures ECS task definitions use images from repositories with vulnerability scanning
- RA.L2-3.11.2 Scan for vulnerabilities — Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- SI.L2-3.14.5 Perform periodic and real-time scans — Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
Remediation
Fix: Use ECR Images with Scanning Enabled
Update your ECS task definition to use container images from ECR repositories that have vulnerability scanning enabled:
const taskDefinition = new aws.ecs.TaskDefinition("my-task", {
family: "my-app",
containerDefinitions: JSON.stringify([{
name: "app",
image: "123456789012.dkr.ecr.us-east-1.amazonaws.com/my-repo:latest", // Use ECR image with scanning
memory: 512,
cpu: 256,
}]),
requiresCompatibilities: ["FARGATE"],
networkMode: "awsvpc",
cpu: "256",
memory: "512",
});
efs-file-system-disallow-unencrypted-file-system
Severity: high · Enforcement: advisory
Checks that EFS File Systems do not have an unencrypted file system.
- SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
Remediation
Fix: Enable Encryption for EFS File System
Set the encrypted property to true when creating an EFS file system:
const fileSystem = new aws.efs.FileSystem("my-efs", {
encrypted: true, // Enable encryption at rest
kmsKeyId: kmsKey.arn, // Optional: specify a custom KMS key
});
elb-load-balancer-disallow-unencrypted-traffic
Severity: critical · Enforcement: advisory
Check that ELB Load Balancers do not allow unencrypted (HTTP) traffic.
- AC.L2-3.1.13 Employ cryptographic mechanisms for remote access — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
- SC.L2-3.13.15 Protect authenticity of communications sessions — Protect the authenticity of communications sessions.
Remediation
Fix: Use HTTPS Instead of HTTP for Load Balancer Listeners
Configure all listeners to use HTTPS (port 443) instead of HTTP (port 80) to ensure encrypted traffic:
const lb = new aws.elb.LoadBalancer("my-lb", {
availabilityZones: ["us-west-2a", "us-west-2b"],
listeners: [{
instancePort: 443,
instanceProtocol: "https",
lbPort: 443,
lbProtocol: "https", // Use HTTPS instead of HTTP
sslCertificateId: "arn:aws:iam::123456789012:server-certificate/my-cert",
}],
});
environment-separation-tagging
Severity: medium · Enforcement: advisory
Ensures that resources are tagged to distinguish between production and non-production environments
- MP.L2-3.8.4 Mark media with CUI markings — Mark media with necessary CUI markings and distribution limitations.
Remediation
Fix: Add Environment Tag to Resource
Add an “Environment” tag to the resource with a valid environment value (e.g., production, development, staging, testing):
const instance = new aws.ec2.Instance("web-server", {
instanceType: "t3.micro",
ami: "ami-12345678",
tags: {
"Environment": "production", // Add environment tag for proper separation
"Name": "web-server",
},
});
iam-password-policy-minimum-password-length
Severity: high · Enforcement: advisory
Ensure IAM password policy requires minimum length of 14 or greater.
- IA.L2-3.5.7 Enforce minimum password complexity — Enforce a minimum password complexity and change of characters when new passwords are created.
Remediation
Fix: Set Minimum Password Length to 14 Characters
Set the minimumPasswordLength to 14 or greater for the IAM Account Password Policy:
const passwordPolicy = new aws.iam.AccountPasswordPolicy("account-password-policy", {
minimumPasswordLength: 14, // Set minimum length to at least 14 characters
});
iam-password-policy-prevent-reuse
Severity: high · Enforcement: advisory
Ensure IAM password policy prevents password reuse.
- IA.L2-3.5.8 Prohibit password reuse — Prohibit password reuse for a specified number of generations.
Remediation
Fix: Configure Password Reuse Prevention
Set the passwordReusePrevention property to 24 to prevent users from reusing their previous 24 passwords:
const accountPasswordPolicy = new aws.iam.AccountPasswordPolicy("password-policy", {
minimumPasswordLength: 14,
requireNumbers: true,
requireSymbols: true,
requireUppercaseCharacters: true,
requireLowercaseCharacters: true,
passwordReusePrevention: 24, // Prevent reuse of previous 24 passwords
});
iam-policy-least-privilege
Severity: high · Enforcement: advisory
Ensures IAM policies follow least privilege principles
- AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
- AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
- AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
- CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
- MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Remediation
Fix: Replace Wildcard Permissions with Specific Actions and Resources
Replace wildcard actions and resources with explicit, scoped permissions that grant only the minimum required access:
const policy = new aws.iam.Policy("my-policy", {
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"s3:GetObject", // Specify exact actions needed
"s3:PutObject",
],
Resource: [
"arn:aws:s3:::my-bucket/*", // Scope to specific resources
],
}],
}),
});
iam-role-assume-role-mfa-enforcement
Severity: high · Enforcement: advisory
Ensures IAM roles require MFA when assumed by human users (not AWS services)
- IA.L1-3.5.2 Authenticate identities of users and devices — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
- IA.L2-3.5.3 Use multifactor authentication — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- MA.L2-3.7.5 Require MFA for nonlocal maintenance — Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Remediation
Fix: Add MFA Condition to Role Trust Policy
Add the aws:MultiFactorAuthPresent condition to any assume role statement that allows human principals to assume the role:
const adminRole = new aws.iam.Role("admin-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: {
AWS: "arn:aws:iam::123456789012:root" // Root account (human)
},
Action: "sts:AssumeRole",
Condition: {
Bool: {
"aws:MultiFactorAuthPresent": "true" // Require MFA
}
}
}],
}),
});
const userAssumeRole = new aws.iam.Role("user-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: {
AWS: "arn:aws:iam::123456789012:user/john.doe" // IAM user (human)
},
Action: "sts:AssumeRole",
Condition: {
Bool: {
"aws:MultiFactorAuthPresent": "true" // Require MFA
}
}
}],
}),
});
// Service roles are automatically exempt (no MFA condition needed)
const ecsTaskRole = new aws.iam.Role("ecs-task-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: {
Service: "ecs-tasks.amazonaws.com" // Service principal - no MFA needed
},
Action: "sts:AssumeRole"
}],
}),
});
// Role principals are never flagged (could be cross-account service roles)
const crossAccountRole = new aws.iam.Role("cross-account-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: {
AWS: "arn:aws:iam::111111111111:role/service-role" // Role principal - not checked
},
Action: "sts:AssumeRole"
}],
}),
});
iam-role-least-privilege
Severity: high · Enforcement: advisory
Ensures IAM roles follow least privilege principles
- AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
- AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
- AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
- CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
- MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Remediation
Fix: Replace Wildcard Permissions with Specific Actions and Resources
Replace wildcard actions and resources in inline policies with explicit, scoped permissions:
const role = new aws.iam.Role("my-role", {
assumeRolePolicy: assumePolicyDoc,
inlinePolicies: [{
name: "my-inline-policy",
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"dynamodb:GetItem", // Specify exact actions needed
"dynamodb:PutItem",
],
Resource: [
"arn:aws:dynamodb:us-east-1:123456789012:table/MyTable", // Scope to specific resources
],
}],
}),
}],
});
iam-role-policy-least-privilege
Severity: high · Enforcement: advisory
Ensures IAM role policies follow least privilege principles
- AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
- AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
- AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
- CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
- MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Remediation
Fix: Replace Wildcard Permissions with Specific Actions and Resources
Replace wildcard actions and resources with explicit, scoped permissions:
const rolePolicy = new aws.iam.RolePolicy("my-role-policy", {
role: myRole.id,
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"ec2:DescribeInstances", // Specify exact actions needed
"ec2:StartInstances",
"ec2:StopInstances",
],
Resource: [
"arn:aws:ec2:us-east-1:123456789012:instance/*", // Scope to specific resources
],
}],
}),
});
iam-role-session-duration
Severity: medium · Enforcement: advisory
Enforces maximum session duration for IAM roles
- AC.L2-3.1.11 Terminate user sessions after inactivity — Terminate (automatically) a user session after a defined condition.
Remediation
Fix: Set Appropriate Maximum Session Duration for IAM Role
Configure the maxSessionDuration property based on the role type to limit credential exposure window:
const appRole = new aws.iam.Role("app-role", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: { Service: "ec2.amazonaws.com" },
Action: "sts:AssumeRole",
}],
}),
maxSessionDuration: 3600, // 1 hour for general roles (default)
});
const adminRole = new aws.iam.Role("admin-role", {
name: "AdminRole",
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: { AWS: "arn:aws:iam::123456789012:root" },
Action: "sts:AssumeRole",
}],
}),
maxSessionDuration: 7200, // 2 hours for administrative roles
});
iam-user-mfa-console-access
Severity: high · Enforcement: advisory
Ensures IAM users with console access have MFA devices
- IA.L1-3.5.2 Authenticate identities of users and devices — Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
- IA.L2-3.5.3 Use multifactor authentication — Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Remediation
Fix: Enable MFA for IAM User Console Access
Create a Virtual MFA Device for each IAM user with console access:
const user = new aws.iam.User("example-user", {
name: "example-user",
});
const loginProfile = new aws.iam.UserLoginProfile("example-login", {
user: user.name,
});
// Create Virtual MFA Device for the user
const mfaDevice = new aws.iam.VirtualMfaDevice("example-user-mfa", {
virtualMfaDeviceName: "example-user-mfa", // Name must match pattern: <username>-mfa or <username>-mfa-device
userName: user.name, // Associate MFA device with the user
});
iam-user-policy-least-privilege
Severity: high · Enforcement: advisory
Ensures IAM user policies follow least privilege principles
- AC.L1-3.1.1 Limit system access to authorized users — Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.4 Separate the duties of individuals — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- AC.L2-3.1.6 Use non-privileged accounts for nonsecurity functions — Use non-privileged accounts or roles when accessing nonsecurity functions.
- AC.L2-3.1.7 Prevent non-privileged users from executing privileged functions — Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- AC.L2-3.1.15 Authorize remote execution of privileged commands — Authorize remote execution of privileged commands and remote access to security-relevant information.
- AU.L2-3.3.9 Limit audit logging management to privileged users — Limit management of audit logging functionality to a subset of privileged users.
- CM.L2-3.4.5 Define access restrictions for system changes — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- IA.L1-3.5.1 Identify system users and devices — Identify system users, processes acting on behalf of users, and devices.
- MA.L1-3.7.2 Provide controls on maintenance tools and personnel — Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Remediation
Fix: Replace Wildcard Permissions with Specific Actions and Resources
Replace wildcard actions and resources with explicit, scoped permissions:
const userPolicy = new aws.iam.UserPolicy("my-user-policy", {
user: myUser.name,
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"s3:ListBucket", // Specify exact actions needed
],
Resource: [
"arn:aws:s3:::my-bucket", // Scope to specific resources
],
}],
}),
});
kms-key-creation
Severity: medium · Enforcement: advisory
Validates KMS key creation with appropriate specifications and origins
- SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
- SC.L2-3.13.11 Employ FIPS-validated cryptography — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Remediation
Fix: Configure KMS Key with Proper Specifications
Add a description, configure an appropriate deletion window (7-30 days), and ensure key specifications match your security requirements:
const key = new aws.kms.Key("my-key", {
description: "Key for encrypting application data", // Add clear description
customerMasterKeySpec: "SYMMETRIC_DEFAULT", // Use approved key spec
keyUsage: "ENCRYPT_DECRYPT", // Specify key usage
deletionWindowInDays: 30, // Set deletion window between 7-30 days
enableKeyRotation: true,
});
kms-key-deletion-lifecycle
Severity: medium · Enforcement: advisory
Validates KMS key deletion windows and lifecycle management
- SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
Remediation
Fix: Configure KMS Key Deletion Window and Lifecycle Management
Set a deletionWindowInDays between 7 and 30 days, add descriptive tags, and provide a clear description for proper lifecycle management:
const kmsKey = new aws.kms.Key("my-key", {
description: "Encryption key for application data",
deletionWindowInDays: 30, // Set deletion window between 7-30 days
tags: {
Environment: "production",
Owner: "security-team",
Purpose: "data-encryption",
},
});
kms-key-enable-key-rotation
Severity: medium · Enforcement: advisory
Checks that KMS Keys have key rotation enabled.
- SC.L2-3.13.10 Establish and manage cryptographic keys — Establish and manage cryptographic keys for cryptography employed in organizational systems.
Remediation
Fix: Enable Automatic Key Rotation for KMS Keys
Set the enableKeyRotation property to true for all KMS keys to ensure cryptographic keys are automatically rotated annually:
const key = new kms.Key("my-key", {
description: "KMS key with automatic rotation",
enableKeyRotation: true, // Enable automatic annual key rotation
});
lambda-environment-variables-encryption
Severity: high · Enforcement: advisory
Ensures that all Lambda functions have their environment variables encrypted using AWS KMS
- SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
Remediation
Fix: Encrypt Lambda Environment Variables with KMS
Configure a KMS key for Lambda function environment variable encryption by setting the kmsKeyArn property:
const kmsKey = new aws.kms.Key("lambda-env-key", {
description: "KMS key for Lambda environment variable encryption",
});
const lambdaFunction = new aws.lambda.Function("my-function", {
runtime: "nodejs18.x",
handler: "index.handler",
role: role.arn,
code: new pulumi.asset.AssetArchive({
".": new pulumi.asset.FileArchive("./function"),
}),
environment: {
variables: {
DATABASE_URL: "postgres://example.com/db",
},
},
kmsKeyArn: kmsKey.arn, // Encrypt environment variables with KMS
});
lambda-function-logging
Severity: medium · Enforcement: advisory
Ensures that all AWS Lambda functions have logging enabled to track output data processing
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Remediation
Fix: Enable Lambda Function Logging Configuration
Add the loggingConfig property to your Lambda function with an appropriate applicationLogLevel (DEBUG, INFO, or WARN):
const myFunction = new aws.lambda.Function("my-function", {
runtime: "nodejs18.x",
handler: "index.handler",
role: lambdaRole.arn,
code: new pulumi.asset.AssetArchive({
".": new pulumi.asset.FileArchive("./app"),
}),
loggingConfig: {
logFormat: "JSON",
applicationLogLevel: "INFO", // Set log level to INFO or DEBUG for adequate logging
},
});
load-balancer-waf-association
Severity: critical · Enforcement: advisory
Ensures public-facing Load Balancers have WAF associations
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Remediation
Fix: Associate WAF Web ACL with Load Balancer
Create a WAF Web ACL association to protect your public-facing Load Balancer:
// Create a WAF Web ACL association for the Load Balancer
const wafAssociation = new aws.wafv2.WebAclAssociation("lb-waf-association", {
resourceArn: loadBalancer.arn, // Reference the Load Balancer ARN
webAclArn: webAcl.arn, // Reference the WAF Web ACL ARN
});
pubsub-least-privilege-iam
Severity: medium · Enforcement: advisory
Ensures IAM policies follow least privilege principles for Pub/Sub services (SNS, SQS, Kinesis)
- AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
Remediation
Fix: Use Specific Pub/Sub IAM Actions and Resource ARNs
Replace wildcard permissions with specific actions and resource ARNs for Pub/Sub services:
const queuePolicy = new aws.iam.Policy("queue-policy", {
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"sqs:SendMessage", // Use specific actions instead of sqs:*
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
],
Resource: "arn:aws:sqs:us-east-1:123456789012:my-queue", // Use specific ARN instead of *
}],
}),
});
rds-audit-logging
Severity: medium · Enforcement: advisory
Ensures RDS instances have audit logging enabled
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Remediation
Fix: Enable RDS Audit Logging to CloudWatch
Configure enabledCloudwatchLogsExports with appropriate audit log types for your database engine:
// For MySQL/MariaDB
const db = new aws.rds.Instance("my-db", {
engine: "mysql",
instanceClass: "db.t3.micro",
allocatedStorage: 20,
enabledCloudwatchLogsExports: ["audit", "error", "general", "slowquery"], // Enable audit logs
// ... other configuration
});
// For PostgreSQL
const pgDb = new aws.rds.Instance("my-pg-db", {
engine: "postgres",
instanceClass: "db.t3.micro",
allocatedStorage: 20,
enabledCloudwatchLogsExports: ["postgresql"], // Enable PostgreSQL logs
// ... other configuration
});
// For Aurora clusters
const cluster = new aws.rds.Cluster("my-cluster", {
engine: "aurora-mysql",
enabledCloudwatchLogsExports: ["audit", "error", "general", "slowquery"], // Enable audit logs
// ... other configuration
});
rds-clusterinstance-ssl-encryption
Severity: high · Enforcement: advisory
Ensures RDS cluster instances have SSL/TLS encryption enabled through parameter group configuration
- AC.L2-3.1.13 Employ cryptographic mechanisms for remote access — Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- SC.L2-3.13.8 Implement cryptographic mechanisms for transmission — Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Remediation
Fix: Configure SSL/TLS Encryption for Aurora Cluster Instance
Configure a parameter group to enforce SSL/TLS connections for your Aurora cluster instance:
const clusterParamGroup = new aws.rds.ParameterGroup("cluster-params", {
family: "aurora-postgresql14",
parameters: [
{
name: "rds.force_ssl",
value: "1", // Enforce SSL/TLS for all connections
},
],
});
const clusterInstance = new aws.rds.ClusterInstance("my-cluster-instance", {
clusterIdentifier: cluster.id,
instanceClass: "db.r5.large",
engine: cluster.engine,
dbParameterGroupName: clusterParamGroup.name, // Attach parameter group with SSL enforcement
});
rds-instance-disallow-public-access
Severity: critical · Enforcement: advisory
Checks that RDS Instance public access is not enabled.
- AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
Remediation
Fix: Disable Public Access for RDS Instance
Set publiclyAccessible to false to prevent the RDS instance from being accessible from the internet:
const dbInstance = new aws.rds.Instance("my-database", {
allocatedStorage: 20,
engine: "mysql",
engineVersion: "8.0",
instanceClass: "db.t3.micro",
dbSubnetGroupName: privateSubnetGroup.name,
vpcSecurityGroupIds: [dbSecurityGroup.id],
publiclyAccessible: false, // Disable public access
username: dbUsername,
password: dbPassword,
});
rds-instance-disallow-unencrypted-storage
Severity: high · Enforcement: advisory
Checks that RDS instance storage is encrypted.
- MP.L2-3.8.9 Protect confidentiality of backup CUI — Protect the confidentiality of backup CUI at storage locations.
- SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
Remediation
Fix: Enable RDS Storage Encryption
Set the storageEncrypted property to true to encrypt the RDS instance storage:
const dbInstance = new aws.rds.Instance("my-db", {
engine: "postgres",
instanceClass: "db.t3.micro",
allocatedStorage: 20,
storageEncrypted: true, // Enable storage encryption
username: "admin",
password: adminPassword,
});
rds-instance-managed-service-patching
Severity: medium · Enforcement: advisory
Ensures RDS instances have automated minor version upgrades enabled
- CM.L1-3.4.2 Establish and enforce security configuration settings — Establish and enforce security configuration settings for information technology products employed in organizational systems.
- MA.L1-3.7.1 Perform system maintenance — Perform maintenance on organizational systems.
- RA.L2-3.11.3 Remediate vulnerabilities — Remediate vulnerabilities in accordance with risk assessments.
- SI.L1-3.14.1 Identify and correct system flaws — Identify, report, and correct system flaws in a timely manner.
Remediation
Fix: Enable Automatic Minor Version Upgrades for RDS
Set the autoMinorVersionUpgrade property to true to enable automated patching for managed service security updates:
const db = new aws.rds.Instance("my-database", {
engine: "postgres",
instanceClass: "db.t3.micro",
allocatedStorage: 20,
dbName: "mydb",
username: "admin",
password: dbPassword,
autoMinorVersionUpgrade: true, // Enable automatic minor version upgrades
skipFinalSnapshot: true,
});
resource-tagging
Severity: medium · Enforcement: advisory
Ensures all AWS resources must include tags for proper change tracking
- MP.L2-3.8.4 Mark media with CUI markings — Mark media with necessary CUI markings and distribution limitations.
Remediation
Fix: Add Required Tags to AWS Resources
Add a tags property with meaningful values to enable proper change tracking and documentation:
const instance = new aws.ec2.Instance("my-instance", {
ami: "ami-0c55b159cbfafe1f0",
instanceType: "t3.micro",
tags: {
Environment: "production", // Add meaningful tags for change tracking
Owner: "team-name",
Application: "web-app",
},
});
s3-bucket-access-logging
Severity: medium · Enforcement: advisory
Ensures each S3 bucket has access logging enabled
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Remediation
Fix: Enable S3 Bucket Access Logging
Create a BucketLogging resource with a target bucket and prefix to enable access logging:
const myBucket = new aws.s3.Bucket("my-bucket", {
// Bucket configuration
});
const logBucket = new aws.s3.Bucket("log-bucket", {
// Configure log bucket settings
});
const bucketLogging = new aws.s3.BucketLogging("my-bucket-logging", {
bucket: myBucket.id,
targetBucket: logBucket.id, // Specify target bucket for logs
targetPrefix: "logs/my-bucket/", // Specify prefix for organization
});
s3-bucket-encryption
Severity: high · Enforcement: advisory
S3 buckets must have server-side encryption configured using BucketServerSideEncryptionConfiguration resource
- MP.L1-3.8.1 Protect system media containing CUI — Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
- MP.L2-3.8.9 Protect confidentiality of backup CUI — Protect the confidentiality of backup CUI at storage locations.
- SC.L2-3.13.11 Employ FIPS-validated cryptography — Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
- SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
Remediation
Fix: Configure S3 Bucket Server-Side Encryption
Create a separate BucketServerSideEncryptionConfigurationV2 resource for your S3 bucket with encryption rules. Use AES256 or KMS encryption:
const bucket = new aws.s3.BucketV2("my-bucket", {
bucket: "my-secure-bucket",
});
// Add encryption configuration resource
const bucketEncryption = new aws.s3.BucketServerSideEncryptionConfiguration("my-bucket-encryption", {
bucket: bucket.id,
rules: [{
applyServerSideEncryptionByDefault: {
sseAlgorithm: "aws:kms", // Enable KMS encryption
kmsMasterKeyId: kmsKey.arn, // Specify customer-managed key
},
bucketKeyEnabled: true, // Enable bucket key for cost optimization
}],
});
s3-bucket-least-privilege
Severity: critical · Enforcement: advisory
Prevents overly permissive S3 bucket policies
- AC.L1-3.1.2 Limit system access to authorized transaction types — Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- AC.L2-3.1.5 Employ the principle of least privilege — Employ the principle of least privilege, including for specific security functions and privileged accounts.
- MP.L1-3.8.2 Limit access to CUI on system media — Limit access to CUI on system media to authorized users.
Remediation
Fix: Use Specific Actions, Resources, and Principals
Replace wildcard (*) values in S3 bucket policy statements with specific, scoped permissions:
const bucketPolicy = new aws.s3.BucketPolicy("policy", {
bucket: bucket.id,
policy: bucket.arn.apply(arn => JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: {
AWS: "arn:aws:iam::123456789012:role/specific-role" // Specify exact principal ARN
},
Action: ["s3:GetObject", "s3:PutObject"], // Use specific S3 actions
Resource: `${arn}/*` // Scope to specific bucket
}]
}))
});
s3-bucket-lifecycle
Severity: medium · Enforcement: advisory
Ensures each S3 bucket has lifecycle rules configured for retention/disposal
- MP.L1-3.8.3 Sanitize or destroy system media before disposal — Sanitize or destroy system media containing CUI before disposal or release for reuse.
Remediation
Fix: Configure Lifecycle Rules for S3 Bucket
Create a BucketLifecycleConfiguration resource with at least one enabled rule:
const myBucket = new aws.s3.Bucket("my-bucket", {
// Bucket configuration
});
const lifecycleConfig = new aws.s3.BucketLifecycleConfiguration("my-bucket-lifecycle", {
bucket: myBucket.id,
rules: [
{
id: "delete-old-objects",
status: "Enabled", // Rule must be enabled
expiration: {
days: 90, // Define retention period (e.g., expire after 90 days)
},
},
],
});
s3-bucket-public-access-block
Severity: critical · Enforcement: advisory
Ensures each S3 bucket has a public access block with all settings enabled
- AC.L2-3.1.22 Control CUI on publicly accessible systems — Control CUI posted or processed on publicly accessible systems.
- MP.L1-3.8.2 Limit access to CUI on system media — Limit access to CUI on system media to authorized users.
Remediation
Fix: Enable All Public Access Block Settings
Create a BucketPublicAccessBlock resource with all four settings set to true:
const myBucket = new aws.s3.Bucket("my-bucket", {
// Bucket configuration
});
const publicAccessBlock = new aws.s3.BucketPublicAccessBlock("my-bucket-public-access-block", {
bucket: myBucket.id,
blockPublicAcls: true, // Blocks new public ACLs
blockPublicPolicy: true, // Blocks new public bucket policies
ignorePublicAcls: true, // Ignores existing public ACLs
restrictPublicBuckets: true, // Restricts public access to buckets with public policies
});
secrets-manager-secret-configure-customer-managed-key
Severity: low · Enforcement: advisory
Check that Secrets Manager Secrets use a customer-manager KMS key.
- SC.L2-3.13.16 Protect confidentiality of CUI at rest — Protect the confidentiality of CUI at rest.
Remediation
Fix: Configure Customer-Managed KMS Key for Secrets Manager Secret
Set the kmsKeyId property to reference a customer-managed KMS key for encrypting the secret:
const secret = new aws.secretsmanager.Secret("my-secret", {
name: "my-application-secret",
kmsKeyId: kmsKey.arn, // Use customer-managed KMS key
description: "Sensitive application credentials",
});
security-group-default-deny
Severity: high · Enforcement: advisory
Ensures Security Groups follow default deny with explicit allow principle
- CM.L2-3.4.6 Employ principle of least functionality — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- SC.L2-3.13.6 Deny network traffic by default — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Remediation
Fix: Replace Unrestricted CIDR Blocks with Specific IP Ranges
Replace 0.0.0.0/0 in ingress and egress rules with specific CIDR blocks or security group references to follow the default deny with explicit allow principle:
const webSecurityGroup = new aws.ec2.SecurityGroup("web-sg", {
vpcId: vpc.id,
ingress: [{
protocol: "tcp",
fromPort: 443,
toPort: 443,
cidrBlocks: ["10.0.0.0/16"], // Use specific CIDR block instead of 0.0.0.0/0
}],
egress: [{
protocol: "tcp",
fromPort: 443,
toPort: 443,
cidrBlocks: ["10.0.0.0/16"], // Use specific CIDR block instead of 0.0.0.0/0
}],
});
security-group-strict
Severity: high · Enforcement: advisory
Ensures security groups follow strict firewall rules with default deny
- AC.L2-3.1.3 Control the flow of CUI — Control the flow of CUI in accordance with approved authorizations.
- CM.L2-3.4.6 Employ principle of least functionality — Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- CM.L2-3.4.7 Restrict nonessential programs and services — Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- SC.L2-3.13.6 Deny network traffic by default — Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Remediation
Fix: Configure Strict Security Group Rules
Restrict ingress rules to specific CIDR blocks instead of allowing access from the entire internet (0.0.0.0/0). Use specific protocols and narrow port ranges:
const securityGroup = new aws.ec2.SecurityGroup("my-sg", {
vpcId: vpc.id,
ingress: [
{
protocol: "tcp", // Use specific protocol, not "-1" (all)
fromPort: 443,
toPort: 443,
cidrBlocks: ["10.0.0.0/8"], // Restrict to internal network, not "0.0.0.0/0"
},
],
egress: [
{
protocol: "-1",
fromPort: 0,
toPort: 0,
cidrBlocks: ["0.0.0.0/0"],
},
],
});
subnet-multi-az
Severity: medium · Enforcement: advisory
Ensures subnets are distributed across multiple availability zones
- SC.L1-3.13.2 Employ architectural designs promoting security — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Remediation
Fix: Distribute Subnets Across Multiple Availability Zones
Create subnets in at least 2 different availability zones to ensure high availability and fault tolerance:
const subnet1 = new aws.ec2.Subnet("subnet-az1", {
vpcId: vpc.id,
cidrBlock: "10.0.1.0/24",
availabilityZone: "us-east-1a", // Specify explicit AZ
});
const subnet2 = new aws.ec2.Subnet("subnet-az2", {
vpcId: vpc.id,
cidrBlock: "10.0.2.0/24",
availabilityZone: "us-east-1b", // Use different AZ for redundancy
});
vpc-endpoint-security-policy
Severity: medium · Enforcement: advisory
Ensures that VPC endpoints are associated with security policies that limit access to specified resources
- SC.L1-3.13.2 Employ architectural designs promoting security — Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Remediation
Fix: Configure Restrictive VPC Endpoint Policy
Add a policy to your VPC endpoint that specifies explicit principals and resources instead of wildcards:
const vpcEndpoint = new aws.ec2.VpcEndpoint("my-endpoint", {
vpcId: vpc.id,
serviceName: "com.amazonaws.us-west-2.s3",
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Principal: {
AWS: "arn:aws:iam::123456789012:role/MyRole" // Specify explicit principal ARN
},
Action: "s3:GetObject",
Resource: "arn:aws:s3:::my-bucket/*" // Specify explicit resource ARN
}]
}),
});
vpc-flow-logs
Severity: medium · Enforcement: advisory
Ensures VPC flow logs use approved destinations for centralized monitoring
- AC.L2-3.1.3 Control the flow of CUI — Control the flow of CUI in accordance with approved authorizations.
- AC.L2-3.1.12 Monitor and control remote access sessions — Monitor and control remote access sessions.
- AU.L1-3.3.1 Create and retain system audit logs — Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- SI.L2-3.14.6 Monitor systems to detect attacks — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Remediation
Fix: Configure VPC Flow Logs with Approved Destination
Configure VPC Flow Logs to use one of the approved log destinations specified in the policy configuration:
const flowLog = new aws.ec2.FlowLog("vpc-flow-log", {
vpcId: vpc.id,
trafficType: "ALL",
logDestination: "arn:aws:s3:::approved-logging-bucket", // Use approved destination
logDestinationType: "s3",
});
vpc-subnet-flow-logs
Severity: medium · Enforcement: advisory
Ensures all VPCs and subnets have flow logs enabled
- SC.L2-3.13.5 Implement subnetworks for publicly accessible components — Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- SI.L2-3.14.6 Monitor systems to detect attacks — Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Remediation
Fix: Enable VPC Flow Logs for Network Monitoring
Create a VPC Flow Log resource and associate it with your VPC or subnet to capture network traffic information:
const vpc = new aws.ec2.Vpc("my-vpc", {
cidrBlock: "10.0.0.0/16",
});
// Enable flow logs for the VPC
const flowLog = new aws.ec2.FlowLog("vpc-flow-log", {
vpcId: vpc.id, // Associate flow log with VPC
trafficType: "ALL", // Capture all traffic (ACCEPT, REJECT, ALL)
logDestinationType: "cloud-watch-logs",
logDestination: logGroup.arn,
iamRoleArn: flowLogRole.arn,
});
waf-association-validation
Severity: critical · Enforcement: advisory
Validates WAF Web ACL associations are properly configured
- SC.L1-3.13.1 Monitor and control communications at boundaries — Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Remediation
Fix: Configure WAF Web ACL Association Properties
Ensure both resourceArn and webAclArn are specified in the WAF association:
const wafAssociation = new aws.wafv2.WebAclAssociation("my-waf-association", {
resourceArn: resource.arn, // Specify the resource ARN to protect
webAclArn: webAcl.arn, // Specify the WAF Web ACL ARN
});